1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * Copyright (c) 2018 Google, Inc.
4 */
5
6/*
7 * Regression test for commit 4dca6ea1d943 ("KEYS: add missing permission check
8 * for request_key() destination"), or CVE-2017-17807.  This bug allowed adding
9 * a key to a keyring given only Search permission to that keyring, rather than
10 * the expected Write permission.
11 *
12 * We test for the bug by trying to add a negatively instantiated key, since
13 * adding a negatively instantiated key using the bug was easy whereas adding a
14 * positively instantiated key required exploiting a race condition.
15 */
16
17#include <errno.h>
18
19#include "tst_test.h"
20#include "lapi/keyctl.h"
21
22static void do_test(void)
23{
24	key_serial_t keyid;
25	int saved_errno;
26
27	TEST(keyctl(KEYCTL_JOIN_SESSION_KEYRING, NULL));
28	if (TST_RET < 0)
29		tst_brk(TBROK | TTERRNO, "failed to join new session keyring");
30
31	TEST(keyctl(KEYCTL_SETPERM, KEY_SPEC_SESSION_KEYRING,
32		    KEY_POS_SEARCH|KEY_POS_READ|KEY_POS_VIEW));
33	if (TST_RET < 0) {
34		tst_brk(TBROK | TTERRNO,
35			"failed to set permissions on session keyring");
36	}
37
38	TEST(keyctl(KEYCTL_SET_REQKEY_KEYRING,
39		    KEY_REQKEY_DEFL_SESSION_KEYRING));
40	if (TST_RET < 0) {
41		tst_brk(TBROK | TTERRNO,
42			"failed to set request-key default keyring");
43	}
44
45	TEST(keyctl(KEYCTL_READ, KEY_SPEC_SESSION_KEYRING,
46		    &keyid, sizeof(keyid)));
47	if (TST_RET < 0)
48		tst_brk(TBROK | TTERRNO, "failed to read from session keyring");
49	if (TST_RET != 0)
50		tst_brk(TBROK, "session keyring is not empty");
51
52	TEST(request_key("user", "desc", "callout_info", 0));
53	if (TST_RET != -1)
54		tst_brk(TBROK, "request_key() unexpectedly succeeded");
55	saved_errno = TST_ERR;
56
57	TEST(keyctl(KEYCTL_READ, KEY_SPEC_SESSION_KEYRING,
58		    &keyid, sizeof(keyid)));
59	if (TST_RET < 0)
60		tst_brk(TBROK | TTERRNO, "failed to read from session keyring");
61	if (TST_RET != 0)
62		tst_brk(TFAIL, "added key to keyring without permission");
63
64	TST_ERR = saved_errno;
65	if (TST_ERR == EACCES) {
66		tst_res(TPASS, "request_key() failed with EACCES as expected");
67	} else {
68		tst_res(TFAIL | TTERRNO,
69			"request_key() failed with unexpected error code");
70	}
71}
72
73static struct tst_test test = {
74	.test_all = do_test,
75	.tags = (const struct tst_tag[]) {
76		{"CVE", "2017-17807"},
77		{"linux-git", "4dca6ea1d943"},
78		{}
79	}
80};
81