Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp8239501ybi; Tue, 9 Jul 2019 11:45:51 -0700 (PDT) X-Google-Smtp-Source: APXvYqxPMUF9pY4xQ5uTEcuQVGVlZpEGNSj8q8AtlverTUID8poDultIDc1HEUBpBeMemIBrhTf6 X-Received: by 2002:a17:902:3103:: with SMTP id w3mr34734664plb.84.1562697951249; Tue, 09 Jul 2019 11:45:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562697951; cv=none; d=google.com; s=arc-20160816; b=ZwNol0K9dimGhIzTcfI89XzIVNIY59NvlPL//vN/xu2/4ZC492Jz7a8SwpBurCKtyU Z30XaZDZdbdxsaYqcio43+9BT8Xo4luvOhRfceK0eJ5XYPwozYUo0hVuPinnW1XuYFJ8 Fv1VjjkAocjIcyNGGyWVJcBbdNeOALv60R2LCH932Au2wJpYPzQzyHR/vxqgQhD/35O2 6YmrHaxcRfU0SKeHV1OX2SsXmIIl4g7JVtbSufBQDwlm1HXElYKSNZuQl5GhLPMKt7Ck B5Bqa21p8zDpK8gu1LLvAqbIZ2jPV3wllMeKN8mQBVHxqeF4lZFxxjjCFBMaugedilXa 4f+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=bDZYQo/dF/CIfpfJT9YG87rz+fjF/kjT8kLCojQVH9g=; b=gOAH7cYG6VxSXeEasjCRegGS+XOs5I/qX7dFvIPUVCmXFnjSThSiiZt9ZIG7/fs5Yg aXevN7Y82+1N4OJAeKBRZmx5TaoqSWOLhDut8M784YKOWxmqzE+GwkTq3iZEVuGQqLRl 0QkyG1CviTT3m7vdp6ClIYe0KyE0yGUqTW0lDhJmDGIJ2YC7+Hmx+Qil3huf7Ex+OK6y xB3IioJ8bj43LZG6drucV+WBNcqySvKxg/NopT/dobXdDh4Tjb/mgIGJ8SMNIrzkj/Q+ 9euPy4PHAK3sx+/W8hMcAt0m5M5kGKNal3Ggb6FjqOCbFM3j2lE5lVj01jSUz9mHmTsc r3nQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=RwEzZvi3; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z191si24135907pgd.572.2019.07.09.11.45.28; Tue, 09 Jul 2019 11:45:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=RwEzZvi3; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729299AbfGISmt (ORCPT + 99 others); Tue, 9 Jul 2019 14:42:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:59046 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726592AbfGISmt (ORCPT ); Tue, 9 Jul 2019 14:42:49 -0400 Received: from sol.localdomain (c-24-5-143-220.hsd1.ca.comcast.net [24.5.143.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AD7512087F; Tue, 9 Jul 2019 18:42:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562697767; bh=X3pzvbYhZ/lv/M8VWDHtODQibujWBrDAGnmxUIbdytc=; h=From:To:Cc:Subject:Date:From; b=RwEzZvi3KdLfaYuTW+bR+NOOHSYHcf+vrDf8nBBN7JZx1grEQ7oveTeePYM+qwfJi NVvUC5M45r3/6oC9Qf8Rn9qm8WGU7QohLjiMuDr8Fx+4krZJA5/JxGcudMC8LkBXO9 NfSoxlO5JjgnOixwUWMTOfMsknnDZbNTSA+qyOlk= From: Eric Biggers To: ltp@lists.linux.it Cc: linux-crypto@vger.kernel.org, =?UTF-8?q?Michal=20Such=C3=A1nek?= , chetjain@in.ibm.com Subject: [PATCH] crypto/crypto_user02.c: new test that tries to delete larval algorithm Date: Tue, 9 Jul 2019 11:42:02 -0700 Message-Id: <20190709184202.25112-1-ebiggers@kernel.org> X-Mailer: git-send-email 2.22.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Eric Biggers Test for a bug in the crypto user configuration API (NETLINK_CRYPTO) where it incorrectly allowed operating on "larval" algorithms. Signed-off-by: Eric Biggers --- runtest/crypto | 1 + testcases/kernel/crypto/.gitignore | 1 + testcases/kernel/crypto/Makefile | 2 + testcases/kernel/crypto/crypto_user02.c | 108 ++++++++++++++++++++++++ 4 files changed, 112 insertions(+) create mode 100644 testcases/kernel/crypto/crypto_user02.c diff --git a/runtest/crypto b/runtest/crypto index ad713c5edf..be8bc81d2f 100644 --- a/runtest/crypto +++ b/runtest/crypto @@ -6,3 +6,4 @@ af_alg05 af_alg05 af_alg06 af_alg06 pcrypt_aead01 pcrypt_aead01 crypto_user01 crypto_user01 +crypto_user02 crypto_user02 diff --git a/testcases/kernel/crypto/.gitignore b/testcases/kernel/crypto/.gitignore index 7340bde293..c5be01180c 100644 --- a/testcases/kernel/crypto/.gitignore +++ b/testcases/kernel/crypto/.gitignore @@ -6,3 +6,4 @@ af_alg05 af_alg06 pcrypt_aead01 crypto_user01 +crypto_user02 diff --git a/testcases/kernel/crypto/Makefile b/testcases/kernel/crypto/Makefile index 6547e1cb63..7cbdb72d19 100644 --- a/testcases/kernel/crypto/Makefile +++ b/testcases/kernel/crypto/Makefile @@ -22,3 +22,5 @@ CFLAGS += -D_GNU_SOURCE include $(top_srcdir)/include/mk/generic_leaf_target.mk af_alg02: CFLAGS += -pthread + +crypto_user02: LDLIBS += -lrt diff --git a/testcases/kernel/crypto/crypto_user02.c b/testcases/kernel/crypto/crypto_user02.c new file mode 100644 index 0000000000..6090b5a4ea --- /dev/null +++ b/testcases/kernel/crypto/crypto_user02.c @@ -0,0 +1,108 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright 2019 Google LLC + */ + +/* + * Regression test for kernel commit 21d4120ec6f5 ("crypto: user - prevent + * operating on larval algorithms"). See the commit message for a detailed + * explanation of the problem. Basically, this test tries to cause a NULL + * pointer dereference in the kernel by abusing the CRYPTO_MSG_DELALG message in + * the NETLINK_CRYPTO interface to try to delete a "larval" algorithm, which is + * a kernel-internal marker for an algorithm which has been registered but isn't + * ready yet (e.g., hasn't completed the in-kernel crypto self-tests yet). + * + * CRYPTO_MSG_NEWALG will create such a larval algorithm. However, it waits + * (killably) for the larval to mature before returning, and it holds a lock + * that prevents CRYPTO_MSG_DELALG from running. To get around this, this test + * sends a fatal signal to the process executing CRYPTO_MSG_NEWALG. + */ + +#include +#include +#include + +#include "tst_test.h" +#include "tst_crypto.h" +#include "tst_timer.h" + +static struct tst_crypto_session ses = TST_CRYPTO_SESSION_INIT; + +static void setup(void) +{ + tst_crypto_open(&ses); +} + +static void run(void) +{ + struct crypto_user_alg alg = { + /* + * Any algorithm instantiated from a template can do here, but + * choose something that's commonly available. + */ + .cru_driver_name = "hmac(sha256-generic)", + }; + pid_t pid; + int status; + + /* Check whether the algorithm is supported before continuing. */ + TEST(tst_crypto_add_alg(&ses, &alg)); + if (TST_RET != 0 && TST_RET != -EEXIST) { + if (TST_RET == -ENOENT) + tst_brk(TCONF, "%s not supported", alg.cru_driver_name); + + tst_brk(TBROK | TRERRNO, + "unexpected error checking for algorithm support"); + } + + tst_res(TINFO, + "Starting crypto_user larval deletion test. May crash buggy kernels."); + + tst_timer_start(CLOCK_MONOTONIC); + + while (!tst_timer_expired_ms(1000)) { + pid = SAFE_FORK(); + + if (pid == 0) { + /* Child process: execute CRYPTO_MSG_NEWALG. */ + tst_crypto_open(&ses); + for (;;) { + TEST(tst_crypto_add_alg(&ses, &alg)); + if (TST_RET && TST_RET != -EEXIST) + tst_brk(TBROK | TRERRNO, + "unexpected error from tst_crypto_add_alg()"); + } + } + + /* + * Parent process: kill the child process (hopefully while it's + * executing CRYPTO_MSG_NEWALG) and execute CRYPTO_MSG_DELALG. + * Buggy kernels sometimes dereferenced a NULL pointer during + * CRYPTO_MSG_DELALG here. + */ + usleep(rand() % 5000); + kill(pid, SIGKILL); + SAFE_WAIT(&status); + if (!WIFSIGNALED(status) || WTERMSIG(status) != SIGKILL) + tst_brk(TBROK, "child %s", tst_strstatus(status)); + TEST(tst_crypto_del_alg(&ses, &alg)); + if (TST_RET && TST_RET != -ENOENT) + tst_brk(TBROK | TRERRNO, + "unexpected error from tst_crypto_del_alg()"); + } + + tst_res(TPASS, "didn't crash"); +} + +static void cleanup(void) +{ + tst_crypto_close(&ses); +} + +static struct tst_test test = { + .setup = setup, + .test_all = run, + .cleanup = cleanup, + .needs_root = 1, + .forks_child = 1, +}; -- 2.22.0