1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2017 Richard Palethorpe <[email protected]>
4 * Copyright (c) 2016 Jan Horn <[email protected]>
5 */
6 /*
7 * Test for CVE-2016-10044, which was fixed in commit
8 * 22f6b4d34fcf039c aio: mark AIO pseudo-fs noexec.
9 *
10 * The test checks that we can not implicitly mark AIO mappings as
11 * executable using the READ_IMPLIES_EXEC personality.
12 */
13
14 #include <stdio.h>
15 #include <stdint.h>
16 #include <string.h>
17 #include "lapi/personality.h"
18 #include "tst_test.h"
19 #include "tst_safe_stdio.h"
20 #include "lapi/syscalls.h"
21
22 static FILE * f;
23
cleanup(void)24 static void cleanup(void)
25 {
26 if (f)
27 SAFE_FCLOSE(f);
28 }
29
run(void)30 static void run(void)
31 {
32 void *ctx = 0;
33 char perms[8], line[BUFSIZ];
34
35 SAFE_PERSONALITY(READ_IMPLIES_EXEC);
36 if (tst_syscall(__NR_io_setup, 1, &ctx))
37 tst_brk(TBROK | TERRNO, "Failed to create AIO context");
38
39 f = SAFE_FOPEN("/proc/self/maps", "r");
40 while (fgets(line, BUFSIZ, f) != NULL) {
41 if (strstr(line, "[aio]") != NULL)
42 goto found_mapping;
43 }
44 tst_brk(TCONF, "Could not find mapping in /proc/self/maps");
45
46 found_mapping:
47 if (sscanf(line, "%*x-%*x %s", perms) != 1)
48 tst_brk(TBROK, "failed to find permission string in %s", line);
49 if (strchr(perms, (int)'x'))
50 tst_res(TFAIL, "AIO mapping is executable: %s!", perms);
51 else
52 tst_res(TPASS, "AIO mapping is not executable: %s", perms);
53
54 if (tst_syscall(__NR_io_destroy, ctx))
55 tst_brk(TBROK | TERRNO, "Failed to destroy AIO context");
56
57 SAFE_FCLOSE(f);
58 f = NULL;
59 }
60
61 static struct tst_test test = {
62 .test_all = run,
63 .cleanup = cleanup,
64 .tags = (const struct tst_tag[]) {
65 {"linux-git", "22f6b4d34fcf"},
66 {"CVE", "2016-10044"},
67 {}
68 }
69 };
70