xref: /aosp_15_r20/external/ltp/testcases/kernel/syscalls/keyctl/keyctl02.c (revision 49cdfc7efb34551c7342be41a7384b9c40d7cab7) 
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2017 Fujitsu Ltd.
4  * Copyright (c) Linux Test Project, 2017-2024
5  * Ported: Guangwen Feng <[email protected]>
6  */
7 
8 /*\
9  * [Description]
10  *
11  * Regression test for the race between keyctl_read() and
12  * keyctl_revoke(), if the revoke happens between keyctl_read()
13  * checking the validity of a key and the key's semaphore being taken,
14  * then the key type read method will see a revoked key.
15  *
16  * This causes a problem for the user-defined key type because it
17  * assumes in its read method that there will always be a payload
18  * in a non-revoked key and doesn't check for a NULL pointer.
19  *
20  * Bug was fixed in commit
21  * b4a1b4f5047e ("KEYS: Fix race between read and revoke")
22  */
23 
24 #include <errno.h>
25 #include <pthread.h>
26 #include <sys/types.h>
27 
28 #include "tst_safe_pthread.h"
29 #include "tst_test.h"
30 #include "tst_kconfig.h"
31 #include "lapi/keyctl.h"
32 
33 #define LOOPS	20000
34 #define MAX_WAIT_FOR_GC_MS 5000
35 #define PATH_KEY_COUNT_QUOTA	"/proc/sys/kernel/keys/root_maxkeys"
36 
37 static int orig_maxkeys;
38 static int realtime_kernel;
39 
do_read(void * arg)40 static void *do_read(void *arg)
41 {
42 	key_serial_t key = (unsigned long)arg;
43 	char buffer[4] = { 0 };
44 
45 	keyctl(KEYCTL_READ, key, buffer, 4);
46 
47 	return NULL;
48 }
49 
do_revoke(void * arg)50 static void *do_revoke(void *arg)
51 {
52 	key_serial_t key = (unsigned long)arg;
53 
54 	keyctl(KEYCTL_REVOKE, key);
55 
56 	return NULL;
57 }
58 
do_test(void)59 static void do_test(void)
60 {
61 	int i, ret;
62 	key_serial_t key, key_inv;
63 	pthread_t pth[4];
64 
65 	for (i = 0; i < LOOPS; i++) {
66 		key = add_key("user", "ltptestkey", "foo", 3,
67 			KEY_SPEC_PROCESS_KEYRING);
68 		if (key == -1)
69 			tst_brk(TBROK | TERRNO, "Failed to add key");
70 
71 		SAFE_PTHREAD_CREATE(&pth[0], NULL, do_read,
72 			(void *)(unsigned long)key);
73 		SAFE_PTHREAD_CREATE(&pth[1], NULL, do_revoke,
74 			(void *)(unsigned long)key);
75 		SAFE_PTHREAD_CREATE(&pth[2], NULL, do_read,
76 			(void *)(unsigned long)key);
77 		SAFE_PTHREAD_CREATE(&pth[3], NULL, do_revoke,
78 			(void *)(unsigned long)key);
79 
80 		SAFE_PTHREAD_JOIN(pth[0], NULL);
81 		SAFE_PTHREAD_JOIN(pth[1], NULL);
82 		SAFE_PTHREAD_JOIN(pth[2], NULL);
83 		SAFE_PTHREAD_JOIN(pth[3], NULL);
84 
85 		if (!tst_remaining_runtime()) {
86 			tst_res(TINFO, "Runtime exhausted, exiting after %d loops", i);
87 			break;
88 		}
89 
90 		/*
91 		 * Realtime kernel has deferred post-join thread cleanup which
92 		 * may result in exhaustion of cgroup thread limit. Add delay
93 		 * to limit the maximum number of stale threads to 4000
94 		 * even with CONFIG_HZ=100.
95 		 */
96 		if (realtime_kernel)
97 			usleep(100);
98 	}
99 
100 	/*
101 	 * Kernel should start garbage collect when last reference to key
102 	 * is removed (see key_put()). Since we are adding keys with identical
103 	 * description and type, each replacement should schedule a gc run,
104 	 * see comment at __key_link().
105 	 *
106 	 * We create extra key here, to remove reference to last revoked key.
107 	 */
108 	key_inv = add_key("user", "ltptestkey", "foo", 3,
109 		KEY_SPEC_PROCESS_KEYRING);
110 	if (key_inv == -1)
111 		tst_brk(TBROK | TERRNO, "Failed to add key");
112 
113 	/*
114 	 * If we have invalidate, we can drop extra key immediately as well,
115 	 * which also schedules gc.
116 	 */
117 	if (keyctl(KEYCTL_INVALIDATE, key_inv) == -1 && errno != EOPNOTSUPP)
118 		tst_brk(TBROK | TERRNO, "Failed to invalidate key");
119 
120 	/*
121 	 * At this point we are quite confident that gc has been scheduled,
122 	 * so we wait and periodically check for last test key to be removed.
123 	 */
124 	for (i = 0; i < MAX_WAIT_FOR_GC_MS; i += 100) {
125 		ret = keyctl(KEYCTL_REVOKE, key);
126 		if (ret == -1 && errno == ENOKEY)
127 			break;
128 		usleep(100*1000);
129 	}
130 
131 	if (i)
132 		tst_res(TINFO, "waiting for key gc took: %d ms", i);
133 	tst_res(TPASS, "Bug not reproduced");
134 }
135 
setup(void)136 static void setup(void)
137 {
138 	unsigned int i;
139 	struct tst_kconfig_var rt_kconfigs[] = {
140 		TST_KCONFIG_INIT("CONFIG_PREEMPT_RT"),
141 		TST_KCONFIG_INIT("CONFIG_PREEMPT_RT_FULL")
142 	};
143 
144 	SAFE_FILE_SCANF(PATH_KEY_COUNT_QUOTA, "%d", &orig_maxkeys);
145 	SAFE_FILE_PRINTF(PATH_KEY_COUNT_QUOTA, "%d", orig_maxkeys + LOOPS + 1);
146 
147 	tst_kconfig_read(rt_kconfigs, ARRAY_SIZE(rt_kconfigs));
148 
149 	for (i = 0; i < ARRAY_SIZE(rt_kconfigs); i++)
150 		realtime_kernel |= rt_kconfigs[i].choice == 'y';
151 }
152 
cleanup(void)153 static void cleanup(void)
154 {
155 	if (orig_maxkeys > 0)
156 		SAFE_FILE_PRINTF(PATH_KEY_COUNT_QUOTA, "%d", orig_maxkeys);
157 }
158 
159 static struct tst_test test = {
160 	.needs_root = 1,
161 	.setup = setup,
162 	.cleanup = cleanup,
163 	.max_runtime = 60,
164 	.test_all = do_test,
165 	.tags = (const struct tst_tag[]) {
166 		{"linux-git", "b4a1b4f5047e"},
167 		{"CVE", "2015-7550"},
168 		{}
169 	}
170 };
171