xref: /aosp_15_r20/external/ltp/testcases/kernel/syscalls/keyctl/keyctl04.c (revision 49cdfc7efb34551c7342be41a7384b9c40d7cab7)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2017 Google, Inc.
4  * Copyright (c) Linux Test Project, 2017-2024
5  */
6 
7 /*\
8  * [Description]
9  *
10  * Regression test for commit c9f838d104fe ("KEYS: fix
11  * keyctl_set_reqkey_keyring() to not leak thread keyrings"), a.k.a.
12  * CVE-2017-7472.  This bug could be used to exhaust kernel memory, though it
13  * would take a while to do that and it would grind the test suite to a halt.
14  * Instead we do a quick check for whether the existing thread keyring is
15  * replaced when the default request-key destination is set to the thread
16  * keyring.  It shouldn't be, but before the fix it was (and the old thread
17  * keyring was leaked).
18  */
19 
20 #include <errno.h>
21 
22 #include "tst_test.h"
23 #include "lapi/keyctl.h"
24 
/*
 * Check that making the thread keyring the default request-key destination
 * leaves an already existing thread keyring in place.
 *
 * The serial number of the thread keyring is sampled before and after
 * KEYCTL_SET_REQKEY_KEYRING.  A changed serial means the kernel installed a
 * fresh keyring over the old one, which is the leak described by
 * CVE-2017-7472.  Only this symptom is checked; the test does not measure
 * kernel memory use.
 *
 * Any keyctl() failure is reported as TBROK (the test could not run), never
 * as TFAIL, so a setup problem is not mistaken for the vulnerability.
 */
static void do_test(void)
{
	key_serial_t before_id;

	/* Third argument 1: create the thread keyring if it does not exist. */
	TEST(keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_THREAD_KEYRING, 1));
	if (TST_RET < 0) {
		tst_brk(TBROK | TTERRNO, "failed to create thread keyring");
	}
	before_id = TST_RET;

	/* The operation under test: on an unfixed kernel this swapped keyrings. */
	TEST(keyctl(KEYCTL_SET_REQKEY_KEYRING, KEY_REQKEY_DEFL_THREAD_KEYRING));
	if (TST_RET < 0) {
		tst_brk(TBROK | TTERRNO, "failed to set reqkey keyring");
	}

	/* Third argument 0: look up only, so no new keyring is made here. */
	TEST(keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_THREAD_KEYRING, 0));
	if (TST_RET < 0) {
		tst_brk(TBROK | TTERRNO, "failed to get thread keyring ID");
	}

	/* A different serial means the original keyring was replaced. */
	if (TST_RET != before_id) {
		tst_res(TFAIL, "thread keyring was leaked!");
		return;
	}

	tst_res(TPASS, "thread keyring was not leaked");
}
46 
/*
 * LTP test descriptor: one test function, plus tags that tie a result to the
 * CVE and to the kernel commit that fixed it.
 */
static struct tst_test test = {
	.tags = (const struct tst_tag[]) {
		/* kernel commit "KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings" */
		{"linux-git", "c9f838d104fe"},
		{"CVE", "2017-7472"},
		{}	/* empty entry terminates the tag list */
	},
	.test_all = do_test
};