Message ID | 20240821-landlock_houdini-v3-2-15fc43055d02@suse.com |
---|---|
State | Superseded |
Series | Reproducer for the landlock houdini bug | expand |
Hi! > More information at: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42318 > > Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com> > --- > runtest/syscalls | 1 + > testcases/kernel/syscalls/landlock/.gitignore | 1 + > testcases/kernel/syscalls/landlock/landlock07.c | 109 ++++++++++++++++++++++++ > 3 files changed, 111 insertions(+) > > diff --git a/runtest/syscalls b/runtest/syscalls > index fea0c9828..a9fc8c432 100644 > --- a/runtest/syscalls > +++ b/runtest/syscalls > @@ -706,6 +706,7 @@ landlock03 landlock03 > landlock04 landlock04 > landlock05 landlock05 > landlock06 landlock06 > +landlock07 landlock07 > > lchown01 lchown01 > lchown01_16 lchown01_16 > diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore > index 315ac1dca..db11bff2f 100644 > --- a/testcases/kernel/syscalls/landlock/.gitignore > +++ b/testcases/kernel/syscalls/landlock/.gitignore > @@ -5,3 +5,4 @@ landlock03 > landlock04 > landlock05 > landlock06 > +landlock07 > diff --git a/testcases/kernel/syscalls/landlock/landlock07.c b/testcases/kernel/syscalls/landlock/landlock07.c > new file mode 100644 > index 000000000..68045da3b > --- /dev/null > +++ b/testcases/kernel/syscalls/landlock/landlock07.c > @@ -0,0 +1,109 @@ > +// SPDX-License-Identifier: GPL-2.0-or-later > +/* > + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com> > + */ > + > +/** > + * [Description] > + * > + * CVE-2024-42318 > + * > + * Test to check if sysem is affected by Landlock Houdini bug: ^ t Otherwise: Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
Hi! I fix the typo and push the patch to upstream. Thanks, Andrea On 8/21/24 17:05, Cyril Hrubis wrote: > Hi! >> More information at: >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42318 >> >> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com> >> --- >> runtest/syscalls | 1 + >> testcases/kernel/syscalls/landlock/.gitignore | 1 + >> testcases/kernel/syscalls/landlock/landlock07.c | 109 ++++++++++++++++++++++++ >> 3 files changed, 111 insertions(+) >> >> diff --git a/runtest/syscalls b/runtest/syscalls >> index fea0c9828..a9fc8c432 100644 >> --- a/runtest/syscalls >> +++ b/runtest/syscalls >> @@ -706,6 +706,7 @@ landlock03 landlock03 >> landlock04 landlock04 >> landlock05 landlock05 >> landlock06 landlock06 >> +landlock07 landlock07 >> >> lchown01 lchown01 >> lchown01_16 lchown01_16 >> diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore >> index 315ac1dca..db11bff2f 100644 >> --- a/testcases/kernel/syscalls/landlock/.gitignore >> +++ b/testcases/kernel/syscalls/landlock/.gitignore >> @@ -5,3 +5,4 @@ landlock03 >> landlock04 >> landlock05 >> landlock06 >> +landlock07 >> diff --git a/testcases/kernel/syscalls/landlock/landlock07.c b/testcases/kernel/syscalls/landlock/landlock07.c >> new file mode 100644 >> index 000000000..68045da3b >> --- /dev/null >> +++ b/testcases/kernel/syscalls/landlock/landlock07.c >> @@ -0,0 +1,109 @@ >> +// SPDX-License-Identifier: GPL-2.0-or-later >> +/* >> + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com> >> + */ >> + >> +/** >> + * [Description] >> + * >> + * CVE-2024-42318 >> + * >> + * Test to check if sysem is affected by Landlock Houdini bug: > ^ > t > > > Otherwise: > > Reviewed-by: Cyril Hrubis <chrubis@suse.cz> >
diff --git a/runtest/syscalls b/runtest/syscalls
index fea0c9828..a9fc8c432 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -706,6 +706,7 @@ landlock03 landlock03
 landlock04 landlock04
 landlock05 landlock05
 landlock06 landlock06
+landlock07 landlock07
 
 lchown01 lchown01
 lchown01_16 lchown01_16
diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore
index 315ac1dca..db11bff2f 100644
--- a/testcases/kernel/syscalls/landlock/.gitignore
+++ b/testcases/kernel/syscalls/landlock/.gitignore
@@ -5,3 +5,4 @@ landlock03
 landlock04
 landlock05
 landlock06
+landlock07
diff --git a/testcases/kernel/syscalls/landlock/landlock07.c b/testcases/kernel/syscalls/landlock/landlock07.c
new file mode 100644
index 000000000..68045da3b
--- /dev/null
+++ b/testcases/kernel/syscalls/landlock/landlock07.c
@@ -0,0 +1,109 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/**
+ * [Description]
+ *
+ * CVE-2024-42318
+ *
+ * Test to check if sysem is affected by Landlock Houdini bug:
+ * https://www.suse.com/security/cve/CVE-2024-42318.html
+ *
+ * Kernel bug fixed in:
+ *
+ * commit 39705a6c29f8a2b93cf5b99528a55366c50014d1
+ * Author: Jann Horn <jannh@google.com>
+ * Date: Wed Jul 24 14:49:01 2024 +0200
+ *
+ * landlock: Don't lose track of restrictions on cred_transfer
+ */
+
+#include "tst_test.h"
+#include "lapi/prctl.h"
+#include "lapi/keyctl.h"
+#include "tst_test_macros.h"
+#include "landlock_common.h"
+
+static struct landlock_ruleset_attr *ruleset_attr;
+static int ruleset_fd;
+
+static pid_t spawn_houdini(void)
+{
+ pid_t pid;
+
+ SAFE_KEYCTL(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
+
+ pid = SAFE_FORK();
+ if (!pid) {
+ SAFE_KEYCTL(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
+ SAFE_KEYCTL(KEYCTL_SESSION_TO_PARENT, 0, 0, 0, 0);
+ exit(0);
+ }
+
+ return pid;
+}
+
+static void run(void)
+{
+ pid_t pid_houdini;
+
+ if (SAFE_FORK())
+ return;
+
+ SAFE_PRCTL(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+ SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0);
+
+ TST_EXP_FAIL(open("/dev/null", O_WRONLY), EACCES);
+ if (TST_RET != -1) {
+ SAFE_CLOSE(TST_RET);
+ return;
+ }
+
+ pid_houdini = spawn_houdini();
+ SAFE_WAITPID(pid_houdini, NULL, 0);
+
+ TST_EXP_FAIL(open("/dev/null", O_WRONLY), EACCES);
+ if (TST_RET != -1)
+ SAFE_CLOSE(TST_RET);
+
+ exit(0);
+}
+
+static void setup(void)
+{
+ verify_landlock_is_enabled();
+
+ ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE;
+ ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET(
+ ruleset_attr,
+ sizeof(struct landlock_ruleset_attr),
+ 0);
+}
+
+static void cleanup(void)
+{
+ if (ruleset_fd != -1)
+ SAFE_CLOSE(ruleset_fd);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .forks_child = 1,
+ .bufs = (struct tst_buffers []) {
+ {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)},
+ {},
+ },
+ .caps = (struct tst_cap []) {
+ TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+ {}
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "39705a6c29f8"},
+ {"CVE", "2024-42318"},
+ {}
+ }
+};
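Review bot: `cleanup()` guards with `if (ruleset_fd != -1)`, but the file-scope `static int ruleset_fd;` is zero-initialised, so when `verify_landlock_is_enabled()` or `SAFE_LANDLOCK_CREATE_RULESET()` ends the test before the fd is assigned, cleanup runs `SAFE_CLOSE(0)` and silently closes stdin instead of skipping. Initialise it as `static int ruleset_fd = -1;` so the guard matches the sentinel it tests. Separately, the second `TST_EXP_FAIL(open("/dev/null", O_WRONLY), EACCES);` in `run()` is the actual CVE check and deserves a why-comment such as `/* KEYCTL_SESSION_TO_PARENT replaced our creds; the Landlock domain must survive the transfer (CVE-2024-42318) */`, since nothing in the file says why the open is repeated after the child exits. That the new credentials are already installed when `SAFE_WAITPID()` returns follows from keyctl's task-work semantics rather than from anything visible here, so it is worth confirming against the kernel's cred_transfer path before relying on it.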