[lxc-devel] [lxc/master] cve-2019-5736: add test

brauner on Github lxc-bot at linuxcontainers.org
Tue Feb 19 17:19:57 UTC 2019


From 56d78dddf3f53bdbe54a44db37f617608f2b681f Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Tue, 19 Feb 2019 18:19:18 +0100
Subject: [PATCH] cve-2019-5736: add test

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/tests/Makefile.am     |   3 +
 src/tests/cve-2019-5736.c | 192 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 195 insertions(+)
 create mode 100644 src/tests/cve-2019-5736.c

diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 842708c44..d3683cc09 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -15,6 +15,7 @@ lxc_test_console_log_SOURCES = console_log.c lxctest.h
 lxc_test_containertests_SOURCES = containertests.c
 lxc_test_createtest_SOURCES = createtest.c
 lxc_test_criu_check_feature_SOURCES = criu_check_feature.c lxctest.h
+lxc_test_cve_2019_5763_SOURCES =  cve-2019-5763.c lxctest.h
 lxc_test_destroytest_SOURCES = destroytest.c
 lxc_test_device_add_remove_SOURCES = device_add_remove.c
 lxc_test_getkeys_SOURCES = getkeys.c
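Review bot: The new Makefile.am entry references `cve-2019-5763.c` and the target `lxc_test_cve_2019_5763`, and the two hunks below (the `bin_PROGRAMS` and `EXTRA_DIST` lists) repeat the same name, but the file this patch creates is `src/tests/cve-2019-5736.c`; the digits are transposed, so automake will look for a source that does not exist and the build breaks. The lines should read `lxc_test_cve_2019_5736_SOURCES = cve-2019-5736.c lxctest.h`, `lxc-test-cve-2019-5736 \`, and `cve-2019-5736.c \`, matching the CVE number in the commit subject. The double space after `=` in the `_SOURCES` line is harmless but differs from the neighbouring entries.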
@@ -73,6 +74,7 @@ bin_PROGRAMS = lxc-test-api-reboot \
 	       lxc-test-containertests \
 	       lxc-test-createtest \
 	       lxc-test-criu-check-feature \
+	       lxc-test-cve-2019-5763 \
 	       lxc-test-destroytest \
 	       lxc-test-device-add-remove \
 	       lxc-test-getkeys \
@@ -127,6 +129,7 @@ EXTRA_DIST = basic.c \
 	     containertests.c \
 	     createtest.c \
 	     criu_check_feature.c \
+	     cve-2019-5763.c \
 	     destroytest.c \
 	     device_add_remove.c \
 	     get_item.c \
diff --git a/src/tests/cve-2019-5736.c b/src/tests/cve-2019-5736.c
new file mode 100644
index 000000000..b49f5c641
--- /dev/null
+++ b/src/tests/cve-2019-5736.c
@@ -0,0 +1,192 @@
+/* liblxcapi
+ *
+ * Copyright © 2019 Christian Brauner <christian.brauner at ubuntu.com>.
+ * Copyright © 2019 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE 1
+#endif
+#include <errno.h>
+#include <fcntl.h>
+#include <lxc/lxccontainer.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#include "lxctest.h"
+#include "utils.h"
+
+#define MYNAME "shortlived"
+
+static int destroy_container(void)
+{
+	int status, ret;
+	pid_t pid = fork();
+
+	if (pid < 0) {
+		perror("fork");
+		return -1;
+	}
+	if (pid == 0) {
+		execlp("lxc-destroy", "lxc-destroy", "-f", "-n", MYNAME, NULL);
+		exit(EXIT_FAILURE);
+	}
+again:
+	ret = waitpid(pid, &status, 0);
+	if (ret == -1) {
+		if (errno == EINTR)
+			goto again;
+		perror("waitpid");
+		return -1;
+	}
+	if (ret != pid)
+		goto again;
+	if (!WIFEXITED(status))  { // did not exit normally
+		fprintf(stderr, "%d: lxc-create exited abnormally\n", __LINE__);
+		return -1;
+	}
+	return WEXITSTATUS(status);
+}
+
+static int create_container(void)
+{
+	int status, ret;
+	pid_t pid = fork();
+
+	if (pid < 0) {
+		perror("fork");
+		return -1;
+	}
+	if (pid == 0) {
+		execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL);
+		exit(EXIT_FAILURE);
+	}
+again:
+	ret = waitpid(pid, &status, 0);
+	if (ret == -1) {
+		if (errno == EINTR)
+			goto again;
+		perror("waitpid");
+		return -1;
+	}
+	if (ret != pid)
+		goto again;
+	if (!WIFEXITED(status))  { // did not exit normally
+		fprintf(stderr, "%d: lxc-create exited abnormally\n", __LINE__);
+		return -1;
+	}
+	return WEXITSTATUS(status);
+}
+
+int main(int argc, char *argv[])
+{
+	int i;
+	const char *s;
+	bool b;
+	struct lxc_container *c;
+	int ret = EXIT_FAILURE;
+
+	/* test a real container */
+	c = lxc_container_new(MYNAME, NULL);
+	if (!c) {
+		fprintf(stderr, "%d: error creating lxc_container %s\n", __LINE__, MYNAME);
+		goto out;
+	}
+
+	if (c->is_defined(c)) {
+		fprintf(stderr, "%d: %s thought it was defined\n", __LINE__, MYNAME);
+		goto out;
+	}
+
+	if (create_container() < 0) {
+		fprintf(stderr, "%d: failed to create a container\n", __LINE__);
+		goto out;
+	}
+
+	b = c->is_defined(c);
+	if (!b) {
+		fprintf(stderr, "%d: %s thought it was not defined\n", __LINE__, MYNAME);
+		goto out;
+	}
+
+	s = c->state(c);
+	if (!s || strcmp(s, "STOPPED")) {
+		fprintf(stderr, "%d: %s is in state %s, not in STOPPED.\n", __LINE__, c->name, s ? s : "undefined");
+		goto out;
+	}
+
+	b = c->load_config(c, NULL);
+	if (!b) {
+		fprintf(stderr, "%d: %s failed to read its config\n", __LINE__, c->name);
+		goto out;
+	}
+
+	if (!c->set_config_item(c, "lxc.init_cmd", "echo hello")) {
+		fprintf(stderr, "%d: failed setting lxc.init_cmd\n", __LINE__);
+		goto out;
+	}
+
+	c->want_daemonize(c, true);
+
+	if (setenv("LXC_MEMFD_REXEC", "1", 1)) {
+		fprintf(stderr, "%d: failed to set LXC_MEMFD_REXEC evironment variable\n", __LINE__);
+		goto out;
+	}
+
+	/* Test whether we can start a really short-lived daemonized container. */
+	for (i = 0; i < 10; i++) {
+		if (!c->startl(c, 0, NULL)) {
+			fprintf(stderr, "%d: %s failed to start on %dth iteration\n", __LINE__, c->name, i);
+			goto out;
+		}
+
+		if (!c->wait(c, "STOPPED", 30)) {
+			fprintf(stderr, "%d: %s failed to wait on %dth iteration\n", __LINE__, c->name, i);
+			goto out;
+		}
+	}
+
+	/* Test whether we can start a really short-lived daemonized container with lxc-init. */
+	for (i = 0; i < 10; i++) {
+		if (!c->startl(c, 1, NULL)) {
+			fprintf(stderr, "%d: %s failed to start on %dth iteration\n", __LINE__, c->name, i);
+			goto out;
+		}
+
+		if (!c->wait(c, "STOPPED", 30)) {
+			fprintf(stderr, "%d: %s failed to wait on %dth iteration\n", __LINE__, c->name, i);
+			goto out;
+		}
+	}
+
+	c->stop(c);
+
+	fprintf(stderr, "all lxc_container tests passed for %s\n", c->name);
+	ret = EXIT_SUCCESS;
+
+out:
+	if (c) {
+		c->stop(c);
+		destroy_container();
+	}
+	lxc_container_put(c);
+	exit(ret);
+}
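Review bot: The `out:` cleanup in main runs `destroy_container()` unconditionally, including on the `c->is_defined(c)` branch near the top where the test bails out precisely because a container named `shortlived` already existed, so `lxc-destroy -f` removes a container the test did not create. Track whether create_container() succeeded, e.g. `bool created = false;` set to `true` after the create check, and change the cleanup to `if (created) destroy_container();`; its return value is also discarded and could at least be logged. Separately, destroy_container()'s abnormal-exit message says `lxc-create exited abnormally` where it should say `lxc-destroy exited abnormally`, and the setenv failure message spells `environment` as `evironment`. `bool` is used in main without a `<stdbool.h>` include; it presumably arrives via lxccontainer.h, but including it directly would keep the file self-contained.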

