From: Christian Brauner
Date: Tue, 19 Feb 2019 17:15:31 +0000 (+0100)
Subject: cve-2019-5736: add test for rexec
X-Git-Tag: lxc-2.0.10~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bcbc5495407e0f68f22479854db27368944439ca;p=thirdparty%2Flxc.git
cve-2019-5736: add test for rexec
Signed-off-by: Christian Brauner
---
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 6cbf90a5d..f71e347d6 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -29,6 +29,7 @@ lxc_test_config_jump_table_SOURCES = config_jump_table.c lxctest.h
 lxc_test_shortlived_SOURCES = shortlived.c
 lxc_test_state_server_SOURCES = state_server.c lxctest.h
 lxc_test_raw_clone_SOURCES = lxc_raw_clone.c lxctest.h
+lxc_test_cve_2019_5736_SOURCES = cve-2019-5736.c lxctest.h

 AM_CFLAGS=-DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \
 -DLXCPATH=\"$(LXCPATH)\" \
@@ -59,7 +60,7 @@ bin_PROGRAMS = lxc-test-containertests lxc-test-locktests lxc-test-startone \
 lxc-test-reboot lxc-test-list lxc-test-attach lxc-test-device-add-remove \
 lxc-test-apparmor lxc-test-utils lxc-test-parse-config-file \
 lxc-test-config-jump-table lxc-test-shortlived lxc-test-state-server \
- lxc-test-raw-clone
+ lxc-test-raw-clone lxc-test-cve-2019-5736

 bin_SCRIPTS = lxc-test-automount \
 lxc-test-autostart \
@@ -88,6 +89,7 @@ EXTRA_DIST = \
 console.c \
 containertests.c \
 createtest.c \
+ cve-2019-5736.c \
 destroytest.c \
 device_add_remove.c \
 get_item.c \
diff --git a/src/tests/cve-2019-5736.c b/src/tests/cve-2019-5736.c
new file mode 100644
index 000000000..b49f5c641
--- /dev/null
+++ b/src/tests/cve-2019-5736.c
@@ -0,0 +1,192 @@
+/* liblxcapi
+ *
+ * Copyright © 2019 Christian Brauner .
+ * Copyright © 2019 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE 1
+#endif
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "lxctest.h"
+#include "utils.h"
+
+#define MYNAME "shortlived"
+
+static int destroy_container(void)
+{
+ int status, ret;
+ pid_t pid = fork();
+
+ if (pid < 0) {
+ perror("fork");
+ return -1;
+ }
+ if (pid == 0) {
+ execlp("lxc-destroy", "lxc-destroy", "-f", "-n", MYNAME, NULL);
+ exit(EXIT_FAILURE);
+ }
+again:
+ ret = waitpid(pid, &status, 0);
+ if (ret == -1) {
+ if (errno == EINTR)
+ goto again;
+ perror("waitpid");
+ return -1;
+ }
+ if (ret != pid)
+ goto again;
+ if (!WIFEXITED(status)) { // did not exit normally
+ fprintf(stderr, "%d: lxc-create exited abnormally\n", __LINE__);
+ return -1;
+ }
+ return WEXITSTATUS(status);
+}
+
+static int create_container(void)
+{
+ int status, ret;
+ pid_t pid = fork();
+
+ if (pid < 0) {
+ perror("fork");
+ return -1;
+ }
+ if (pid == 0) {
+ execlp("lxc-create", "lxc-create", "-t", "busybox", "-n", MYNAME, NULL);
+ exit(EXIT_FAILURE);
+ }
+again:
+ ret = waitpid(pid, &status, 0);
+ if (ret == -1) {
+ if (errno == EINTR)
+ goto again;
+ perror("waitpid");
+ return -1;
+ }
+ if (ret != pid)
+ goto again;
+ if (!WIFEXITED(status)) { // did not exit normally
+ fprintf(stderr, "%d: lxc-create exited abnormally\n", __LINE__);
+ return -1;
+ }
+ return WEXITSTATUS(status);
+}
+
+int main(int argc, char *argv[])
+{
+ int i;
+ const char *s;
+ bool b;
+ struct lxc_container *c;
+ int ret = EXIT_FAILURE;
+
+ /* test a real container */
+ c = lxc_container_new(MYNAME, NULL);
+ if (!c) {
+ fprintf(stderr, "%d: error creating lxc_container %s\n", __LINE__, MYNAME);
+ goto out;
+ }
+
+ if (c->is_defined(c)) {
+ fprintf(stderr, "%d: %s thought it was defined\n", __LINE__, MYNAME);
+ goto out;
+ }
+
+ if (create_container() < 0) {
+ fprintf(stderr, "%d: failed to create a container\n", __LINE__);
+ goto out;
+ }
+
+ b = c->is_defined(c);
+ if (!b) {
+ fprintf(stderr, "%d: %s thought it was not defined\n", __LINE__, MYNAME);
+ goto out;
+ }
+
+ s = c->state(c);
+ if (!s || strcmp(s, "STOPPED")) {
+ fprintf(stderr, "%d: %s is in state %s, not in STOPPED.\n", __LINE__, c->name, s ? s : "undefined");
+ goto out;
+ }
+
+ b = c->load_config(c, NULL);
+ if (!b) {
+ fprintf(stderr, "%d: %s failed to read its config\n", __LINE__, c->name);
+ goto out;
+ }
+
+ if (!c->set_config_item(c, "lxc.init_cmd", "echo hello")) {
+ fprintf(stderr, "%d: failed setting lxc.init_cmd\n", __LINE__);
+ goto out;
+ }
+
+ c->want_daemonize(c, true);
+
+ if (setenv("LXC_MEMFD_REXEC", "1", 1)) {
+ fprintf(stderr, "%d: failed to set LXC_MEMFD_REXEC evironment variable\n", __LINE__);
+ goto out;
+ }
+
+ /* Test whether we can start a really short-lived daemonized container. */
+ for (i = 0; i < 10; i++) {
+ if (!c->startl(c, 0, NULL)) {
+ fprintf(stderr, "%d: %s failed to start on %dth iteration\n", __LINE__, c->name, i);
+ goto out;
+ }
+
+ if (!c->wait(c, "STOPPED", 30)) {
+ fprintf(stderr, "%d: %s failed to wait on %dth iteration\n", __LINE__, c->name, i);
+ goto out;
+ }
+ }
+
+ /* Test whether we can start a really short-lived daemonized container with lxc-init. */
+ for (i = 0; i < 10; i++) {
+ if (!c->startl(c, 1, NULL)) {
+ fprintf(stderr, "%d: %s failed to start on %dth iteration\n", __LINE__, c->name, i);
+ goto out;
+ }
+
+ if (!c->wait(c, "STOPPED", 30)) {
+ fprintf(stderr, "%d: %s failed to wait on %dth iteration\n", __LINE__, c->name, i);
+ goto out;
+ }
+ }
+
+ c->stop(c);
+
+ fprintf(stderr, "all lxc_container tests passed for %s\n", c->name);
+ ret = EXIT_SUCCESS;
+
+out:
+ if (c) {
+ c->stop(c);
+ destroy_container();
+ }
+ lxc_container_put(c);
+ exit(ret);
+}
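Review bot: `#define MYNAME "shortlived"` gives this test the same container name the existing lxc-test-shortlived presumably uses, so `lxc-destroy -f -n shortlived` in destroy_container() and the initial `c->is_defined(c)` check will clash with that test, or with any user container of that name, when both run against the same LXCPATH; use a name unique to this file, e.g. `#define MYNAME "cve-2019-5736"`. destroy_container() also keeps create_container()'s message and reports `lxc-create exited abnormally` when lxc-destroy dies; it should read `fprintf(stderr, "%d: lxc-destroy exited abnormally\n", __LINE__);` (and the setenv error text misspells "environment"). Beyond that, the two loops only show that a container still starts and stops with `LXC_MEMFD_REXEC=1` set; if that variable forces the memfd re-exec the CVE fix relies on, the test would also need to assert the effect — for instance that the monitor's /proc/<pid>/exe no longer resolves to the on-disk lxc binary — before it counts as a test of the mitigation rather than only of the absence of regressions. Finally, `c->stop(c)` runs twice on the success path (before the pass message and again under `out:`), which is harmless but redundant.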