aboutsummaryrefslogtreecommitdiff
blob: cb6033e15f4b58449955e126552a526c1636a9a1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
/* Test for (lack of) command execution in wordexp.
   Copyright (C) 1997-2019 Free Software Foundation, Inc.
   This file is part of the GNU C Library.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <https://www.gnu.org/licenses/>.  */

/* This test optionally counts PIDs in a PID namespace to detect
   forks.  Without kernel support for that, it will merely look at the
   error codes from wordexp to check that no command execution
   happens.  */

#include <sched.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <support/check.h>
#include <support/namespace.h>
#include <support/xunistd.h>
#include <wordexp.h>

/* Set to true if the test runs in a PID namespace and can therefore
   use next_pid below.  */
static bool pid_tests_supported;

/* The next PID, as returned from next_pid below.  Only meaningful if
   pid_tests_supported.  */
static pid_t expected_pid;

/* Allocate the next PID and return it.  The process is terminated.
   Note that the test itself advances the next PID.  */
static pid_t
next_pid (void)
{
  pid_t pid = xfork ();
  if (pid == 0)
    _exit (0);
  xwaitpid (pid, NULL, 0);
  return pid;
}

/* Check that evaluating PATTERN with WRDE_NOCMD results in
   EXPECTED_ERROR.  */
static void
expect_failure (const char *pattern, int expected_error)
{
  printf ("info: testing pattern: %s\n", pattern);
  wordexp_t w;
  TEST_COMPARE (wordexp (pattern, &w, WRDE_NOCMD), expected_error);
  if (pid_tests_supported)
    TEST_COMPARE (expected_pid++, next_pid ());
}

/* Run all the tests.  Invoked with different IFS values.  */
static void
run_tests (void)
{
  /* Integer overflow in division.  */
  {
    static const char *const numbers[] = {
      "0",
      "1",
      "65536",
      "2147483648",
      "4294967296"
      "9223372036854775808",
      "18446744073709551616",
      "170141183460469231731687303715884105728",
      "340282366920938463463374607431768211456",
      NULL
    };

    for (const char *const *num = numbers; *num != NULL; ++num)
      {
        wordexp_t w;
        char pattern[256];
        snprintf (pattern, sizeof (pattern), "$[(-%s)/(-1)]", *num);
        int ret = wordexp (pattern, &w, WRDE_NOCMD);
        if (ret == 0)
          {
            /* If the call is successful, the result must match the
               original number.  */
            TEST_COMPARE (w.we_wordc, 1);
            TEST_COMPARE_STRING (w.we_wordv[0], *num);
            TEST_COMPARE_STRING (w.we_wordv[1], NULL);
            wordfree (&w);
          }
        else
          /* Otherwise, the test must fail with a syntax error.  */
          TEST_COMPARE (ret, WRDE_SYNTAX);

        /* In both cases, command execution is not permitted.  */
        if (pid_tests_supported)
          TEST_COMPARE (expected_pid++, next_pid ());
      }
  }

  /* (Lack of) command execution tests.  */

  expect_failure ("$(ls)", WRDE_CMDSUB);

  /* Test for CVE-2014-7817. We test 3 combinations of command
     substitution inside an arithmetic expression to make sure that
     no commands are executed and error is returned.  */
  expect_failure ("$((`echo 1`))", WRDE_CMDSUB);
  expect_failure ("$((1+`echo 1`))", WRDE_CMDSUB);
  expect_failure ("$((1+$((`echo 1`))))", WRDE_CMDSUB);

  expect_failure ("$[1/0]", WRDE_SYNTAX); /* BZ 18100.  */
}

static void
subprocess (void *closure)
{
  expected_pid = 2;
  if (pid_tests_supported)
    TEST_COMPARE (expected_pid++, next_pid ());

  /* Check that triggering command execution via wordexp results in a
     PID increase.  */
  if (pid_tests_supported)
    {
      wordexp_t w;
      TEST_COMPARE (wordexp ("$(echo Test)", &w, 0), 0);
      TEST_COMPARE (w.we_wordc, 1);
      TEST_COMPARE_STRING (w.we_wordv[0], "Test");
      TEST_COMPARE_STRING (w.we_wordv[1], NULL);
      wordfree (&w);

      pid_t n = next_pid ();
      printf ("info: self-test resulted in PID %d (processes created: %d)\n",
              (int) n, (int) (n - expected_pid));
      TEST_VERIFY (n > expected_pid);
      expected_pid = n + 1;
  }

  puts ("info: testing without IFS");
  unsetenv ("IFS");
  run_tests ();

  puts ("info: testing with IFS");
  TEST_COMPARE (setenv ("IFS", " \t\n", 1), 0);
  run_tests ();
}

static int
do_test (void)
{
  support_become_root ();

#ifdef CLONE_NEWPID
  if (unshare (CLONE_NEWPID) != 0)
    printf ("warning: unshare (CLONE_NEWPID) failed: %m\n"
            "warning: This leads to reduced test coverage.\n");
  else
    pid_tests_supported = true;
#else
  printf ("warning: CLONE_NEWPID not available.\n"
          "warning: This leads to reduced test coverage.\n");
#endif

  /* CLONE_NEWPID only has an effect after fork.  */
  support_isolate_in_subprocess (subprocess, NULL);

  return 0;
}

#include <support/test-driver.c>