summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNaresh Kamboju <naresh.kamboju@linaro.org>2018-06-12 13:04:14 +0530
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-06-15 17:56:24 +0100
commit951fa62bab7f65828916e6d7682fbe5f13b03ea6 (patch)
tree34b853790390d9e5d12e36ee9d78cba851a7511b
parent5b0a32a5a778ebcd01adb8d925f8443b213436dc (diff)
downloadpoky-951fa62bab7f65828916e6d7682fbe5f13b03ea6.tar.gz
ltp: fix CVE-2017-5669 test case
Adding CVE-2017-5669 test fix patch which is accepted upstream in LTP repo. Ref: cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to fail with REMAPs https://github.com/linux-test-project/ltp/pull/324 Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324] (From OE-Core rev: e356cb7e7bfb407c2f3a1bd0f28b5f14beaff882) Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch97
-rw-r--r--meta/recipes-extended/ltp/ltp_20180515.bb1
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
new file mode 100644
index 0000000000..0d2d2cbce4
--- /dev/null
+++ b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
@@ -0,0 +1,97 @@
1From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001
2From: Rafael David Tinoco <rafael.tinoco@canonical.com>
3Date: Wed, 30 May 2018 09:14:34 -0300
4Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has
5 to fail with REMAPs
6
7Fixes: https://github.com/linux-test-project/ltp/issues/319
8
9According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
10cve-2017-5669 needs to address the "new" way of handling nil addresses
11for shmat() when used with MAP_FIXED or SHM_REMAP flags.
12
13- mapping nil-page is OK on lower addresses with MAP_FIXED (or else X11 is broken)
14- mapping nil-page is NOT OK with SHM_REMAP on lower addresses
15
16Addresses Davidlohr Bueso's comments/changes:
17
18commit 8f89c007b6de
19Author: Davidlohr Bueso <dave@stgolabs.net>
20Date: Fri May 25 14:47:30 2018 -0700
21
22 ipc/shm: fix shmat() nil address after round-down when remapping
23
24commit a73ab244f0da
25Author: Davidlohr Bueso <dave@stgolabs.net>
26Date: Fri May 25 14:47:27 2018 -0700
27
28 Revert "ipc/shm: Fix shmat mmap nil-page protection"
29
30For previously test, and now broken, made based on:
31
32commit 95e91b831f87
33Author: Davidlohr Bueso <dave@stgolabs.net>
34Date: Mon Feb 27 14:28:24 2017 -0800
35
36 ipc/shm: Fix shmat mmap nil-page protection
37
38Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
39Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
40Reviewed-by: Jan Stancek <jstancek@redhat.com>
41
42Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324]
43CVE: CVE-2017-5669
44Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
45---
46 testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++-
47 1 file changed, 19 insertions(+), 1 deletion(-)
48
49diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c
50index 1ca5983..0834626 100644
51--- a/testcases/cve/cve-2017-5669.c
52+++ b/testcases/cve/cve-2017-5669.c
53@@ -28,7 +28,20 @@
54 * is just to see if we get an access error or some other unexpected behaviour.
55 *
56 * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection)
57+ *
58+ * The commit above disallowed SHM_RND maps to zero (and rounded) entirely and
59+ * that broke userland for cases like Xorg. New behavior disallows REMAPs to
60+ * lower addresses (0<=PAGESIZE).
61+ *
62+ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...)
63+ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...)
64+ * See https://github.com/linux-test-project/ltp/issues/319
65+ *
66+ * This test needs root permissions or else security_mmap_addr(), from
67+ * get_unmapped_area(), will cause permission errors when trying to mmap lower
68+ * addresses.
69 */
70+
71 #include <sys/types.h>
72 #include <sys/ipc.h>
73 #include <sys/shm.h>
74@@ -60,7 +73,11 @@ static void cleanup(void)
75 static void run(void)
76 {
77 tst_res(TINFO, "Attempting to attach shared memory to null page");
78- shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
79+ /*
80+ * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs
81+ * https://github.com/linux-test-project/ltp/issues/319
82+ */
83+ shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
84 if (shm_addr == (void *)-1) {
85 shm_addr = NULL;
86 if (errno == EINVAL) {
87@@ -89,6 +106,7 @@ static void run(void)
88 }
89
90 static struct tst_test test = {
91+ .needs_root = 1,
92 .setup = setup,
93 .cleanup = cleanup,
94 .test_all = run,
95--
962.7.4
97
diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb b/meta/recipes-extended/ltp/ltp_20180515.bb
index 21ff49830a..8f64d7b64a 100644
--- a/meta/recipes-extended/ltp/ltp_20180515.bb
+++ b/meta/recipes-extended/ltp/ltp_20180515.bb
@@ -48,6 +48,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \
48 file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \ 48 file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \
49 file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \ 49 file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \
50 file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \ 50 file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \
51 file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch \
51 " 52 "
52 53
53S = "${WORKDIR}/git" 54S = "${WORKDIR}/git"