ltp: fix CVE-2017-5669 test case

Adding CVE-2017-5669 test fix patch which is accepted upstream in LTP repo. Ref: cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to fail with REMAPs https://github.com/linux-test-project/ltp/pull/324 Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324] (From OE-Core rev: e356cb7e7bfb407c2f3a1bd0f28b5f14beaff882) Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Naresh Kamboju <naresh.kamboju@linaro.org> 2018-06-12 13:04:14 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-06-15 17:56:24 +0100
commit: 951fa62bab7f65828916e6d7682fbe5f13b03ea6 (patch)
tree: 34b853790390d9e5d12e36ee9d78cba851a7511b
parent: 5b0a32a5a778ebcd01adb8d925f8443b213436dc (diff)
download: poky-951fa62bab7f65828916e6d7682fbe5f13b03ea6.tar.gz
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
new file mode 100644
index 0000000000..0d2d2cbce4
--- /dev/null
+++ b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
@@ -0,0 +1,97 @@
+From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001
+From: Rafael David Tinoco <rafael.tinoco@canonical.com>
+Date: Wed, 30 May 2018 09:14:34 -0300
+Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has
+ to fail with REMAPs
+Fixes: https://github.com/linux-test-project/ltp/issues/319
+According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
+cve-2017-5669 needs to address the "new" way of handling nil addresses
+for shmat() when used with MAP_FIXED or SHM_REMAP flags.
+- mapping nil-page is OK on lower addresses with MAP_FIXED (or else X11 is broken)
+- mapping nil-page is NOT OK with SHM_REMAP on lower addresses
+Addresses Davidlohr Bueso's comments/changes:
+commit 8f89c007b6de
+Author: Davidlohr Bueso <dave@stgolabs.net>
+Date:   Fri May 25 14:47:30 2018 -0700
+    ipc/shm: fix shmat() nil address after round-down when remapping
+commit a73ab244f0da
+Author: Davidlohr Bueso <dave@stgolabs.net>
+Date:   Fri May 25 14:47:27 2018 -0700
+    Revert "ipc/shm: Fix shmat mmap nil-page protection"
+For previously test, and now broken, made based on:
+commit 95e91b831f87
+Author: Davidlohr Bueso <dave@stgolabs.net>
+Date:   Mon Feb 27 14:28:24 2017 -0800
+    ipc/shm: Fix shmat mmap nil-page protection
+Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
+Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Reviewed-by: Jan Stancek <jstancek@redhat.com>
+Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324]
+CVE: CVE-2017-5669
+Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
+---
+ testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c
+index 1ca5983..0834626 100644
+--- a/testcases/cve/cve-2017-5669.c
+++ b/testcases/cve/cve-2017-5669.c
+@@ -28,7 +28,20 @@
+  * is just to see if we get an access error or some other unexpected behaviour.
+  *
+  * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection)
+ *
+ * The commit above disallowed SHM_RND maps to zero (and rounded) entirely and
+ * that broke userland for cases like Xorg. New behavior disallows REMAPs to
+ * lower addresses (0<=PAGESIZE).
+ *
+ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...)
+ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...)
+ * See https://github.com/linux-test-project/ltp/issues/319
+ *
+ * This test needs root permissions or else security_mmap_addr(), from
+ * get_unmapped_area(), will cause permission errors when trying to mmap lower
+ * addresses.
+  */
+
+ #include <sys/types.h>
+ #include <sys/ipc.h>
+ #include <sys/shm.h>
+@@ -60,7 +73,11 @@ static void cleanup(void)
+ static void run(void)
+ {
+        tst_res(TINFO, "Attempting to attach shared memory to null page");
+-       shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
+       /*
+        * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs
+        * https://github.com/linux-test-project/ltp/issues/319
+        */
+       shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
+        if (shm_addr == (void *)-1) {
+                shm_addr = NULL;
+                if (errno == EINVAL) {
+@@ -89,6 +106,7 @@ static void run(void)
+ }
+ 
+ static struct tst_test test = {
+       .needs_root = 1,
+        .setup = setup,
+        .cleanup = cleanup,
+        .test_all = run,
+-- 
+2.7.4
diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb b/meta/recipes-extended/ltp/ltp_20180515.bb
index 21ff49830a..8f64d7b64a 100644
--- a/meta/recipes-extended/ltp/ltp_20180515.bb
+++ b/meta/recipes-extended/ltp/ltp_20180515.bb
@@ -48,6 +48,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \
           file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \
           file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \
           file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \
+           file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch \
           "
 S = "${WORKDIR}/git"
author	Naresh Kamboju <naresh.kamboju@linaro.org>	2018-06-12 13:04:14 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-06-15 17:56:24 +0100
commit	951fa62bab7f65828916e6d7682fbe5f13b03ea6 (patch)
tree	34b853790390d9e5d12e36ee9d78cba851a7511b
parent	5b0a32a5a778ebcd01adb8d925f8443b213436dc (diff)
download	poky-951fa62bab7f65828916e6d7682fbe5f13b03ea6.tar.gz

diff --git a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch new file mode 100644 index 0000000000..0d2d2cbce4 --- /dev/null +++ b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
@@ -0,0 +1,97 @@
		1	From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001
		2	From: Rafael David Tinoco <rafael.tinoco@canonical.com>
		3	Date: Wed, 30 May 2018 09:14:34 -0300
		4	Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has
		5	to fail with REMAPs
		6
		7	Fixes: https://github.com/linux-test-project/ltp/issues/319
		8
		9	According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
		10	cve-2017-5669 needs to address the "new" way of handling nil addresses
		11	for shmat() when used with MAP_FIXED or SHM_REMAP flags.
		12
		13	- mapping nil-page is OK on lower addresses with MAP_FIXED (or else X11 is broken)
		14	- mapping nil-page is NOT OK with SHM_REMAP on lower addresses
		15
		16	Addresses Davidlohr Bueso's comments/changes:
		17
		18	commit 8f89c007b6de
		19	Author: Davidlohr Bueso <dave@stgolabs.net>
		20	Date: Fri May 25 14:47:30 2018 -0700
		21
		22	ipc/shm: fix shmat() nil address after round-down when remapping
		23
		24	commit a73ab244f0da
		25	Author: Davidlohr Bueso <dave@stgolabs.net>
		26	Date: Fri May 25 14:47:27 2018 -0700
		27
		28	Revert "ipc/shm: Fix shmat mmap nil-page protection"
		29
		30	For previously test, and now broken, made based on:
		31
		32	commit 95e91b831f87
		33	Author: Davidlohr Bueso <dave@stgolabs.net>
		34	Date: Mon Feb 27 14:28:24 2017 -0800
		35
		36	ipc/shm: Fix shmat mmap nil-page protection
		37
		38	Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
		39	Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
		40	Reviewed-by: Jan Stancek <jstancek@redhat.com>
		41
		42	Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324]
		43	CVE: CVE-2017-5669
		44	Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
		45	---
		46	testcases/cve/cve-2017-5669.c \| 20 +++++++++++++++++++-
		47	1 file changed, 19 insertions(+), 1 deletion(-)
		48
		49	diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c
		50	index 1ca5983..0834626 100644
		51	--- a/testcases/cve/cve-2017-5669.c
		52	+++ b/testcases/cve/cve-2017-5669.c
		53	@@ -28,7 +28,20 @@
		54	* is just to see if we get an access error or some other unexpected behaviour.
		55	*
		56	* See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection)
		57	+ *
		58	+ * The commit above disallowed SHM_RND maps to zero (and rounded) entirely and
		59	+ * that broke userland for cases like Xorg. New behavior disallows REMAPs to
		60	+ * lower addresses (0<=PAGESIZE).
		61	+ *
		62	+ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...)
		63	+ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...)
		64	+ * See https://github.com/linux-test-project/ltp/issues/319
		65	+ *
		66	+ * This test needs root permissions or else security_mmap_addr(), from
		67	+ * get_unmapped_area(), will cause permission errors when trying to mmap lower
		68	+ * addresses.
		69	*/
		70	+
		71	#include <sys/types.h>
		72	#include <sys/ipc.h>
		73	#include <sys/shm.h>
		74	@@ -60,7 +73,11 @@ static void cleanup(void)
		75	static void run(void)
		76	{
		77	tst_res(TINFO, "Attempting to attach shared memory to null page");
		78	- shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
		79	+ /*
		80	+ * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs
		81	+ * https://github.com/linux-test-project/ltp/issues/319
		82	+ */
		83	+ shm_addr = shmat(shm_id, ((void *)1), SHM_RND \| SHM_REMAP);
		84	if (shm_addr == (void *)-1) {
		85	shm_addr = NULL;
		86	if (errno == EINVAL) {
		87	@@ -89,6 +106,7 @@ static void run(void)
		88	}
		89
		90	static struct tst_test test = {
		91	+ .needs_root = 1,
		92	.setup = setup,
		93	.cleanup = cleanup,
		94	.test_all = run,
		95	--
		96	2.7.4
		97


diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb b/meta/recipes-extended/ltp/ltp_20180515.bb index 21ff49830a..8f64d7b64a 100644 --- a/meta/recipes-extended/ltp/ltp_20180515.bb +++ b/meta/recipes-extended/ltp/ltp_20180515.bb
@@ -48,6 +48,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \
48	file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \	48	file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \
49	file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \	49	file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \
50	file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \	50	file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \
		51	file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch \
51	"	52	"
52		53
53	S = "${WORKDIR}/git"	54	S = "${WORKDIR}/git"