1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001
From: Rafael David Tinoco <rafael.tinoco@canonical.com>
Date: Wed, 30 May 2018 09:14:34 -0300
Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has
to fail with REMAPs
Fixes: https://github.com/linux-test-project/ltp/issues/319
According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
cve-2017-5669 needs to address the "new" way of handling nil addresses
for shmat() when used with MAP_FIXED or SHM_REMAP flags.
- mapping nil-page is OK on lower addresses with MAP_FIXED (or else X11 is broken)
- mapping nil-page is NOT OK with SHM_REMAP on lower addresses
Addresses Davidlohr Bueso's comments/changes:
commit 8f89c007b6de
Author: Davidlohr Bueso <dave@stgolabs.net>
Date: Fri May 25 14:47:30 2018 -0700
ipc/shm: fix shmat() nil address after round-down when remapping
commit a73ab244f0da
Author: Davidlohr Bueso <dave@stgolabs.net>
Date: Fri May 25 14:47:27 2018 -0700
Revert "ipc/shm: Fix shmat mmap nil-page protection"
For previously test, and now broken, made based on:
commit 95e91b831f87
Author: Davidlohr Bueso <dave@stgolabs.net>
Date: Mon Feb 27 14:28:24 2017 -0800
ipc/shm: Fix shmat mmap nil-page protection
Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Reviewed-by: Jan Stancek <jstancek@redhat.com>
Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324]
CVE: CVE-2017-5669
Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
---
testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c
index 1ca5983..0834626 100644
--- a/testcases/cve/cve-2017-5669.c
+++ b/testcases/cve/cve-2017-5669.c
@@ -28,7 +28,20 @@
* is just to see if we get an access error or some other unexpected behaviour.
*
* See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection)
+ *
+ * The commit above disallowed SHM_RND maps to zero (and rounded) entirely and
+ * that broke userland for cases like Xorg. New behavior disallows REMAPs to
+ * lower addresses (0<=PAGESIZE).
+ *
+ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...)
+ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...)
+ * See https://github.com/linux-test-project/ltp/issues/319
+ *
+ * This test needs root permissions or else security_mmap_addr(), from
+ * get_unmapped_area(), will cause permission errors when trying to mmap lower
+ * addresses.
*/
+
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
@@ -60,7 +73,11 @@ static void cleanup(void)
static void run(void)
{
tst_res(TINFO, "Attempting to attach shared memory to null page");
- shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
+ /*
+ * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs
+ * https://github.com/linux-test-project/ltp/issues/319
+ */
+ shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
if (shm_addr == (void *)-1) {
shm_addr = NULL;
if (errno == EINVAL) {
@@ -89,6 +106,7 @@ static void run(void)
}
static struct tst_test test = {
+ .needs_root = 1,
.setup = setup,
.cleanup = cleanup,
.test_all = run,
--
2.7.4
|
