Message ID | 1528788854-29279-1-git-send-email-naresh.kamboju@linaro.org |
---|---|
State | Accepted |
Commit | e356cb7e7bfb407c2f3a1bd0f28b5f14beaff882 |
Series | [v3] ltp: fix cve-2017-5669 test case |
Can this be backported to both Rocko and Sumo?

Or is this a case to update LTP in those older releases?

Sau!

On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
> Adding cve-2017-5669 test fix patch which is accepted upstream in LTP repo.
>
> Ref:
> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to fail with REMAPs
> https://github.com/linux-test-project/ltp/pull/324
>
> Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324]
> CVE: cve-2017-5669
> Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
> ---
> ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97 ++++++++++++++++++++++
> meta/recipes-extended/ltp/ltp_20180515.bb | 1 +
> 2 files changed, 98 insertions(+)
> create mode 100644 meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>
> diff --git a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch > new file mode 100644 > index 0000000..2a47785 > --- /dev/null > +++ b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
> @@ -0,0 +1,97 @@ > +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001 > +From: Rafael David Tinoco <rafael.tinoco@canonical.com> > +Date: Wed, 30 May 2018 09:14:34 -0300 > +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has > + to fail with REMAPs > + > +Fixes: https://github.com/linux-test-project/ltp/issues/319 > + > +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056), > +cve-2017-5669 needs to address the "new" way of handling nil addresses > +for shmat() when used with MAP_FIXED or SHM_REMAP flags. > + > +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else X11 is broken) > +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses > + > +Addresses Davidlohr Bueso's comments/changes: > + > +commit 8f89c007b6de > +Author: Davidlohr Bueso <dave@stgolabs.net> > +Date: Fri May 25 14:47:30 2018 -0700 > + > + ipc/shm: fix shmat() nil address after round-down when remapping > + > +commit a73ab244f0da > +Author: Davidlohr Bueso <dave@stgolabs.net> > +Date: Fri May 25 14:47:27 2018 -0700 > + > + Revert "ipc/shm: Fix shmat mmap nil-page protection" > + > +For previously test, and now broken, made based on: > + > +commit 95e91b831f87 > +Author: Davidlohr Bueso <dave@stgolabs.net> > +Date: Mon Feb 27 14:28:24 2017 -0800 > + > + ipc/shm: Fix shmat mmap nil-page protection > + > +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org> > +Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org> > +Reviewed-by: Jan Stancek <jstancek@redhat.com> > + > +Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324] > +CVE: cve-2017-5669 > +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org> > +--- > + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++- > + 1 file changed, 19 insertions(+), 1 deletion(-) > + > +diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c > +index 1ca5983..0834626 100644 > +--- a/testcases/cve/cve-2017-5669.c > 
++++ b/testcases/cve/cve-2017-5669.c > +@@ -28,7 +28,20 @@ > + * is just to see if we get an access error or some other unexpected behaviour. > + * > + * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection) > ++ * > ++ * The commit above disallowed SHM_RND maps to zero (and rounded) entirely and > ++ * that broke userland for cases like Xorg. New behavior disallows REMAPs to > ++ * lower addresses (0<=PAGESIZE). > ++ * > ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...) > ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...) > ++ * See https://github.com/linux-test-project/ltp/issues/319 > ++ * > ++ * This test needs root permissions or else security_mmap_addr(), from > ++ * get_unmapped_area(), will cause permission errors when trying to mmap lower > ++ * addresses. > + */ > ++ > + #include <sys/types.h> > + #include <sys/ipc.h> > + #include <sys/shm.h> > +@@ -60,7 +73,11 @@ static void cleanup(void) > + static void run(void) > + { > + tst_res(TINFO, "Attempting to attach shared memory to null page"); > +- shm_addr = shmat(shm_id, ((void *)1), SHM_RND); > ++ /* > ++ * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs > ++ * https://github.com/linux-test-project/ltp/issues/319 > ++ */ > ++ shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP); > + if (shm_addr == (void *)-1) { > + shm_addr = NULL; > + if (errno == EINVAL) { > +@@ -89,6 +106,7 @@ static void run(void) > + } > + > + static struct tst_test test = { > ++ .needs_root = 1, > + .setup = setup, > + .cleanup = cleanup, > + .test_all = run, > +-- > +2.7.4 > + > diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb b/meta/recipes-extended/ltp/ltp_20180515.bb > index b07c1b9..48739f1 100644 > --- a/meta/recipes-extended/ltp/ltp_20180515.bb > +++ b/meta/recipes-extended/ltp/ltp_20180515.bb 
> @@ -41,6 +41,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \ > file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \ > file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \ > file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \ > + file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch \ > " > > S = "${WORKDIR}/git" -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
On 13 June 2018 at 23:10, Saul Wold <sgw@linux.intel.com> wrote:
> Can this be backported to both Rocko and Sumo?

This can be backported to both Rocko and not sure about Sumo (I did not work on Sumo branch).

>
> Or is this a case to update LTP in those older releases?

Latest LTP + this fix patch (upstream accepted).

- Naresh
Armin

Is there any chance of getting this into Sumo and Rocko?

Sau!

On 06/13/2018 10:40 AM, Saul Wold wrote:
> Can this be backported to both Rocko and Sumo?
>
> Or is this a case to update LTP in those older releases?
>
>
> Sau!
>
>
> On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
>> Adding cve-2017-5669 test fix patch which is accepted upstream in LTP
>> repo.
>>
>> Ref:
>> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to fail
>> with REMAPs
>> https://github.com/linux-test-project/ltp/pull/324
>>
>> Upstream-Status: Accepted
>> [https://github.com/linux-test-project/ltp/pull/324]
>> CVE: cve-2017-5669
>> Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>> ---
>> ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97
>> ++++++++++++++++++++++
>> meta/recipes-extended/ltp/ltp_20180515.bb | 1 +
>> 2 files changed, 98 insertions(+)
>> create mode 100644
>> meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>
>> diff --git >> a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >> >> new file mode 100644 >> index 0000000..2a47785 >> --- /dev/null >> +++ >> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>> @@ -0,0 +1,97 @@ >> +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001 >> +From: Rafael David Tinoco <rafael.tinoco@canonical.com> >> +Date: Wed, 30 May 2018 09:14:34 -0300 >> +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND >> flag) has >> + to fail with REMAPs >> + >> +Fixes: https://github.com/linux-test-project/ltp/issues/319 >> + >> +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056), >> +cve-2017-5669 needs to address the "new" way of handling nil addresses >> +for shmat() when used with MAP_FIXED or SHM_REMAP flags. >> + >> +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else >> X11 is broken) >> +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses >> + >> +Addresses Davidlohr Bueso's comments/changes: >> + >> +commit 8f89c007b6de >> +Author: Davidlohr Bueso <dave@stgolabs.net> >> +Date: Fri May 25 14:47:30 2018 -0700 >> + >> + ipc/shm: fix shmat() nil address after round-down when remapping >> + >> +commit a73ab244f0da >> +Author: Davidlohr Bueso <dave@stgolabs.net> >> +Date: Fri May 25 14:47:27 2018 -0700 >> + >> + Revert "ipc/shm: Fix shmat mmap nil-page protection" >> + >> +For previously test, and now broken, made based on: >> + >> +commit 95e91b831f87 >> +Author: Davidlohr Bueso <dave@stgolabs.net> >> +Date: Mon Feb 27 14:28:24 2017 -0800 >> + >> + ipc/shm: Fix shmat mmap nil-page protection >> + >> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org> >> +Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org> >> +Reviewed-by: Jan Stancek <jstancek@redhat.com> >> + >> +Upstream-Status: Accepted >> [https://github.com/linux-test-project/ltp/pull/324] >> +CVE: cve-2017-5669 >> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org> >> +--- >> + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++- >> + 1 file changed, 19 insertions(+), 1 deletion(-) >> + >> +diff --git a/testcases/cve/cve-2017-5669.c >> b/testcases/cve/cve-2017-5669.c >> +index 
1ca5983..0834626 100644 >> +--- a/testcases/cve/cve-2017-5669.c >> ++++ b/testcases/cve/cve-2017-5669.c >> +@@ -28,7 +28,20 @@ >> + * is just to see if we get an access error or some other >> unexpected behaviour. >> + * >> + * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection) >> ++ * >> ++ * The commit above disallowed SHM_RND maps to zero (and rounded) >> entirely and >> ++ * that broke userland for cases like Xorg. New behavior disallows >> REMAPs to >> ++ * lower addresses (0<=PAGESIZE). >> ++ * >> ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap >> nil-page protect...) >> ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after >> round-dow...) >> ++ * See https://github.com/linux-test-project/ltp/issues/319 >> ++ * >> ++ * This test needs root permissions or else security_mmap_addr(), from >> ++ * get_unmapped_area(), will cause permission errors when trying to >> mmap lower >> ++ * addresses. >> + */ >> ++ >> + #include <sys/types.h> >> + #include <sys/ipc.h> >> + #include <sys/shm.h> >> +@@ -60,7 +73,11 @@ static void cleanup(void) >> + static void run(void) >> + { >> + tst_res(TINFO, "Attempting to attach shared memory to null page"); >> +- shm_addr = shmat(shm_id, ((void *)1), SHM_RND); >> ++ /* >> ++ * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with >> REMAPs >> ++ * https://github.com/linux-test-project/ltp/issues/319 >> ++ */ >> ++ shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP); >> + if (shm_addr == (void *)-1) { >> + shm_addr = NULL; >> + if (errno == EINVAL) { >> +@@ -89,6 +106,7 @@ static void run(void) >> + } >> + >> + static struct tst_test test = { >> ++ .needs_root = 1, >> + .setup = setup, >> + .cleanup = cleanup, >> + .test_all = run, >> +-- >> +2.7.4 >> + >> diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb >> b/meta/recipes-extended/ltp/ltp_20180515.bb >> index b07c1b9..48739f1 100644 >> --- a/meta/recipes-extended/ltp/ltp_20180515.bb 
>> +++ b/meta/recipes-extended/ltp/ltp_20180515.bb >> @@ -41,6 +41,7 @@ SRC_URI = >> "git://github.com/linux-test-project/ltp.git \ >> file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \ >> file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \ >> file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \ >> + >> file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch \ >> " >> S = "${WORKDIR}/git" >
On 06/18/2018 09:58 AM, Saul Wold wrote:
> Armin
>
> Is there any chance of getting this into Sumo and Rocko?

Is there a chance we can have a beer the next time I am in Eugene?

The CVE framework for LTP appears to be in the Rocko version so a little backporting is in order. I will poke at it to see how straightforward it might be. If I can, you will see patches.

- Armin

>
>
> Sau!
>
>
> On 06/13/2018 10:40 AM, Saul Wold wrote:
>> Can this be backported to both Rocko and Sumo?
>>
>> Or is this a case to update LTP in those older releases?
>>
>>
>> Sau!
>>
>>
>> On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
>>> Adding cve-2017-5669 test fix patch which is accepted upstream in
>>> LTP repo.
>>>
>>> Ref:
>>> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to
>>> fail with REMAPs
>>> https://github.com/linux-test-project/ltp/pull/324
>>>
>>> Upstream-Status: Accepted
>>> [https://github.com/linux-test-project/ltp/pull/324]
>>> CVE: cve-2017-5669
>>> Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>>> ---
>>> ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97
>>> ++++++++++++++++++++++
>>> meta/recipes-extended/ltp/ltp_20180515.bb | 1 +
>>> 2 files changed, 98 insertions(+)
>>> create mode 100644
>>> meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>
>>> diff --git >>> a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >>> >>> new file mode 100644 >>> index 0000000..2a47785 >>> --- /dev/null >>> +++ >>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>> @@ -0,0 +1,97 @@ >>> +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001 >>> +From: Rafael David Tinoco <rafael.tinoco@canonical.com> >>> +Date: Wed, 30 May 2018 09:14:34 -0300 >>> +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with >>> RND flag) has >>> + to fail with REMAPs >>> + >>> +Fixes: https://github.com/linux-test-project/ltp/issues/319 >>> + >>> +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056), >>> +cve-2017-5669 needs to address the "new" way of handling nil addresses >>> +for shmat() when used with MAP_FIXED or SHM_REMAP flags. >>> + >>> +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else >>> X11 is broken) >>> +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses >>> + >>> +Addresses Davidlohr Bueso's comments/changes: >>> + >>> +commit 8f89c007b6de >>> +Author: Davidlohr Bueso <dave@stgolabs.net> >>> +Date: Fri May 25 14:47:30 2018 -0700 >>> + >>> + ipc/shm: fix shmat() nil address after round-down when remapping >>> + >>> +commit a73ab244f0da >>> +Author: Davidlohr Bueso <dave@stgolabs.net> >>> +Date: Fri May 25 14:47:27 2018 -0700 >>> + >>> + Revert "ipc/shm: Fix shmat mmap nil-page protection" >>> + >>> +For previously test, and now broken, made based on: >>> + >>> +commit 95e91b831f87 >>> +Author: Davidlohr Bueso <dave@stgolabs.net> >>> +Date: Mon Feb 27 14:28:24 2017 -0800 >>> + >>> + ipc/shm: Fix shmat mmap nil-page protection >>> + >>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org> >>> +Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org> >>> +Reviewed-by: Jan Stancek <jstancek@redhat.com> >>> + >>> +Upstream-Status: Accepted >>> [https://github.com/linux-test-project/ltp/pull/324] >>> +CVE: cve-2017-5669 >>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org> >>> +--- >>> + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++- >>> + 1 file changed, 19 insertions(+), 1 deletion(-) >>> + >>> +diff --git 
a/testcases/cve/cve-2017-5669.c >>> b/testcases/cve/cve-2017-5669.c >>> +index 1ca5983..0834626 100644 >>> +--- a/testcases/cve/cve-2017-5669.c >>> ++++ b/testcases/cve/cve-2017-5669.c >>> +@@ -28,7 +28,20 @@ >>> + * is just to see if we get an access error or some other >>> unexpected behaviour. >>> + * >>> + * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page >>> protection) >>> ++ * >>> ++ * The commit above disallowed SHM_RND maps to zero (and rounded) >>> entirely and >>> ++ * that broke userland for cases like Xorg. New behavior disallows >>> REMAPs to >>> ++ * lower addresses (0<=PAGESIZE). >>> ++ * >>> ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap >>> nil-page protect...) >>> ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after >>> round-dow...) >>> ++ * See https://github.com/linux-test-project/ltp/issues/319 >>> ++ * >>> ++ * This test needs root permissions or else security_mmap_addr(), >>> from >>> ++ * get_unmapped_area(), will cause permission errors when trying >>> to mmap lower >>> ++ * addresses. >>> + */ >>> ++ >>> + #include <sys/types.h> >>> + #include <sys/ipc.h> >>> + #include <sys/shm.h> >>> +@@ -60,7 +73,11 @@ static void cleanup(void) >>> + static void run(void) >>> + { >>> + tst_res(TINFO, "Attempting to attach shared memory to null >>> page"); >>> +- shm_addr = shmat(shm_id, ((void *)1), SHM_RND); >>> ++ /* >>> ++ * shmat() for 0 (or < PAGESIZE with RND flag) has to fail >>> with REMAPs >>> ++ * https://github.com/linux-test-project/ltp/issues/319 >>> ++ */ >>> ++ shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP); >>> + if (shm_addr == (void *)-1) { >>> + shm_addr = NULL; >>> + if (errno == EINVAL) { >>> +@@ -89,6 +106,7 @@ static void run(void) >>> + } >>> + >>> + static struct tst_test test = { >>> ++ .needs_root = 1, >>> + .setup = setup, >>> + .cleanup = cleanup, >>> + .test_all = run, >>> +-- >>> +2.7.4 >>> + 
>>> diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb >>> b/meta/recipes-extended/ltp/ltp_20180515.bb >>> index b07c1b9..48739f1 100644 >>> --- a/meta/recipes-extended/ltp/ltp_20180515.bb >>> +++ b/meta/recipes-extended/ltp/ltp_20180515.bb >>> @@ -41,6 +41,7 @@ SRC_URI = >>> "git://github.com/linux-test-project/ltp.git \ >>> file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch >>> \ >>> file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \ >>> file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch >>> \ >>> + >>> file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >>> \ >>> " >>> S = "${WORKDIR}/git" >> >
On 06/18/2018 09:25 PM, akuster808 wrote:
>
> On 06/18/2018 09:58 AM, Saul Wold wrote:
>> Armin
>>
>> Is there any chance of getting this into Sumo and Rocko?
> Is there a chance we can have a beer the next time I am in Eugene?

Of course! I did not know that you made it into this area! Either homebrew or local brew is very available!

> The CVE framework for LTP appears to be in the Rocko version so a little
> backporting is in order. I will poke at it to see how straightforward
> it might be. If I can, you will see patches.

Thanks so much.

Sau!

>
> - Armin
>>
>> Sau!
>>
>>
>> On 06/13/2018 10:40 AM, Saul Wold wrote:
>>> Can this be backported to both Rocko and Sumo?
>>>
>>> Or is this a case to update LTP in those older releases?
>>>
>>>
>>> Sau!
>>>
>>>
>>> On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
>>>> Adding cve-2017-5669 test fix patch which is accepted upstream in
>>>> LTP repo.
>>>>
>>>> Ref:
>>>> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to
>>>> fail with REMAPs
>>>> https://github.com/linux-test-project/ltp/pull/324
>>>>
>>>> Upstream-Status: Accepted
>>>> [https://github.com/linux-test-project/ltp/pull/324]
>>>> CVE: cve-2017-5669
>>>> Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>>>> ---
>>>> ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97
>>>> ++++++++++++++++++++++
>>>> meta/recipes-extended/ltp/ltp_20180515.bb | 1 +
>>>> 2 files changed, 98 insertions(+)
>>>> create mode 100644
>>>> meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>>
>>>> diff --git >>>> a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >>>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >>>> >>>> new file mode 100644 >>>> index 0000000..2a47785 >>>> --- /dev/null >>>> +++ >>>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>> @@ -0,0 +1,97 @@ >>>> +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001 >>>> +From: Rafael David Tinoco <rafael.tinoco@canonical.com> >>>> +Date: Wed, 30 May 2018 09:14:34 -0300 >>>> +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with >>>> RND flag) has >>>> + to fail with REMAPs >>>> + >>>> +Fixes: https://github.com/linux-test-project/ltp/issues/319 >>>> + >>>> +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056), >>>> +cve-2017-5669 needs to address the "new" way of handling nil addresses >>>> +for shmat() when used with MAP_FIXED or SHM_REMAP flags. >>>> + >>>> +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else >>>> X11 is broken) >>>> +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses >>>> + >>>> +Addresses Davidlohr Bueso's comments/changes: >>>> + >>>> +commit 8f89c007b6de >>>> +Author: Davidlohr Bueso <dave@stgolabs.net> >>>> +Date: Fri May 25 14:47:30 2018 -0700 >>>> + >>>> + ipc/shm: fix shmat() nil address after round-down when remapping >>>> + >>>> +commit a73ab244f0da >>>> +Author: Davidlohr Bueso <dave@stgolabs.net> >>>> +Date: Fri May 25 14:47:27 2018 -0700 >>>> + >>>> + Revert "ipc/shm: Fix shmat mmap nil-page protection" >>>> + >>>> +For previously test, and now broken, made based on: >>>> + >>>> +commit 95e91b831f87 >>>> +Author: Davidlohr Bueso <dave@stgolabs.net> >>>> +Date: Mon Feb 27 14:28:24 2017 -0800 >>>> + >>>> + ipc/shm: Fix shmat mmap nil-page protection >>>> + >>>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org> >>>> +Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org> >>>> +Reviewed-by: Jan Stancek <jstancek@redhat.com> >>>> + >>>> +Upstream-Status: Accepted >>>> [https://github.com/linux-test-project/ltp/pull/324] >>>> +CVE: cve-2017-5669 >>>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org> >>>> +--- >>>> + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++- >>>> + 1 file changed, 19 insertions(+), 1 deletion(-) 
>>>> + >>>> +diff --git a/testcases/cve/cve-2017-5669.c >>>> b/testcases/cve/cve-2017-5669.c >>>> +index 1ca5983..0834626 100644 >>>> +--- a/testcases/cve/cve-2017-5669.c >>>> ++++ b/testcases/cve/cve-2017-5669.c >>>> +@@ -28,7 +28,20 @@ >>>> + * is just to see if we get an access error or some other >>>> unexpected behaviour. >>>> + * >>>> + * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page >>>> protection) >>>> ++ * >>>> ++ * The commit above disallowed SHM_RND maps to zero (and rounded) >>>> entirely and >>>> ++ * that broke userland for cases like Xorg. New behavior disallows >>>> REMAPs to >>>> ++ * lower addresses (0<=PAGESIZE). >>>> ++ * >>>> ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap >>>> nil-page protect...) >>>> ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after >>>> round-dow...) >>>> ++ * See https://github.com/linux-test-project/ltp/issues/319 >>>> ++ * >>>> ++ * This test needs root permissions or else security_mmap_addr(), >>>> from >>>> ++ * get_unmapped_area(), will cause permission errors when trying >>>> to mmap lower >>>> ++ * addresses. 
>>>> + */ >>>> ++ >>>> + #include <sys/types.h> >>>> + #include <sys/ipc.h> >>>> + #include <sys/shm.h> >>>> +@@ -60,7 +73,11 @@ static void cleanup(void) >>>> + static void run(void) >>>> + { >>>> + tst_res(TINFO, "Attempting to attach shared memory to null >>>> page"); >>>> +- shm_addr = shmat(shm_id, ((void *)1), SHM_RND); >>>> ++ /* >>>> ++ * shmat() for 0 (or < PAGESIZE with RND flag) has to fail >>>> with REMAPs >>>> ++ * https://github.com/linux-test-project/ltp/issues/319 >>>> ++ */ >>>> ++ shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP); >>>> + if (shm_addr == (void *)-1) { >>>> + shm_addr = NULL; >>>> + if (errno == EINVAL) { >>>> +@@ -89,6 +106,7 @@ static void run(void) >>>> + } >>>> + >>>> + static struct tst_test test = { >>>> ++ .needs_root = 1, >>>> + .setup = setup, >>>> + .cleanup = cleanup, >>>> + .test_all = run, >>>> +-- >>>> +2.7.4 >>>> + >>>> diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb >>>> b/meta/recipes-extended/ltp/ltp_20180515.bb >>>> index b07c1b9..48739f1 100644 >>>> --- a/meta/recipes-extended/ltp/ltp_20180515.bb >>>> +++ b/meta/recipes-extended/ltp/ltp_20180515.bb >>>> @@ -41,6 +41,7 @@ SRC_URI = >>>> "git://github.com/linux-test-project/ltp.git \ >>>> file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch >>>> \ >>>> file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \ >>>> file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch >>>> \ >>>> + >>>> file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >>>> \ >>>> " >>>> S = "${WORKDIR}/git"
diff --git a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch new file mode 100644 index 0000000..2a47785 --- /dev/null +++ b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch 
@@ -0,0 +1,97 @@ +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001 +From: Rafael David Tinoco <rafael.tinoco@canonical.com> +Date: Wed, 30 May 2018 09:14:34 -0300 +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has + to fail with REMAPs + +Fixes: https://github.com/linux-test-project/ltp/issues/319 + +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056), +cve-2017-5669 needs to address the "new" way of handling nil addresses +for shmat() when used with MAP_FIXED or SHM_REMAP flags. + +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else X11 is broken) +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses + +Addresses Davidlohr Bueso's comments/changes: + +commit 8f89c007b6de +Author: Davidlohr Bueso <dave@stgolabs.net> +Date: Fri May 25 14:47:30 2018 -0700 + + ipc/shm: fix shmat() nil address after round-down when remapping + +commit a73ab244f0da +Author: Davidlohr Bueso <dave@stgolabs.net> +Date: Fri May 25 14:47:27 2018 -0700 + + Revert "ipc/shm: Fix shmat mmap nil-page protection" + +For previously test, and now broken, made based on: + +commit 95e91b831f87 +Author: Davidlohr Bueso <dave@stgolabs.net> +Date: Mon Feb 27 14:28:24 2017 -0800 + + ipc/shm: Fix shmat mmap nil-page protection + +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org> +Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org> +Reviewed-by: Jan Stancek <jstancek@redhat.com> + +Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324] +CVE: cve-2017-5669 +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org> +--- + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c +index 1ca5983..0834626 100644 +--- a/testcases/cve/cve-2017-5669.c ++++ b/testcases/cve/cve-2017-5669.c +@@ -28,7 +28,20 @@ + * is just to see if we get an access error or some 
other unexpected behaviour. + * + * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection) ++ * ++ * The commit above disallowed SHM_RND maps to zero (and rounded) entirely and ++ * that broke userland for cases like Xorg. New behavior disallows REMAPs to ++ * lower addresses (0<=PAGESIZE). ++ * ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...) ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...) ++ * See https://github.com/linux-test-project/ltp/issues/319 ++ * ++ * This test needs root permissions or else security_mmap_addr(), from ++ * get_unmapped_area(), will cause permission errors when trying to mmap lower ++ * addresses. + */ ++ + #include <sys/types.h> + #include <sys/ipc.h> + #include <sys/shm.h> +@@ -60,7 +73,11 @@ static void cleanup(void) + static void run(void) + { + tst_res(TINFO, "Attempting to attach shared memory to null page"); +- shm_addr = shmat(shm_id, ((void *)1), SHM_RND); ++ /* ++ * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs ++ * https://github.com/linux-test-project/ltp/issues/319 ++ */ ++ shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP); + if (shm_addr == (void *)-1) { + shm_addr = NULL; + if (errno == EINVAL) { +@@ -89,6 +106,7 @@ static void run(void) + } + + static struct tst_test test = { ++ .needs_root = 1, + .setup = setup, + .cleanup = cleanup, + .test_all = run, +-- +2.7.4 + diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb b/meta/recipes-extended/ltp/ltp_20180515.bb index b07c1b9..48739f1 100644 --- a/meta/recipes-extended/ltp/ltp_20180515.bb +++ b/meta/recipes-extended/ltp/ltp_20180515.bb 
@@ -41,6 +41,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \ file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \ file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \ file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \ + file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch \ " S = "${WORKDIR}/git"
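Review bot: In the header of the new 0041 patch file, `Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>` appears twice, once above the Tested-by/Reviewed-by trailers and again after `Upstream-Status:` and `CVE:`, while the submitter's own sign-off is only on the outer commit. If the second trailer is meant to record who imported the patch into the recipe, it should name that person; otherwise drop the duplicate. The `CVE: cve-2017-5669` tag also needs a second look: this patch changes an LTP test case rather than fixing the CVE in ltp itself, so confirm the tag is intended, and if it stays write the identifier in its usual upper-case form, `CVE: CVE-2017-5669`.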
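Review bot: In the comment block added at the top of testcases/cve/cve-2017-5669.c (hunk `@@ -28,7 +28,20 @@`), "lower addresses (0<=PAGESIZE)" does not read as a range, and the commit subject says "<PAGESIZE", so the boundary is stated two different ways. Spell out what is rejected, for example "an address below PAGESIZE that SHM_RND rounds down to 0, when combined with SHM_REMAP". The two "See commit" lines for a73ab244f0da and 8f89c007b6de are also cut off with "..."; wrapping them would let the full subjects appear.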
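Review bot: In run() (hunk `@@ -60,7 +73,11 @@`), the `SHM_RND`-only call is replaced rather than kept beside the new `SHM_RND | SHM_REMAP` call, so only one of the two behaviours listed in the commit message is asserted: nothing checks that the nil-page attach without SHM_REMAP is still accepted, which is the case the header comment says broke Xorg. Consider adding that as a second case, and update the unchanged TINFO text ("Attempting to attach shared memory to null page") to mention the remap so the log shows which path was exercised.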
Adding cve-2017-5669 test fix patch which is accepted upstream in LTP repo.

Ref:
cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to fail with REMAPs
https://github.com/linux-test-project/ltp/pull/324

Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324]
CVE: cve-2017-5669
Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
---
 ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97 ++++++++++++++++++++++
 meta/recipes-extended/ltp/ltp_20180515.bb | 1 +
 2 files changed, 98 insertions(+)
 create mode 100644 meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch

--
2.7.4