[OE-core] [PATCH v3] ltp: fix cve-2017-5669 test case

akuster808 akuster808 at gmail.com
Tue Jun 19 04:25:55 UTC 2018



On 06/18/2018 09:58 AM, Saul Wold wrote:
> Armin
>
> Is there any chance of getting this into Sumo and Rocko?
Is there a chance we can have a beer the next time I am in Eugene?

The CVE framework for LTP appears to be in the Rocko version so a little
backporting is in order. I will poke at it to see how straightforward
it might be. If I can, you will see patches.


- Armin
>
>
> Sau!
>
>
> On 06/13/2018 10:40 AM, Saul Wold wrote:
>> Can this be backported to both Rocko and Sumo?
>>
>> Or is this a case to update LTP in those older releases?
>>
>>
>> Sau!
>>
>>
>> On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
>>> Adding cve-2017-5669 test fix patch which is accepted upstream in
>>> LTP repo.
>>>
>>> Ref:
>>> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to
>>> fail with REMAPs
>>> https://github.com/linux-test-project/ltp/pull/324
>>>
>>> Upstream-Status: Accepted
>>> [https://github.com/linux-test-project/ltp/pull/324]
>>> CVE: cve-2017-5669
>>> Signed-off-by: Naresh Kamboju <naresh.kamboju at linaro.org>
>>> ---
>>>   ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97
>>> ++++++++++++++++++++++
>>>   meta/recipes-extended/ltp/ltp_20180515.bb          |  1 +
>>>   2 files changed, 98 insertions(+)
>>>   create mode 100644
>>> meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>
>>> diff --git
>>> a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>
>>> new file mode 100644
>>> index 0000000..2a47785
>>> --- /dev/null
>>> +++
>>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>> @@ -0,0 +1,97 @@
>>> +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001
>>> +From: Rafael David Tinoco <rafael.tinoco at canonical.com>
>>> +Date: Wed, 30 May 2018 09:14:34 -0300
>>> +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with
>>> RND flag) has
>>> + to fail with REMAPs
>>> +
>>> +Fixes: https://github.com/linux-test-project/ltp/issues/319
>>> +
>>> +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
>>> +cve-2017-5669 needs to address the "new" way of handling nil addresses
>>> +for shmat() when used with MAP_FIXED or SHM_REMAP flags.
>>> +
>>> +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else
>>> X11 is broken)
>>> +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses
>>> +
>>> +Addresses Davidlohr Bueso's comments/changes:
>>> +
>>> +commit 8f89c007b6de
>>> +Author: Davidlohr Bueso <dave at stgolabs.net>
>>> +Date:   Fri May 25 14:47:30 2018 -0700
>>> +
>>> +    ipc/shm: fix shmat() nil address after round-down when remapping
>>> +
>>> +commit a73ab244f0da
>>> +Author: Davidlohr Bueso <dave at stgolabs.net>
>>> +Date:   Fri May 25 14:47:27 2018 -0700
>>> +
>>> +    Revert "ipc/shm: Fix shmat mmap nil-page protection"
>>> +
>>> +For previously test, and now broken, made based on:
>>> +
>>> +commit 95e91b831f87
>>> +Author: Davidlohr Bueso <dave at stgolabs.net>
>>> +Date:   Mon Feb 27 14:28:24 2017 -0800
>>> +
>>> +    ipc/shm: Fix shmat mmap nil-page protection
>>> +
>>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco at linaro.org>
>>> +Tested-by: Naresh Kamboju <naresh.kamboju at linaro.org>
>>> +Reviewed-by: Jan Stancek <jstancek at redhat.com>
>>> +
>>> +Upstream-Status: Accepted
>>> [https://github.com/linux-test-project/ltp/pull/324]
>>> +CVE: cve-2017-5669
>>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco at linaro.org>
>>> +---
>>> + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++-
>>> + 1 file changed, 19 insertions(+), 1 deletion(-)
>>> +
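Review bot: The "CVE: cve-2017-5669" trailer in this patch header tags the change as a fix for that CVE, but the diffstat shows it only touches testcases/cve/cve-2017-5669.c, so it corrects the LTP test for a kernel issue rather than fixing a vulnerability in ltp itself. Consider dropping the CVE: line, here and in the recipe commit message, so the tag is not read as a security fix for this recipe. The Signed-off-by that follows Upstream-Status also repeats the Rafael David Tinoco sign-off a few lines above it; if it is meant to record who imported the patch into the recipe, it should name that person instead.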
>>> +diff --git a/testcases/cve/cve-2017-5669.c
>>> b/testcases/cve/cve-2017-5669.c
>>> +index 1ca5983..0834626 100644
>>> +--- a/testcases/cve/cve-2017-5669.c
>>> ++++ b/testcases/cve/cve-2017-5669.c
>>> +@@ -28,7 +28,20 @@
>>> +  * is just to see if we get an access error or some other
>>> unexpected behaviour.
>>> +  *
>>> +  * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page
>>> protection)
>>> ++ *
>>> ++ * The commit above disallowed SHM_RND maps to zero (and rounded)
>>> entirely and
>>> ++ * that broke userland for cases like Xorg. New behavior disallows
>>> REMAPs to
>>> ++ * lower addresses (0<=PAGESIZE).
>>> ++ *
>>> ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap
>>> nil-page protect...)
>>> ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after
>>> round-dow...)
>>> ++ * See https://github.com/linux-test-project/ltp/issues/319
>>> ++ *
>>> ++ * This test needs root permissions or else security_mmap_addr(),
>>> from
>>> ++ * get_unmapped_area(), will cause permission errors when trying
>>> to mmap lower
>>> ++ * addresses.
>>> +  */
>>> ++
>>> + #include <sys/types.h>
>>> + #include <sys/ipc.h>
>>> + #include <sys/shm.h>
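Review bot: In the added header comment, "lower addresses (0<=PAGESIZE)" is not a meaningful range as written. The patch subject and the title of commit 8f89c007b6de describe the failing case as address 0, or an address below PAGESIZE that SHM_RND rounds down to 0, so the comment should say that, for example "REMAPs to address 0 (or to an address < PAGESIZE that SHM_RND rounds down to 0)".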
>>> +@@ -60,7 +73,11 @@ static void cleanup(void)
>>> + static void run(void)
>>> + {
>>> +     tst_res(TINFO, "Attempting to attach shared memory to null
>>> page");
>>> +-    shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
>>> ++    /*
>>> ++     * shmat() for 0 (or < PAGESIZE with RND flag) has to fail
>>> with REMAPs
>>> ++     * https://github.com/linux-test-project/ltp/issues/319
>>> ++     */
>>> ++    shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
>>> +     if (shm_addr == (void *)-1) {
>>> +         shm_addr = NULL;
>>> +         if (errno == EINVAL) {
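Review bot: The changed shmat() call replaces the SHM_RND-only attach with SHM_RND | SHM_REMAP, so the other half of the behaviour listed in the commit message ("mapping nil-page is OK on lower addresses with MAP_FIXED (or else X11 is broken)") is no longer exercised by this line. If the test is meant to track the new kernel semantics, consider keeping a second attach without SHM_REMAP and reporting its result separately. The tst_res(TINFO, ...) text just above should also mention SHM_REMAP so the log shows which variant ran.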
>>> +@@ -89,6 +106,7 @@ static void run(void)
>>> + }
>>> +
>>> + static struct tst_test test = {
>>> ++    .needs_root = 1,
>>> +     .setup = setup,
>>> +     .cleanup = cleanup,
>>> +     .test_all = run,
>>> +--
>>> +2.7.4
>>> +
>>> diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb
>>> b/meta/recipes-extended/ltp/ltp_20180515.bb
>>> index b07c1b9..48739f1 100644
>>> --- a/meta/recipes-extended/ltp/ltp_20180515.bb
>>> +++ b/meta/recipes-extended/ltp/ltp_20180515.bb
>>> @@ -41,6 +41,7 @@ SRC_URI =
>>> "git://github.com/linux-test-project/ltp.git \
>>> file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch
>>> \
>>> file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \
>>> file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch
>>> \
>>> +
>>> file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>> \
>>>              "
>>>     S = "${WORKDIR}/git"
>>
>



