[OE-core] [PATCH v3] ltp: fix cve-2017-5669 test case

Saul Wold sgw at linux.intel.com
Tue Jun 19 04:48:40 UTC 2018



On 06/18/2018 09:25 PM, akuster808 wrote:
>
> On 06/18/2018 09:58 AM, Saul Wold wrote:
>> Armin
>>
>> Is there any chance of getting this into Sumo and Rocko?
> Is there a chance we can have a beer the next time I am in Eugene?
Of course!  I did not know that you made it in to this area!  Either 
homebrew or local brew is very available!
> The CVE framework for LTP appears to be in the Rocko version so a little
> backporting is in order. I will poke at it to see how straightforward
> it might be. If I can, you will see patches.
Thanks so much.

Sau!

>
> - Armin
>>
>> Sau!
>>
>>
>> On 06/13/2018 10:40 AM, Saul Wold wrote:
>>> Can this be backported to both Rocko and Sumo?
>>>
>>> Or is this a case to update LTP in those older releases?
>>>
>>>
>>> Sau!
>>>
>>>
>>> On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
>>>> Adding cve-2017-5669 test fix patch which is accepted upstream in
>>>> LTP repo.
>>>>
>>>> Ref:
>>>> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to
>>>> fail with REMAPs
>>>> https://github.com/linux-test-project/ltp/pull/324
>>>>
>>>> Upstream-Status: Accepted
>>>> [https://github.com/linux-test-project/ltp/pull/324]
>>>> CVE: cve-2017-5669
>>>> Signed-off-by: Naresh Kamboju <naresh.kamboju at linaro.org>
>>>> ---
>>>>    ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97
>>>> ++++++++++++++++++++++
>>>>    meta/recipes-extended/ltp/ltp_20180515.bb          |  1 +
>>>>    2 files changed, 98 insertions(+)
>>>>    create mode 100644
>>>> meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>>
>>>> diff --git
>>>> a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>>
>>>> new file mode 100644
>>>> index 0000000..2a47785
>>>> --- /dev/null
>>>> +++
>>>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>> @@ -0,0 +1,97 @@
>>>> +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001
>>>> +From: Rafael David Tinoco <rafael.tinoco at canonical.com>
>>>> +Date: Wed, 30 May 2018 09:14:34 -0300
>>>> +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with
>>>> RND flag) has
>>>> + to fail with REMAPs
>>>> +
>>>> +Fixes: https://github.com/linux-test-project/ltp/issues/319
>>>> +
>>>> +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
>>>> +cve-2017-5669 needs to address the "new" way of handling nil addresses
>>>> +for shmat() when used with MAP_FIXED or SHM_REMAP flags.
>>>> +
>>>> +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else
>>>> X11 is broken)
>>>> +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses
>>>> +
>>>> +Addresses Davidlohr Bueso's comments/changes:
>>>> +
>>>> +commit 8f89c007b6de
>>>> +Author: Davidlohr Bueso <dave at stgolabs.net>
>>>> +Date:   Fri May 25 14:47:30 2018 -0700
>>>> +
>>>> +    ipc/shm: fix shmat() nil address after round-down when remapping
>>>> +
>>>> +commit a73ab244f0da
>>>> +Author: Davidlohr Bueso <dave at stgolabs.net>
>>>> +Date:   Fri May 25 14:47:27 2018 -0700
>>>> +
>>>> +    Revert "ipc/shm: Fix shmat mmap nil-page protection"
>>>> +
>>>> +For previously test, and now broken, made based on:
>>>> +
>>>> +commit 95e91b831f87
>>>> +Author: Davidlohr Bueso <dave at stgolabs.net>
>>>> +Date:   Mon Feb 27 14:28:24 2017 -0800
>>>> +
>>>> +    ipc/shm: Fix shmat mmap nil-page protection
>>>> +
>>>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco at linaro.org>
>>>> +Tested-by: Naresh Kamboju <naresh.kamboju at linaro.org>
>>>> +Reviewed-by: Jan Stancek <jstancek at redhat.com>
>>>> +
>>>> +Upstream-Status: Accepted
>>>> [https://github.com/linux-test-project/ltp/pull/324]
>>>> +CVE: cve-2017-5669
>>>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco at linaro.org>
>>>> +---
>>>> + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++-
>>>> + 1 file changed, 19 insertions(+), 1 deletion(-)
>>>> +
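
Review bot: the `CVE: cve-2017-5669` tag in the embedded patch header reads as if this patch fixes that CVE, but the subject and body describe a correction to the test case testcases/cve/cve-2017-5669.c, not to a vulnerability in LTP itself. Drop the tag, or state in the message that only the test's expectation changes, so the patch is not taken for a security fix to the recipe. The header also carries `Signed-off-by: Rafael David Tinoco` twice; one of them is redundant.
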
>>>> +diff --git a/testcases/cve/cve-2017-5669.c
>>>> b/testcases/cve/cve-2017-5669.c
>>>> +index 1ca5983..0834626 100644
>>>> +--- a/testcases/cve/cve-2017-5669.c
>>>> ++++ b/testcases/cve/cve-2017-5669.c
>>>> +@@ -28,7 +28,20 @@
>>>> +  * is just to see if we get an access error or some other
>>>> unexpected behaviour.
>>>> +  *
>>>> +  * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page
>>>> protection)
>>>> ++ *
>>>> ++ * The commit above disallowed SHM_RND maps to zero (and rounded)
>>>> entirely and
>>>> ++ * that broke userland for cases like Xorg. New behavior disallows
>>>> REMAPs to
>>>> ++ * lower addresses (0<=PAGESIZE).
>>>> ++ *
>>>> ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap
>>>> nil-page protect...)
>>>> ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after
>>>> round-dow...)
>>>> ++ * See https://github.com/linux-test-project/ltp/issues/319
>>>> ++ *
>>>> ++ * This test needs root permissions or else security_mmap_addr(),
>>>> from
>>>> ++ * get_unmapped_area(), will cause permission errors when trying
>>>> to mmap lower
>>>> ++ * addresses.
>>>> +  */
>>>> ++
>>>> + #include <sys/types.h>
>>>> + #include <sys/ipc.h>
>>>> + #include <sys/shm.h>
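
Review bot: the range notation `(0<=PAGESIZE)` in the added comment is hard to parse and does not match the subject line, which says `0 (or <PAGESIZE with RND flag)`. Write it as addresses below PAGESIZE, and say explicitly that the rejection applies when SHM_REMAP is set, since the preceding sentence is about SHM_RND. The extra blank line added after the closing `*/` can go.
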
>>>> +@@ -60,7 +73,11 @@ static void cleanup(void)
>>>> + static void run(void)
>>>> + {
>>>> +     tst_res(TINFO, "Attempting to attach shared memory to null
>>>> page");
>>>> +-    shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
>>>> ++    /*
>>>> ++     * shmat() for 0 (or < PAGESIZE with RND flag) has to fail
>>>> with REMAPs
>>>> ++     * https://github.com/linux-test-project/ltp/issues/319
>>>> ++     */
>>>> ++    shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
>>>> +     if (shm_addr == (void *)-1) {
>>>> +         shm_addr = NULL;
>>>> +         if (errno == EINVAL) {
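
Review bot: with the flags changed to `SHM_RND | SHM_REMAP`, the test checks only the case the commit message lists as NOT OK; nothing here verifies the other half of the stated behaviour, that mapping at a low address without SHM_REMAP keeps working (the Xorg case the header comment mentions). A second attach without SHM_REMAP that expects success would catch a kernel that rejects both. The TINFO string above the call could also name SHM_REMAP so the log shows which variant ran.
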
>>>> +@@ -89,6 +106,7 @@ static void run(void)
>>>> + }
>>>> +
>>>> + static struct tst_test test = {
>>>> ++    .needs_root = 1,
>>>> +     .setup = setup,
>>>> +     .cleanup = cleanup,
>>>> +     .test_all = run,
>>>> +--
>>>> +2.7.4
>>>> +
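
Review bot: `.needs_root = 1` is a behaviour change that the commit message never mentions; the only explanation is the paragraph added to the file header comment about security_mmap_addr(). Say in the message that the test now requires root and why, since a run as an unprivileged user will no longer exercise this check.
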
>>>> diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb
>>>> b/meta/recipes-extended/ltp/ltp_20180515.bb
>>>> index b07c1b9..48739f1 100644
>>>> --- a/meta/recipes-extended/ltp/ltp_20180515.bb
>>>> +++ b/meta/recipes-extended/ltp/ltp_20180515.bb
>>>> @@ -41,6 +41,7 @@ SRC_URI =
>>>> "git://github.com/linux-test-project/ltp.git \
>>>> file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch
>>>> \
>>>> file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \
>>>> file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch
>>>> \
>>>> +
>>>> file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>> \
>>>>               "
>>>>      S = "${WORKDIR}/git"
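
Review bot: this SRC_URI entry carries the fix only in ltp_20180515.bb, so the Rocko and Sumo backport asked about in this thread is not covered by this hunk and would need its own recipe change on those branches. Since the patch is marked `Upstream-Status: Accepted`, note in the commit message that the entry should be dropped at the next LTP version bump.
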



