[v3] ltp: fix cve-2017-5669 test case

Message ID 1528788854-29279-1-git-send-email-naresh.kamboju@linaro.org
State Accepted
Commit e356cb7e7bfb407c2f3a1bd0f28b5f14beaff882
Headers show
Series
  • [v3] ltp: fix cve-2017-5669 test case
Related show

Commit Message

Naresh Kamboju June 12, 2018, 7:34 a.m.
Adding cve-2017-5669 test fix patch which is accepted upstream in LTP repo.

Ref:
cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to fail with REMAPs
https://github.com/linux-test-project/ltp/pull/324

Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324]
CVE: cve-2017-5669
Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>

---
 ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97 ++++++++++++++++++++++
 meta/recipes-extended/ltp/ltp_20180515.bb          |  1 +
 2 files changed, 98 insertions(+)
 create mode 100644 meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch

-- 
2.7.4

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Saul Wold June 13, 2018, 5:40 p.m. | #1
Can this be backported to both Rocko and Sumo?

Or is this a case to update LTP in those older releases?


Sau!


On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
> Adding cve-2017-5669 test fix patch which is accepted upstream in LTP repo.

>

> Ref:

> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to fail with REMAPs

> https://github.com/linux-test-project/ltp/pull/324

>

> Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324]

> CVE: cve-2017-5669

> Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>

> ---

>   ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97 ++++++++++++++++++++++

>   meta/recipes-extended/ltp/ltp_20180515.bb          |  1 +

>   2 files changed, 98 insertions(+)

>   create mode 100644 meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch

>

> diff --git a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch

> new file mode 100644

> index 0000000..2a47785

> --- /dev/null

> +++ b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch

> @@ -0,0 +1,97 @@

> +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001

> +From: Rafael David Tinoco <rafael.tinoco@canonical.com>

> +Date: Wed, 30 May 2018 09:14:34 -0300

> +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has

> + to fail with REMAPs

> +

> +Fixes: https://github.com/linux-test-project/ltp/issues/319

> +

> +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),

> +cve-2017-5669 needs to address the "new" way of handling nil addresses

> +for shmat() when used with MAP_FIXED or SHM_REMAP flags.

> +

> +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else X11 is broken)

> +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses

> +

> +Addresses Davidlohr Bueso's comments/changes:

> +

> +commit 8f89c007b6de

> +Author: Davidlohr Bueso <dave@stgolabs.net>

> +Date:   Fri May 25 14:47:30 2018 -0700

> +

> +    ipc/shm: fix shmat() nil address after round-down when remapping

> +

> +commit a73ab244f0da

> +Author: Davidlohr Bueso <dave@stgolabs.net>

> +Date:   Fri May 25 14:47:27 2018 -0700

> +

> +    Revert "ipc/shm: Fix shmat mmap nil-page protection"

> +

> +For previously test, and now broken, made based on:

> +

> +commit 95e91b831f87

> +Author: Davidlohr Bueso <dave@stgolabs.net>

> +Date:   Mon Feb 27 14:28:24 2017 -0800

> +

> +    ipc/shm: Fix shmat mmap nil-page protection

> +

> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>

> +Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>

> +Reviewed-by: Jan Stancek <jstancek@redhat.com>

> +

> +Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324]

> +CVE: cve-2017-5669

> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>

> +---

> + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++-

> + 1 file changed, 19 insertions(+), 1 deletion(-)

> +

> +diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c

> +index 1ca5983..0834626 100644

> +--- a/testcases/cve/cve-2017-5669.c

> ++++ b/testcases/cve/cve-2017-5669.c

> +@@ -28,7 +28,20 @@

> +  * is just to see if we get an access error or some other unexpected behaviour.

> +  *

> +  * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection)

> ++ *

> ++ * The commit above disallowed SHM_RND maps to zero (and rounded) entirely and

> ++ * that broke userland for cases like Xorg. New behavior disallows REMAPs to

> ++ * lower addresses (0<=PAGESIZE).

> ++ *

> ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...)

> ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...)

> ++ * See https://github.com/linux-test-project/ltp/issues/319

> ++ *

> ++ * This test needs root permissions or else security_mmap_addr(), from

> ++ * get_unmapped_area(), will cause permission errors when trying to mmap lower

> ++ * addresses.

> +  */

> ++

> + #include <sys/types.h>

> + #include <sys/ipc.h>

> + #include <sys/shm.h>

> +@@ -60,7 +73,11 @@ static void cleanup(void)

> + static void run(void)

> + {

> + 	tst_res(TINFO, "Attempting to attach shared memory to null page");

> +-	shm_addr = shmat(shm_id, ((void *)1), SHM_RND);

> ++	/*

> ++	 * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs

> ++	 * https://github.com/linux-test-project/ltp/issues/319

> ++	 */

> ++	shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);

> + 	if (shm_addr == (void *)-1) {

> + 		shm_addr = NULL;

> + 		if (errno == EINVAL) {

> +@@ -89,6 +106,7 @@ static void run(void)

> + }

> +

> + static struct tst_test test = {

> ++	.needs_root = 1,

> + 	.setup = setup,

> + 	.cleanup = cleanup,

> + 	.test_all = run,

> +--

> +2.7.4

> +

> diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb b/meta/recipes-extended/ltp/ltp_20180515.bb

> index b07c1b9..48739f1 100644

> --- a/meta/recipes-extended/ltp/ltp_20180515.bb

> +++ b/meta/recipes-extended/ltp/ltp_20180515.bb

> @@ -41,6 +41,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \

>              file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \

>              file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \

>              file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \

> +           file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch \

>              "

>   

>   S = "${WORKDIR}/git"


-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Naresh Kamboju June 14, 2018, 1:25 p.m. | #2
On 13 June 2018 at 23:10, Saul Wold <sgw@linux.intel.com> wrote:
> Can this be backported to both Rocko and Sumo?


This can be backported to both Rocko and not sure about Sumo
(I did not work on Sumo branch).

>

> Or is this a case to update LTP in those older releases?


Latest LTP + this fix patch (upstream accepted).

- Naresh
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Saul Wold June 18, 2018, 4:58 p.m. | #3
Armin

Is there any chance of getting this into Sumo and Rocko?


Sau!


On 06/13/2018 10:40 AM, Saul Wold wrote:
> Can this be backported to both Rocko and Sumo?
>
> Or is this a case to update LTP in those older releases?
>
>
> Sau!
>
>
> On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
>> Adding cve-2017-5669 test fix patch which is accepted upstream in LTP 
>> repo.
>>
>> Ref:
>> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to fail 
>> with REMAPs
>> https://github.com/linux-test-project/ltp/pull/324
>>
>> Upstream-Status: Accepted 
>> [https://github.com/linux-test-project/ltp/pull/324]
>> CVE: cve-2017-5669
>> Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>> ---
>>   ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97 
>> ++++++++++++++++++++++
>>   meta/recipes-extended/ltp/ltp_20180515.bb          |  1 +
>>   2 files changed, 98 insertions(+)
>>   create mode 100644 
>> meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>
>> diff --git 
>> a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch 
>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch 
>>
>> new file mode 100644
>> index 0000000..2a47785
>> --- /dev/null
>> +++ 
>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>> @@ -0,0 +1,97 @@
>> +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001
>> +From: Rafael David Tinoco <rafael.tinoco@canonical.com>
>> +Date: Wed, 30 May 2018 09:14:34 -0300
>> +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND 
>> flag) has
>> + to fail with REMAPs
>> +
>> +Fixes: https://github.com/linux-test-project/ltp/issues/319
>> +
>> +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
>> +cve-2017-5669 needs to address the "new" way of handling nil addresses
>> +for shmat() when used with MAP_FIXED or SHM_REMAP flags.
>> +
>> +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else 
>> X11 is broken)
>> +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses
>> +
>> +Addresses Davidlohr Bueso's comments/changes:
>> +
>> +commit 8f89c007b6de
>> +Author: Davidlohr Bueso <dave@stgolabs.net>
>> +Date:   Fri May 25 14:47:30 2018 -0700
>> +
>> +    ipc/shm: fix shmat() nil address after round-down when remapping
>> +
>> +commit a73ab244f0da
>> +Author: Davidlohr Bueso <dave@stgolabs.net>
>> +Date:   Fri May 25 14:47:27 2018 -0700
>> +
>> +    Revert "ipc/shm: Fix shmat mmap nil-page protection"
>> +
>> +For previously test, and now broken, made based on:
>> +
>> +commit 95e91b831f87
>> +Author: Davidlohr Bueso <dave@stgolabs.net>
>> +Date:   Mon Feb 27 14:28:24 2017 -0800
>> +
>> +    ipc/shm: Fix shmat mmap nil-page protection
>> +
>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
>> +Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>> +Reviewed-by: Jan Stancek <jstancek@redhat.com>
>> +
>> +Upstream-Status: Accepted 
>> [https://github.com/linux-test-project/ltp/pull/324]
>> +CVE: cve-2017-5669
>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
>> +---
>> + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++-
>> + 1 file changed, 19 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/testcases/cve/cve-2017-5669.c 
>> b/testcases/cve/cve-2017-5669.c
>> +index 1ca5983..0834626 100644
>> +--- a/testcases/cve/cve-2017-5669.c
>> ++++ b/testcases/cve/cve-2017-5669.c
>> +@@ -28,7 +28,20 @@
>> +  * is just to see if we get an access error or some other 
>> unexpected behaviour.
>> +  *
>> +  * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection)
>> ++ *
>> ++ * The commit above disallowed SHM_RND maps to zero (and rounded) 
>> entirely and
>> ++ * that broke userland for cases like Xorg. New behavior disallows 
>> REMAPs to
>> ++ * lower addresses (0<=PAGESIZE).
>> ++ *
>> ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap 
>> nil-page protect...)
>> ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after 
>> round-dow...)
>> ++ * See https://github.com/linux-test-project/ltp/issues/319
>> ++ *
>> ++ * This test needs root permissions or else security_mmap_addr(), from
>> ++ * get_unmapped_area(), will cause permission errors when trying to 
>> mmap lower
>> ++ * addresses.
>> +  */
>> ++
>> + #include <sys/types.h>
>> + #include <sys/ipc.h>
>> + #include <sys/shm.h>
>> +@@ -60,7 +73,11 @@ static void cleanup(void)
>> + static void run(void)
>> + {
>> +     tst_res(TINFO, "Attempting to attach shared memory to null page");
>> +-    shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
>> ++    /*
>> ++     * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with 
>> REMAPs
>> ++     * https://github.com/linux-test-project/ltp/issues/319
>> ++     */
>> ++    shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
>> +     if (shm_addr == (void *)-1) {
>> +         shm_addr = NULL;
>> +         if (errno == EINVAL) {
>> +@@ -89,6 +106,7 @@ static void run(void)
>> + }
>> +
>> + static struct tst_test test = {
>> ++    .needs_root = 1,
>> +     .setup = setup,
>> +     .cleanup = cleanup,
>> +     .test_all = run,
>> +--
>> +2.7.4
>> +
>> diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb 
>> b/meta/recipes-extended/ltp/ltp_20180515.bb
>> index b07c1b9..48739f1 100644
>> --- a/meta/recipes-extended/ltp/ltp_20180515.bb
>> +++ b/meta/recipes-extended/ltp/ltp_20180515.bb
>> @@ -41,6 +41,7 @@ SRC_URI = 
>> "git://github.com/linux-test-project/ltp.git \
>> file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \
>> file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \
>> file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \
>> + 
>> file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch \
>>              "
>>     S = "${WORKDIR}/git"
>
akuster808 June 19, 2018, 4:25 a.m. | #4
On 06/18/2018 09:58 AM, Saul Wold wrote:
> Armin
>
> Is there any chance of getting this into Sumo and Rocko?
Is there a chance we can have  a beer the next time I am in Eugene?

The CVE framework for LTP appears to be in the Rocko version so a little
backporting  is in order.. I will poke at it to see how straight forward
it might be. If i can, you will see patches.


- Armin
>
>
> Sau!
>
>
> On 06/13/2018 10:40 AM, Saul Wold wrote:
>> Can this be backported to both Rocko and Sumo?
>>
>> Or is this a case to update LTP in those older releases?
>>
>>
>> Sau!
>>
>>
>> On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
>>> Adding cve-2017-5669 test fix patch which is accepted upstream in
>>> LTP repo.
>>>
>>> Ref:
>>> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to
>>> fail with REMAPs
>>> https://github.com/linux-test-project/ltp/pull/324
>>>
>>> Upstream-Status: Accepted
>>> [https://github.com/linux-test-project/ltp/pull/324]
>>> CVE: cve-2017-5669
>>> Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>>> ---
>>>   ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97
>>> ++++++++++++++++++++++
>>>   meta/recipes-extended/ltp/ltp_20180515.bb          |  1 +
>>>   2 files changed, 98 insertions(+)
>>>   create mode 100644
>>> meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>
>>> diff --git
>>> a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>
>>> new file mode 100644
>>> index 0000000..2a47785
>>> --- /dev/null
>>> +++
>>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>> @@ -0,0 +1,97 @@
>>> +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001
>>> +From: Rafael David Tinoco <rafael.tinoco@canonical.com>
>>> +Date: Wed, 30 May 2018 09:14:34 -0300
>>> +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with
>>> RND flag) has
>>> + to fail with REMAPs
>>> +
>>> +Fixes: https://github.com/linux-test-project/ltp/issues/319
>>> +
>>> +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
>>> +cve-2017-5669 needs to address the "new" way of handling nil addresses
>>> +for shmat() when used with MAP_FIXED or SHM_REMAP flags.
>>> +
>>> +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else
>>> X11 is broken)
>>> +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses
>>> +
>>> +Addresses Davidlohr Bueso's comments/changes:
>>> +
>>> +commit 8f89c007b6de
>>> +Author: Davidlohr Bueso <dave@stgolabs.net>
>>> +Date:   Fri May 25 14:47:30 2018 -0700
>>> +
>>> +    ipc/shm: fix shmat() nil address after round-down when remapping
>>> +
>>> +commit a73ab244f0da
>>> +Author: Davidlohr Bueso <dave@stgolabs.net>
>>> +Date:   Fri May 25 14:47:27 2018 -0700
>>> +
>>> +    Revert "ipc/shm: Fix shmat mmap nil-page protection"
>>> +
>>> +For previously test, and now broken, made based on:
>>> +
>>> +commit 95e91b831f87
>>> +Author: Davidlohr Bueso <dave@stgolabs.net>
>>> +Date:   Mon Feb 27 14:28:24 2017 -0800
>>> +
>>> +    ipc/shm: Fix shmat mmap nil-page protection
>>> +
>>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
>>> +Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>>> +Reviewed-by: Jan Stancek <jstancek@redhat.com>
>>> +
>>> +Upstream-Status: Accepted
>>> [https://github.com/linux-test-project/ltp/pull/324]
>>> +CVE: cve-2017-5669
>>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
>>> +---
>>> + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++-
>>> + 1 file changed, 19 insertions(+), 1 deletion(-)
>>> +
>>> +diff --git a/testcases/cve/cve-2017-5669.c
>>> b/testcases/cve/cve-2017-5669.c
>>> +index 1ca5983..0834626 100644
>>> +--- a/testcases/cve/cve-2017-5669.c
>>> ++++ b/testcases/cve/cve-2017-5669.c
>>> +@@ -28,7 +28,20 @@
>>> +  * is just to see if we get an access error or some other
>>> unexpected behaviour.
>>> +  *
>>> +  * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page
>>> protection)
>>> ++ *
>>> ++ * The commit above disallowed SHM_RND maps to zero (and rounded)
>>> entirely and
>>> ++ * that broke userland for cases like Xorg. New behavior disallows
>>> REMAPs to
>>> ++ * lower addresses (0<=PAGESIZE).
>>> ++ *
>>> ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap
>>> nil-page protect...)
>>> ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after
>>> round-dow...)
>>> ++ * See https://github.com/linux-test-project/ltp/issues/319
>>> ++ *
>>> ++ * This test needs root permissions or else security_mmap_addr(),
>>> from
>>> ++ * get_unmapped_area(), will cause permission errors when trying
>>> to mmap lower
>>> ++ * addresses.
>>> +  */
>>> ++
>>> + #include <sys/types.h>
>>> + #include <sys/ipc.h>
>>> + #include <sys/shm.h>
>>> +@@ -60,7 +73,11 @@ static void cleanup(void)
>>> + static void run(void)
>>> + {
>>> +     tst_res(TINFO, "Attempting to attach shared memory to null
>>> page");
>>> +-    shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
>>> ++    /*
>>> ++     * shmat() for 0 (or < PAGESIZE with RND flag) has to fail
>>> with REMAPs
>>> ++     * https://github.com/linux-test-project/ltp/issues/319
>>> ++     */
>>> ++    shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
>>> +     if (shm_addr == (void *)-1) {
>>> +         shm_addr = NULL;
>>> +         if (errno == EINVAL) {
>>> +@@ -89,6 +106,7 @@ static void run(void)
>>> + }
>>> +
>>> + static struct tst_test test = {
>>> ++    .needs_root = 1,
>>> +     .setup = setup,
>>> +     .cleanup = cleanup,
>>> +     .test_all = run,
>>> +--
>>> +2.7.4
>>> +
>>> diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb
>>> b/meta/recipes-extended/ltp/ltp_20180515.bb
>>> index b07c1b9..48739f1 100644
>>> --- a/meta/recipes-extended/ltp/ltp_20180515.bb
>>> +++ b/meta/recipes-extended/ltp/ltp_20180515.bb
>>> @@ -41,6 +41,7 @@ SRC_URI =
>>> "git://github.com/linux-test-project/ltp.git \
>>> file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch
>>> \
>>> file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \
>>> file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch
>>> \
>>> +
>>> file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>> \
>>>              "
>>>     S = "${WORKDIR}/git"
>>
>
Saul Wold June 19, 2018, 4:48 a.m. | #5
On 06/18/2018 09:25 PM, akuster808 wrote:
>
> On 06/18/2018 09:58 AM, Saul Wold wrote:
>> Armin
>>
>> Is there any chance of getting this into Sumo and Rocko?
> Is there a chance we can have  a beer the next time I am in Eugene?
Of course!  I did not know that you made it in to this area!  Either 
homebrew or local brew is very available!
> The CVE framework for LTP appears to be in the Rocko version so a little
> backporting  is in order.. I will poke at it to see how straight forward
> it might be. If i can, you will see patches.
Thanks do much.

Sau!

>
> - Armin
>>
>> Sau!
>>
>>
>> On 06/13/2018 10:40 AM, Saul Wold wrote:
>>> Can this be backported to both Rocko and Sumo?
>>>
>>> Or is this a case to update LTP in those older releases?
>>>
>>>
>>> Sau!
>>>
>>>
>>> On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
>>>> Adding cve-2017-5669 test fix patch which is accepted upstream in
>>>> LTP repo.
>>>>
>>>> Ref:
>>>> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to
>>>> fail with REMAPs
>>>> https://github.com/linux-test-project/ltp/pull/324
>>>>
>>>> Upstream-Status: Accepted
>>>> [https://github.com/linux-test-project/ltp/pull/324]
>>>> CVE: cve-2017-5669
>>>> Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>>>> ---
>>>>    ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97
>>>> ++++++++++++++++++++++
>>>>    meta/recipes-extended/ltp/ltp_20180515.bb          |  1 +
>>>>    2 files changed, 98 insertions(+)
>>>>    create mode 100644
>>>> meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>>
>>>> diff --git
>>>> a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>>
>>>> new file mode 100644
>>>> index 0000000..2a47785
>>>> --- /dev/null
>>>> +++
>>>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>> @@ -0,0 +1,97 @@
>>>> +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001
>>>> +From: Rafael David Tinoco <rafael.tinoco@canonical.com>
>>>> +Date: Wed, 30 May 2018 09:14:34 -0300
>>>> +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with
>>>> RND flag) has
>>>> + to fail with REMAPs
>>>> +
>>>> +Fixes: https://github.com/linux-test-project/ltp/issues/319
>>>> +
>>>> +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
>>>> +cve-2017-5669 needs to address the "new" way of handling nil addresses
>>>> +for shmat() when used with MAP_FIXED or SHM_REMAP flags.
>>>> +
>>>> +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else
>>>> X11 is broken)
>>>> +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses
>>>> +
>>>> +Addresses Davidlohr Bueso's comments/changes:
>>>> +
>>>> +commit 8f89c007b6de
>>>> +Author: Davidlohr Bueso <dave@stgolabs.net>
>>>> +Date:   Fri May 25 14:47:30 2018 -0700
>>>> +
>>>> +    ipc/shm: fix shmat() nil address after round-down when remapping
>>>> +
>>>> +commit a73ab244f0da
>>>> +Author: Davidlohr Bueso <dave@stgolabs.net>
>>>> +Date:   Fri May 25 14:47:27 2018 -0700
>>>> +
>>>> +    Revert "ipc/shm: Fix shmat mmap nil-page protection"
>>>> +
>>>> +For previously test, and now broken, made based on:
>>>> +
>>>> +commit 95e91b831f87
>>>> +Author: Davidlohr Bueso <dave@stgolabs.net>
>>>> +Date:   Mon Feb 27 14:28:24 2017 -0800
>>>> +
>>>> +    ipc/shm: Fix shmat mmap nil-page protection
>>>> +
>>>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
>>>> +Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>>>> +Reviewed-by: Jan Stancek <jstancek@redhat.com>
>>>> +
>>>> +Upstream-Status: Accepted
>>>> [https://github.com/linux-test-project/ltp/pull/324]
>>>> +CVE: cve-2017-5669
>>>> +Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
>>>> +---
>>>> + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++-
>>>> + 1 file changed, 19 insertions(+), 1 deletion(-)
>>>> +
>>>> +diff --git a/testcases/cve/cve-2017-5669.c
>>>> b/testcases/cve/cve-2017-5669.c
>>>> +index 1ca5983..0834626 100644
>>>> +--- a/testcases/cve/cve-2017-5669.c
>>>> ++++ b/testcases/cve/cve-2017-5669.c
>>>> +@@ -28,7 +28,20 @@
>>>> +  * is just to see if we get an access error or some other
>>>> unexpected behaviour.
>>>> +  *
>>>> +  * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page
>>>> protection)
>>>> ++ *
>>>> ++ * The commit above disallowed SHM_RND maps to zero (and rounded)
>>>> entirely and
>>>> ++ * that broke userland for cases like Xorg. New behavior disallows
>>>> REMAPs to
>>>> ++ * lower addresses (0<=PAGESIZE).
>>>> ++ *
>>>> ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap
>>>> nil-page protect...)
>>>> ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after
>>>> round-dow...)
>>>> ++ * See https://github.com/linux-test-project/ltp/issues/319
>>>> ++ *
>>>> ++ * This test needs root permissions or else security_mmap_addr(),
>>>> from
>>>> ++ * get_unmapped_area(), will cause permission errors when trying
>>>> to mmap lower
>>>> ++ * addresses.
>>>> +  */
>>>> ++
>>>> + #include <sys/types.h>
>>>> + #include <sys/ipc.h>
>>>> + #include <sys/shm.h>
>>>> +@@ -60,7 +73,11 @@ static void cleanup(void)
>>>> + static void run(void)
>>>> + {
>>>> +     tst_res(TINFO, "Attempting to attach shared memory to null
>>>> page");
>>>> +-    shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
>>>> ++    /*
>>>> ++     * shmat() for 0 (or < PAGESIZE with RND flag) has to fail
>>>> with REMAPs
>>>> ++     * https://github.com/linux-test-project/ltp/issues/319
>>>> ++     */
>>>> ++    shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
>>>> +     if (shm_addr == (void *)-1) {
>>>> +         shm_addr = NULL;
>>>> +         if (errno == EINVAL) {
>>>> +@@ -89,6 +106,7 @@ static void run(void)
>>>> + }
>>>> +
>>>> + static struct tst_test test = {
>>>> ++    .needs_root = 1,
>>>> +     .setup = setup,
>>>> +     .cleanup = cleanup,
>>>> +     .test_all = run,
>>>> +--
>>>> +2.7.4
>>>> +
>>>> diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb
>>>> b/meta/recipes-extended/ltp/ltp_20180515.bb
>>>> index b07c1b9..48739f1 100644
>>>> --- a/meta/recipes-extended/ltp/ltp_20180515.bb
>>>> +++ b/meta/recipes-extended/ltp/ltp_20180515.bb
>>>> @@ -41,6 +41,7 @@ SRC_URI =
>>>> "git://github.com/linux-test-project/ltp.git \
>>>> file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch
>>>> \
>>>> file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \
>>>> file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch
>>>> \
>>>> +
>>>> file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>>> \
>>>>               "
>>>>      S = "${WORKDIR}/git"

Patch

diff --git a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
new file mode 100644
index 0000000..2a47785
--- /dev/null
+++ b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
@@ -0,0 +1,97 @@ 
+From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001
+From: Rafael David Tinoco <rafael.tinoco@canonical.com>
+Date: Wed, 30 May 2018 09:14:34 -0300
+Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has
+ to fail with REMAPs
+
+Fixes: https://github.com/linux-test-project/ltp/issues/319
+
+According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
+cve-2017-5669 needs to address the "new" way of handling nil addresses
+for shmat() when used with MAP_FIXED or SHM_REMAP flags.
+
+- mapping nil-page is OK on lower addresses with MAP_FIXED (or else X11 is broken)
+- mapping nil-page is NOT OK with SHM_REMAP on lower addresses
+
+Addresses Davidlohr Bueso's comments/changes:
+
+commit 8f89c007b6de
+Author: Davidlohr Bueso <dave@stgolabs.net>
+Date:   Fri May 25 14:47:30 2018 -0700
+
+    ipc/shm: fix shmat() nil address after round-down when remapping
+
+commit a73ab244f0da
+Author: Davidlohr Bueso <dave@stgolabs.net>
+Date:   Fri May 25 14:47:27 2018 -0700
+
+    Revert "ipc/shm: Fix shmat mmap nil-page protection"
+
+For previously test, and now broken, made based on:
+
+commit 95e91b831f87
+Author: Davidlohr Bueso <dave@stgolabs.net>
+Date:   Mon Feb 27 14:28:24 2017 -0800
+
+    ipc/shm: Fix shmat mmap nil-page protection
+
+Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
+Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Reviewed-by: Jan Stancek <jstancek@redhat.com>
+
+Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324]
+CVE: cve-2017-5669
+Signed-off-by: Rafael David Tinoco <rafael.tinoco@linaro.org>
+---
+ testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c
+index 1ca5983..0834626 100644
+--- a/testcases/cve/cve-2017-5669.c
++++ b/testcases/cve/cve-2017-5669.c
+@@ -28,7 +28,20 @@
+  * is just to see if we get an access error or some other unexpected behaviour.
+  *
+  * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection)
++ *
++ * The commit above disallowed SHM_RND maps to zero (and rounded) entirely and
++ * that broke userland for cases like Xorg. New behavior disallows REMAPs to
++ * lower addresses (0<=PAGESIZE).
++ *
++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...)
++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...)
++ * See https://github.com/linux-test-project/ltp/issues/319
++ *
++ * This test needs root permissions or else security_mmap_addr(), from
++ * get_unmapped_area(), will cause permission errors when trying to mmap lower
++ * addresses.
+  */
++
+ #include <sys/types.h>
+ #include <sys/ipc.h>
+ #include <sys/shm.h>
+@@ -60,7 +73,11 @@ static void cleanup(void)
+ static void run(void)
+ {
+ 	tst_res(TINFO, "Attempting to attach shared memory to null page");
+-	shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
++	/*
++	 * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs
++	 * https://github.com/linux-test-project/ltp/issues/319
++	 */
++	shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
+ 	if (shm_addr == (void *)-1) {
+ 		shm_addr = NULL;
+ 		if (errno == EINVAL) {
+@@ -89,6 +106,7 @@ static void run(void)
+ }
+ 
+ static struct tst_test test = {
++	.needs_root = 1,
+ 	.setup = setup,
+ 	.cleanup = cleanup,
+ 	.test_all = run,
+-- 
+2.7.4
+
diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb b/meta/recipes-extended/ltp/ltp_20180515.bb
index b07c1b9..48739f1 100644
--- a/meta/recipes-extended/ltp/ltp_20180515.bb
+++ b/meta/recipes-extended/ltp/ltp_20180515.bb
@@ -41,6 +41,7 @@  SRC_URI = "git://github.com/linux-test-project/ltp.git \
            file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \
            file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \
            file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \
+           file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch \
            "
 
 S = "${WORKDIR}/git"