From patchwork Tue Jun 12 07:34:14 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Naresh Kamboju X-Patchwork-Id: 138298 Delivered-To: patch@linaro.org Received: by 2002:a2e:970d:0:0:0:0:0 with SMTP id r13-v6csp5016025lji; Tue, 12 Jun 2018 00:34:28 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKt+aW5b24s5MDN+hHHztr8E8Duf/Ju7/ggw5A2Sff40XxyVW0G47K6tQt6QVo1YTjwYI/V X-Received: by 2002:a63:304:: with SMTP id 4-v6mr2157267pgd.290.1528788867908; Tue, 12 Jun 2018 00:34:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528788867; cv=none; d=google.com; s=arc-20160816; b=xYSCYJDWSuJkwa9eEN1vKKzhMSLCwOzQX/YxdB0VPSuTcUFZwVBQeF7UvGdRKcMOfQ Eun5kvl0D6qcLkWBpfblubp+ubBqaHnVt5S7I4bbifsNkvfcmO22EigU05ZD0elZOaZe 4VBxnIqfhCm0qAsfN23fm5CPiLl0IUG4YQGsr07Iypvtz/6b4L/r/RTQxFgpO3gmNGqo dIUIF1E8AVcM8uVGQkSIs/q055IufYRT1zavWl6HAkGW3m3tYMMSiyGcRxq5xpHtHhyA iOPmN0XYb2B1Mtyk5+CBLx3AF9aRNqBShSnDFE3GQYdWd8qSjK0jsEqIiSvtKYCAsvfa +j7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:message-id:date:to:from:dkim-signature :delivered-to:arc-authentication-results; bh=R21XDhTZNbs+x2onS4pUUDvhcESoBIIV1bjLePKMnPY=; b=0MnRLhCocU3D2xIP3HaN+gqvj1QXuhKNfAkqOt90ENSYrmYCR5ieUXGk54kud+ysW3 ox1N+eg6/C+QpUp0M2osEsuwpBaCtIfYWi6gwIitwZcDWMB59VwID3LOWlMPf7cfhzzd /nrDvLjAv2Vw3030qrl+Z0I7B0t4E+S4UtsqLctwiXkf1AmjoFeSLuQY+DNPuDbSVgqo ITnh5CO4vlx6wWqivubISSxwOtPO11AfIVkoNr8Oxqhr2EnFQBUVzUOeyt8YTA6l7iuN j9SULbTOM4cey+0uMsZENZopy/hgxTaYo3bmIwKgU28K8MQBsucxSLUwV+H3G7cTKLa8 cWng== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=Zh71LEst; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id i186-v6si279947pfb.90.2018.06.12.00.34.27; Tue, 12 Jun 2018 00:34:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=Zh71LEst; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from layers.openembedded.org (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 3A51A78E03; Tue, 12 Jun 2018 07:34:24 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-pl0-f50.google.com (mail-pl0-f50.google.com [209.85.160.50]) by mail.openembedded.org (Postfix) with ESMTP id B7BBB78DB3 for ; Tue, 12 Jun 2018 07:34:22 +0000 (UTC) Received: by mail-pl0-f50.google.com with SMTP id z9-v6so13860348plk.11 for ; Tue, 12 Jun 2018 00:34:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id; bh=OmNMXTikRRo1rTZnSsNRDB0tEIigeiBGiClMAz9ZsgM=; b=Zh71LEstDXMIM9GGAN+HBPxWR5s5MLgkys1rCMswFiazUR8HzR25aodpiqKRzQDt/N llbBa4l9WnaRQj9Ic41yYD8q4IO6DQhsKodz+y8P11YRzhE3ygsLjImbKTe2CEKYsBO2 zP4xaEG9JK5m7xTW/JYshcPpEiaq/bvYgS1zA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=OmNMXTikRRo1rTZnSsNRDB0tEIigeiBGiClMAz9ZsgM=; b=CgX/rg8+SWQ5+yeSNXoFoPicyHKwcV91rPyXOJuZoJZpCxgxQjLRd6G3/Any7N2bk2 Nq2GXU3GO2AQb5Grr6SYkxj5T6mOsHt+Hgya64hbTBRKw69wETNfkJ/TzYhrgIWWa2Dv YQJAg0ydtnt6JZ2vxYFAVOfZlhxy3xuF/L8BxAnhBAYa9+x3Oft5TdjwESYF3h+Tbpyg ITp3ZHYwPetlauTmt4OrRcZIrRLCM9+OzfINexVpqQSdZD052j5P7VSlVPt/6OEZwqGX ROyEMMiU8hXRHnqvUm58vmQ+0N6QYqLBb2B6WPuE7mWZcknR1lmZfOPv/oXK20ieTYh2 FPPQ== X-Gm-Message-State: APt69E13OwdOvpt1nszyCxvbHqa67tDFiEDTSwqk5SOANxtF193lFmRl vi+Dj+zfqiRFS4/9GAsgMxOqypgojZc= X-Received: by 2002:a17:902:44a4:: with SMTP id l33-v6mr2810507pld.134.1528788863214; Tue, 12 Jun 2018 00:34:23 -0700 (PDT) Received: from localhost.localdomain ([2405:204:6487:b39:1483:44d3:2d1f:ed8b]) by smtp.gmail.com with ESMTPSA id c17-v6sm520208pgw.11.2018.06.12.00.34.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 12 Jun 2018 00:34:21 -0700 (PDT) From: Naresh Kamboju To: openembedded-core@lists.openembedded.org Date: Tue, 12 Jun 2018 13:04:14 +0530 Message-Id: <1528788854-29279-1-git-send-email-naresh.kamboju@linaro.org> X-Mailer: git-send-email 2.7.4 Subject: [OE-core] [PATCH v3] ltp: fix cve-2017-5669 test case X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org Adding cve-2017-5669 test fix patch which is accepted upstream in LTP repo. Ref: cve-2017-5669: shmat() for 0 (or --- ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97 ++++++++++++++++++++++ meta/recipes-extended/ltp/ltp_20180515.bb | 1 + 2 files changed, 98 insertions(+) create mode 100644 meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch new file mode 100644 index 0000000..2a47785 --- /dev/null +++ b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch @@ -0,0 +1,97 @@ +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001 +From: Rafael David Tinoco +Date: Wed, 30 May 2018 09:14:34 -0300 +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or +Date: Fri May 25 14:47:30 2018 -0700 + + ipc/shm: fix shmat() nil address after round-down when remapping + +commit a73ab244f0da +Author: Davidlohr Bueso +Date: Fri May 25 14:47:27 2018 -0700 + + Revert "ipc/shm: Fix shmat mmap nil-page protection" + +For previously test, and now broken, made based on: + +commit 95e91b831f87 +Author: Davidlohr Bueso +Date: Mon Feb 27 14:28:24 2017 -0800 + + ipc/shm: Fix shmat mmap nil-page protection + +Signed-off-by: Rafael David Tinoco +Tested-by: Naresh Kamboju +Reviewed-by: Jan Stancek + +Upstream-Status: Accepted [https://github.com/linux-test-project/ltp/pull/324] +CVE: cve-2017-5669 +Signed-off-by: Rafael David Tinoco +--- + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c +index 1ca5983..0834626 100644 +--- a/testcases/cve/cve-2017-5669.c ++++ b/testcases/cve/cve-2017-5669.c +@@ -28,7 +28,20 @@ + * is just to see if we get an access error or some other unexpected behaviour. + * + * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection) ++ * ++ * The commit above disallowed SHM_RND maps to zero (and rounded) entirely and ++ * that broke userland for cases like Xorg. New behavior disallows REMAPs to ++ * lower addresses (0<=PAGESIZE). ++ * ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...) ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...) ++ * See https://github.com/linux-test-project/ltp/issues/319 ++ * ++ * This test needs root permissions or else security_mmap_addr(), from ++ * get_unmapped_area(), will cause permission errors when trying to mmap lower ++ * addresses. + */ ++ + #include + #include + #include +@@ -60,7 +73,11 @@ static void cleanup(void) + static void run(void) + { + tst_res(TINFO, "Attempting to attach shared memory to null page"); +- shm_addr = shmat(shm_id, ((void *)1), SHM_RND); ++ /* ++ * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs ++ * https://github.com/linux-test-project/ltp/issues/319 ++ */ ++ shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP); + if (shm_addr == (void *)-1) { + shm_addr = NULL; + if (errno == EINVAL) { +@@ -89,6 +106,7 @@ static void run(void) + } + + static struct tst_test test = { ++ .needs_root = 1, + .setup = setup, + .cleanup = cleanup, + .test_all = run, +-- +2.7.4 + diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb b/meta/recipes-extended/ltp/ltp_20180515.bb index b07c1b9..48739f1 100644 --- a/meta/recipes-extended/ltp/ltp_20180515.bb +++ b/meta/recipes-extended/ltp/ltp_20180515.bb @@ -41,6 +41,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \ file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch \ file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \ file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch \ + file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch \ " S = "${WORKDIR}/git"