From patchwork Wed May 30 15:40:45 2018
X-Patchwork-Submitter: Rafael David Tinoco
X-Patchwork-Id: 922862
X-Patchwork-Delegate: jan.stancek@gmail.com
From: Rafael David Tinoco
To: ltp@lists.linux.it
Date: Wed, 30 May 2018 12:40:45 -0300
Message-Id: <20180530154045.17803-1-rafael.tinoco@linaro.org>
Subject: [LTP] [PATCH] shmat() for 0 (or

Fixes: https://github.com/linux-test-project/ltp/issues/319

According to upstream thread (https://lkml.org/lkml/2018/5/28/2056),
cve-2017-5669 needs to address the "new" way of handling nil addresses
for shmat() when used with MAP_FIXED or SHM_REMAP flags.

- mapping nil-page is OK on lower addresses with MAP_FIXED (or else X11
  is broken)
- mapping nil-page is NOT OK with SHM_REMAP on lower addresses

Addresses Davidlohr Bueso's comments/changes:

commit 8f89c007b6de
Author: Davidlohr Bueso
Date: Fri May 25 14:47:30 2018 -0700

    ipc/shm: fix shmat() nil address after round-down when remapping

commit a73ab244f0da
Author: Davidlohr Bueso
Date: Fri May 25 14:47:27 2018 -0700

    Revert "ipc/shm: Fix shmat mmap nil-page protection"

The previous test was made based on:

commit 95e91b831f87
Author: Davidlohr Bueso
Date: Mon Feb 27 14:28:24 2017 -0800

    ipc/shm: Fix shmat mmap nil-page protection

Signed-off-by: Rafael David Tinoco
--- testcases/cve/cve-2017-5669.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c index 1ca598326..16e4d80be 100644 --- a/testcases/cve/cve-2017-5669.c +++ b/testcases/cve/cve-2017-5669.c
@@ -28,6 +28,9 @@ * is just to see if we get an access error or some other unexpected behaviour. * * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection) + * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...) + * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...) + * See https://github.com/linux-test-project/ltp/issues/319 */ #include #include @@ -60,7 +63,11 @@ static void cleanup(void) static void run(void) { tst_res(TINFO, "Attempting to attach shared memory to null page"); - shm_addr = shmat(shm_id, ((void *)1), SHM_RND); + /* + * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs + * https://github.com/linux-test-project/ltp/issues/319 + */ + shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP); if (shm_addr == (void *)-1) { shm_addr = NULL; if (errno == EINVAL) {
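Review bot: In the header comment hunk (@@ -28,6 +28,9 @@), the two added "See commit" lines cut the commit subjects off with "..." ("protect...)" and "round-dow...)"), and the comment still does not say which behaviour the test now expects. Spell the subjects out in full, wrapping onto a second comment line if needed, and add one sentence stating that the attach is expected to be rejected when SHM_REMAP is set, so a reader does not have to open issue 319 to understand the test.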
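Review bot: In run() (@@ -60,7 +63,11 @@), the new comment describes shmat() "for 0", but the call only passes ((void *)1) with SHM_RND | SHM_REMAP, so the address-0 case is not exercised; reword the comment to match what is tested, or add that case. The commit message also lists a second rule, that mapping the nil page is OK with MAP_FIXED, and nothing in this hunk checks that permitted direction, so a kernel that starts rejecting it again would still pass this test; consider a second check for the permitted case. The TINFO text "Attempting to attach shared memory to null page" could also mention SHM_REMAP so the log records which variant ran.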