
[v1,1/1] runtest/cve: Add some existing CVE tests to runtest file

Message ID 80595ab205ea7b3f633bf4228bb43ee999aef3a1.1687247273.git.souta.kawahara@miraclelinux.com
State Superseded
Series [v1,1/1] runtest/cve: Add some existing CVE tests to runtest file

Commit Message

河原颯太 June 20, 2023, 8:03 a.m. UTC
Signed-off-by: Souta Kawahara <souta.kawahara@miraclelinux.com>
---
 runtest/cve | 13 +++++++++++++
 1 file changed, 13 insertions(+)

Comments

Li Wang June 20, 2023, 8:34 a.m. UTC | #1
Hi Souta and Cyril,

On Tue, Jun 20, 2023 at 4:13 PM Souta Kawahara <souta.kawahara@miraclelinux.com> wrote:

> Signed-off-by: Souta Kawahara <souta.kawahara@miraclelinux.com>
> ---
>  runtest/cve | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>
> diff --git a/runtest/cve b/runtest/cve
> index f9a449fe7..aa10093c0 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -19,11 +19,13 @@ cve-2016-10044 cve-2016-10044
>  cve-2017-2618 cve-2017-2618
>  cve-2017-2636 pty05
>  cve-2017-2671 cve-2017-2671
> +cve-2017-5669 shmat03
>

This one looks like it was dropped from the CVE list purposely,
according to:

commit 2588dafd4651706ed7ae34ae3b744b0ee8cd6384
Author: Cyril Hrubis <chrubis@suse.cz>
Date:   Wed Aug 14 14:13:28 2019 +0200

    syscalls/shmat03: Remove it from runtest/cve

    The original POC[1] and CVE-2017-5669 are not tested by this test
    anymore as it turned out that the CVE was bogus. See:

    https://marc.info/?l=linux-mm&m=152510978123755&w=2

    And the test became regression test for:

    commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc
    Author: Davidlohr Bueso <dave@stgolabs.net>
    Date:   Fri May 25 14:47:30 2018 -0700

        ipc/shm: fix shmat() nil address after round-down when remapping

    Hence we will keep the test but remove it from the CVE runtest file and adjust
    the top level comment in the test code.

    [1] https://bugzilla.kernel.org/attachment.cgi?id=252511
        from https://bugzilla.kernel.org/show_bug.cgi?id=192931

>  cve-2017-5754 meltdown
>  cve-2017-6951 request_key05
>  cve-2017-7308 setsockopt02
>  cve-2017-7472 keyctl04
>  cve-2017-7616 set_mempolicy05
> +cve-2017-8890 accept02
>  cve-2017-10661 timerfd_settime02
>  cve-2017-12192 keyctl07
>  cve-2017-12193 add_key04
> @@ -41,16 +43,19 @@ cve-2017-17805 af_alg02
>  cve-2017-17806 af_alg01
>  cve-2017-17807 request_key04
>  cve-2017-18075 pcrypt_aead01
> +cve-2017-18344 timer_create03
>  cve-2017-1000111 setsockopt07
>  cve-2017-1000112 setsockopt05
>  cve-2017-1000364 stack_clash
>  cve-2017-1000380 snd_timer01
>  cve-2017-1000405 thp04
>  cve-2018-5803 sctp_big_chunk
> +cve-2018-6927 futex_cmp_requeue02
>  cve-2018-7566 snd_seq01
>  cve-2018-8897 ptrace09
>  cve-2018-9568 connect02
>  cve-2018-10124 kill13
> +cve-2018-11508 adjtimex03
>  cve-2018-12896 timer_settime03
>  cve-2018-13405 creat09
>  cve-2018-18445 bpf_prog04
> @@ -66,15 +71,23 @@ cve-2020-14386 sendto03
>  cve-2020-14416 pty03
>  cve-2020-25705 icmp_rate_limit01
>  cve-2020-29373 io_uring02
> +cve-2020-36557 pty06
>  cve-2021-3444 bpf_prog05
>  cve-2021-3609 can_bcm01
> +cve-2021-3653 kvm_svm01
> +cve-2021-3656 kvm_svm02
>  cve-2021-4034 execve06
> +cve-2021-4197_1 cgroup_core01
> +cve-2021-4197_2 cgroup_core02
> +cve-2021-4204 bpf_prog06
>  cve-2021-22555 setsockopt08 -i 100
>  cve-2021-26708 vsock01
>  cve-2021-22600 setsockopt09
> +cve-2021-38198 kvm_pagefault01
>  cve-2021-38604 mq_notify03
>  cve-2022-0847 dirtypipe
>  cve-2022-2590 dirtyc0w_shmem
> +cve-2022-23222 bpf_prog07
>  # Tests below may cause kernel memory leak
>  cve-2020-25704 perf_event_open03
>  cve-2022-0185 fsconfig03
> --
> 2.31.1
>

The rest looks good.
Petr Vorel June 20, 2023, 9:08 p.m. UTC | #2
Hi Li, all,

...
> > +cve-2017-5669 shmat03

> This one looks like it was dropped from the CVE list purposely,
> according to:

> commit 2588dafd4651706ed7ae34ae3b744b0ee8cd6384
> Author: Cyril Hrubis <chrubis@suse.cz>
> Date:   Wed Aug 14 14:13:28 2019 +0200

>     syscalls/shmat03: Remove it from runtest/cve

>     The original POC[1] and CVE-2017-5669 are not tested by this test
>     anymore as it turned out that the CVE was bogus. See:

>     https://marc.info/?l=linux-mm&m=152510978123755&w=2

>     And the test became regression test for:

>     commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc
>     Author: Davidlohr Bueso <dave@stgolabs.net>
>     Date:   Fri May 25 14:47:30 2018 -0700

>         ipc/shm: fix shmat() nil address after round-down when remapping

>     Hence we will keep the test but remove it from the CVE runtest file and

Good catch, Li. I'm for merging this without the "cve-2017-5669 shmat03" line.
With this change:
Reviewed-by: Petr Vorel <pvorel@suse.cz>

> adjust
>     the top level comment in the test code.
Do you plan to do this?

Kind regards,
Petr
河原颯太 June 21, 2023, 12:19 a.m. UTC | #3
Hi all.

Thank you for all your reviews!

June 21, 2023 (Wed) 6:08 Petr Vorel <pvorel@suse.cz>:
>
> Hi Li, all,
>
> ...
> > > +cve-2017-5669 shmat03
>
> > This one looks like it was dropped from the CVE list purposely,
> > according to:
>
> > commit 2588dafd4651706ed7ae34ae3b744b0ee8cd6384
> > Author: Cyril Hrubis <chrubis@suse.cz>
> > Date:   Wed Aug 14 14:13:28 2019 +0200
>
> >     syscalls/shmat03: Remove it from runtest/cve
>
> >     The original POC[1] and CVE-2017-5669 are not tested by this test
> >     anymore as it turned out that the CVE was bogus. See:
>
> >     https://marc.info/?l=linux-mm&m=152510978123755&w=2
>
> >     And the test became regression test for:
>
> >     commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc
> >     Author: Davidlohr Bueso <dave@stgolabs.net>
> >     Date:   Fri May 25 14:47:30 2018 -0700
>
> >         ipc/shm: fix shmat() nil address after round-down when remapping
>
> >     Hence we will keep the test but remove it from the CVE runtest file and
>
> Good catch, Li. I'm for merging this without the "cve-2017-5669 shmat03" line.
> With this change:
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
>
> > adjust
> >     the top level comment in the test code.
> Do you plan to do this?

This seems to have already been done, according to the diff part of commit "2588dafd4651706ed7ae34ae3b744b0ee8cd6384":

diff --git a/testcases/kernel/syscalls/ipc/shmat/shmat03.c
b/testcases/kernel/syscalls/ipc/shmat/shmat03.c
index 13ea39c63..18d3db028 100644
--- a/testcases/kernel/syscalls/ipc/shmat/shmat03.c
+++ b/testcases/kernel/syscalls/ipc/shmat/shmat03.c
@@ -4,26 +4,28 @@
  * Copyright (c) 2017 Fujitsu Ltd. (Xiao Yang <yangx.jy@cn.fujitsu.com>)
  */
 /*
- * Test for CVE-2017-5669 which allows us to map the nil page using shmat.
+ * Originated as a test for CVE-2017-5669 but as it turns out the CVE was bogus
+ * to begin with and the test was changed into a regression test for commit:
  *

Regards,
Souta Kawahara <souta.kawahara@miraclelinux.com>

Patch

diff --git a/runtest/cve b/runtest/cve
index f9a449fe7..aa10093c0 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -19,11 +19,13 @@  cve-2016-10044 cve-2016-10044
 cve-2017-2618 cve-2017-2618
 cve-2017-2636 pty05
 cve-2017-2671 cve-2017-2671
+cve-2017-5669 shmat03
 cve-2017-5754 meltdown
 cve-2017-6951 request_key05
 cve-2017-7308 setsockopt02
 cve-2017-7472 keyctl04
 cve-2017-7616 set_mempolicy05
+cve-2017-8890 accept02
 cve-2017-10661 timerfd_settime02
 cve-2017-12192 keyctl07
 cve-2017-12193 add_key04
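Review bot: the `+cve-2017-5669 shmat03` line in this hunk re-adds an entry that was removed on purpose; as Li Wang notes in the thread, commit 2588dafd4651706ed7ae34ae3b744b0ee8cd6384 dropped shmat03 from runtest/cve because CVE-2017-5669 turned out to be bogus and the test is now a regression test for commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc ("ipc/shm: fix shmat() nil address after round-down when remapping"). Drop that line and keep `+cve-2017-8890 accept02`. The commit message body is empty apart from the Signed-off-by, so a sentence listing which existing tests are being added and that each one was checked against the history of runtest/cve would make this easier to review.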
@@ -41,16 +43,19 @@  cve-2017-17805 af_alg02
 cve-2017-17806 af_alg01
 cve-2017-17807 request_key04
 cve-2017-18075 pcrypt_aead01
+cve-2017-18344 timer_create03
 cve-2017-1000111 setsockopt07
 cve-2017-1000112 setsockopt05
 cve-2017-1000364 stack_clash
 cve-2017-1000380 snd_timer01
 cve-2017-1000405 thp04
 cve-2018-5803 sctp_big_chunk
+cve-2018-6927 futex_cmp_requeue02
 cve-2018-7566 snd_seq01
 cve-2018-8897 ptrace09
 cve-2018-9568 connect02
 cve-2018-10124 kill13
+cve-2018-11508 adjtimex03
 cve-2018-12896 timer_settime03
 cve-2018-13405 creat09
 cve-2018-18445 bpf_prog04
@@ -66,15 +71,23 @@  cve-2020-14386 sendto03
 cve-2020-14416 pty03
 cve-2020-25705 icmp_rate_limit01
 cve-2020-29373 io_uring02
+cve-2020-36557 pty06
 cve-2021-3444 bpf_prog05
 cve-2021-3609 can_bcm01
+cve-2021-3653 kvm_svm01
+cve-2021-3656 kvm_svm02
 cve-2021-4034 execve06
+cve-2021-4197_1 cgroup_core01
+cve-2021-4197_2 cgroup_core02
+cve-2021-4204 bpf_prog06
 cve-2021-22555 setsockopt08 -i 100
 cve-2021-26708 vsock01
 cve-2021-22600 setsockopt09
+cve-2021-38198 kvm_pagefault01
 cve-2021-38604 mq_notify03
 cve-2022-0847 dirtypipe
 cve-2022-2590 dirtyc0w_shmem
+cve-2022-23222 bpf_prog07
 # Tests below may cause kernel memory leak
 cve-2020-25704 perf_event_open03
 cve-2022-0185 fsconfig03
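Review bot: `+cve-2021-4197_1 cgroup_core01` and `+cve-2021-4197_2 cgroup_core02` use a suffixed tag to split one CVE across two test binaries; since the first column is the name that shows up in the results, the commit message should say so (or confirm the `_1`/`_2` suffix matches an existing convention in the file), as the message currently carries no body. Pre-existing and not introduced here: `cve-2021-26708 vsock01` sits before `cve-2021-22600 setsockopt09`, out of the numeric order the rest of the file follows; worth a separate follow-up patch.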