On 06/18/2018 09:58 AM, Saul Wold wrote:
> Armin
>
> Is there any chance of getting this into Sumo and Rocko?

Is there a chance we can have a beer the next time I am in Eugene?

The CVE framework for LTP appears to be in the Rocko version so a little backporting is in order. I will poke at it to see how straightforward it might be. If I can, you will see patches.

- Armin

>
>
> Sau!
>
>
> On 06/13/2018 10:40 AM, Saul Wold wrote:
>> Can this be backported to both Rocko and Sumo?
>>
>> Or is this a case to update LTP in those older releases?
>>
>>
>> Sau!
>>
>>
>> On 06/12/2018 12:34 AM, Naresh Kamboju wrote:
>>> Adding cve-2017-5669 test fix patch which is accepted upstream in
>>> LTP repo.
>>>
>>> Ref:
>>> cve-2017-5669: shmat() for 0 (or <PAGESIZE with RND flag) has to
>>> fail with REMAPs
>>> https://github.com/linux-test-project/ltp/pull/324
>>>
>>> Upstream-Status: Accepted
>>> [https://github.com/linux-test-project/ltp/pull/324]
>>> CVE: cve-2017-5669
>>> Signed-off-by: Naresh Kamboju <naresh.kamb...@linaro.org>
>>> --- >>> ...69-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch | 97 >>> ++++++++++++++++++++++ >>> meta/recipes-extended/ltp/ltp_20180515.bb | 1 + >>> 2 files changed, 98 insertions(+) >>> create mode 100644 >>> meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >>> >>> diff --git >>> a/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >>> >>> new file mode 100644 >>> index 0000000..2a47785 >>> --- /dev/null >>> +++ >>> b/meta/recipes-extended/ltp/ltp/0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch
>>> @@ -0,0 +1,97 @@ >>> +From b767b73ef027ba8d35f297c7d3659265ac80425b Mon Sep 17 00:00:00 2001 >>> +From: Rafael David Tinoco <rafael.tin...@canonical.com> >>> +Date: Wed, 30 May 2018 09:14:34 -0300 >>> +Subject: [PATCH] cve-2017-5669: shmat() for 0 (or <PAGESIZE with >>> RND flag) has >>> + to fail with REMAPs >>> + >>> +Fixes: https://github.com/linux-test-project/ltp/issues/319 >>> + >>> +According to upstream thread (https://lkml.org/lkml/2018/5/28/2056), >>> +cve-2017-5669 needs to address the "new" way of handling nil addresses >>> +for shmat() when used with MAP_FIXED or SHM_REMAP flags. >>> + >>> +- mapping nil-page is OK on lower addresses with MAP_FIXED (or else >>> X11 is broken) >>> +- mapping nil-page is NOT OK with SHM_REMAP on lower addresses >>> + >>> +Addresses Davidlohr Bueso's comments/changes: >>> + >>> +commit 8f89c007b6de >>> +Author: Davidlohr Bueso <d...@stgolabs.net> >>> +Date: Fri May 25 14:47:30 2018 -0700 >>> + >>> + ipc/shm: fix shmat() nil address after round-down when remapping >>> + >>> +commit a73ab244f0da >>> +Author: Davidlohr Bueso <d...@stgolabs.net> >>> +Date: Fri May 25 14:47:27 2018 -0700 >>> + >>> + Revert "ipc/shm: Fix shmat mmap nil-page protection" >>> + >>> +For previously test, and now broken, made based on: >>> + >>> +commit 95e91b831f87 >>> +Author: Davidlohr Bueso <d...@stgolabs.net> >>> +Date: Mon Feb 27 14:28:24 2017 -0800 >>> + >>> + ipc/shm: Fix shmat mmap nil-page protection >>> + >>> +Signed-off-by: Rafael David Tinoco <rafael.tin...@linaro.org> >>> +Tested-by: Naresh Kamboju <naresh.kamb...@linaro.org> >>> +Reviewed-by: Jan Stancek <jstan...@redhat.com> >>> + >>> +Upstream-Status: Accepted >>> [https://github.com/linux-test-project/ltp/pull/324] >>> +CVE: cve-2017-5669 >>> +Signed-off-by: Rafael David Tinoco <rafael.tin...@linaro.org> >>> +--- >>> + testcases/cve/cve-2017-5669.c | 20 +++++++++++++++++++- >>> + 1 file changed, 19 insertions(+), 1 deletion(-) >>> + >>> +diff --git 
a/testcases/cve/cve-2017-5669.c >>> b/testcases/cve/cve-2017-5669.c >>> +index 1ca5983..0834626 100644 >>> +--- a/testcases/cve/cve-2017-5669.c >>> ++++ b/testcases/cve/cve-2017-5669.c >>> +@@ -28,7 +28,20 @@ >>> + * is just to see if we get an access error or some other >>> unexpected behaviour. >>> + * >>> + * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page >>> protection) >>> ++ * >>> ++ * The commit above disallowed SHM_RND maps to zero (and rounded) >>> entirely and >>> ++ * that broke userland for cases like Xorg. New behavior disallows >>> REMAPs to >>> ++ * lower addresses (0<=PAGESIZE). >>> ++ * >>> ++ * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap >>> nil-page protect...) >>> ++ * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after >>> round-dow...) >>> ++ * See https://github.com/linux-test-project/ltp/issues/319 >>> ++ * >>> ++ * This test needs root permissions or else security_mmap_addr(), >>> from >>> ++ * get_unmapped_area(), will cause permission errors when trying >>> to mmap lower >>> ++ * addresses. >>> + */ >>> ++ >>> + #include <sys/types.h> >>> + #include <sys/ipc.h> >>> + #include <sys/shm.h> >>> +@@ -60,7 +73,11 @@ static void cleanup(void) >>> + static void run(void) >>> + { >>> + tst_res(TINFO, "Attempting to attach shared memory to null >>> page"); >>> +- shm_addr = shmat(shm_id, ((void *)1), SHM_RND); >>> ++ /* >>> ++ * shmat() for 0 (or < PAGESIZE with RND flag) has to fail >>> with REMAPs >>> ++ * https://github.com/linux-test-project/ltp/issues/319 >>> ++ */ >>> ++ shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP); >>> + if (shm_addr == (void *)-1) { >>> + shm_addr = NULL; >>> + if (errno == EINVAL) { >>> +@@ -89,6 +106,7 @@ static void run(void) >>> + } >>> + >>> + static struct tst_test test = { >>> ++ .needs_root = 1, >>> + .setup = setup, >>> + .cleanup = cleanup, >>> + .test_all = run, >>> +-- >>> +2.7.4 >>> + 
>>> diff --git a/meta/recipes-extended/ltp/ltp_20180515.bb >>> b/meta/recipes-extended/ltp/ltp_20180515.bb >>> index b07c1b9..48739f1 100644 >>> --- a/meta/recipes-extended/ltp/ltp_20180515.bb >>> +++ b/meta/recipes-extended/ltp/ltp_20180515.bb >>> @@ -41,6 +41,7 @@ SRC_URI = >>> "git://github.com/linux-test-project/ltp.git \ >>> file://0036-testcases-network-nfsv4-acl-acl1.c-Security-fix-on-s.patch >>> \ >>> file://0039-commands-ar01-Fix-for-test-in-deterministic-mode.patch \ >>> file://0040-read_all-Define-FNM_EXTMATCH-if-not-already-like-und.patch >>> \ >>> + >>> file://0041-cve-2017-5669-shmat-for-0-or-PAGESIZE-with-RND-flag-.patch >>> \ >>> " >>> S = "${WORKDIR}/git" >> > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
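
Review bot: The tag block at the top of the added 0041 patch file writes the identifier in lower case ("CVE: cve-2017-5669"), and the commit message does the same; the CVE tag is normally given as the upper-case ID, CVE-2017-5669. The same block ends with a second Signed-off-by from Rafael David Tinoco, placed after the Upstream-Status and CVE lines, where the sign-off of the submitter who added those two lines would be expected.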
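
Review bot: The range in the new header comment of testcases/cve/cve-2017-5669.c, "(0<=PAGESIZE)", does not read as a range. Say instead that the address is below PAGESIZE and becomes 0 after the SHM_RND round-down, which is the case the shmat() call with (void *)1 exercises. The two added "See commit" lines are also cut off with "...", so either give the full subjects or leave only the hashes.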
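
Review bot: In run(), swapping SHM_RND for SHM_RND | SHM_REMAP leaves the test covering only the attach that must fail. The commit message states that mapping the nil page at low addresses has to stay allowed without SHM_REMAP (the X11 case), and nothing in this hunk checks that, so a kernel that rejects both forms would still pass. Consider a second attach, shmat(shm_id, ((void *)1), SHM_RND), that is expected not to fail with EINVAL, so that the test catches a return to the behaviour of commit 95e91b831f87.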