* [LTP] [PATCH v3] Add regression test for CVE-2017-17052
From: Michael Moese @ 2018-01-12 11:59 UTC (permalink / raw)
To: ltp
original reproducer can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b7e8665b4ff51c034c55df3cff76518d1a9ee3a
Signed-off-by: Michael Moese <mmoese@suse.de>
---
runtest/cve | 1 +
testcases/cve/.gitignore | 1 +
testcases/cve/Makefile | 2 +
testcases/cve/cve-2017-17052.c | 129 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 133 insertions(+)
create mode 100644 testcases/cve/cve-2017-17052.c
diff --git a/runtest/cve b/runtest/cve
index 5d124083e..529d832a9 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -27,3 +27,4 @@ cve-2017-15537 ptrace07
cve-2017-15951 request_key03 -b cve-2017-15951
cve-2017-1000364 stack_clash
cve-2017-5754 meltdown
+cve-2017-17052 cve-2017-17052
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 2566dbd18..42f32e825 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -10,3 +10,4 @@ cve-2017-6951
cve-2017-5669
meltdown
stack_clash
+cve-2017-17052
diff --git a/testcases/cve/Makefile b/testcases/cve/Makefile
index a7df1e43c..38ce27c93 100644
--- a/testcases/cve/Makefile
+++ b/testcases/cve/Makefile
@@ -36,4 +36,6 @@ ifneq (,$(filter $(HOST_CPU),x86 x86_64))
meltdown: CFLAGS += -msse2
endif
+cve-2017-17052: CFLAGS += -pthread
+
include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/cve/cve-2017-17052.c b/testcases/cve/cve-2017-17052.c
new file mode 100644
index 000000000..f0406e0a9
--- /dev/null
+++ b/testcases/cve/cve-2017-17052.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (c) 2018 Michael Moese <mmoese@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Test for CVE-2017-17052, original reproducer can be found here:
+ * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b7e8665b4ff51c034c55df3cff76518d1a9ee3a
+ *
+ * CAUTION!!
+ * This test will crash unpatched kernels!
+ * Use at your own risk!
+ *
+ */
+
+#include <unistd.h>
+#include <pthread.h>
+#include <sys/wait.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+
+#include "tst_test.h"
+#include "tst_safe_pthread.h"
+#include "lapi/syscalls.h"
+
+#define RUNS 4
+#define EXEC_USEC 400000
+
+struct my_shm_data {
+ int exit;
+};
+static struct my_shm_data *shm;
+
+static void setup(void)
+{
+ shm = SAFE_MMAP(NULL, sizeof(struct my_shm_data), PROT_READ|PROT_WRITE,
+ MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+
+ shm->exit = 0;
+}
+
+static void cleanup(void)
+{
+ SAFE_MUNMAP(shm, sizeof(struct my_shm_data));
+}
+
+static void *mmap_thread(void *_arg)
+{
+ for (;;) {
+ SAFE_MMAP(NULL, 0x1000000, PROT_READ,
+ MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
+ if (shm->exit)
+ exit(0);
+ }
+}
+
+static void *fork_thread(void *_arg)
+{
+ if (shm->exit)
+ exit(0);
+
+ usleep(rand() % 10000);
+ SAFE_FORK();
+}
+
+static void do_test_fork(void)
+{
+ int status;
+
+ SAFE_FORK();
+ SAFE_FORK();
+ SAFE_FORK();
+
+ for(;;) {
+ if (SAFE_FORK() == 0) {
+ pthread_t t;
+
+ SAFE_PTHREAD_CREATE(&t, NULL, mmap_thread, NULL);
+ SAFE_PTHREAD_CREATE(&t, NULL, fork_thread, NULL);
+ usleep(rand() % 10000);
+ syscall(__NR_exit_group, 0);
+ }
+ SAFE_WAIT(&status);
+ if (shm->exit)
+ exit(0);
+ }
+}
+
+static void run(void)
+{
+ pid_t pid;
+ volatile int run = 0;
+
+ while (run < RUNS) {
+ pid = SAFE_FORK();
+
+ if (pid == 0) {
+ do_test_fork();
+ } else {
+ usleep(EXEC_USEC);
+ shm->exit = 1;
+ }
+ tst_res(TINFO, "run %d passed\n", run);
+ run++;
+ }
+
+ if (run == RUNS)
+ tst_res(TPASS, "kernel survived %d runs", run);
+ else
+ tst_res(TBROK, "something strange happened");
+}
+
+static struct tst_test test = {
+ .forks_child = 1,
+ .cleanup = cleanup,
+ .setup = setup,
+ .test_all = run,
+};
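Review bot: In `run()`, `shm->exit` is set to 1 after the first iteration and never cleared, so in runs 2–4 every process started by `do_test_fork()` and both threads find the flag already set and exit almost at once; the test then reports "kernel survived 4 runs" although only the first 400 ms window appears to exercise the fork/mmap race this regression test exists for. Clearing the flag at the top of the loop, `shm->exit = 0;` before `pid = SAFE_FORK();`, would give each run its own window, but `run()` does not wait for the previous run's descendants, so they should be reaped before the flag is cleared or stragglers will keep forking. The `else` branch reporting `TBROK` after the loop is unreachable, because the loop only ends once `run == RUNS`. A short comment above `do_test_fork()` would also help readers, e.g. `/* never returns: loops until shm->exit is set, then calls exit(0) */`.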
--
2.13.6
* [LTP] [PATCH v3] Add regression test for CVE-2017-17052
From: Cyril Hrubis @ 2018-01-19 16:03 UTC (permalink / raw)
To: ltp
Hi!
> +#include <unistd.h>
> +#include <pthread.h>
> +#include <sys/wait.h>
> +#include <sys/syscall.h>
> +#include <sys/types.h>
> +
> +#include "tst_test.h"
> +#include "tst_safe_pthread.h"
> +#include "lapi/syscalls.h"
> +
> +#define RUNS 4
> +#define EXEC_USEC 400000
> +
> +struct my_shm_data {
> + int exit;
> +};
> +static struct my_shm_data *shm;
There is no need to pack the exit into a structure like that, we can
simply do:
static volatile int *do_exit;
...
do_exit = SAFE_MMAP(...);
And it should be volatile as well, so that it's not optimized-out of the
loops by the compiler.
> +static void setup(void)
> +{
> + shm = SAFE_MMAP(NULL, sizeof(struct my_shm_data), PROT_READ|PROT_WRITE,
^
The system aligns the length to be a
multiple of pagesize, so we may as well
pass result of getpagesize() here.
> + MAP_SHARED | MAP_ANONYMOUS, -1, 0);
> +
> + shm->exit = 0;
> +}
> +
> +static void cleanup(void)
> +{
> + SAFE_MUNMAP(shm, sizeof(struct my_shm_data));
^
Here we must pass length that is multiple of
pagesize, at least manual pages says so.
> +}
> +
> +static void *mmap_thread(void *_arg)
Identifiers starting with underscore are reserved for system i.e. libc
we should avoid using these here.
> +{
> + for (;;) {
> + SAFE_MMAP(NULL, 0x1000000, PROT_READ,
> + MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
> + if (shm->exit)
> + exit(0);
> + }
We may as well do:
return arg;
Which is a nice trick to avoid unused warnings.
Also you are supposed to include stdlib.h for exit(3).
> +}
> +
> +static void *fork_thread(void *_arg)
> +{
> + if (shm->exit)
> + exit(0);
> +
> + usleep(rand() % 10000);
> + SAFE_FORK();
> +}
Here as well, the arg should not start with underscore and we should add
return to avoid the warnings as well.
Sorry for not pointing these in the previous review, also no need to
respin the patch, I can fix the minor problems before commiting.
--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH v3] Add regression test for CVE-2017-17052
From: Cyril Hrubis @ 2018-01-19 17:54 UTC (permalink / raw)
To: ltp
Hi!
> > +static void setup(void)
> > +{
> > + shm = SAFE_MMAP(NULL, sizeof(struct my_shm_data), PROT_READ|PROT_WRITE,
> ^
> The system aligns the length to be a
> multiple of pagesize, so we may as well
> pass result of getpagesize() here.
> > + MAP_SHARED | MAP_ANONYMOUS, -1, 0);
> > +
> > + shm->exit = 0;
> > +}
> > +
> > +static void cleanup(void)
> > +{
> > + SAFE_MUNMAP(shm, sizeof(struct my_shm_data));
> ^
> Here we must pass length that is multiple of
> pagesize, at least manual pages says so.
Sorry, I've misread the manual page, that applies only for huge page
mappings, so passing sizeof(*shm) to mmap() and munmap() should work
just fine, it would still allocate whole page though.
--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH v3] Add regression test for CVE-2017-17052
From: Michael Moese @ 2018-01-20 11:32 UTC (permalink / raw)
To: ltp
Hi again,
I totally agree with your remarks.
> Sorry for not pointing these in the previous review, also no need to
> respin the patch, I can fix the minor problems before commiting.
If you want me to resend the patch, just tell me - I'll do that on monday.
Have a nice weekend,
Michael
--
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
* [LTP] [PATCH v3] Add regression test for CVE-2017-17052
From: Cyril Hrubis @ 2018-01-22 15:48 UTC (permalink / raw)
To: ltp
Hi!
> > Sorry for not pointing these in the previous review, also no need to
> > respin the patch, I can fix the minor problems before commiting.
> If you want me to resend the patch, just tell me - I'll do that on monday.
I've amended the changes locally, along with removing newline from one
of the tst_res() messages and pushed, thanks.
--
Cyril Hrubis
chrubis@suse.cz