[LTP] [PATCH v3 7/9] Test for CVE-2017-5669 in shmat

Cyril Hrubis chrubis@suse.cz
Wed Jul 19 15:19:53 CEST 2017


Hi!
> +static void cleanup(void)
> +{
> +	if (shm_addr)
> +		SAFE_SHMDT(shm_addr);
> +	shm_addr = 0;
> +
> +	if (shm_id)
> +		SAFE_SHMCTL(shm_id, IPC_RMID, 0);
> +	shm_id = 0;
> +}
> +
> +static void run(void)
> +{
> +	shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);

Shouldn't be this done once in the test setup()?

> +	tst_res(TINFO, "Attempting to attach shared memory to null page");
> +	shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
> +	if (shm_addr == (void *)-1) {
> +		if (errno == EINVAL) {
> +			tst_res(TPASS, "shmat returned EINVAL");
> +			shm_addr = 0;
> +			return;
> +		}
> +		tst_brk(TBROK | TERRNO,
> +			"The bug was not triggered, but the shmat error is unexpected");
> +	}
> +
> +	tst_res(TINFO, "Mapped shared memory to %p", shm_addr);
> +
> +	if (!((size_t)shm_addr & (~0U << 16)))
> +		tst_res(TFAIL,
> +			"We have mapped a VM address within the first 64Kb");
> +	else
> +		tst_res(TPASS,
> +			"The kernel assigned a different VM address");
> +
> +	((char *)shm_addr)[0] = 'P';

Why do we try to write to the addres at all?

We do PASS/FAIL decision based only on the addres returned from shmat().

Also we should detach the memory here in case that the test was called
with -i parameter.

> +}
> +
> +static struct tst_test test = {
> +	.cleanup = cleanup,
> +	.test_all = run,
> +};
> -- 
> 2.12.2
> 
> 
> -- 
> Mailing list info: https://lists.linux.it/listinfo/ltp

-- 
Cyril Hrubis
chrubis@suse.cz


More information about the ltp mailing list