[LTP] [PATCH v3 7/9] Test for CVE-2017-5669 in shmat
Richard Palethorpe
rpalethorpe@suse.de
Wed Jul 19 16:02:39 CEST 2017
Hello Cyril,
Cyril Hrubis writes:
> Hi!
>> +static void cleanup(void)
>> +{
>> + if (shm_addr)
>> + SAFE_SHMDT(shm_addr);
>> + shm_addr = 0;
>> +
>> + if (shm_id)
>> + SAFE_SHMCTL(shm_id, IPC_RMID, 0);
>> + shm_id = 0;
>> +}
>> +
>> +static void run(void)
>> +{
>> + shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);
>
> Shouldn't be this done once in the test setup()?
Yes.
>
>> + tst_res(TINFO, "Attempting to attach shared memory to null page");
>> + shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
>> + if (shm_addr == (void *)-1) {
>> + if (errno == EINVAL) {
>> + tst_res(TPASS, "shmat returned EINVAL");
>> + shm_addr = 0;
>> + return;
>> + }
>> + tst_brk(TBROK | TERRNO,
>> + "The bug was not triggered, but the shmat error is unexpected");
>> + }
>> +
>> + tst_res(TINFO, "Mapped shared memory to %p", shm_addr);
>> +
>> + if (!((size_t)shm_addr & (~0U << 16)))
>> + tst_res(TFAIL,
>> + "We have mapped a VM address within the first 64Kb");
>> + else
>> + tst_res(TPASS,
>> + "The kernel assigned a different VM address");
>> +
>> + ((char *)shm_addr)[0] = 'P';
>
> Why do we try to write to the addres at all?
>
> We do PASS/FAIL decision based only on the addres returned from
> shmat().
To see if anything interesting happens, like a segfault. I don't think
anything is likely to happen, but it seemed worth leaving in at the
time.
>
> Also we should detach the memory here in case that the test was called
> with -i parameter.
OK.
--
Thank you,
Richard.
More information about the ltp
mailing list