[LTP] [PATCH v3] Add regression test for CVE-2017-17052

Fri Jan 19 17:03:48 CET 2018

Hi!
> +#include <unistd.h>
> +#include <pthread.h>
> +#include <sys/wait.h>
> +#include <sys/syscall.h>
> +#include <sys/types.h>
> +
> +#include "tst_test.h"
> +#include "tst_safe_pthread.h"
> +#include "lapi/syscalls.h"
> +
> +#define RUNS	   4
> +#define EXEC_USEC  400000
> +
> +struct my_shm_data {
> +	int exit;
> +};
> +static struct my_shm_data *shm;

There is no need to pack the the exit into a structure like that, we can
simply do:

static volatile int *do_exit;

...

	do_exit = SAFE_MMAP(...);

And it should be volatile as well, so that it's not optimized-out of the
loops by the compiler.

> +static void setup(void)
> +{
> +	shm = SAFE_MMAP(NULL, sizeof(struct my_shm_data), PROT_READ|PROT_WRITE,
                               ^
			       The system aligns the length to be a
			       multiple of pagesize, so we may as well
			       pass result of getpagesize() here.
> +		    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
> +
> +	shm->exit = 0;
> +}
> +
> +static void cleanup(void)
> +{
> +	SAFE_MUNMAP(shm, sizeof(struct my_shm_data));
                          ^
			  Here we must pass length that is multiple of
			  pagesize, at least manual pages says so.

> +}
> +
> +static void *mmap_thread(void *_arg)

Identifiers starting with underscore are reserved for system i.e. libc
we should avoid using these here.

> +{
> +	for (;;) {
> +		SAFE_MMAP(NULL, 0x1000000, PROT_READ,
> +				MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
> +		if (shm->exit)
> +			exit(0);
> +	}

We may as well do:

	return arg;

Which is a nice trick to avoid unused warnings.

Also you are supposed to include stdlib.h for exit(3).

> +}
> +
> +static void *fork_thread(void *_arg)
> +{
> +	if (shm->exit)
> +		exit(0);
> +
> +	usleep(rand() % 10000);
> +	SAFE_FORK();
> +}

Here as well, the arg should not start with underscore and we should add
return to avoid the warnings as well.

Sorry for not pointing these in the previous review, also no need to
respin the patch, I can fix the minor problems before commiting.

-- 
Cyril Hrubis
chrubis@suse.cz