[LTP] [PATCH v2] security/dirtyc0w_shmem: Add new test for CVE-2022-2590
David Hildenbrand
david@redhat.com
Fri Nov 25 11:17:45 CET 2022
On 25.11.22 10:53, Martin Doucha wrote:
> Hi,
>
Hi Martin,
> On 23. 11. 22 11:35, David Hildenbrand wrote:
>> + pid = SAFE_FORK();
>> + if (!pid) {
>> + SAFE_SETGID(nobody_gid);
>> + SAFE_SETUID(nobody_uid);
>> + SAFE_EXECLP("dirtyc0w_shmem_child", "dirtyc0w_shmem_child", NULL);
>
> Manpage says that the last argument of execlp() must be (char*)NULL,
> including the explicit typecast.
$ git grep SAFE_EXECLP | grep NULL
testcases/kernel/connectors/pec/event_generator.c: SAFE_EXECLP(prog_name, prog_name, "-e", "exec", "-n", buf, NULL);
testcases/kernel/security/dirtyc0w/dirtyc0w.c: SAFE_EXECLP("dirtyc0w_child", "dirtyc0w_child",NULL);
testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem.c: SAFE_EXECLP("dirtyc0w_shmem_child", "dirtyc0w_shmem_child", NULL);
testcases/kernel/syscalls/pipe2/pipe2_02.c: SAFE_EXECLP(TESTBIN, TESTBIN, buf, NULL);
testcases/kernel/syscalls/setpgid/setpgid03.c: SAFE_EXECLP(TEST_APP, TEST_APP, NULL);
testcases/kernel/syscalls/setrlimit/setrlimit04.c: SAFE_EXECLP("/bin/true", "/bin/true", NULL);
>
>> +#else /* UFFD_FEATURE_MINOR_SHMEM */
>> +#include "tst_test.h"
>> +TST_TEST_TCONF("System does not have userfaultfd minor fault support for shmem");
>> +#endif /* UFFD_FEATURE_MINOR_SHMEM */
>
> When the child exits through this TST_TEST_TCONF(), the
> TST_CHECKPOINT_WAIT() in parent will fail. The parent process should not
> even fork() when UFFD_FEATURE_MINOR_SHMEM is not defined in config.h.
Thanks, you're right, that's the remaining case that doesn't
make the checkpoint happy.
I tried handling TCONF in the parent and it got all very ugly.
The following should do the trick:
From fb13df0ea9e477b8e903d3ef4df317e548200a86 Mon Sep 17 00:00:00 2001
From: David Hildenbrand <david@redhat.com>
Date: Fri, 25 Nov 2022 05:12:26 -0500
Subject: [PATCH v1] security/dirtyc0w_shmem: Fix test result when
UFFD_FEATURE_MINOR_SHMEM is missing
We have to make the checkpoint happy, otherwise our parent process will run
into a timeout.
Reported-by: Martin Doucha <mdoucha@suse.cz>
Signed-off-by: David Hildenbrand <david@redhat.com>
---
.../security/dirtyc0w_shmem/dirtyc0w_shmem_child.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem_child.c b/testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem_child.c
index cb2e9df0c..eac128e5d 100644
--- a/testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem_child.c
+++ b/testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem_child.c
@@ -24,12 +24,12 @@
#include <linux/userfaultfd.h>
#endif
-#ifdef UFFD_FEATURE_MINOR_SHMEM
-
#define TST_NO_DEFAULT_MAIN
#include "tst_test.h"
#include "tst_safe_macros.h"
#include "tst_safe_pthread.h"
+
+#ifdef UFFD_FEATURE_MINOR_SHMEM
#include "lapi/syscalls.h"
#define TMP_DIR "tmp_dirtyc0w_shmem"
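Review bot: Moving the #ifdef below the tst_*.h includes makes TST_NO_DEFAULT_MAIN and all three headers apply to the fallback branch as well, but the fallback main() added further down only calls tst_reinit(), TST_CHECKPOINT_WAKE() and tst_brk(). Consider keeping tst_safe_macros.h and tst_safe_pthread.h inside the #ifdef next to lapi/syscalls.h, or add a one-line comment above the #ifdef saying that the define and tst_test.h are deliberately shared by both branches, so a later cleanup does not move them back.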
@@ -236,6 +236,10 @@ int main(void)
return 0;
}
#else /* UFFD_FEATURE_MINOR_SHMEM */
-#include "tst_test.h"
-TST_TEST_TCONF("System does not have userfaultfd minor fault support for shmem");
+int main(void)
+{
+ tst_reinit();
+ TST_CHECKPOINT_WAKE(0);
+ tst_brk(TCONF, "System does not have userfaultfd minor fault support for shmem");
+}
#endif /* UFFD_FEATURE_MINOR_SHMEM */
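Review bot: In the new fallback main(), the ordering of TST_CHECKPOINT_WAKE(0) before tst_brk(TCONF, ...) is the whole fix, yet nothing in the code says why the wake is there; add a short comment that the parent is blocked in TST_CHECKPOINT_WAIT() and has to be released before the child exits with TCONF. Also, main() is declared int and ends on the tst_brk() call without a return statement; if that relies on tst_brk(TCONF, ...) not returning, say so in the comment or add an explicit return so the function does not draw a missing-return warning.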
--
2.38.1
Which gives me:
# ./dirtyc0w_shmem
tst_test.c:1552: TINFO: Timeout per run is 0h 02m 30s
dirtyc0w_shmem_child.c:243: TCONF: System does not have userfaultfd minor fault support for shmem
dirtyc0w_shmem.c:95: TINFO: Early child process exit
Summary:
passed 0
failed 0
broken 0
skipped 1
warnings 0
--
Thanks,
David / dhildenb
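
Added example, not part of the original message and not LTP code: a self-contained C model of the failure discussed above, where a child that exits on its "feature missing" path without releasing the checkpoint leaves the parent waiting until its timeout. A pipe stands in for LTP's checkpoint; run_parent(), child_skip(), the exit code 32 and the timeouts are constructed for illustration.

```c
#include <poll.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { CP_WOKEN = 0, CP_TIMEOUT = 1, CP_ERROR = 2 };

/* Child on the "feature missing" path: optionally release the parent's
 * checkpoint (stand-in for TST_CHECKPOINT_WAKE(0)), then exit as skipped. */
static void child_skip(int wake_fd, int wake_first)
{
	if (wake_first && write(wake_fd, "w", 1) != 1)
		_exit(1);
	_exit(32);	/* constructed "skipped" exit code */
}

/* Parent: fork the child, then wait on the checkpoint for timeout_ms. */
static int run_parent(int wake_first, int timeout_ms)
{
	int cp[2], res;
	struct pollfd pfd;
	pid_t pid;
	char c;

	if (pipe(cp) < 0)
		return CP_ERROR;
	pid = fork();
	if (pid < 0)
		return CP_ERROR;
	if (pid == 0) {
		close(cp[0]);
		child_skip(cp[1], wake_first);
	}
	/* The parent keeps cp[1] open on purpose: child exit alone must not
	 * signal anything, so only an explicit wake ends the wait early. */
	pfd.fd = cp[0];
	pfd.events = POLLIN;
	res = poll(&pfd, 1, timeout_ms);
	if (res > 0 && (pfd.revents & POLLIN) && read(cp[0], &c, 1) == 1)
		res = CP_WOKEN;
	else
		res = (res == 0) ? CP_TIMEOUT : CP_ERROR;
	close(cp[0]);
	close(cp[1]);
	waitpid(pid, NULL, 0);	/* reap the child in both cases */
	return res;
}
```

run_parent(0, 300) models the child before the fix (exit without a wake, the parent waits out its timeout); run_parent(1, 2000) models it after the fix.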