110 lines
2.8 KiB
C
110 lines
2.8 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
|
|
* Copyright (c) 2017 Fujitsu Ltd. (Xiao Yang <yangx.jy@cn.fujitsu.com>)
|
|
*/
|
|
/*
|
|
* Originated as a test for CVE-2017-5669 but as it turns out the CVE was bogus
|
|
* to begin with and the test was changed into a regression test for commit:
|
|
*
|
|
* commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc
|
|
* Author: Davidlohr Bueso <dave@stgolabs.net>
|
|
* Date: Fri May 25 14:47:30 2018 -0700
|
|
*
|
|
* ipc/shm: fix shmat() nil address after round-down when remapping
|
|
*
|
|
* Which makes sure that SHM_REMAP forbids NULL address consistently for
|
|
* SHM_RND as well.
|
|
*
|
|
* The timeline went as:
|
|
*
|
|
* 95e91b831f87 (ipc/shm: Fix shmat mmap nil-page protection)
|
|
* a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...)
|
|
* 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...)
|
|
*
|
|
* The original commit disallowed SHM_RND maps to zero (and rounded) entirely
|
|
* and that broke userland for cases like Xorg.
|
|
*
|
|
* See also https://github.com/linux-test-project/ltp/issues/319
|
|
*
|
|
* This test needs root permissions or else security_mmap_addr(), from
|
|
* get_unmapped_area(), will cause permission errors when trying to mmap lower
|
|
* addresses.
|
|
*/
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/ipc.h>
|
|
#include <sys/shm.h>
|
|
|
|
#include <stdio.h>
|
|
#include <errno.h>
|
|
#include <string.h>
|
|
|
|
#include "tst_test.h"
|
|
#include "tst_safe_sysv_ipc.h"
|
|
|
|
static int shm_id;
|
|
static void *shm_addr;
|
|
|
|
static void setup(void)
|
|
{
|
|
shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);
|
|
}
|
|
|
|
static void cleanup(void)
|
|
{
|
|
if (shm_addr)
|
|
SAFE_SHMDT(shm_addr);
|
|
|
|
if (shm_id)
|
|
SAFE_SHMCTL(shm_id, IPC_RMID, 0);
|
|
}
|
|
|
|
static void run(void)
|
|
{
|
|
tst_res(TINFO, "Attempting to attach shared memory to null page");
|
|
/*
|
|
* shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs
|
|
* https://github.com/linux-test-project/ltp/issues/319
|
|
*/
|
|
shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
|
|
if (shm_addr == (void *)-1) {
|
|
shm_addr = NULL;
|
|
if (errno == EINVAL) {
|
|
tst_res(TPASS, "shmat returned EINVAL");
|
|
return;
|
|
}
|
|
tst_brk(TBROK | TERRNO,
|
|
"The bug was not triggered, but the shmat error is unexpected");
|
|
}
|
|
|
|
tst_res(TINFO, "Mapped shared memory to %p", shm_addr);
|
|
|
|
if (!((size_t)shm_addr & (~0U << 16)))
|
|
tst_res(TFAIL,
|
|
"We have mapped a VM address within the first 64Kb");
|
|
else
|
|
tst_res(TPASS,
|
|
"The kernel assigned a different VM address");
|
|
|
|
tst_res(TINFO,
|
|
"Touching shared memory to see if anything strange happens");
|
|
((char *)shm_addr)[0] = 'P';
|
|
|
|
SAFE_SHMDT(shm_addr);
|
|
shm_addr = NULL;
|
|
}
|
|
|
|
static struct tst_test test = {
|
|
.needs_root = 1,
|
|
.setup = setup,
|
|
.cleanup = cleanup,
|
|
.test_all = run,
|
|
.tags = (const struct tst_tag[]) {
|
|
{"linux-git", "95e91b831f87"},
|
|
{"linux-git", "a73ab244f0da"},
|
|
{"linux-git", "8f89c007b6de"},
|
|
{}
|
|
}
|
|
};
|