1 /*
2 * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
3 * Copyright (c) 2017 Fujitsu Ltd. (Xiao Yang <yangx.jy@cn.fujitsu.com>)
4 *
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
17 */
18 /*
19 * Test for CVE-2017-5669 which allows us to map the nil page using shmat.
20 *
21 * When the bug is present shmat(..., (void *)1, SHM_RND) will round address
22 * 0x1 down to zero and give us the (nil/null) page. With the current bug fix
23 * in place, shmat it will return EINVAL instead. We also check to see if the
24 * returned address is outside the nil page in case an alternative fix has
25 * been applied.
26 *
27 * In any case we manage to map some memory we also try to write to it. This
28 * is just to see if we get an access error or some other unexpected behaviour.
29 *
30 * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection)
31 *
32 * The commit above disallowed SHM_RND maps to zero (and rounded) entirely and
33 * that broke userland for cases like Xorg. New behavior disallows REMAPs to
34 * lower addresses (0<=PAGESIZE).
35 *
36 * See commit a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...)
37 * See commit 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...)
38 * See https://github.com/linux-test-project/ltp/issues/319
39 *
40 * This test needs root permissions or else security_mmap_addr(), from
41 * get_unmapped_area(), will cause permission errors when trying to mmap lower
42 * addresses.
43 */
44
45 #include <sys/types.h>
46 #include <sys/ipc.h>
47 #include <sys/shm.h>
48
49 #include <stdio.h>
50 #include <errno.h>
51 #include <string.h>
52
53 #include "tst_test.h"
54 #include "tst_safe_sysv_ipc.h"
55
56 static int shm_id;
57 static void *shm_addr;
58
setup(void)59 static void setup(void)
60 {
61 shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);
62 }
63
cleanup(void)64 static void cleanup(void)
65 {
66 if (shm_addr)
67 SAFE_SHMDT(shm_addr);
68
69 if (shm_id)
70 SAFE_SHMCTL(shm_id, IPC_RMID, 0);
71 }
72
run(void)73 static void run(void)
74 {
75 tst_res(TINFO, "Attempting to attach shared memory to null page");
76 /*
77 * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs
78 * https://github.com/linux-test-project/ltp/issues/319
79 */
80 shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
81 if (shm_addr == (void *)-1) {
82 shm_addr = NULL;
83 if (errno == EINVAL) {
84 tst_res(TPASS, "shmat returned EINVAL");
85 return;
86 }
87 tst_brk(TBROK | TERRNO,
88 "The bug was not triggered, but the shmat error is unexpected");
89 }
90
91 tst_res(TINFO, "Mapped shared memory to %p", shm_addr);
92
93 if (!((size_t)shm_addr & (~0U << 16)))
94 tst_res(TFAIL,
95 "We have mapped a VM address within the first 64Kb");
96 else
97 tst_res(TPASS,
98 "The kernel assigned a different VM address");
99
100 tst_res(TINFO,
101 "Touching shared memory to see if anything strange happens");
102 ((char *)shm_addr)[0] = 'P';
103
104 SAFE_SHMDT(shm_addr);
105 shm_addr = NULL;
106 }
107
108 static struct tst_test test = {
109 .needs_root = 1,
110 .setup = setup,
111 .cleanup = cleanup,
112 .test_all = run,
113 };
114