1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
4 * Copyright (c) 2017 Fujitsu Ltd. (Xiao Yang <yangx.jy@cn.fujitsu.com>)
5 */
6 /*
7 * Originated as a test for CVE-2017-5669 but as it turns out the CVE was bogus
8 * to begin with and the test was changed into a regression test for commit:
9 *
10 * commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc
11 * Author: Davidlohr Bueso <dave@stgolabs.net>
12 * Date: Fri May 25 14:47:30 2018 -0700
13 *
14 * ipc/shm: fix shmat() nil address after round-down when remapping
15 *
16 * Which makes sure that SHM_REMAP forbids NULL address consistently for
17 * SHM_RND as well.
18 *
19 * The timeline went as:
20 *
21 * 95e91b831f87 (ipc/shm: Fix shmat mmap nil-page protection)
22 * a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...)
23 * 8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...)
24 *
25 * The original commit disallowed SHM_RND maps to zero (and rounded) entirely
26 * and that broke userland for cases like Xorg.
27 *
28 * See also https://github.com/linux-test-project/ltp/issues/319
29 *
30 * This test needs root permissions or else security_mmap_addr(), from
31 * get_unmapped_area(), will cause permission errors when trying to mmap lower
32 * addresses.
33 */
34
35 #include <sys/types.h>
36 #include <sys/ipc.h>
37 #include <sys/shm.h>
38
39 #include <stdio.h>
40 #include <errno.h>
41 #include <string.h>
42
43 #include "tst_test.h"
44 #include "tst_safe_sysv_ipc.h"
45
46 static int shm_id;
47 static void *shm_addr;
48
setup(void)49 static void setup(void)
50 {
51 shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);
52 }
53
cleanup(void)54 static void cleanup(void)
55 {
56 if (shm_addr)
57 SAFE_SHMDT(shm_addr);
58
59 if (shm_id)
60 SAFE_SHMCTL(shm_id, IPC_RMID, 0);
61 }
62
run(void)63 static void run(void)
64 {
65 tst_res(TINFO, "Attempting to attach shared memory to null page");
66 /*
67 * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs
68 * https://github.com/linux-test-project/ltp/issues/319
69 */
70 shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
71 if (shm_addr == (void *)-1) {
72 shm_addr = NULL;
73 if (errno == EINVAL) {
74 tst_res(TPASS, "shmat returned EINVAL");
75 return;
76 }
77 tst_brk(TBROK | TERRNO,
78 "The bug was not triggered, but the shmat error is unexpected");
79 }
80
81 tst_res(TINFO, "Mapped shared memory to %p", shm_addr);
82
83 if (!((size_t)shm_addr & (~0U << 16)))
84 tst_res(TFAIL,
85 "We have mapped a VM address within the first 64Kb");
86 else
87 tst_res(TPASS,
88 "The kernel assigned a different VM address");
89
90 tst_res(TINFO,
91 "Touching shared memory to see if anything strange happens");
92 ((char *)shm_addr)[0] = 'P';
93
94 SAFE_SHMDT(shm_addr);
95 shm_addr = NULL;
96 }
97
98 static struct tst_test test = {
99 .needs_root = 1,
100 .setup = setup,
101 .cleanup = cleanup,
102 .test_all = run,
103 .tags = (const struct tst_tag[]) {
104 {"linux-git", "95e91b831f87"},
105 {"linux-git", "a73ab244f0da"},
106 {"linux-git", "8f89c007b6de"},
107 {}
108 }
109 };
110