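// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
 * Copyright (c) 2017 Fujitsu Ltd. (Xiao Yang <yangx.jy@cn.fujitsu.com>)
 */
/*
 * Originated as a test for CVE-2017-5669 but as it turns out the CVE was bogus
 * to begin with and the test was changed into a regression test for commit:
 *
 *   commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc
 *   Author: Davidlohr Bueso <dave@stgolabs.net>
 *   Date:   Fri May 25 14:47:30 2018 -0700
 *
 *       ipc/shm: fix shmat() nil address after round-down when remapping
 *
 * Which makes sure that SHM_REMAP forbids NULL address consistently for
 * SHM_RND as well.
 *
 * The timeline went as:
 *
 *   95e91b831f87 (ipc/shm: Fix shmat mmap nil-page protection)
 *   a73ab244f0da (Revert "ipc/shm: Fix shmat mmap nil-page protect...)
 *   8f89c007b6de (ipc/shm: fix shmat() nil address after round-dow...)
 *
 * The original commit disallowed SHM_RND maps to zero (and rounded) entirely
 * and that broke userland for cases like Xorg.
 *
 * See also https://github.com/linux-test-project/ltp/issues/319
 *
 * This test needs root permissions or else security_mmap_addr(), from
 * get_unmapped_area(), will cause permission errors when trying to mmap lower
 * addresses.
 */

#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>

#include <stdio.h>
#include <errno.h>
#include <string.h>

#include "tst_test.h"
#include "tst_safe_sysv_ipc.h"

/*
 * -1 means "no segment created yet". 0 cannot be used as the sentinel because
 * shmget() may legitimately return 0 as an identifier, and cleanup() would
 * then leave that segment behind.
 */
static int shm_id = -1;

/* Address of the current attachment, or NULL when nothing is attached. */
static void *shm_addr;

/* Create the private, one-page segment that run() tries to attach. */
static void setup(void)
{
	shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);
}

/*
 * Release whatever is still held: detach a live attachment, then remove the
 * segment. Both steps are conditional so that cleanup is safe to call when
 * setup() or run() stopped early.
 */
static void cleanup(void)
{
	if (shm_addr)
		SAFE_SHMDT(shm_addr);

	if (shm_id != -1)
		SAFE_SHMCTL(shm_id, IPC_RMID, 0);
}

/*
 * Ask shmat() to attach at address 1 with SHM_RND | SHM_REMAP. SHM_RND rounds
 * the address down, which for 1 gives 0, so a fixed kernel must refuse the
 * request with EINVAL. If the attach succeeds anyway, report whether the
 * mapping ended up inside the first 64 KiB and then write one byte to it.
 */
static void run(void)
{
	tst_res(TINFO, "Attempting to attach shared memory to null page");
	/*
	 * shmat() for 0 (or < PAGESIZE with RND flag) has to fail with REMAPs
	 * https://github.com/linux-test-project/ltp/issues/319
	 */
	shm_addr = shmat(shm_id, ((void *)1), SHM_RND | SHM_REMAP);
	if (shm_addr == (void *)-1) {
		/* Nothing is attached, so cleanup() must not call shmdt(). */
		shm_addr = NULL;
		if (errno == EINVAL) {
			tst_res(TPASS, "shmat returned EINVAL");
			return;
		}
		tst_brk(TBROK | TERRNO,
			"The bug was not triggered, but the shmat error is unexpected");
	}

	tst_res(TINFO, "Mapped shared memory to %p", shm_addr);

	/*
	 * Compare the whole address against 64 KiB. The previous mask,
	 * ~0U << 16, is a 32-bit value; on a 64-bit target it is zero-extended
	 * and ignores address bits 32 and up, so a high mapping whose bits
	 * 16..31 happen to be zero would be reported as a low one.
	 */
	if ((size_t)shm_addr < ((size_t)1 << 16))
		tst_res(TFAIL,
			"We have mapped a VM address within the first 64Kb");
	else
		tst_res(TPASS,
			"The kernel assigned a different VM address");

	tst_res(TINFO,
		"Touching shared memory to see if anything strange happens");
	((char *)shm_addr)[0] = 'P';

	/* Detach and clear the pointer so cleanup() does not detach twice. */
	SAFE_SHMDT(shm_addr);
	shm_addr = NULL;
}

static struct tst_test test = {
	/* Low-address mappings are refused for unprivileged users; see above. */
	.needs_root = 1,
	.setup = setup,
	.cleanup = cleanup,
	.test_all = run,
	/* Kernel commits from the timeline in the header comment. */
	.tags = (const struct tst_tag[]) {
		{"linux-git", "95e91b831f87"},
		{"linux-git", "a73ab244f0da"},
		{"linux-git", "8f89c007b6de"},
		{}
	}
};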