public inbox for ltp@lists.linux.it
* [LTP] [PATCH 1/2] cve-2015-3290: Fail on unexpected signal
@ 2024-06-13 15:29 Martin Doucha
From: Martin Doucha @ 2024-06-13 15:29 UTC (permalink / raw)
  To: ltp

The test expects the child process to either be killed by SIGSEGV,
or cleanly exit. If the child gets killed by an unexpected signal,
the parent process will fail to report any result. Fix the rare
corner case.

Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
 testcases/cve/cve-2015-3290.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/testcases/cve/cve-2015-3290.c b/testcases/cve/cve-2015-3290.c
index a2a8fcedd..0aad26d74 100644
--- a/testcases/cve/cve-2015-3290.c
+++ b/testcases/cve/cve-2015-3290.c
@@ -454,10 +454,14 @@ static void run(void)
 	}
 
 	SAFE_WAITPID(pid, &status, 0);
-	if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)
+	if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV) {
 		tst_res(TFAIL, "corrupted NMI stack");
-	else if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
+	} else if (WIFSIGNALED(status)) {
+		tst_res(TFAIL, "Child killed by unexpected signal %s",
+			tst_strsig(WTERMSIG(status)));
+	} else if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
 		tst_res(WEXITSTATUS(status), "Propogate child status");
+	}
 }
 
 static struct tst_test test = {
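Review bot: In the final branch, `tst_res(WEXITSTATUS(status), "Propogate child status")` passes the child's raw exit status as the result type, so a nonzero exit code that is not one of the expected result flags reaches tst_res() unchecked; consider validating it and reporting TBROK for anything else. While the line is being touched, "Propogate" should read "Propagate". The new `WIFSIGNALED(status)` branch is correctly placed after the SIGSEGV check, which keeps the "corrupted NMI stack" message specific to that signal.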
-- 
2.44.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp


* [LTP] [PATCH 2/2] cve-2015-3290: Check for mishandled modify_ldt() return value
@ 2024-06-13 15:29 ` Martin Doucha
From: Martin Doucha @ 2024-06-13 15:29 UTC (permalink / raw)
  To: ltp

The kernel intentionally prevents modify_ldt() return value sign
extension to 64bit long. Some libc versions return the value as is
instead of correctly setting errno. Check for incorrect return value
handling and rectify the problem if needed.

Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
 testcases/cve/cve-2015-3290.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/testcases/cve/cve-2015-3290.c b/testcases/cve/cve-2015-3290.c
index 0aad26d74..171667d4a 100644
--- a/testcases/cve/cve-2015-3290.c
+++ b/testcases/cve/cve-2015-3290.c
@@ -195,13 +195,26 @@ static void set_ldt(void)
 		.useable	 = 0
 	};
 
-	TEST((int)tst_syscall(__NR_modify_ldt, 1, &data_desc,
-		sizeof(data_desc)));
-	if (TST_RET == -EINVAL) {
-		tst_brk(TCONF | TRERRNO,
+	TEST(tst_syscall(__NR_modify_ldt, 1, &data_desc, sizeof(data_desc)));
+
+	/*
+	 * The kernel intentionally casts modify_ldt() return value
+	 * to unsigned int to prevent sign extension to 64 bits. This may
+	 * result in syscall() returning the value as is instead of setting
+	 * errno and returning -1.
+	 */
+	if (TST_RET > 0 && ((int)TST_RET) < 0) {
+		tst_res(TINFO,
+			"WARNING: Libc mishandled modify_ldt() return value");
+		TST_ERR = -(int)TST_RET;
+		TST_RET = -1;
+	}
+
+	if (TST_RET == -1 && TST_ERR == EINVAL) {
+		tst_brk(TCONF | TTERRNO,
 			"modify_ldt: 16-bit data segments are probably disabled");
 	} else if (TST_RET != 0) {
-		tst_brk(TBROK | TRERRNO, "modify_ldt");
+		tst_brk(TBROK | TTERRNO, "modify_ldt");
 	}
 }
 
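Review bot: The fallback `else if (TST_RET != 0)` branch reports `TBROK | TTERRNO`, but it is also reached when TST_RET is a nonzero value other than -1 that does not match the `TST_RET > 0 && ((int)TST_RET) < 0` pattern, and in that case TST_ERR says nothing about the failure; include the raw return value in the message (for example "modify_ldt returned %ld") so such a case can be diagnosed. The TINFO warning would also be more useful if it printed the unconverted TST_RET before it is overwritten with -1.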
-- 
2.44.0



* Re: [LTP] [PATCH 1/2] cve-2015-3290: Fail on unexpected signal
@ 2024-06-21 11:33 ` Petr Vorel
From: Petr Vorel @ 2024-06-21 11:33 UTC (permalink / raw)
  To: Martin Doucha; +Cc: ltp

Hi Martin,

>  		tst_res(WEXITSTATUS(status), "Propogate child status");
Patchset merged, thanks! I dared to fix Propogate typo before merge.

Kind regards,
Petr
