From mboxrd@z Thu Jan 1 00:00:00 1970
From: Xiao Yang
Date: Thu, 22 Mar 2018 15:21:39 +0800
Subject: [LTP] [PATCH v6 0/3] Add regression test for CVE-2017-17053
In-Reply-To: <20180309124418.30271-1-mmoese@suse.de>
References: <20180309124418.30271-1-mmoese@suse.de>
Message-ID: <5AB35983.6060900@cn.fujitsu.com>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: ltp@lists.linux.it

Hi Michael,

Sorry to bother you.

tst_taint_init() always got TBROK before verifying CVE-2017-17053 on my
environment, as below:
-----------------------------------------------------------------
[root@RHEL7U5RC_Intel64 cve]# ./cve-2017-17053
tst_test.c:987: INFO: Timeout per run is 0h 05m 00s
tst_taint.c:88: BROK: Kernel is already tainted: 512
......
-----------------------------------------------------------------

On my environment, __ioremap_caller() displayed the warning message and set
/proc/sys/kernel/tainted to TST_TAINT_W(512) when a too high physical address
wasn't handled.

Is this a usual case? Should we break and skip CVE-2017-17053 due to this
existing TST_TAINT_W?

Please see the following warning message:
-----------------------------------------------------------------
[ 0.059261] ioremap: invalid physical address fffffffffff90000
[ 0.059263] ------------[ cut here ]------------
[ 0.059268] WARNING: CPU: 0 PID: 1 at arch/x86/mm/ioremap.c:103 __ioremap_caller+0x2f2/0x340
[ 0.059269] Modules linked in:
[ 0.059272] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.10.0-860.el7.x86_64 #1
[ 0.059273] Hardware name: LENOVO QiTianM7150/To be filled by O.E.M., BIOS 90KT20CUS 09/14/2010
[ 0.059275] Call Trace:
[ 0.059281] [] dump_stack+0x19/0x1b
[ 0.059284] [] __warn+0xd8/0x100
[ 0.059286] [] warn_slowpath_null+0x1d/0x20
[ 0.059288] [] __ioremap_caller+0x2f2/0x340
[ 0.059290] [] ? acpi_os_map_memory+0xfd/0x155
[ 0.059293] [] ? kmem_cache_alloc_trace+0x1d6/0x200
[ 0.059295] [] ioremap_cache+0x14/0x20
[ 0.059297] [] acpi_os_map_memory+0xfd/0x155
[ 0.059301] [] acpi_ex_system_memory_space_handler+0xdd/0x1ca
[ 0.059304] [] acpi_ev_address_space_dispatch+0x1c5/0x231
[ 0.059306] [] acpi_ex_access_region+0x20e/0x2a2
[ 0.059309] [] ? acpi_os_release_lock+0xe/0x10
[ 0.059312] [] ? acpi_ut_update_ref_count+0x99/0x2bf
[ 0.059314] [] acpi_ex_field_datum_io+0x105/0x196
[ 0.059316] [] acpi_ex_extract_from_field+0x98/0x228
[ 0.059318] [] ? acpi_ut_create_internal_object_dbg+0x23/0x8a
[ 0.059321] [] acpi_ex_read_data_from_field+0x13c/0x178
[ 0.059323] [] acpi_ex_resolve_node_to_value+0x1a3/0x245
[ 0.059325] [] acpi_ex_resolve_to_value+0x21d/0x23a
[ 0.059327] [] acpi_ds_evaluate_name_path+0x8d/0x11b
[ 0.059329] [] acpi_ds_exec_end_op+0x98/0x3f3
[ 0.059332] [] acpi_ps_parse_loop+0x526/0x583
[ 0.059335] [] ? acpi_ut_create_generic_state+0x37/0x54
[ 0.059337] [] acpi_ps_parse_aml+0x98/0x289
[ 0.059339] [] acpi_ps_execute_method+0x1c7/0x272
[ 0.059341] [] acpi_ns_evaluate+0x1c1/0x258
[ 0.059343] [] acpi_evaluate_object+0x135/0x252
[ 0.059346] [] acpi_evaluate_integer+0x52/0x84
[ 0.059348] [] ? acpi_os_signal_semaphore+0x21/0x2d
[ 0.059350] [] acpi_bus_get_status_handle+0x1e/0x39
[ 0.059353] [] acpi_bus_check_add+0x81/0x1c2
[ 0.059355] [] ? up+0x32/0x50
[ 0.059358] [] acpi_ns_walk_namespace+0xcb/0x184
[ 0.059360] [] ? acpi_add_single_object+0x4f9/0x4f9
[ 0.059362] [] ? acpi_add_single_object+0x4f9/0x4f9
[ 0.059364] [] acpi_walk_namespace+0x95/0xc5
[ 0.059367] [] ? acpi_sleep_proc_init+0x2a/0x2a
[ 0.059369] [] acpi_bus_scan+0x5c/0x90
[ 0.059371] [] acpi_scan_init+0x89/0x1d8
[ 0.059373] [] acpi_init+0x2a3/0x2bd
[ 0.059376] [] do_one_initcall+0xba/0x240
[ 0.059379] [] kernel_init_freeable+0x180/0x21f
[ 0.059381] [] ? initcall_blacklist+0xb0/0xb0
[ 0.059383] [] ? rest_init+0x80/0x80
[ 0.059385] [] kernel_init+0xe/0xf0
[ 0.059388] [] ret_from_fork_nospec_begin+0x21/0x21
[ 0.059390] [] ? rest_init+0x80/0x80
[ 0.059393] ---[ end trace a7b32a0fce036eb7 ]---
-----------------------------------------------------------------

Please let me know if more information is needed, thanks.

Thanks,
Xiao Yang

On 2018/03/09 20:44, Michael Moese wrote:
> Add a regression test for CVE-2017-17053. This testcase is depending
> on some new library functions included in this series.
>
> This patch series consists of reworked patches according to previous
> review comments, as well as a small new library wrapper function
> SAFE_SIGACTION() to install a signal handler.
>
> Michael Moese (3):
>   Add library support for /proc/sys/kernel/tainted
>   Add a library wrapper for sigaction()
>   Add regression test for CVE-2017-17053
>
>  doc/test-writing-guidelines.txt |  42 ++++++++++
>  include/tst_safe_macros.h       |  20 +++++
>  include/tst_taint.h             | 104 +++++++++++++++++++++++++
>  lib/tst_taint.c                 | 106 +++++++++++++++++++++++++
>  runtest/cve                     |   1 +
>  testcases/cve/.gitignore        |   1 +
>  testcases/cve/Makefile          |   2 +
>  testcases/cve/cve-2017-17053.c  | 166 ++++++++++++++++++++++++++++++++++++++++
>  8 files changed, 442 insertions(+)
>  create mode 100644 include/tst_taint.h
>  create mode 100644 lib/tst_taint.c
>  create mode 100644 testcases/cve/cve-2017-17053.c
>
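
The situation reported above, a taint value of 512 already set at boot by a WARN, worked through as an added example; it is not LTP's tst_taint code and not part of the thread. The function names and the W|D watch mask are assumptions made for illustration; the bit positions are the kernel's documented taint flags.

```c
#include <stdio.h>
#include <stdlib.h>

/* Kernel taint flags as documented in tainted-kernels.rst. */
#define TAINT_DIE  (1UL << 7)	/* 'D': oops or BUG, decimal 128 */
#define TAINT_WARN (1UL << 9)	/* 'W': WARN() was hit, decimal 512 */

/* Parse the decimal text of /proc/sys/kernel/tainted; 0 on success. */
int parse_taint(const char *text, unsigned long *out)
{
	char *end;
	unsigned long v = strtoul(text, &end, 10);

	if (end == text || (*end != '\0' && *end != '\n'))
		return -1;
	*out = v;
	return 0;
}

/* Strict policy: a watched bit that is already set blocks the test,
 * which is the "Kernel is already tainted" outcome in the report. */
int strict_can_run(unsigned long baseline, unsigned long mask)
{
	return (baseline & mask) == 0;
}

/* Baseline-relative policy: only watched bits that appeared after the
 * baseline count. A bit set at boot can never show up here, so a second
 * WARN during the test would go unnoticed. */
unsigned long new_taint(unsigned long baseline, unsigned long now,
			unsigned long mask)
{
	return (now & ~baseline) & mask;
}

int main(void)
{
	/* Constructed sample: the value from the report, not read live. */
	const char *sample = "512\n";
	unsigned long boot, mask = TAINT_WARN | TAINT_DIE; /* assumed mask */

	if (parse_taint(sample, &boot))
		return 1;
	printf("boot taint %lu, W already set: %s\n", boot,
	       (boot & TAINT_WARN) ? "yes" : "no");
	printf("strict W|D: %s\n", strict_can_run(boot, mask) ? "run" : "broken");
	printf("strict D only: %s\n",
	       strict_can_run(boot, TAINT_DIE) ? "run" : "broken");
	printf("new bits after oops: %lu\n",
	       new_taint(boot, boot | TAINT_DIE, mask));
	return 0;
}
```

With W set before the test starts, only the D bit still carries a signal on this machine: an oops during the test is visible, a further warning is not.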