public inbox for ltp@lists.linux.it
* [LTP] [PATCH v6 0/3] Add regression test for CVE-2017-17053
@ 2018-03-09 12:44 Michael Moese
  2018-03-09 12:44 ` [LTP] [PATCH v6 1/3] Add library support for /proc/sys/kernel/tainted Michael Moese
                   ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Michael Moese @ 2018-03-09 12:44 UTC (permalink / raw)
  To: ltp


Add a regression test for CVE-2017-17053. This testcase is depending
on some new library functions included in this series.

This patch series consists of reworked patches according to previous
review comments, as well as a small new library wrapper function
SAFE_SIGACTION() to install a signal handler.

Michael Moese (3):
  Add library support for /proc/sys/kernel/tainted
  Add a library wrapper for sigaction()
  Add regression test for CVE-2017-17053

 doc/test-writing-guidelines.txt |  42 ++++++++++
 include/tst_safe_macros.h       |  20 +++++
 include/tst_taint.h             | 104 +++++++++++++++++++++++++
 lib/tst_taint.c                 | 106 +++++++++++++++++++++++++
 runtest/cve                     |   1 +
 testcases/cve/.gitignore        |   1 +
 testcases/cve/Makefile          |   2 +
 testcases/cve/cve-2017-17053.c  | 166 ++++++++++++++++++++++++++++++++++++++++
 8 files changed, 442 insertions(+)
 create mode 100644 include/tst_taint.h
 create mode 100644 lib/tst_taint.c
 create mode 100644 testcases/cve/cve-2017-17053.c

-- 
2.13.6



* [LTP] [PATCH v6 1/3] Add library support for /proc/sys/kernel/tainted
  2018-03-09 12:44 [LTP] [PATCH v6 0/3] Add regression test for CVE-2017-17053 Michael Moese
@ 2018-03-09 12:44 ` Michael Moese
  2018-03-13 12:26   ` Cyril Hrubis
  2018-03-09 12:44 ` [LTP] [PATCH v6 2/3] Add a library wrapper for sigaction() Michael Moese
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 11+ messages in thread
From: Michael Moese @ 2018-03-09 12:44 UTC (permalink / raw)
  To: ltp

Sometimes, it is important to detect if the kernel has issued a
warning, died, or is tainted in another way. Linux provides this
information in /proc/sys/kernel/tainted in the form of a bitfield.
This patch provides library functions for testcases to detect if
it has tainted the kernel.

The following functions will be introduced:

- int tst_taint_init(unsigned int mask)
  check if the flags supplied as mask are supported by the running
  kernel, and if so, if they are not yet set.

- int tst_taint_check()
  check if one or more of the bits specified in the mask provided
  to tst_taint_init() before are set.
  Returns 0 if those flags are not set, or the bitmask of set flags

These can be used in the following way:

First, during testcase setup:

void setup(void)
{
	...
	tst_taint_init(TST_TAINT_W | TST_TAINT_D);
}

Second, check if the test triggered a bug:

void run(void)
{
	...
	. test code here
	...
	if (tst_taint_check() != 0)
		tst_res(TFAIL, "kernel has issues");
	else
		tst_res(TPASS, "kernel seems to be fine");
}

Signed-off-by: Michael Moese <mmoese@suse.de>
---
 doc/test-writing-guidelines.txt |  42 ++++++++++++++++
 include/tst_taint.h             | 104 +++++++++++++++++++++++++++++++++++++++
 lib/tst_taint.c                 | 106 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 252 insertions(+)
 create mode 100644 include/tst_taint.h
 create mode 100644 lib/tst_taint.c

diff --git a/doc/test-writing-guidelines.txt b/doc/test-writing-guidelines.txt
index 4c60cd66b..5082a07be 100644
--- a/doc/test-writing-guidelines.txt
+++ b/doc/test-writing-guidelines.txt
@@ -1320,6 +1320,48 @@ common.h:9: FAIL: check failed
 test.c:8: INFO: do_action(arg) failed
 -------------------------------------------------------------------------------
 
+2.2.24 Tainted kernels
+^^^^^^^^^^^^^^^^^^^^^^
+
+If you need to detect, if a testcase triggers a kernel warning, bug or oops,
+the following can be used to detect TAINT_W or TAINT_D:
+
+[source,c]
+-------------------------------------------------------------------------------
+#include "tst_test.h"
+#include "tst_taint.h"
+
+void setup(void)
+{
+	...
+	tst_taint_init(TST_TAINT_W | TST_TAINT_D);
+	...
+}
+...
+void run(void)
+{
+	...
+	if (tst_taint_check() == 0)
+		tst_res(TPASS, "kernel is not tainted");
+	else
+		tst_res(TFAIL, "kernel is tainted");
+}
+-------------------------------------------------------------------------------
+
+You have to call tst_taint_init() with non-zero flags first, preferably during
+setup(). The function will generate a TCONF if the requested flags are not
+fully supported on the running kernel, and TBROK if either a zero mask was
+supplied or if the kernel is already tainted before executing the test.
+
+Then you can call tst_taint_check() during run(), which returns 0 or the 
+tainted flags set in /proc/sys/kernel/tainted as specified earlier.
+
+Depending on your kernel version, not all tainted-flags will be supported.
+
+For reference to tainted kernels, see kernel documentation:
+Documentation/admin-guide/tainted-kernels.rst or
+https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
+
 2.3 Writing a testcase in shell
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
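Review bot: the sentence "which returns 0 or the tainted flags set in /proc/sys/kernel/tainted as specified earlier" near the end of the new section does not say clearly that only the bits passed to tst_taint_init() are reported; state that explicitly, and mention that calling tst_taint_check() without a prior tst_taint_init() ends in TBROK, as the header comment does. The line ending in "returns 0 or the " carries trailing whitespace, and "detect, if" in the opening sentence should lose the comma.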
diff --git a/include/tst_taint.h b/include/tst_taint.h
new file mode 100644
index 000000000..1039e2ddc
--- /dev/null
+++ b/include/tst_taint.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2018 Michael Moese <mmoese@suse.de>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* Usage example
+ *
+ * ...
+ * #include "tst_test.h"
+ * #include "tst_taint.h"
+ * ..
+ * void setup(void)
+ * {
+ *	...
+ *	tst_taint_init(TST_TAINT_W | TST_TAINT_D));
+ *	...
+ * }
+ *
+ * void run(void)
+ * {
+ *	...
+ *	. test code here
+ *	...
+ *	if (tst_taint_check() != 0)
+ *		tst_res(TFAIL, "kernel has issues");
+ *	else
+ *		tst_res(TPASS, "kernel seems to be fine");
+ * }
+ *
+ *
+ *
+ * The above code checks, if the kernel issued a warning (TST_TAINT_W)
+ * or even died (TST_TAINT_D) during test execution.
+ * If these are set after running a test case, we most likely
+ * triggered a kernel bug.
+ */
+
+#ifndef TST_TAINTED_H__
+#define TST_TAINTED_H__
+
+/*
+ * This are all 17 flags that are present in kernel 4.15
+ * see kernel/panic.c in kernel sources
+ *
+ * Not all of them are valid in all kernel versions.
+ */
+#define TST_TAINT_G     (1 <<  0) /* a module with non-GPL license loaded */
+#define TST_TAINT_F     (1 <<  1) /* a module was force-loaded */
+#define TST_TAINT_S     (1 <<  2) /* SMP with Non-SMP kernel */
+#define TST_TAINT_R     (1 <<  3) /* module force unloaded */
+#define TST_TAINT_M     (1 <<  4) /* machine check error occurred */
+#define TST_TAINT_B     (1 <<  5) /* page-release function found bad page */
+#define TST_TAINT_U     (1 <<  6) /* user requested taint flag */
+#define TST_TAINT_D     (1 <<  7) /* kernel died recently - OOPS or BUG */
+#define TST_TAINT_A     (1 <<  8) /* ACPI table has been overwritten */
+#define TST_TAINT_W     (1 <<  9) /* a warning has been issued by kernel */
+#define TST_TAINT_C     (1 << 10) /* driver from drivers/staging was loaded */
+#define TST_TAINT_I     (1 << 11) /* working around BIOS/Firmware bug */
+#define TST_TAINT_O     (1 << 12) /* out of tree module loaded */
+#define TST_TAINT_E     (1 << 13) /* unsigned module was loaded */
+#define TST_TAINT_L     (1 << 14) /* A soft lock-up has previously occurred */
+#define TST_TAINT_K     (1 << 15) /* kernel has been live-patched */
+#define TST_TAINT_X	(1 << 16) /* auxiliary taint, for distro's use */
+
+/*
+ * Initialize and prepare support for checking tainted kernel.
+ *
+ * supply the mask of TAINT-flags you want to check, for example
+ * (TST_TAINT_W | TST_TAINT_D) when you want to check if the kernel issued
+ * a warning or even reported it died.
+ *
+ * This function tests if the requested flags are supported on the
+ * locally running kernel. In case the tainted-flags are already set by
+ * the kernel, there is no reason to continue and TCONF is generated.
+ *
+ * The mask must not be zero.
+ */
+void tst_taint_init(unsigned int mask);
+
+
+/*
+ * check if the tainted flags handed to tst_taint_init() are still not set
+ * during or after running the test.
+ * Calling this function is only allowed after tst_taint_init() was called,
+ * otherwise TBROK will be generated.
+ *
+ * returns 0 or a bitmask of the flags that currently tainted the kernel.
+ */
+unsigned int tst_taint_check(void);
+
+
+#endif /* TST_TAINTED_H__ */
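Review bot: the comment above tst_taint_init() says TCONF is generated when the requested flags are already set, but lib/tst_taint.c in this same patch calls tst_brk(TBROK, "Kernel is already tainted: %u", taint) and the documentation hunk also says TBROK; the comment should say TBROK. In the usage example, "tst_taint_init(TST_TAINT_W | TST_TAINT_D));" has one closing parenthesis too many, "This are all 17 flags" should read "These are", and the TST_TAINT_X define separates name and value with a tab where the other sixteen use spaces.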
diff --git a/lib/tst_taint.c b/lib/tst_taint.c
new file mode 100644
index 000000000..8d7a37b47
--- /dev/null
+++ b/lib/tst_taint.c
@@ -0,0 +1,106 @@
+#define TST_NO_DEFAULT_MAIN
+
+#include "tst_test.h"
+#include "tst_taint.h"
+#include "tst_safe_stdio.h"
+
+#define TAINT_FILE "/proc/sys/kernel/tainted"
+
+static unsigned int taint_mask = -1;
+
+static unsigned int tst_taint_read(void)
+{
+	unsigned int val;
+
+	if (taint_mask == (unsigned int) -1)
+		tst_brk(TBROK, "need to call tst_taint_init() first");
+
+	SAFE_FILE_SCANF(TAINT_FILE, "%u", &val);
+
+	return val;
+}
+
+static int tst_taint_check_kver(unsigned int mask)
+{
+	int r1;
+	int r2;
+	int r3 = 0;
+
+	if (mask & TST_TAINT_X) {
+		r1 = 4;
+		r2 = 15;
+	} else if (mask & TST_TAINT_K) {
+		r1 = 4;
+		r2 = 0;
+	} else if (mask & TST_TAINT_L) {
+		r1 = 3;
+		r2 = 17;
+	} else if (mask & TST_TAINT_E) {
+		r1 = 3;
+		r2 = 15;
+	} else if (mask & TST_TAINT_O) {
+		r1 = 3;
+		r2 = 2;
+	} else if (mask & TST_TAINT_I) {
+		r1 = 2;
+		r2 = 6;
+		r3 = 35;
+	} else if (mask & TST_TAINT_C) {
+		r1 = 2;
+		r2 = 6;
+		r3 = 28;
+	} else if (mask & TST_TAINT_W) {
+		r1 = 2;
+		r2 = 6;
+		r3 = 26;
+	} else if (mask & TST_TAINT_A) {
+		r1 = 2;
+		r2 = 6;
+		r3 = 25;
+	} else if (mask & TST_TAINT_D) {
+		r1 = 2;
+		r2 = 6;
+		r3 = 23;
+	} else if (mask & TST_TAINT_U) {
+		r1 = 2;
+		r2 = 6;
+		r3 = 21;
+	} else {
+		r1 = 2;
+		r2 = 6;
+		r3 = 16;
+	}
+
+	return tst_kvercmp(r1, r2, r3);
+}
+
+void tst_taint_init(unsigned int mask)
+{
+	unsigned int taint = -1;
+
+	if (mask == 0)
+		tst_brk(TBROK, "mask is not allowed to be 0");
+
+	if (tst_taint_check_kver(mask) < 0)
+		tst_res(TCONF, "Kernel is too old for requested mask");
+
+	taint_mask = mask;
+
+	taint = tst_taint_read();
+	if ((taint & mask) != 0)
+		tst_brk(TBROK, "Kernel is already tainted: %u", taint);
+}
+
+
+unsigned int tst_taint_check(void)
+{
+	unsigned int taint = -1;
+
+	if (taint_mask == (unsigned int) -1)
+		tst_brk(TBROK, "need to call tst_taint_init() first");
+
+	taint = tst_taint_read();
+
+	return (taint & taint_mask);
+}
+
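Review bot: in tst_taint_init() the too-old-kernel case is reported with tst_res(TCONF, ...), which only logs the result and returns, so the function goes on to set taint_mask and the test runs against flags the kernel does not have; tst_brk(TCONF, ...) would stop the test there, which is what the documentation hunk describes. tst_taint_check_kver() also lets a mask consisting only of bits above TST_TAINT_X fall through to the final else branch and pass as a 2.6.16 flag, so rejecting unknown bits up front would be safer. The (unsigned int) -1 sentinel in taint_mask doubles as a legal all-bits mask; a separate "initialised" flag avoids that ambiguity.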
-- 
2.13.6



* [LTP] [PATCH v6 2/3] Add a library wrapper for sigaction()
  2018-03-09 12:44 [LTP] [PATCH v6 0/3] Add regression test for CVE-2017-17053 Michael Moese
  2018-03-09 12:44 ` [LTP] [PATCH v6 1/3] Add library support for /proc/sys/kernel/tainted Michael Moese
@ 2018-03-09 12:44 ` Michael Moese
  2018-03-13 12:27   ` Cyril Hrubis
  2018-03-09 12:44 ` [LTP] [PATCH v6 3/3] Add regression test for CVE-2017-17053 Michael Moese
  2018-03-22  7:21 ` [LTP] [PATCH v6 0/3] " Xiao Yang
  3 siblings, 1 reply; 11+ messages in thread
From: Michael Moese @ 2018-03-09 12:44 UTC (permalink / raw)
  To: ltp

In a multithreaded program, using signal() results in unspecified
behavior. In this case, sigaction() has to be used to install a
signal handler.
Therefore, SAFE_SIGACTION() is added.

Signed-off-by: Michael Moese <mmoese@suse.de>
---
 include/tst_safe_macros.h | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/include/tst_safe_macros.h b/include/tst_safe_macros.h
index 06bff13c7..bf12e0719 100644
--- a/include/tst_safe_macros.h
+++ b/include/tst_safe_macros.h
@@ -397,6 +397,26 @@ static inline sighandler_t safe_signal(const char *file, const int lineno,
 #define SAFE_SIGNAL(signum, handler) \
 	safe_signal(__FILE__, __LINE__, (signum), (handler))
 
+
+
+static inline int safe_sigaction(const char *file, const int lineno,
+				 int signum, const struct sigaction *act,
+				 struct sigaction *oldact)
+{
+	int rval;
+
+	rval = sigaction(signum, act, oldact);
+
+	if (rval == -1) {
+		tst_brk_(file, lineno, TBROK | TERRNO,
+			"sigaction(%d, %p, %p) failed", signum, act, oldact);
+	}
+
+	return rval;
+}
+#define SAFE_SIGACTION(signum, act, oldact) \
+	safe_sigaction(__FILE__, __LINE__, (signum), (act), (oldact))
+
 #define SAFE_EXECLP(file, arg, ...) do {                   \
 	execlp((file), (arg), ##__VA_ARGS__);              \
 	tst_brk_(__FILE__, __LINE__, TBROK | TERRNO,       \
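Review bot: the failure message in safe_sigaction() prints the signal only as a number ("sigaction(%d, %p, %p) failed"), which is hard to read in a test log; printing the signal name as well, for example via tst_strsig(signum), would help. The hunk also adds two blank lines before the function and none between its closing brace and the SAFE_SIGACTION define; one blank line in each place would match the surrounding macros.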
-- 
2.13.6



* [LTP] [PATCH v6 3/3] Add regression test for CVE-2017-17053
  2018-03-09 12:44 [LTP] [PATCH v6 0/3] Add regression test for CVE-2017-17053 Michael Moese
  2018-03-09 12:44 ` [LTP] [PATCH v6 1/3] Add library support for /proc/sys/kernel/tainted Michael Moese
  2018-03-09 12:44 ` [LTP] [PATCH v6 2/3] Add a library wrapper for sigaction() Michael Moese
@ 2018-03-09 12:44 ` Michael Moese
  2018-03-13 12:27   ` Cyril Hrubis
  2018-03-22  7:21 ` [LTP] [PATCH v6 0/3] " Xiao Yang
  3 siblings, 1 reply; 11+ messages in thread
From: Michael Moese @ 2018-03-09 12:44 UTC (permalink / raw)
  To: ltp

This patch adds a regression test for CVE-2017-17053, based on the
reproducer in the message of this commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ccd5b3235180eef3cfec337df1c8554ab151b5cc

Be warned, if the running kernel is vulnerable to this CVE, it will die in
most cases.

Signed-off-by: Michael Moese <mmoese@suse.de>
---
 runtest/cve                    |   1 +
 testcases/cve/.gitignore       |   1 +
 testcases/cve/Makefile         |   2 +
 testcases/cve/cve-2017-17053.c | 166 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 170 insertions(+)
 create mode 100644 testcases/cve/cve-2017-17053.c

diff --git a/runtest/cve b/runtest/cve
index 0c385c670..8c68ab496 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -30,3 +30,4 @@ cve-2017-17807 request_key04
 cve-2017-1000364 stack_clash
 cve-2017-5754 meltdown
 cve-2017-17052 cve-2017-17052
+cve-2017-17053 cve-2017-17053
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index c878069f1..c1ac83e3a 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -12,3 +12,4 @@ cve-2017-5669
 meltdown
 stack_clash
 cve-2017-17052
+cve-2017-17053
diff --git a/testcases/cve/Makefile b/testcases/cve/Makefile
index 86100dbf2..3a05dd4fe 100644
--- a/testcases/cve/Makefile
+++ b/testcases/cve/Makefile
@@ -37,6 +37,8 @@ meltdown: CFLAGS += -msse2
 endif
 
 cve-2017-17052:	CFLAGS += -pthread
+cve-2017-17053:	CFLAGS += -pthread
+
 cve-2015-3290:	CFLAGS += -pthread
 
 include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/cve/cve-2017-17053.c b/testcases/cve/cve-2017-17053.c
new file mode 100644
index 000000000..523ee53c3
--- /dev/null
+++ b/testcases/cve/cve-2017-17053.c
@@ -0,0 +1,166 @@
+/*
+ * Copyright (c) 2018 Michael Moese <mmoese@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/* Regression test for CVE-2017-17053, original reproducer can be found
+ * here:
+ * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ccd5b3235180eef3cfec337df1c8554ab151b5cc
+ *
+ * Be careful! This test may crash your kernel!
+ */
+
+#include <asm/ldt.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <sys/syscall.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <stdio.h>
+
+#include "tst_test.h"
+#include "tst_taint.h"
+#include "lapi/syscalls.h"
+
+#define EXEC_USEC   5000000
+
+/* this is basically identical to SAFE_PTHREAD_CREATE(), but is tolerating the
+ * call to fail whenn the error is EAGAIN or EWOULDBLOCK */
+static void try_pthread_create(pthread_t *thread_id, const pthread_attr_t *attr,
+			       void *(*thread_fn)(void *), void *arg)
+{
+	int rval;
+
+	rval = pthread_create(thread_id, attr, thread_fn, arg);
+
+	if (rval && rval != EAGAIN && rval != EWOULDBLOCK)
+		tst_brk(TBROK, "pthread_create(%p,%p,%p,%p) failed: %s",
+			thread_id, attr, thread_fn, arg, tst_strerrno(rval));
+}
+
+/* this is basically identical to SAFE_FORK(), but is tolerating the
+ * call to fail whenn the error is EAGAIN or EWOULDBLOCK */
+static int try_fork(void)
+{
+	pid_t pid;
+
+	tst_flush();
+
+	pid = fork();
+	if (pid < 0 && errno != EAGAIN && errno == EWOULDBLOCK)
+		tst_brk(TBROK | TERRNO, "fork() failed");
+
+	return pid;
+}
+
+
+
+struct shm_data {
+	volatile sig_atomic_t do_exit;
+	volatile sig_atomic_t segfaulted;
+};
+static struct shm_data *shm;
+
+static void handler(int sig)
+{
+	(void)sig;
+
+	shm->segfaulted = 1;
+	shm->do_exit = 1;
+}
+
+static void install_sighandler(void)
+{
+	struct sigaction sa;
+
+	sa.sa_flags = SA_SIGINFO;
+	sigemptyset(&sa.sa_mask);
+	sa.sa_handler = handler;
+
+	SAFE_SIGACTION(SIGSEGV, &sa, NULL);
+}
+
+static void setup(void)
+{
+	tst_taint_init(TST_TAINT_W | TST_TAINT_D);
+
+	shm = SAFE_MMAP(NULL, sizeof(struct shm_data),
+			PROT_READ | PROT_WRITE,
+			MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+}
+
+static void cleanup(void)
+{
+	SAFE_MUNMAP(shm, sizeof(struct shm_data));
+}
+
+static void *fork_thread(void *arg)
+{
+	try_fork();
+	return arg;
+}
+
+void run_test(void)
+{
+	struct user_desc desc = { .entry_number = 8191 };
+
+	install_sighandler();
+	syscall(__NR_modify_ldt, 1, &desc, sizeof(desc));
+
+	for (;;) {
+		if (shm->do_exit)
+			exit(0);
+
+		if (try_fork() == 0) {
+			pthread_t t;
+
+			srand(getpid());
+			try_pthread_create(&t, NULL, fork_thread, NULL);
+			usleep(rand() % 10000);
+			syscall(__NR_exit_group, 0);
+		}
+	}
+}
+
+void run(void)
+{
+	int status;
+	pid_t pid;
+
+	shm->do_exit = 0;
+	shm->segfaulted = 0;
+
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		run_test();
+	} else {
+		usleep(EXEC_USEC);
+		shm->do_exit = 1;
+	}
+
+	SAFE_WAIT(&status);
+
+	if (WIFEXITED(status) && shm->segfaulted == 0 && tst_taint_check() == 0)
+		tst_res(TPASS, "kernel survived");
+	else
+		tst_res(TFAIL, "kernel is vulnerable");
+}
+
+static struct tst_test test = {
+	.forks_child = 1,
+	.setup = setup,
+	.cleanup = cleanup,
+	.test_all = run,
+};
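Review bot: in try_fork() the condition "pid < 0 && errno != EAGAIN && errno == EWOULDBLOCK" requires errno to differ from EAGAIN and equal EWOULDBLOCK, which can never hold on Linux where both names share one value, so no fork() failure ever reaches tst_brk(); the last comparison should be "!=" as in try_pthread_create(). install_sighandler() sets SA_SIGINFO but fills sa_handler with a one-argument handler; either drop the flag or install a three-argument handler through sa_sigaction, and zero the struct before filling it. Smaller points: the return value of the modify_ldt syscall is ignored, run_test() and run() should be static, and "whenn" is misspelled in both helper comments.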
-- 
2.13.6



* [LTP] [PATCH v6 1/3] Add library support for /proc/sys/kernel/tainted
  2018-03-09 12:44 ` [LTP] [PATCH v6 1/3] Add library support for /proc/sys/kernel/tainted Michael Moese
@ 2018-03-13 12:26   ` Cyril Hrubis
  0 siblings, 0 replies; 11+ messages in thread
From: Cyril Hrubis @ 2018-03-13 12:26 UTC (permalink / raw)
  To: ltp

Hi!
> +static unsigned int tst_taint_read(void)
> +{
> +	unsigned int val;
> +
> +	if (taint_mask == (unsigned int) -1)
> +		tst_brk(TBROK, "need to call tst_taint_init() first");

I've removed this check, since all the entry points that could call
this function either set the taint_mask or check that it has been set.

And finally pushed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz


* [LTP] [PATCH v6 2/3] Add a library wrapper for sigaction()
  2018-03-09 12:44 ` [LTP] [PATCH v6 2/3] Add a library wrapper for sigaction() Michael Moese
@ 2018-03-13 12:27   ` Cyril Hrubis
  0 siblings, 0 replies; 11+ messages in thread
From: Cyril Hrubis @ 2018-03-13 12:27 UTC (permalink / raw)
  To: ltp

Hi!
> +static inline int safe_sigaction(const char *file, const int lineno,
> +				 int signum, const struct sigaction *act,
> +				 struct sigaction *oldact)
> +{
> +	int rval;
> +
> +	rval = sigaction(signum, act, oldact);
> +
> +	if (rval == -1) {
> +		tst_brk_(file, lineno, TBROK | TERRNO,
> +			"sigaction(%d, %p, %p) failed", signum, act, oldact);
                                   ^
				   I've added tst_strsig() here as well
				   to get better error messages.

And I had to move the function to the C source to avoid tst_strsig()
redefinition warnings...

And pushed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz


* [LTP] [PATCH v6 3/3] Add regression test for CVE-2017-17053
  2018-03-09 12:44 ` [LTP] [PATCH v6 3/3] Add regression test for CVE-2017-17053 Michael Moese
@ 2018-03-13 12:27   ` Cyril Hrubis
  0 siblings, 0 replies; 11+ messages in thread
From: Cyril Hrubis @ 2018-03-13 12:27 UTC (permalink / raw)
  To: ltp

Hi!
Pushed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz


* [LTP] [PATCH v6 0/3] Add regression test for CVE-2017-17053
  2018-03-09 12:44 [LTP] [PATCH v6 0/3] Add regression test for CVE-2017-17053 Michael Moese
                   ` (2 preceding siblings ...)
  2018-03-09 12:44 ` [LTP] [PATCH v6 3/3] Add regression test for CVE-2017-17053 Michael Moese
@ 2018-03-22  7:21 ` Xiao Yang
  2018-03-27  9:48   ` Xiao Yang
  3 siblings, 1 reply; 11+ messages in thread
From: Xiao Yang @ 2018-03-22  7:21 UTC (permalink / raw)
  To: ltp

Hi Michael,

Sorry to bother you.

tst_taint_init() always got TBROK before verifying CVE-2017-17053 on my environment, as below:
-----------------------------------------------------------------
[root@RHEL7U5RC_Intel64 cve]# ./cve-2017-17053
tst_test.c:987: INFO: Timeout per run is 0h 05m 00s
tst_taint.c:88: BROK: Kernel is already tainted: 512
......
-----------------------------------------------------------------

On my environment, __ioremap_caller() displayed the warning message and set /proc/sys/kernel/tainted to
TST_TAINT_W(512) when too high physical address wasn't handled.  Is this a usual case?  Should we break
and skip CVE-2017-17053 due to this existing TST_TAINT_W?

Please see the following warning message:
-----------------------------------------------------------------
[    0.059261] ioremap: invalid physical address fffffffffff90000
[    0.059263] ------------[ cut here ]------------
[    0.059268] WARNING: CPU: 0 PID: 1 at arch/x86/mm/ioremap.c:103 __ioremap_caller+0x2f2/0x340
[    0.059269] Modules linked in:
[    0.059272] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.10.0-860.el7.x86_64 #1
[    0.059273] Hardware name: LENOVO QiTianM7150/To be filled by O.E.M., BIOS 90KT20CUS 09/14/2010
[    0.059275] Call Trace:
[    0.059281]  [<ffffffffaed0d768>] dump_stack+0x19/0x1b
[    0.059284]  [<ffffffffae6916d8>] __warn+0xd8/0x100
[    0.059286]  [<ffffffffae69181d>] warn_slowpath_null+0x1d/0x20
[    0.059288]  [<ffffffffae66f442>] __ioremap_caller+0x2f2/0x340
[    0.059290]  [<ffffffffaed0064a>] ? acpi_os_map_memory+0xfd/0x155
[    0.059293]  [<ffffffffae7f7606>] ? kmem_cache_alloc_trace+0x1d6/0x200
[    0.059295]  [<ffffffffae66f4c4>] ioremap_cache+0x14/0x20
[    0.059297]  [<ffffffffaed0064a>] acpi_os_map_memory+0xfd/0x155
[    0.059301]  [<ffffffffae9ec576>] acpi_ex_system_memory_space_handler+0xdd/0x1ca
[    0.059304]  [<ffffffffae9e5fa3>] acpi_ev_address_space_dispatch+0x1c5/0x231
[    0.059306]  [<ffffffffae9e963a>] acpi_ex_access_region+0x20e/0x2a2
[    0.059309]  [<ffffffffae9cf86d>] ? acpi_os_release_lock+0xe/0x10
[    0.059312]  [<ffffffffae9fae9c>] ? acpi_ut_update_ref_count+0x99/0x2bf
[    0.059314]  [<ffffffffae9e99f5>] acpi_ex_field_datum_io+0x105/0x196
[    0.059316]  [<ffffffffae9e9c0e>] acpi_ex_extract_from_field+0x98/0x228
[    0.059318]  [<ffffffffae9fca3a>] ? acpi_ut_create_internal_object_dbg+0x23/0x8a
[    0.059321]  [<ffffffffae9e91bd>] acpi_ex_read_data_from_field+0x13c/0x178
[    0.059323]  [<ffffffffae9ec8fc>] acpi_ex_resolve_node_to_value+0x1a3/0x245
[    0.059325]  [<ffffffffae9ecbbb>] acpi_ex_resolve_to_value+0x21d/0x23a
[    0.059327]  [<ffffffffae9e26c3>] acpi_ds_evaluate_name_path+0x8d/0x11b
[    0.059329]  [<ffffffffae9e2aaa>] acpi_ds_exec_end_op+0x98/0x3f3
[    0.059332]  [<ffffffffae9f4fb8>] acpi_ps_parse_loop+0x526/0x583
[    0.059335]  [<ffffffffae9fd618>] ? acpi_ut_create_generic_state+0x37/0x54
[    0.059337]  [<ffffffffae9f5ac0>] acpi_ps_parse_aml+0x98/0x289
[    0.059339]  [<ffffffffae9f6313>] acpi_ps_execute_method+0x1c7/0x272
[    0.059341]  [<ffffffffae9f0a40>] acpi_ns_evaluate+0x1c1/0x258
[    0.059343]  [<ffffffffae9f3387>] acpi_evaluate_object+0x135/0x252
[    0.059346]  [<ffffffffae9cfc7e>] acpi_evaluate_integer+0x52/0x84
[    0.059348]  [<ffffffffae9cf811>] ? acpi_os_signal_semaphore+0x21/0x2d
[    0.059350]  [<ffffffffae9d3818>] acpi_bus_get_status_handle+0x1e/0x39
[    0.059353]  [<ffffffffae9d5d1b>] acpi_bus_check_add+0x81/0x1c2
[    0.059355]  [<ffffffffae6c0d02>] ? up+0x32/0x50
[    0.059358]  [<ffffffffae9f316c>] acpi_ns_walk_namespace+0xcb/0x184
[    0.059360]  [<ffffffffae9d5c9a>] ? acpi_add_single_object+0x4f9/0x4f9
[    0.059362]  [<ffffffffae9d5c9a>] ? acpi_add_single_object+0x4f9/0x4f9
[    0.059364]  [<ffffffffae9f36a2>] acpi_walk_namespace+0x95/0xc5
[    0.059367]  [<ffffffffaf3b722b>] ? acpi_sleep_proc_init+0x2a/0x2a
[    0.059369]  [<ffffffffae9d60dd>] acpi_bus_scan+0x5c/0x90
[    0.059371]  [<ffffffffaf3b76b1>] acpi_scan_init+0x89/0x1d8
[    0.059373]  [<ffffffffaf3b74ce>] acpi_init+0x2a3/0x2bd
[    0.059376]  [<ffffffffae60210a>] do_one_initcall+0xba/0x240
[    0.059379]  [<ffffffffaf36c362>] kernel_init_freeable+0x180/0x21f
[    0.059381]  [<ffffffffaf36bb1f>] ? initcall_blacklist+0xb0/0xb0
[    0.059383]  [<ffffffffaecfc6b0>] ? rest_init+0x80/0x80
[    0.059385]  [<ffffffffaecfc6be>] kernel_init+0xe/0xf0
[    0.059388]  [<ffffffffaed1f637>] ret_from_fork_nospec_begin+0x21/0x21
[    0.059390]  [<ffffffffaecfc6b0>] ? rest_init+0x80/0x80
[    0.059393] ---[ end trace a7b32a0fce036eb7 ]---
-----------------------------------------------------------------

Please let me know if more information is needed, thanks.

Thanks,
Xiao Yang
On 2018/03/09 20:44, Michael Moese wrote:

> Add a regression test for CVE-2017-17053. This testcase is depending
> on some new library functions included in this series.
>
> This patch series consists of reworked patches according to previous
> review comments, as well as a small new library wrapper function
> SAFE_SIGACTION() to install a signal handler.
>
> Michael Moese (3):
>    Add library support for /proc/sys/kernel/tainted
>    Add a library wrapper for sigaction()
>    Add regression test for CVE-2017-17053
>
>   doc/test-writing-guidelines.txt |  42 ++++++++++
>   include/tst_safe_macros.h       |  20 +++++
>   include/tst_taint.h             | 104 +++++++++++++++++++++++++
>   lib/tst_taint.c                 | 106 +++++++++++++++++++++++++
>   runtest/cve                     |   1 +
>   testcases/cve/.gitignore        |   1 +
>   testcases/cve/Makefile          |   2 +
>   testcases/cve/cve-2017-17053.c  | 166 ++++++++++++++++++++++++++++++++++++++++
>   8 files changed, 442 insertions(+)
>   create mode 100644 include/tst_taint.h
>   create mode 100644 lib/tst_taint.c
>   create mode 100644 testcases/cve/cve-2017-17053.c
>
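
An added illustration, not part of the thread and not LTP code: it decodes a /proc/sys/kernel/tainted value with the bit positions from the posted tst_taint.h and applies the two checks tst_taint_init() makes, using the value 512 from the report above. The helper names taint_parse, taint_names and taint_init_outcome are hypothetical, and the kernel version check is left out.

```c
#include <stdio.h>
#include <string.h>

/*
 * Flag letters in bit order 0..16, named as in the posted include/tst_taint.h
 * (TST_TAINT_G is bit 0, TST_TAINT_X is bit 16).
 */
static const char taint_letters[] = "GFSRMBUDAWCIOELKX";
#define TAINT_NBITS (sizeof(taint_letters) - 1)

/* Outcomes of the checks tst_taint_init() makes on mask and current value. */
enum init_outcome { INIT_OK, INIT_ZERO_MASK, INIT_ALREADY_TAINTED };

/* Parse the decimal text of /proc/sys/kernel/tainted; returns -1 on error. */
static long long taint_parse(const char *text)
{
	unsigned int val;

	return sscanf(text, "%u", &val) == 1 ? (long long)val : -1;
}

/* Return the letters of all set bits, lowest bit first (static buffer). */
static const char *taint_names(unsigned int taint)
{
	static char buf[TAINT_NBITS + 1];
	size_t i, n = 0;

	for (i = 0; i < TAINT_NBITS; i++)
		if (taint & (1u << i))
			buf[n++] = taint_letters[i];
	buf[n] = '\0';
	return buf;
}

/* Same order of checks as the posted tst_taint_init(), version check omitted. */
static enum init_outcome taint_init_outcome(unsigned int mask, unsigned int taint)
{
	if (mask == 0)
		return INIT_ZERO_MASK;
	if ((taint & mask) != 0)
		return INIT_ALREADY_TAINTED;
	return INIT_OK;
}

int main(void)
{
	const char *sample = "512\n";	/* value taken from the report above */
	const unsigned int W = 1u << 9, D = 1u << 7;
	long long taint = taint_parse(sample);

	if (taint < 0)
		return 1;
	printf("tainted=%lld flags=%s\n", taint, taint_names((unsigned int)taint));
	printf("mask W|D -> outcome %d\n", taint_init_outcome(W | D, (unsigned int)taint));
	printf("mask D   -> outcome %d\n", taint_init_outcome(D, (unsigned int)taint));
	return 0;
}
```

With the reported value, the W bit set by the boot-time warning is inside the test's W|D mask, which is the INIT_ALREADY_TAINTED path that produces the BROK line.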





* [LTP] [PATCH v6 0/3] Add regression test for CVE-2017-17053
  2018-03-22  7:21 ` [LTP] [PATCH v6 0/3] " Xiao Yang
@ 2018-03-27  9:48   ` Xiao Yang
  2018-03-27  9:58     ` Michael Moese
  2018-03-27 13:01     ` Cyril Hrubis
  0 siblings, 2 replies; 11+ messages in thread
From: Xiao Yang @ 2018-03-27  9:48 UTC (permalink / raw)
  To: ltp

Hi,

Can anybody help me look into this issue?

Thanks,
Xiao Yang

On 2018/03/22 15:21, Xiao Yang wrote:
> Hi Michael,
>
> Sorry to bother you.
>
> tst_taint_init() always got TBROK before verifying CVE-2017-17053 on 
> my environment, as below:
> -----------------------------------------------------------------
> [root@RHEL7U5RC_Intel64 cve]# ./cve-2017-17053
> tst_test.c:987: INFO: Timeout per run is 0h 05m 00s
> tst_taint.c:88: BROK: Kernel is already tainted: 512
> ......
> -----------------------------------------------------------------
>
> On my environment, __ioremap_caller() displayed the warning message and 
> set /proc/sys/kernel/tainted to
> TST_TAINT_W(512) when too high physical address wasn't handled.  Is 
> this a usual case?  Should we break
> and skip CVE-2017-17053 due to this existing TST_TAINT_W?
>
> Please let me know if more information is needed, thanks.
>
> Thanks,
> Xiao Yang
> On 2018/03/09 20:44, Michael Moese wrote:
>
>> Add a regression test for CVE-2017-17053. This testcase is depending
>> on some new library functions included in this series.
>>
>> This patch series consists of reworked patches according to previous
>> review comments, as well as a small new library wrapper function
>> SAFE_SIGACTION() to install a signal handler.
>>
>> Michael Moese (3):
>>    Add library support for /proc/sys/kernel/tainted
>>    Add a library wrapper for sigaction()
>>    Add regression test for CVE-2017-17053
>>
>>   doc/test-writing-guidelines.txt |  42 ++++++++++
>>   include/tst_safe_macros.h       |  20 +++++
>>   include/tst_taint.h             | 104 +++++++++++++++++++++++++
>>   lib/tst_taint.c                 | 106 +++++++++++++++++++++++++
>>   runtest/cve                     |   1 +
>>   testcases/cve/.gitignore        |   1 +
>>   testcases/cve/Makefile          |   2 +
>>   testcases/cve/cve-2017-17053.c  | 166 
>> ++++++++++++++++++++++++++++++++++++++++
>>   8 files changed, 442 insertions(+)
>>   create mode 100644 include/tst_taint.h
>>   create mode 100644 lib/tst_taint.c
>>   create mode 100644 testcases/cve/cve-2017-17053.c
>>
>
>
>
>





* [LTP] [PATCH v6 0/3] Add regression test for CVE-2017-17053
  2018-03-27  9:48   ` Xiao Yang
@ 2018-03-27  9:58     ` Michael Moese
  2018-03-27 13:01     ` Cyril Hrubis
  1 sibling, 0 replies; 11+ messages in thread
From: Michael Moese @ 2018-03-27  9:58 UTC (permalink / raw)
  To: ltp

Hi,
I'm sorry, I must have missed your mail. 

The testcase cannot run if the TAINT_W flag is already set, as this
is triggered on vulnerable kernels - so if you have an already
tainted kernel, this test cannot reliably detect if the kernel is
safe to this CVE or not.
Where does the warning message you get result from? Is this
something you can fix?

Michael

On Tue, Mar 27, 2018 at 05:48:26PM +0800, Xiao Yang wrote:
> Hi,
> 
> Can anybody help me look into this issue?
> 
> Thanks,
> Xiao Yang
> 
> On 2018/03/22 15:21, Xiao Yang wrote:
> > Hi Michael,
> > 
> > Sorry to bother you.
> > 
> > tst_taint_init() always got TBROK before verifying CVE-2017-17053 on my
> > environment, as below:
> > -----------------------------------------------------------------
> > [root@RHEL7U5RC_Intel64 cve]# ./cve-2017-17053
> > tst_test.c:987: INFO: Timeout per run is 0h 05m 00s
> > tst_taint.c:88: BROK: Kernel is already tainted: 512
> > ......
> > -----------------------------------------------------------------
> > 
> > On my environment, __ioremap_caller() displayed the warning message and
> > set /proc/sys/kernel/tainted to
> > TST_TAINT_W(512) when too high physical address wasn't handled.  Is this
> > a usual case?  Should we break
> > and skip CVE-2017-17053 due to this existed TST_TAINT_W?
> > 
> > Please see the following warning message:
> > -----------------------------------------------------------------
> > [    0.059261] ioremap: invalid physical address fffffffffff90000
> > [    0.059263] ------------[ cut here ]------------
> > [    0.059268] WARNING: CPU: 0 PID: 1 at arch/x86/mm/ioremap.c:103
> > __ioremap_caller+0x2f2/0x340
> > [    0.059269] Modules linked in:
> > [    0.059272] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
> > 3.10.0-860.el7.x86_64 #1
> > [    0.059273] Hardware name: LENOVO QiTianM7150/To be filled by O.E.M.,
> > BIOS 90KT20CUS 09/14/2010
> > [    0.059275] Call Trace:
> > [    0.059281]  [<ffffffffaed0d768>] dump_stack+0x19/0x1b
> > [    0.059284]  [<ffffffffae6916d8>] __warn+0xd8/0x100
> > [    0.059286]  [<ffffffffae69181d>] warn_slowpath_null+0x1d/0x20
> > [    0.059288]  [<ffffffffae66f442>] __ioremap_caller+0x2f2/0x340
> > [    0.059290]  [<ffffffffaed0064a>] ? acpi_os_map_memory+0xfd/0x155
> > [    0.059293]  [<ffffffffae7f7606>] ? kmem_cache_alloc_trace+0x1d6/0x200
> > [    0.059295]  [<ffffffffae66f4c4>] ioremap_cache+0x14/0x20
> > [    0.059297]  [<ffffffffaed0064a>] acpi_os_map_memory+0xfd/0x155
> > [    0.059301]  [<ffffffffae9ec576>]
> > acpi_ex_system_memory_space_handler+0xdd/0x1ca
> > [    0.059304]  [<ffffffffae9e5fa3>]
> > acpi_ev_address_space_dispatch+0x1c5/0x231
> > [    0.059306]  [<ffffffffae9e963a>] acpi_ex_access_region+0x20e/0x2a2
> > [    0.059309]  [<ffffffffae9cf86d>] ? acpi_os_release_lock+0xe/0x10
> > [    0.059312]  [<ffffffffae9fae9c>] ?
> > acpi_ut_update_ref_count+0x99/0x2bf
> > [    0.059314]  [<ffffffffae9e99f5>] acpi_ex_field_datum_io+0x105/0x196
> > [    0.059316]  [<ffffffffae9e9c0e>]
> > acpi_ex_extract_from_field+0x98/0x228
> > [    0.059318]  [<ffffffffae9fca3a>] ?
> > acpi_ut_create_internal_object_dbg+0x23/0x8a
> > [    0.059321]  [<ffffffffae9e91bd>]
> > acpi_ex_read_data_from_field+0x13c/0x178
> > [    0.059323]  [<ffffffffae9ec8fc>]
> > acpi_ex_resolve_node_to_value+0x1a3/0x245
> > [    0.059325]  [<ffffffffae9ecbbb>] acpi_ex_resolve_to_value+0x21d/0x23a
> > [    0.059327]  [<ffffffffae9e26c3>]
> > acpi_ds_evaluate_name_path+0x8d/0x11b
> > [    0.059329]  [<ffffffffae9e2aaa>] acpi_ds_exec_end_op+0x98/0x3f3
> > [    0.059332]  [<ffffffffae9f4fb8>] acpi_ps_parse_loop+0x526/0x583
> > [    0.059335]  [<ffffffffae9fd618>] ?
> > acpi_ut_create_generic_state+0x37/0x54
> > [    0.059337]  [<ffffffffae9f5ac0>] acpi_ps_parse_aml+0x98/0x289
> > [    0.059339]  [<ffffffffae9f6313>] acpi_ps_execute_method+0x1c7/0x272
> > [    0.059341]  [<ffffffffae9f0a40>] acpi_ns_evaluate+0x1c1/0x258
> > [    0.059343]  [<ffffffffae9f3387>] acpi_evaluate_object+0x135/0x252
> > [    0.059346]  [<ffffffffae9cfc7e>] acpi_evaluate_integer+0x52/0x84
> > [    0.059348]  [<ffffffffae9cf811>] ? acpi_os_signal_semaphore+0x21/0x2d
> > [    0.059350]  [<ffffffffae9d3818>] acpi_bus_get_status_handle+0x1e/0x39
> > [    0.059353]  [<ffffffffae9d5d1b>] acpi_bus_check_add+0x81/0x1c2
> > [    0.059355]  [<ffffffffae6c0d02>] ? up+0x32/0x50
> > [    0.059358]  [<ffffffffae9f316c>] acpi_ns_walk_namespace+0xcb/0x184
> > [    0.059360]  [<ffffffffae9d5c9a>] ? acpi_add_single_object+0x4f9/0x4f9
> > [    0.059362]  [<ffffffffae9d5c9a>] ? acpi_add_single_object+0x4f9/0x4f9
> > [    0.059364]  [<ffffffffae9f36a2>] acpi_walk_namespace+0x95/0xc5
> > [    0.059367]  [<ffffffffaf3b722b>] ? acpi_sleep_proc_init+0x2a/0x2a
> > [    0.059369]  [<ffffffffae9d60dd>] acpi_bus_scan+0x5c/0x90
> > [    0.059371]  [<ffffffffaf3b76b1>] acpi_scan_init+0x89/0x1d8
> > [    0.059373]  [<ffffffffaf3b74ce>] acpi_init+0x2a3/0x2bd
> > [    0.059376]  [<ffffffffae60210a>] do_one_initcall+0xba/0x240
> > [    0.059379]  [<ffffffffaf36c362>] kernel_init_freeable+0x180/0x21f
> > [    0.059381]  [<ffffffffaf36bb1f>] ? initcall_blacklist+0xb0/0xb0
> > [    0.059383]  [<ffffffffaecfc6b0>] ? rest_init+0x80/0x80
> > [    0.059385]  [<ffffffffaecfc6be>] kernel_init+0xe/0xf0
> > [    0.059388]  [<ffffffffaed1f637>] ret_from_fork_nospec_begin+0x21/0x21
> > [    0.059390]  [<ffffffffaecfc6b0>] ? rest_init+0x80/0x80
> > [    0.059393] ---[ end trace a7b32a0fce036eb7 ]---
> > -----------------------------------------------------------------
> > 
> > Please let me know if more information is needed, thanks.
> > 
> > Thanks,
> > Xiao Yang
> > On 2018/03/09 20:44, Michael Moese wrote:
> > 
> > > Add a regression test for CVE-2017-17053. This testcase is depending
> > > on some new library functions included in this series.
> > > 
> > > This patch series consists of reworked patches according to previous
> > > review comments, as well as a small new library wrapper function
> > > SAFE_SIGACTION() to install a signal handler.
> > > 
> > > Michael Moese (3):
> > >    Add library support for /proc/sys/kernel/tainted
> > >    Add a library wrapper for sigaction()
> > >    Add regression test for CVE-2017-17053
> > > 
> > >   doc/test-writing-guidelines.txt |  42 ++++++++++
> > >   include/tst_safe_macros.h       |  20 +++++
> > >   include/tst_taint.h             | 104 +++++++++++++++++++++++++
> > >   lib/tst_taint.c                 | 106 +++++++++++++++++++++++++
> > >   runtest/cve                     |   1 +
> > >   testcases/cve/.gitignore        |   1 +
> > >   testcases/cve/Makefile          |   2 +
> > >   testcases/cve/cve-2017-17053.c  | 166
> > > ++++++++++++++++++++++++++++++++++++++++
> > >   8 files changed, 442 insertions(+)
> > >   create mode 100644 include/tst_taint.h
> > >   create mode 100644 lib/tst_taint.c
> > >   create mode 100644 testcases/cve/cve-2017-17053.c
> > > 
> > 
> > 
> > 
> > 
> 
> 
> 
> 
> -- 
> Mailing list info: https://lists.linux.it/listinfo/ltp


-- 
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


* [LTP] [PATCH v6 0/3] Add regression test for CVE-2017-17053
  2018-03-27  9:48   ` Xiao Yang
  2018-03-27  9:58     ` Michael Moese
@ 2018-03-27 13:01     ` Cyril Hrubis
  1 sibling, 0 replies; 11+ messages in thread
From: Cyril Hrubis @ 2018-03-27 13:01 UTC (permalink / raw)
  To: ltp

Hi!
As Michael said there is not much we can do in LTP here, the test cannot
be executed because kernel is already tainted. The best solution is to
fix the kernel not to spew warnings but I know that it's not as easy as
it sounds.

-- 
Cyril Hrubis
chrubis@suse.cz
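
The reasoning in the two replies above, as an added example (not code from LTP or from this thread): taint flags stay set until reboot, so a watched flag that is already set before the test can never be seen to change. The names parse_taint, baseline_usable and newly_set and the TAINT_P case are assumptions made for the illustration; 512 is the value from the report.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define TAINT_P (1UL << 0)	/* proprietary module loaded (unrelated flag) */
#define TAINT_W (1UL << 9)	/* a WARN() fired; 512, the value in the report */

/* Parse the decimal bitmask as exposed by /proc/sys/kernel/tainted. */
int parse_taint(const char *text, unsigned long *out)
{
	char *end;

	if (*text < '0' || *text > '9')	/* rejects empty input and signs */
		return -1;
	errno = 0;
	*out = strtoul(text, &end, 10);
	if (errno)
		return -1;
	return (*end == '\0' || *end == '\n') ? 0 : -1;
}

/* A watched flag that is already set can never be seen to change. */
int baseline_usable(unsigned long before, unsigned long watched)
{
	return (before & watched) == 0;
}

/* Watched flags that became set while the test ran. */
unsigned long newly_set(unsigned long before, unsigned long after,
			unsigned long watched)
{
	return after & ~before & watched;
}

int main(void)
{
	char buf[32] = "";
	unsigned long now;
	FILE *f = fopen("/proc/sys/kernel/tainted", "r");

	if (!f || !fgets(buf, sizeof(buf), f) || parse_taint(buf, &now)) {
		fprintf(stderr, "cannot read taint state\n");
		return 2;
	}
	fclose(f);
	printf("tainted=%lu, usable for a TAINT_W test: %s\n", now,
	       baseline_usable(now, TAINT_W) ? "yes" : "no");
	return 0;
}
```

With a baseline of 512, newly_set() returns 0 even if a vulnerable kernel warns again, which is why the only sound outcome is to refuse to run rather than report a pass.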

