blob: cc40081300c0bb75688b11f50f8e41a0f1e78eb9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
From e3a8502d0a4f8a44ddd02ca4b2efc097133fb9f7 Mon Sep 17 00:00:00 2001
From: Mathias Fiedler <mathias.fiedler@aox-tech.de>
Date: Fri, 23 Aug 2019 12:46:48 +0200
Subject: [PATCH] cve-2017-17052: Avoid unsafe exits in threads
According to manpage exit(3) calling exit is not thread-safe.
And with glibc 2.28 (and probably also with glibc >=2.27) sometimes
child processes created in fork_thread can get stuck on process exit in
glibc's __run_exit_handlers trying to acquire some lock which was in
locked state while the fork was created. This can happen when exit is
called in mmap_thread concurrently to the fork.
While the main process will still return with PASSED some of its
children are left behind.
Comparing the source code with the original program as described in the
commit 2b7e8665b4ff51c034c55df3cff76518d1a9ee3a of linux kernel >=4.13
the exits in mmap_thread and fork_thread should not be necessary to
trigger the original bug.
Therefore those exit calls are removed. The mmap_thread and fork_thread
should still exit when their corresponding main thread in do_test_fork
calls exit_group. The remaining exit in do_test_fork will be called in
the main thread without any concurrent thread in the same process.
Signed-off-by: Mathias Fiedler <mathias.fiedler@aox-tech.de>
Acked-by: Cyril Hrubis <chrubis@suse.cz>
Acked-by: Jan Stancek <jstancek@redhat.com>
Upstream-Status: Backport
[https://github.com/linux-test-project/ltp/commit/9f0b452c1af4bcb54da35711eb3fa77334a350b4]
CVE: CVE-2017-17052
Signed-off-by: He Zhe <zhe.he@windriver.com>
---
testcases/cve/cve-2017-17052.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/testcases/cve/cve-2017-17052.c b/testcases/cve/cve-2017-17052.c
index d7da7e919..18cd2a6d7 100644
--- a/testcases/cve/cve-2017-17052.c
+++ b/testcases/cve/cve-2017-17052.c
@@ -58,8 +58,6 @@ static void *mmap_thread(void *arg)
for (;;) {
SAFE_MMAP(NULL, 0x1000000, PROT_READ,
MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
- if (*do_exit)
- exit(0);
}
return arg;
@@ -67,9 +65,6 @@ static void *mmap_thread(void *arg)
static void *fork_thread(void *arg)
{
- if (*do_exit)
- exit(0);
-
usleep(rand() % 10000);
SAFE_FORK();
--
2.17.1
|
