From 3bde502f612f17b6ed928b04cf5c4ba9ad54d598 Mon Sep 17 00:00:00 2001 From: He Zhe Date: Mon, 30 Sep 2019 10:38:01 +0800 Subject: ltp: Fix hang of cve test cases Backport a patch to the fix possible hang caused by the case of CVE-2017-17052. CVE: CVE-2017-17052 Signed-off-by: He Zhe Signed-off-by: Ross Burton --- ...-2017-17052-Avoid-unsafe-exits-in-threads.patch | 64 ++++++++++++++++++++++ meta/recipes-extended/ltp/ltp_20190517.bb | 1 + 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch diff --git a/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch b/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch new file mode 100644 index 0000000000..cc40081300 --- /dev/null +++ b/meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch @@ -0,0 +1,64 @@ +From e3a8502d0a4f8a44ddd02ca4b2efc097133fb9f7 Mon Sep 17 00:00:00 2001 +From: Mathias Fiedler +Date: Fri, 23 Aug 2019 12:46:48 +0200 +Subject: [PATCH] cve-2017-17052: Avoid unsafe exits in threads + +According to manpage exit(3) calling exit is not thread-safe. +And with glibc 2.28 (and probably also with glibc >=2.27) sometimes +child processes created in fork_thread can get stuck on process exit in +glibc's __run_exit_handlers trying to acquire some lock which was in +locked state while the fork was created. This can happen when exit is +called in mmap_thread concurrently to the fork. +While the main process will still return with PASSED some of its +children are left behind. + +Comparing the source code with the original program as described in the +commit 2b7e8665b4ff51c034c55df3cff76518d1a9ee3a of linux kernel >=4.13 +the exits in mmap_thread and fork_thread should not be necessary to +trigger the original bug. + +Therefore those exit calls are removed. The mmap_thread and fork_thread +should still exit when their corresponding main thread in do_test_fork +calls exit_group. The remaining exit in do_test_fork will be called in +the main thread without any concurrent thread in the same process. + +Signed-off-by: Mathias Fiedler +Acked-by: Cyril Hrubis +Acked-by: Jan Stancek + +Upstream-Status: Backport +[https://github.com/linux-test-project/ltp/commit/9f0b452c1af4bcb54da35711eb3fa77334a350b4] + +CVE: CVE-2017-17052 + +Signed-off-by: He Zhe +--- + testcases/cve/cve-2017-17052.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/testcases/cve/cve-2017-17052.c b/testcases/cve/cve-2017-17052.c +index d7da7e919..18cd2a6d7 100644 +--- a/testcases/cve/cve-2017-17052.c ++++ b/testcases/cve/cve-2017-17052.c +@@ -58,8 +58,6 @@ static void *mmap_thread(void *arg) + for (;;) { + SAFE_MMAP(NULL, 0x1000000, PROT_READ, + MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); +- if (*do_exit) +- exit(0); + } + + return arg; +@@ -67,9 +65,6 @@ static void *mmap_thread(void *arg) + + static void *fork_thread(void *arg) + { +- if (*do_exit) +- exit(0); +- + usleep(rand() % 10000); + SAFE_FORK(); + +-- +2.17.1 + diff --git a/meta/recipes-extended/ltp/ltp_20190517.bb b/meta/recipes-extended/ltp/ltp_20190517.bb index e9a588f496..4650715607 100644 --- a/meta/recipes-extended/ltp/ltp_20190517.bb +++ b/meta/recipes-extended/ltp/ltp_20190517.bb @@ -48,6 +48,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \ file://0001-cve-meltdown.c-Fix-kernel-symbol-finding.patch \ file://0001-testcases-use-python3-everywhere-to-run-python-scrip.patch \ file://0001-syscall-rt_sigtimedwait01-Fix-wrong-sigset-length-fo.patch \ + file://0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch \ " S = "${WORKDIR}/git" -- cgit 1.2.3-korg