Bug 1026914 - (CVE-2017-5669) VUL-0: CVE-2017-5669: kernel-source: Shmat allows mmap null page protection bypass
(CVE-2017-5669)
VUL-0: CVE-2017-5669: kernel-source: Shmat allows mmap null page protection b...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Davidlohr Bueso
Security Team bot
CVSSv2:SUSE:CVE-2017-5669:4.3:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-02-24 18:27 UTC by Mikhail Kasimov
Modified: 2020-06-08 23:23 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
20170119_shmat_nullpage_poc.c (1.23 KB, text/plain)
2017-02-27 07:59 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-02-24 18:27:07 UTC
Ref: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5669
=====================================================================
Original release date: 02/24/2017
Last revised: 02/24/2017
Source: US-CERT/NIST
Undergoing Analysis

This vulnerability is currently undergoing analysis and not all information is available. Please check back soon to view the completed vulnerability summary.
Overview

The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context.
References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: MISC
Name: https://bugzilla.kernel.org/show_bug.cgi?id=192931
Hyperlink: https://bugzilla.kernel.org/show_bug.cgi?id=192931


External Source: CONFIRM
Name: https://github.com/torvalds/linux/commit/e1d35d4dc7f089e6c9c080d556feedf9c706f0c7
Hyperlink: https://github.com/torvalds/linux/commit/e1d35d4dc7f089e6c9c080d556feedf9c706f0c7

=====================================================================
Comment 1 Swamp Workflow Management 2017-02-24 23:01:17 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2017-02-27 07:59:52 UTC
Created attachment 715522 [details]
20170119_shmat_nullpage_poc.c

QA REPRODUCER:

poc attached to kernel.org bug

as root:
# gcc -o 20170119_shmat_nullpage_poc 20170119_shmat_nullpage_poc.c
# ./20170119_shmat_nullpage_poc
Attempting to mmap the null page
Mmap: 0x7f3f37af1000
Unmapping mmaped page
Allocating system-v shared memory
Attaching shared memory to null page
Mapped to (nil)   <<<< should NOT happen
Unmapping page
Comment 3 Marcus Meissner 2017-02-27 08:00:25 UTC

The issue is described here, with a nice testcase:

    https://bugzilla.kernel.org/show_bug.cgi?id=192931

The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and the
address rounded down to 0.  For the regular mmap case, the protection
mentioned above is that the kernel gets to generate the address --
arch_get_unmapped_area() will always check for MAP_FIXED and return that
address.  So by the time we do security_mmap_addr(0) things get funky for
shmat().

The testcase itself shows that while a regular user crashes, root will not
have a problem attaching a nil-page.  There are two possible fixes to
this.  The first, and which this patch does, is to simply allow root to
crash as well -- this is also regular mmap behavior, ie when hacking up
the testcase and adding mmap(...  |MAP_FIXED).  While this approach is the
safer option, the second alternative is to ignore SHM_RND if the rounded
address is 0, thus only having MAP_SHARED flags.  This makes the behavior
of shmat() identical to the mmap() case.  The downside of this is
obviously user visible, but does make sense in that it maintains semantics
after the round-down wrt 0 address and mmap.

Passes shm related ltp tests.

Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Comment 4 Marcus Meissner 2017-02-27 08:06:47 UTC
so this is a "root user" to "kernel code" escape.
Comment 6 Davidlohr Bueso 2017-03-23 19:17:54 UTC
Backported to cve/3.12, cve/3.0, cve/2.6.32 and cve/2.6.16. Closing bug.
Comment 10 Bernhard Wiedemann 2017-03-30 08:02:18 UTC
This is an autogenerated message for OBS integration:
This bug (1026914) was mentioned in
https://build.opensuse.org/request/show/483729 42.1 / kernel-source
Comment 11 Swamp Workflow Management 2017-04-01 13:09:08 UTC
openSUSE-SU-2017:0906-1: An update that solves 15 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1019851,1020602,1022785,1023377,1025235,1026722,1026914,1027066,1027178,1027179,1027189,1027190,1027565,1028415,1029986,1030118,1030573,968697
CVE References: CVE-2016-10200,CVE-2016-10208,CVE-2016-2117,CVE-2017-2583,CVE-2017-2584,CVE-2017-2596,CVE-2017-2636,CVE-2017-5669,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6348,CVE-2017-6353,CVE-2017-7184
Sources used:
openSUSE Leap 42.1 (src):    kernel-debug-4.1.39-53.1, kernel-default-4.1.39-53.1, kernel-docs-4.1.39-53.2, kernel-ec2-4.1.39-53.1, kernel-obs-build-4.1.39-53.1, kernel-obs-qa-4.1.39-53.1, kernel-pae-4.1.39-53.1, kernel-pv-4.1.39-53.1, kernel-source-4.1.39-53.1, kernel-syms-4.1.39-53.1, kernel-vanilla-4.1.39-53.1, kernel-xen-4.1.39-53.1
Comment 12 Swamp Workflow Management 2017-05-11 19:11:21 UTC
SUSE-SU-2017:1247-1: An update that solves 25 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 1003077,1015703,1021256,1021762,1023377,1023762,1023992,1024938,1025235,1026024,1026722,1026914,1027066,1027149,1027178,1027189,1027190,1028415,1028895,1029986,1030118,1030213,1030901,1031003,1031052,1031440,1031579,1032344,1033336,914939,954763,968697,979215,983212,989056
CVE References: CVE-2015-1350,CVE-2016-10044,CVE-2016-10200,CVE-2016-10208,CVE-2016-2117,CVE-2016-3070,CVE-2016-5243,CVE-2016-7117,CVE-2016-9588,CVE-2017-2671,CVE-2017-5669,CVE-2017-5897,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6348,CVE-2017-6353,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7616
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    kernel-default-3.12.61-52.72.1, kernel-source-3.12.61-52.72.1, kernel-syms-3.12.61-52.72.1, kernel-xen-3.12.61-52.72.1, kgraft-patch-SLE12_Update_21-1-2.1
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.72.1, kernel-source-3.12.61-52.72.1, kernel-syms-3.12.61-52.72.1, kernel-xen-3.12.61-52.72.1, kgraft-patch-SLE12_Update_21-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.72.1
Comment 13 Swamp Workflow Management 2017-05-15 19:38:47 UTC
SUSE-SU-2017:1301-1: An update that solves 18 vulnerabilities and has 41 fixes is now available.

Category: security (important)
Bug References: 1005651,1008374,1008893,1013018,1013070,1013800,1013862,1016489,1017143,1018263,1018446,1019168,1020229,1021256,1021913,1022971,1023014,1023163,1023888,1024508,1024788,1024938,1025235,1025702,1026024,1026260,1026722,1026914,1027066,1027101,1027178,1028415,1028880,1029212,1029770,1030213,1030573,1031003,1031052,1031440,1031579,1032141,1033336,1033771,1033794,1033804,1033816,1034026,909486,911105,931620,979021,982783,983212,985561,988065,989056,995542,999245
CVE References: CVE-2015-3288,CVE-2015-8970,CVE-2016-10200,CVE-2016-5243,CVE-2017-2671,CVE-2017-5669,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6348,CVE-2017-6353,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7616
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-100.2
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-bigmem-3.0.101-100.1, kernel-default-3.0.101-100.1, kernel-ec2-3.0.101-100.1, kernel-pae-3.0.101-100.1, kernel-ppc64-3.0.101-100.1, kernel-source-3.0.101-100.1, kernel-syms-3.0.101-100.1, kernel-trace-3.0.101-100.1, kernel-xen-3.0.101-100.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-100.1, kernel-pae-3.0.101-100.1, kernel-ppc64-3.0.101-100.1, kernel-trace-3.0.101-100.1, kernel-xen-3.0.101-100.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-100.1, kernel-default-3.0.101-100.1, kernel-ec2-3.0.101-100.1, kernel-pae-3.0.101-100.1, kernel-ppc64-3.0.101-100.1, kernel-trace-3.0.101-100.1, kernel-xen-3.0.101-100.1
Comment 15 Swamp Workflow Management 2017-05-17 08:26:24 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-05-24.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63611
Comment 16 Swamp Workflow Management 2017-05-19 16:17:22 UTC
SUSE-SU-2017:1360-1: An update that solves 30 vulnerabilities and has 72 fixes is now available.

Category: security (important)
Bug References: 1003077,1008842,1009682,1012620,1012985,1015703,1015787,1015821,1017512,1018100,1018263,1018419,1018446,1019168,1019514,1020048,1020795,1021256,1021374,1021762,1021913,1022559,1022971,1023164,1023207,1023377,1023762,1023824,1023888,1023992,1024081,1024234,1024309,1024508,1024788,1025039,1025235,1025354,1025802,1026024,1026722,1026914,1027066,1027178,1027189,1027190,1027974,1028041,1028415,1028595,1028648,1028895,1029470,1029850,1029986,1030118,1030213,1030593,1030901,1031003,1031052,1031080,1031440,1031567,1031579,1031662,1031842,1032125,1032141,1032344,1032345,1033336,1034670,103470,1034700,1035576,1035699,1035738,1035877,1036752,1038261,799133,857926,914939,917630,922853,930399,931620,937444,940946,954763,968697,970083,971933,979215,982783,983212,984530,985561,988065,989056,993832
CVE References: CVE-2015-1350,CVE-2016-10044,CVE-2016-10200,CVE-2016-10208,CVE-2016-2117,CVE-2016-3070,CVE-2016-5243,CVE-2016-7117,CVE-2016-9191,CVE-2016-9588,CVE-2016-9604,CVE-2017-2647,CVE-2017-2671,CVE-2017-5669,CVE-2017-5897,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6348,CVE-2017-6353,CVE-2017-6951,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7616,CVE-2017-7645,CVE-2017-8106
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.74-60.64.40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.74-60.64.40.4, kernel-obs-build-3.12.74-60.64.40.1
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.74-60.64.40.1, kernel-source-3.12.74-60.64.40.1, kernel-syms-3.12.74-60.64.40.1, kernel-xen-3.12.74-60.64.40.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.40.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_15-1-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.74-60.64.40.1, kernel-source-3.12.74-60.64.40.1, kernel-syms-3.12.74-60.64.40.1, kernel-xen-3.12.74-60.64.40.1
Comment 17 Marcus Meissner 2017-06-23 10:41:32 UTC
released
Comment 18 Swamp Workflow Management 2017-09-04 19:17:07 UTC
SUSE-SU-2017:2342-1: An update that solves 44 vulnerabilities and has 135 fixes is now available.

Category: security (important)
Bug References: 1003077,1005651,1008374,1008850,1008893,1012422,1013018,1013070,1013800,1013862,1016489,1017143,1018074,1018263,1018446,1019168,1020229,1021256,1021913,1022971,1023014,1023051,1023163,1023888,1024508,1024788,1024938,1025235,1025702,1026024,1026260,1026722,1026914,1027066,1027101,1027178,1027565,1028372,1028415,1028880,1029140,1029212,1029770,1029850,1030213,1030552,1030573,1030593,1030814,1031003,1031052,1031440,1031579,1032141,1032340,1032471,1033287,1033336,1033771,1033794,1033804,1033816,1034026,1034670,1035576,1035777,1035920,1036056,1036288,1036629,1037182,1037183,1037191,1037193,1037227,1037232,1037233,1037356,1037358,1037359,1037441,1038544,1038879,1038981,1038982,1039258,1039348,1039354,1039456,1039594,1039882,1039883,1039885,1040069,1040351,1041160,1041431,1041762,1041975,1042045,1042200,1042615,1042633,1042687,1042832,1043014,1043234,1043935,1044015,1044125,1044216,1044230,1044854,1044882,1044913,1044985,1045154,1045340,1045356,1045406,1045416,1045525,1045538,1045547,1045615,1046107,1046122,1046192,1046715,1047027,1047053,1047343,1047354,1047487,1047523,1047653,1048185,1048221,1048232,1048275,1049483,1049603,1049688,1049882,1050154,1050431,1051478,1051515,1051770,784815,792863,799133,870618,909486,909618,911105,919382,928138,931620,938352,943786,948562,962257,970956,971975,972891,979021,982783,983212,985561,986362,986365,986924,988065,989056,990682,991651,995542,999245
CVE References: CVE-2014-9922,CVE-2015-3288,CVE-2015-8970,CVE-2016-10200,CVE-2016-2188,CVE-2016-4997,CVE-2016-4998,CVE-2016-5243,CVE-2016-7117,CVE-2017-1000363,CVE-2017-1000364,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-11176,CVE-2017-11473,CVE-2017-2636,CVE-2017-2647,CVE-2017-2671,CVE-2017-5669,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6348,CVE-2017-6353,CVE-2017-6951,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7482,CVE-2017-7487,CVE-2017-7533,CVE-2017-7542,CVE-2017-7616,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.5.1, kernel-rt_trace-3.0.101.rt130-69.5.1, kernel-source-rt-3.0.101.rt130-69.5.1, kernel-syms-rt-3.0.101.rt130-69.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.5.1, kernel-rt_debug-3.0.101.rt130-69.5.1, kernel-rt_trace-3.0.101.rt130-69.5.1
Comment 19 Swamp Workflow Management 2017-09-19 13:09:57 UTC
SUSE-SU-2017:2525-1: An update that solves 40 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1006919,1012422,1013862,1017143,1020229,1021256,1023051,1024938,1025013,1025235,1026024,1026722,1026914,1027066,1027101,1027178,1027179,1027406,1028415,1028880,1029212,1029850,1030213,1030573,1030575,1030593,1031003,1031052,1031440,1031481,1031579,1031660,1033287,1033336,1034670,1034838,1035576,1037182,1037183,1037994,1038544,1038564,1038879,1038883,1038981,1038982,1039349,1039354,1039456,1039594,1039882,1039883,1039885,1040069,1041431,1042364,1042863,1042892,1044125,1045416,1045487,1046107,1048232,1048275,1049483,1049603,1049882,1050677,1052311,1053148,1053152,1053760,1056588,870618,948562,957988,957990,963655,972891,979681,983212,986924,989896,999245
CVE References: CVE-2016-10200,CVE-2016-5243,CVE-2017-1000112,CVE-2017-1000363,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-10661,CVE-2017-11176,CVE-2017-11473,CVE-2017-12762,CVE-2017-14051,CVE-2017-2647,CVE-2017-2671,CVE-2017-5669,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6348,CVE-2017-6353,CVE-2017-6951,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7482,CVE-2017-7487,CVE-2017-7533,CVE-2017-7542,CVE-2017-7616,CVE-2017-8831,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.106.5.1, kernel-default-3.0.101-0.47.106.5.1, kernel-ec2-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-source-3.0.101-0.47.106.5.1, kernel-syms-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.106.5.1, kernel-default-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.106.5.1, kernel-ec2-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-source-3.0.101-0.47.106.5.1, kernel-syms-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.106.5.1, kernel-default-3.0.101-0.47.106.5.1, kernel-ec2-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
Comment 20 Marcus Meissner 2018-06-15 08:53:40 UTC
this regressed on SLES 12 SP3, caused by this patch:

patches.kernel.org/4.4.134-011-Revert-ipc-shm-Fix-shmat-mmap-nil-page-protec.patch

+++ b/patches.kernel.org/4.4.134-011-Revert-ipc-shm-Fix-shmat-mmap-nil-page-protec.patch
@@ -0,0 +1,74 @@
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Fri, 25 May 2018 14:47:27 -0700
+Subject: [PATCH] Revert "ipc/shm: Fix shmat mmap nil-page protection"
+References: bnc#1012382
+Patch-mainline: 4.4.134
+Git-commit: a73ab244f0dad8fffb3291b905f73e2d3eaa7c00
+
+commit a73ab244f0dad8fffb3291b905f73e2d3eaa7c00 upstream.
+
+Patch series "ipc/shm: shmat() fixes around nil-page".
+
+These patches fix two issues reported[1] a while back by Joe and Andrea
+around how shmat(2) behaves with nil-page.
+
+The first reverts a commit that it was incorrectly thought that mapping
+nil-page (address=0) was a no no with MAP_FIXED.  This is not the case,
+with the exception of SHM_REMAP; which is address in the second patch.
+
+I chose two patches because it is easier to backport and it explicitly
+reverts bogus behaviour.  Both patches ought to be in -stable and ltp
+testcases need updated (the added testcase around the cve can be
+modified to just test for SHM_RND|SHM_REMAP).
+
+[1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805
+
+This patch (of 2):
+
+Commit 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection")
+worked on the idea that we should not be mapping as root addr=0 and
+MAP_FIXED.  However, it was reported that this scenario is in fact
+valid, thus making the patch both bogus and breaks userspace as well.
+
+For example X11's libint10.so relies on shmat(1, SHM_RND) for lowmem
+initialization[1].
+
+[1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/int10/linux.c#n347
+Link: http://lkml.kernel.org/r/20180503203243.15045-2-dave@stgolabs.net
+Fixes: 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection")
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Reported-by: Joe Lawrence <joe.lawrence@redhat.com>
+Reported-by: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: <stable@vger.kernel.org>
Comment 21 Marcus Meissner 2018-06-15 08:55:29 UTC
+++ b/patches.kernel.org/4.4.134-012-ipc-shm-fix-shmat-nil-address-after-round-dow.patch
@@ -0,0 +1,57 @@
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Fri, 25 May 2018 14:47:30 -0700
+Subject: [PATCH] ipc/shm: fix shmat() nil address after round-down when
+ remapping
+References: bnc#1012382
+Patch-mainline: 4.4.134
+Git-commit: 8f89c007b6dec16a1793cb88de88fcc02117bbbc
+
+commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc upstream.
+
+shmat()'s SHM_REMAP option forbids passing a nil address for; this is in
+fact the very first thing we check for.  Andrea reported that for
+SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check,
+but we need to check again if the address was rounded down to nil.  As
+of this patch, such cases will return -EINVAL.
+
+Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Reported-by: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Joe Lawrence <joe.lawrence@redhat.com>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ ipc/shm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
Comment 22 Marcus Meissner 2018-06-15 09:03:22 UTC
Either LTP test needs adjustment or the kernel code... test fails:

https://github.com/linux-test-project/ltp/blob/master/testcases/cve/cve-2017-5669.c
Comment 23 Marcus Meissner 2018-06-15 09:28:25 UTC
Cyril can you review?
Comment 24 Cyril Hrubis 2018-06-20 07:03:37 UTC
The test should be adjusted for newer kernels in:

https://github.com/linux-test-project/ltp/commit/b767b73ef027ba8d35f297c7d3659265ac80425b

In short the original kernel fix is supposed to be reverted and replaced with different fix (see the commit message for the LTP test).
Comment 26 Davidlohr Bueso 2019-12-30 01:15:49 UTC
tests have been updated, re-closing.