| From e3a8502d0a4f8a44ddd02ca4b2efc097133fb9f7 Mon Sep 17 00:00:00 2001 |
| From: Mathias Fiedler <mathias.fiedler@aox-tech.de> |
| Date: Fri, 23 Aug 2019 12:46:48 +0200 |
| Subject: [PATCH] cve-2017-17052: Avoid unsafe exits in threads |
| |
| According to manpage exit(3) calling exit is not thread-safe. |
| And with glibc 2.28 (and probably also with glibc >=2.27) sometimes |
| child processes created in fork_thread can get stuck on process exit in |
| glibc's __run_exit_handlers trying to acquire some lock which was in |
| locked state while the fork was created. This can happen when exit is |
| called in mmap_thread concurrently to the fork. |
| While the main process will still return with PASSED some of its |
| children are left behind. |
| |
| Comparing the source code with the original program as described in the |
| commit 2b7e8665b4ff51c034c55df3cff76518d1a9ee3a of linux kernel >=4.13 |
| the exits in mmap_thread and fork_thread should not be necessary to |
| trigger the original bug. |
| |
| Therefore those exit calls are removed. The mmap_thread and fork_thread |
| should still exit when their corresponding main thread in do_test_fork |
| calls exit_group. The remaining exit in do_test_fork will be called in |
| the main thread without any concurrent thread in the same process. |
| |
| Signed-off-by: Mathias Fiedler <mathias.fiedler@aox-tech.de> |
| Acked-by: Cyril Hrubis <chrubis@suse.cz> |
| Acked-by: Jan Stancek <jstancek@redhat.com> |
| |
| Upstream-Status: Backport |
| [https://github.com/linux-test-project/ltp/commit/9f0b452c1af4bcb54da35711eb3fa77334a350b4] |
| |
| CVE: CVE-2017-17052 |
| |
| Signed-off-by: He Zhe <zhe.he@windriver.com> |
| --- |
| testcases/cve/cve-2017-17052.c | 5 ----- |
| 1 file changed, 5 deletions(-) |
| |
| diff --git a/testcases/cve/cve-2017-17052.c b/testcases/cve/cve-2017-17052.c |
| index d7da7e919..18cd2a6d7 100644 |
| --- a/testcases/cve/cve-2017-17052.c |
| +++ b/testcases/cve/cve-2017-17052.c |
| @@ -58,8 +58,6 @@ static void *mmap_thread(void *arg) |
| for (;;) { |
| SAFE_MMAP(NULL, 0x1000000, PROT_READ, |
| MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); |
| - if (*do_exit) |
| - exit(0); |
| } |
| |
| return arg; |
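Review bot: In mmap_thread, with the `if (*do_exit) exit(0);` check removed, the `for (;;)` loop has no exit path left, so the trailing `return arg;` is unreachable and the thread stops only when the whole process is torn down. A short comment above the loop should say that the thread is ended by the exit_group call from the main thread in do_test_fork, as the commit message describes, so the infinite loop does not read as an oversight. If nothing else reads `do_exit` after both removals in this patch, the flag can be dropped as well.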
| @@ -67,9 +65,6 @@ static void *mmap_thread(void *arg) |
| |
| static void *fork_thread(void *arg) |
| { |
| - if (*do_exit) |
| - exit(0); |
| - |
| usleep(rand() % 10000); |
| SAFE_FORK(); |
| |
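Review bot: In fork_thread, dropping the early `if (*do_exit) exit(0);` means every invocation now reaches `usleep(rand() % 10000);` and `SAFE_FORK();`, including ones started after the flag is set, so the test relies entirely on the main thread to stop further forks. The child's path after `SAFE_FORK()` lies outside this hunk. Since the commit message attributes the hang to exit handlers waiting on a lock that was held at fork time, please confirm that the child does not end through exit(3) either (for example by leaving via _exit), or state in the commit message why that path is safe.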
| -- |
| 2.17.1 |
| |