Brad Bishop | 00e122a | 2019-10-05 11:10:57 -0400 | 1 | From e3a8502d0a4f8a44ddd02ca4b2efc097133fb9f7 Mon Sep 17 00:00:00 2001 |
| 2 | From: Mathias Fiedler <mathias.fiedler@aox-tech.de> |
| 3 | Date: Fri, 23 Aug 2019 12:46:48 +0200 |
| 4 | Subject: [PATCH] cve-2017-17052: Avoid unsafe exits in threads |
| 5 | |
| 6 | According to manpage exit(3) calling exit is not thread-safe. |
| 7 | And with glibc 2.28 (and probably also with glibc >=2.27) sometimes |
| 8 | child processes created in fork_thread can get stuck on process exit in |
| 9 | glibc's __run_exit_handlers trying to acquire some lock which was in |
| 10 | locked state while the fork was created. This can happen when exit is |
| 11 | called in mmap_thread concurrently to the fork. |
| 12 | While the main process will still return with PASSED some of its |
| 13 | children are left behind. |
| 14 | |
| 15 | Comparing the source code with the original program as described in the |
| 16 | commit 2b7e8665b4ff51c034c55df3cff76518d1a9ee3a of linux kernel >=4.13 |
| 17 | the exits in mmap_thread and fork_thread should not be necessary to |
| 18 | trigger the original bug. |
| 19 | |
| 20 | Therefore those exit calls are removed. The mmap_thread and fork_thread |
| 21 | should still exit when their corresponding main thread in do_test_fork |
| 22 | calls exit_group. The remaining exit in do_test_fork will be called in |
| 23 | the main thread without any concurrent thread in the same process. |
| 24 | |
| 25 | Signed-off-by: Mathias Fiedler <mathias.fiedler@aox-tech.de> |
| 26 | Acked-by: Cyril Hrubis <chrubis@suse.cz> |
| 27 | Acked-by: Jan Stancek <jstancek@redhat.com> |
| 28 | |
| 29 | Upstream-Status: Backport |
| 30 | [https://github.com/linux-test-project/ltp/commit/9f0b452c1af4bcb54da35711eb3fa77334a350b4] |
| 31 | |
| 32 | CVE: CVE-2017-17052 |
| 33 | |
| 34 | Signed-off-by: He Zhe <zhe.he@windriver.com> |
| 35 | --- |
| 36 | testcases/cve/cve-2017-17052.c | 5 ----- |
| 37 | 1 file changed, 5 deletions(-) |
| 38 | |
| 39 | diff --git a/testcases/cve/cve-2017-17052.c b/testcases/cve/cve-2017-17052.c |
| 40 | index d7da7e919..18cd2a6d7 100644 |
| 41 | --- a/testcases/cve/cve-2017-17052.c |
| 42 | +++ b/testcases/cve/cve-2017-17052.c |
| 43 | @@ -58,8 +58,6 @@ static void *mmap_thread(void *arg) |
| 44 | for (;;) { |
| 45 | SAFE_MMAP(NULL, 0x1000000, PROT_READ, |
| 46 | MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); |
| 47 | - if (*do_exit) |
| 48 | - exit(0); |
| 49 | } |
| 50 | |
| 51 | return arg; |
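Review bot: in mmap_thread the `for (;;)` loop is left with no exit path once the `if (*do_exit)` check is gone, so the trailing `return arg;` is unreachable and the thread can only end when the whole process does. The commit message says this is intended (the thread dies when do_test_fork calls exit_group), but nothing in the code says so. A one-line comment above the loop stating that termination comes from the main thread would keep a later reader from re-adding an exit() or a break here.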
| 52 | @@ -67,9 +65,6 @@ static void *mmap_thread(void *arg) |
| 53 | |
| 54 | static void *fork_thread(void *arg) |
| 55 | { |
| 56 | - if (*do_exit) |
| 57 | - exit(0); |
| 58 | - |
| 59 | usleep(rand() % 10000); |
| 60 | SAFE_FORK(); |
| 61 | |
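Review bot: removing the `if (*do_exit)` check at the top of fork_thread, together with the one in mmap_thread, deletes both reads of `do_exit` visible in this patch, while the diffstat shows only these 5 deletions, so the variable's definition and any writes to it stay in the file. If nothing else reads it, drop the variable and whatever sets it in the same change; if something still does, a comment at its definition should say what depends on it.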
| 62 | -- |
| 63 | 2.17.1 |
| 64 | |
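The failure mode the commit message describes, reduced to a deterministic case as an added example (not code from LTP or from this patch): a lock held by one thread while another thread forks is inherited in the locked state by the child, where the holding thread does not exist. The mutex `lock`, the semaphores and the function names are hypothetical stand-ins for the lock taken inside glibc's exit path; the child uses trylock so it reports the state instead of hanging.

```c
#include <errno.h>
#include <pthread.h>
#include <semaphore.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the lock taken inside glibc's exit handling. */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static sem_t held, done;

static void *holder(void *arg)
{
	pthread_mutex_lock(&lock);
	sem_post(&held);	/* tell the forking thread the lock is taken */
	sem_wait(&done);	/* keep it held across the fork */
	pthread_mutex_unlock(&lock);
	return arg;
}

/* Returns what the child sees: EBUSY if it inherited the lock locked,
 * 0 if the lock was free, -1 on error. */
int child_lock_state_after_fork(void)
{
	pthread_t t;
	int status = 0;
	pid_t pid;

	sem_init(&held, 0, 0);
	sem_init(&done, 0, 0);
	if (pthread_create(&t, NULL, holder, NULL) != 0)
		return -1;
	sem_wait(&held);

	pid = fork();
	if (pid == 0) {
		/* Only the forking thread was copied; holder() does not exist
		 * here, so nobody will ever unlock. A blocking lock would hang. */
		_exit(pthread_mutex_trylock(&lock) == EBUSY ? EBUSY : 0);
	}
	sem_post(&done);	/* parent side: let holder() release the lock */
	pthread_join(t, NULL);
	if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

int main(void)
{
	return child_lock_state_after_fork() == EBUSY ? 0 : 1;
}
```

In the parent the lock is released normally once `holder()` runs on; only the child's copy stays locked, which matches the children the commit message describes as left behind.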