authorJerry Jelinek <jerry.jelinek@joyent.com>2017-07-20 16:14:33 +0000
committerJerry Jelinek <jerry.jelinek@joyent.com>2017-07-20 17:22:24 +0000
commitb8bb92f45ec28539167cd5590f793c014e123af1 (patch)
tree293f99bdfb8ca718ce8152553c13320a1dc867e8
parent7056348217f9eb7f77f7b9c80493139e3b67b341 (diff)
OS-6241 LTP new cve-2017-5669 test fails
Reviewed by: Patrick Mooney <patrick.mooney@joyent.com> Approved by: Patrick Mooney <patrick.mooney@joyent.com>
-rw-r--r--usr/src/lib/brand/lx/lx_brand/common/sysv_ipc.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/usr/src/lib/brand/lx/lx_brand/common/sysv_ipc.c b/usr/src/lib/brand/lx/lx_brand/common/sysv_ipc.c
index 99cc12704e..80b7b92be3 100644
--- a/usr/src/lib/brand/lx/lx_brand/common/sysv_ipc.c
+++ b/usr/src/lib/brand/lx/lx_brand/common/sysv_ipc.c
@@ -21,7 +21,7 @@
/*
* Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
- * Copyright 2016 Joyent, Inc. All rights reserved.
+ * Copyright 2017 Joyent, Inc. All rights reserved.
*/
#include <errno.h>
@@ -694,6 +694,18 @@ lx_shmat(int shmid, void *addr, int flags)
lx_debug("\tlx_shmat(%d, 0x%p, %d)\n", shmid, addr, flags);
+ /*
+ * Linux has a fix for CVE-2017-5669 which LTP is testing for. The
+ * kernel will disallow mapping into the first 64k of the address space.
+ * LTP passes 1 as the address which will then round down to 0.
+ * In the future, once more work has been done to tighten up the lx
+ * brand handling for the minimum mappable address (e.g. with secflags),
+ * then we can remove this check.
+ */
+ if ((flags & LX_SHM_RND) && addr != NULL && addr < (void *)0x10000) {
+ return (-EINVAL);
+ }
+
sol_flags = 0;
if (flags & LX_SHM_RDONLY)
sol_flags |= SHM_RDONLY;
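Review bot: The new guard in lx_shmat is narrower than its comment: the comment says mappings into the first 64k are disallowed, but the test only fires when `LX_SHM_RND` is set, so a non-NULL, already-aligned address below 0x10000 passed without that flag still continues to the attach code outside this hunk. Whether that path is rejected later is not visible here, so either drop the flag test, e.g. `if (addr != NULL && (uintptr_t)addr < 0x10000) {`, or reword the comment to say that only the round-down case is covered and why that is sufficient. Independently, `addr < (void *)0x10000` is a relational comparison between unrelated pointers, which C leaves undefined; comparing as `uintptr_t` avoids that, and the bare 0x10000 would read better as a named constant. The body of lx_shmat starts and ends outside the hunk.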