[缺陷描述]: ltp测试时cve-2018-13405用例fail,fail原因为TFAIL: mntpoint/testdir/creat.tmp: Setgid bit is set 测试日志: <<<test_start>>> tag=cve-2018-13405 stime=1639987199 cmdline="creat09" contacts="" analysis=exit <<<test_output>>> incrementing stop tst_device.c:89: TINFO: Found free device 0 '/dev/loop0' tst_supported_fs_types.c:89: TINFO: Kernel supports ext2 tst_supported_fs_types.c:51: TINFO: mkfs.ext2 does exist tst_supported_fs_types.c:89: TINFO: Kernel supports ext3 tst_supported_fs_types.c:51: TINFO: mkfs.ext3 does exist tst_supported_fs_types.c:89: TINFO: Kernel supports ext4 tst_supported_fs_types.c:51: TINFO: mkfs.ext4 does exist tst_supported_fs_types.c:89: TINFO: Kernel supports xfs tst_supported_fs_types.c:51: TINFO: mkfs.xfs does exist tst_supported_fs_types.c:89: TINFO: Kernel supports btrfs tst_supported_fs_types.c:47: TINFO: mkfs.btrfs does not exist tst_supported_fs_types.c:148: TINFO: Skipping vfat as requested by the test tst_supported_fs_types.c:148: TINFO: Skipping exfat as requested by the test tst_supported_fs_types.c:148: TINFO: Skipping ntfs as requested by the test tst_supported_fs_types.c:89: TINFO: Kernel supports tmpfs tst_supported_fs_types.c:38: TINFO: mkfs is not needed for tmpfs tst_test.c:1477: TINFO: Testing on ext2 tst_test.c:975: TINFO: Formatting /dev/loop0 with ext2 opts='' extra opts='' mke2fs 1.45.6 (20-Mar-2020) tst_test.c:1411: TINFO: Timeout per run is 0h 05m 00s creat09.c:56: TINFO: User nobody: uid = 65534, gid = 65534 creat09.c:57: TINFO: Found unused GID 13: SUCCESS (0) creat09.c:88: TPASS: mntpoint/testdir/creat.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/creat.tmp: Setgid bit not set creat09.c:88: TPASS: mntpoint/testdir/open.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/open.tmp: Setgid bit not set tst_test.c:1477: TINFO: Testing on ext3 tst_test.c:975: TINFO: Formatting /dev/loop0 with ext3 opts='' extra opts='' mke2fs 1.45.6 (20-Mar-2020) tst_test.c:1411: TINFO: Timeout per run is 0h 05m 00s creat09.c:56: TINFO: User nobody: uid = 65534, gid = 65534 creat09.c:57: TINFO: Found unused GID 13: SUCCESS (0) creat09.c:88: TPASS: mntpoint/testdir/creat.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/creat.tmp: Setgid bit not set creat09.c:88: TPASS: mntpoint/testdir/open.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/open.tmp: Setgid bit not set tst_test.c:1477: TINFO: Testing on ext4 tst_test.c:975: TINFO: Formatting /dev/loop0 with ext4 opts='' extra opts='' mke2fs 1.45.6 (20-Mar-2020) tst_test.c:1411: TINFO: Timeout per run is 0h 05m 00s creat09.c:56: TINFO: User nobody: uid = 65534, gid = 65534 creat09.c:57: TINFO: Found unused GID 13: SUCCESS (0) creat09.c:88: TPASS: mntpoint/testdir/creat.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/creat.tmp: Setgid bit not set creat09.c:88: TPASS: mntpoint/testdir/open.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/open.tmp: Setgid bit not set tst_test.c:1477: TINFO: Testing on xfs tst_test.c:975: TINFO: Formatting /dev/loop0 with xfs opts='' extra opts='' tst_test.c:1411: TINFO: Timeout per run is 0h 05m 00s creat09.c:56: TINFO: User nobody: uid = 65534, gid = 65534 creat09.c:57: TINFO: Found unused GID 13: SUCCESS (0) creat09.c:88: TPASS: mntpoint/testdir/creat.tmp: Owned by correct group creat09.c:92: TFAIL: mntpoint/testdir/creat.tmp: Setgid bit is set creat09.c:88: TPASS: mntpoint/testdir/open.tmp: Owned by correct group creat09.c:92: TFAIL: mntpoint/testdir/open.tmp: Setgid bit is set tst_test.c:1477: TINFO: Testing on tmpfs tst_test.c:975: TINFO: Skipping mkfs for TMPFS filesystem tst_test.c:955: TINFO: Limiting tmpfs size to 32MB tst_test.c:1411: TINFO: Timeout per run is 0h 05m 00s creat09.c:56: TINFO: User nobody: uid = 65534, gid = 65534 creat09.c:57: TINFO: Found unused GID 13: SUCCESS (0) creat09.c:88: TPASS: mntpoint/testdir/creat.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/creat.tmp: Setgid bit not set creat09.c:88: TPASS: mntpoint/testdir/open.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/open.tmp: Setgid bit not set HINT: You _MAY_ be missing kernel fixes, see: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01ea173e103e HINT: You _MAY_ be vulnerable to CVE(s), see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13405 Summary: passed 18 failed 2 broken 0 skipped 0 warnings 0 <<<execution_status>>> initiation_status="ok" duration=1 termination_type=exited termination_id=1 corefile=no cutime=8 cstime=7 <<<test_end>>> 系统镜像: http://8.131.87.1/kojifiles/output/an-8-loongarch64-RC1/compose/BaseOS/loongarch64/iso/ 复现环境: 龙芯物理机 复现概率: 必现 [复现步骤]: git clone https://github.com/linux-test-project/ltp.git cd ltp make autotools ./configure make make install /opt/ltp/runltp -f cve -s cve-2018-13405 内核信息: # uname -r 4.19.190-3.an8.loongarch64 操作系统信息: # cat /etc/anolis-release Anolis OS release 8.4 [root@localhost ~]# cat /etc/os-release NAME="Anolis OS" VERSION="8.4" ID="anolis" ID_LIKE="rhel fedora centos" VERSION_ID="8.4" PLATFORM_ID="platform:an8" PRETTY_NAME="Anolis OS 8.4" ANSI_COLOR="0;31" HOME_URL="https://openanolis.cn/" cpu信息: # lscpu Architecture: loongarch64 Byte Order: Little Endian CPU(s): 4 On-line CPU(s) list: 0-3 Thread(s) per core: 1 Core(s) per socket: 4 Socket(s): 1 NUMA node(s): 1 CPU family: Loongson-64bit Model name: Loongson-3A5000LL BogoMIPS: 4600.00 L1d cache: 64K L1i cache: 64K L2 cache: 256K L3 cache: 16384K NUMA node0 CPU(s): 0-3 Flags: cpucfg lam ual fpu lsx lasx complex crypto lvz lbt_x86 lbt_arm lbt_mips 内存信息: # free -h total used free shared buff/cache available Mem: 15Gi 1.3Gi 2.7Gi 18Mi 11Gi 12Gi Swap: 7.9Gi 1.0Mi 7.9Gi [期望结果]: cve-2018-13405用例pass [实际结果]: cve-2018-13405用例fail [初步分析]: 测试代码路径:ltp/testcases/kernel/syscalls/creat/creat09.c 疑似缺失上游关于sgid的一些bug fix补丁,请开发同学进一步确认 CVE-2018-13405问题: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13405 sgid bug fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01ea173e103e
[测试描述] 在内核4.18.0-305.25.1.el8_4.x86_64上也同样复现此问题 [测试日志] <<<test_start>>> tag=cve-2018-13405 stime=1640253435 cmdline="creat09" contacts="" analysis=exit <<<test_output>>> incrementing stop tst_device.c:89: TINFO: Found free device 0 '/dev/loop0' tst_supported_fs_types.c:89: TINFO: Kernel supports ext2 tst_supported_fs_types.c:51: TINFO: mkfs.ext2 does exist tst_supported_fs_types.c:89: TINFO: Kernel supports ext3 tst_supported_fs_types.c:51: TINFO: mkfs.ext3 does exist tst_supported_fs_types.c:89: TINFO: Kernel supports ext4 tst_supported_fs_types.c:51: TINFO: mkfs.ext4 does exist tst_supported_fs_types.c:89: TINFO: Kernel supports xfs tst_supported_fs_types.c:51: TINFO: mkfs.xfs does exist tst_supported_fs_types.c:115: TINFO: Filesystem btrfs is not supported tst_supported_fs_types.c:157: TINFO: Skipping vfat as requested by the test tst_supported_fs_types.c:157: TINFO: Skipping exfat as requested by the test tst_supported_fs_types.c:157: TINFO: Skipping ntfs as requested by the test tst_supported_fs_types.c:89: TINFO: Kernel supports tmpfs tst_supported_fs_types.c:38: TINFO: mkfs is not needed for tmpfs tst_test.c:1495: TINFO: Testing on ext2 tst_test.c:992: TINFO: Formatting /dev/loop0 with ext2 opts='' extra opts='' mke2fs 1.45.6 (20-Mar-2020) tst_test.c:1428: TINFO: Timeout per run is 0h 05m 00s creat09.c:56: TINFO: User nobody: uid = 65534, gid = 65534 creat09.c:57: TINFO: Found unused GID 13: SUCCESS (0) creat09.c:88: TPASS: mntpoint/testdir/creat.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/creat.tmp: Setgid bit not set creat09.c:88: TPASS: mntpoint/testdir/open.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/open.tmp: Setgid bit not set tst_test.c:1495: TINFO: Testing on ext3 tst_test.c:992: TINFO: Formatting /dev/loop0 with ext3 opts='' extra opts='' mke2fs 1.45.6 (20-Mar-2020) tst_test.c:1428: TINFO: Timeout per run is 0h 05m 00s creat09.c:56: TINFO: User nobody: uid = 65534, gid = 65534 creat09.c:57: TINFO: Found unused GID 13: SUCCESS (0) creat09.c:88: TPASS: mntpoint/testdir/creat.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/creat.tmp: Setgid bit not set creat09.c:88: TPASS: mntpoint/testdir/open.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/open.tmp: Setgid bit not set tst_test.c:1495: TINFO: Testing on ext4 tst_test.c:992: TINFO: Formatting /dev/loop0 with ext4 opts='' extra opts='' mke2fs 1.45.6 (20-Mar-2020) tst_test.c:1428: TINFO: Timeout per run is 0h 05m 00s creat09.c:56: TINFO: User nobody: uid = 65534, gid = 65534 creat09.c:57: TINFO: Found unused GID 13: SUCCESS (0) creat09.c:88: TPASS: mntpoint/testdir/creat.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/creat.tmp: Setgid bit not set creat09.c:88: TPASS: mntpoint/testdir/open.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/open.tmp: Setgid bit not set tst_test.c:1495: TINFO: Testing on xfs tst_test.c:992: TINFO: Formatting /dev/loop0 with xfs opts='' extra opts='' tst_test.c:1428: TINFO: Timeout per run is 0h 05m 00s creat09.c:56: TINFO: User nobody: uid = 65534, gid = 65534 creat09.c:57: TINFO: Found unused GID 13: SUCCESS (0) creat09.c:88: TPASS: mntpoint/testdir/creat.tmp: Owned by correct group creat09.c:92: TFAIL: mntpoint/testdir/creat.tmp: Setgid bit is set creat09.c:88: TPASS: mntpoint/testdir/open.tmp: Owned by correct group creat09.c:92: TFAIL: mntpoint/testdir/open.tmp: Setgid bit is set tst_test.c:1495: TINFO: Testing on tmpfs tst_test.c:992: TINFO: Skipping mkfs for TMPFS filesystem tst_test.c:972: TINFO: Limiting tmpfs size to 32MB tst_test.c:1428: TINFO: Timeout per run is 0h 05m 00s creat09.c:56: TINFO: User nobody: uid = 65534, gid = 65534 creat09.c:57: TINFO: Found unused GID 13: SUCCESS (0) creat09.c:88: TPASS: mntpoint/testdir/creat.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/creat.tmp: Setgid bit not set creat09.c:88: TPASS: mntpoint/testdir/open.tmp: Owned by correct group creat09.c:94: TPASS: mntpoint/testdir/open.tmp: Setgid bit not set HINT: You _MAY_ be missing kernel fixes, see: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01ea173e103e HINT: You _MAY_ be vulnerable to CVE(s), see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13405 Summary: passed 18 failed 2 broken 0 skipped 0 warnings 0 <<<execution_status>>> initiation_status="ok" duration=1 termination_type=exited termination_id=1 corefile=no cutime=4 cstime=59 <<<test_end>>> [复现步骤]: git clone https://github.com/linux-test-project/ltp.git cd ltp make autotools ./configure make make install /opt/ltp/runltp -f cve -s cve-2018-13405 [内核信息] # uname -r 4.18.0-305.25.1.el8_4.x86_64 [操作系统信息] # cat /etc/os-release NAME="CentOS Linux" VERSION="8" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="8" PLATFORM_ID="platform:el8" PRETTY_NAME="CentOS Linux 8" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:8" HOME_URL="https://centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-8" CENTOS_MANTISBT_PROJECT_VERSION="8" [cpu信息 ] # lscpu Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian CPU(s): 8 On-line CPU(s) list: 0-7 Thread(s) per core: 1 Core(s) per socket: 1 Socket(s): 8 NUMA node(s): 1 Vendor ID: GenuineIntel BIOS Vendor ID: Red Hat CPU family: 6 Model: 85 Model name: Intel Xeon Processor (Skylake, IBRS) BIOS Model name: RHEL-8.2.0 PC (Q35 + ICH9, 2009) Stepping: 4 CPU MHz: 2194.838 BogoMIPS: 4389.67 Virtualization: VT-x Hypervisor vendor: KVM Virtualization type: full L1d cache: 32K L1i cache: 32K L2 cache: 4096K L3 cache: 16384K NUMA node0 CPU(s): 0-7 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves arat umip pku ospke md_clear arch_capabilities [内存信息] # free -h total used free shared buff/cache available Mem: 15Gi 672Mi 14Gi 20Mi 711Mi 14Gi Swap: 0B 0B 0B [期望结果]: cve-2018-13405用例pass [实际结果]: cve-2018-13405用例fail
补丁已合入龙芯内部仓库