Bug 219750 - Unexpected result from the stack_clash test for CVE 2017-1000364
Status: NEW
Alias: None
Product: Memory Management
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P3 normal
Assignee: Andrew Morton
Reported: 2025-02-04 22:19 UTC by Leandro Awa
Modified: 2025-02-05 18:22 UTC
Regression: No


Attachments
git bisect log file (3.40 KB, text/plain)
2025-02-04 22:19 UTC, Leandro Awa
attachment-19278-0.html (8.64 KB, text/html)
2025-02-05 18:22 UTC, Leandro Awa

Description Leandro Awa 2025-02-04 22:19:44 UTC
Created attachment 307574 [details]
git bisect log file

I ran into the following unexpected result from the stack clash test included with the LTP testsuite while running tests against 6.12.10:
    
###

tst_test.c:1724: TINFO: Overall timeout per run is 0h 04m 00s 
tst_kconfig.c:629: TINFO: stack_guard_gap is not found in /proc/cmdline 
stack_clash.c:296: TINFO: STACK_GROWSDOWN = 1 == 0x7fffffffcfd0 > 0x7fffffffcf40 
stack_clash.c:247: TINFO: Stack:0x7fffffefc000+0x103000 mmap:0x7fffffdfb000+0x1000 
stack_clash.c:207: TBROK: mmap((nil),4096,PROT_READ | PROT_WRITE(3),34,0,0) failed: ENOMEM (12) 
stack_clash.c:329: TBROK: Child exited with 2 
 
HINT: You _MAY_ be missing kernel fixes: 
 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58c5d0d6d522 
 
HINT: You _MAY_ be vulnerable to CVE(s): 

###


The test worked previously on 6.1.x.

I ran the same test on a 6.6.x (6.6.70 to be specific) and I got the same failure.

git bisect testing appeared to narrow down the reason for the unexpected result to the following commit:

6b008640db7355d8de6ac18f74cedd7ccc92684f


Tested reverting the changes from the latter commit and I was able to get the expected result:


[root@rno2-sim-j08-017 ~]# stack_clash
tst_test.c:1900: TINFO: LTP version: 20240930
tst_test.c:1904: TINFO: Tested kernel: 6.12.10 #8 SMP PREEMPT_DYNAMIC Fri Jan 31 12:42:41 PST 2025 x86_64
tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
tst_test.c:1724: TINFO: Overall timeout per run is 0h 00m 30s 
tst_kconfig.c:629: TINFO: stack_guard_gap is not found in /proc/cmdline
stack_clash.c:296: TINFO: STACK_GROWSDOWN = 1 == 0x7fffffffd3b0 > 0x7fffffffd320
stack_clash.c:247: TINFO: Stack:0x7fffffefc000+0x103000 mmap:0x7fffffdfb000+0x1000
stack_clash.c:89: TINFO: mmap = [7fffffdfb000, 7fffffdfc000), addr = 7fffffefbd60, diff = ffd60, THRESHOLD = ff000
stack_clash.c:321: TPASS: stack is far enough from mmaped area

Summary:
passed   1   
failed   0   
broken   0   
skipped  0
warnings 0
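
Added example, not part of the report or of LTP's stack_clash.c: the `Stack:` and `mmap:` TINFO lines above describe two mappings, and this C sketch computes the unmapped distance between them from `/proc/<pid>/maps`-format text. The names `gap_below_stack`, `SAMPLE_MAPS` and `REPORT_THRESHOLD` are hypothetical, and the sample input is constructed from the addresses printed in the report.

```c
/* Added example: measure the unmapped gap below the [stack] mapping in
 * /proc/<pid>/maps-format text. Names here are hypothetical. */
#include <stdio.h>
#include <string.h>

/* THRESHOLD value as printed by stack_clash.c in the passing run above. */
#define REPORT_THRESHOLD 0xff000UL

/* Constructed sample (not captured output), built from the report's
 * "Stack:0x7fffffefc000+0x103000 mmap:0x7fffffdfb000+0x1000" line. */
static const char SAMPLE_MAPS[] =
    "7fffffdfb000-7fffffdfc000 rw-p 00000000 00:00 0 \n"
    "7fffffefc000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";

/* Stores the distance from the end of the nearest lower mapping to the
 * start of [stack] and returns 0; returns -1 if there is no [stack] line
 * or no mapping below it. */
int gap_below_stack(const char *maps, unsigned long *gap)
{
    unsigned long start, end, prev_end = 0;
    int have_prev = 0;
    const char *line = maps;

    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (sscanf(line, "%lx-%lx", &start, &end) == 2) {
            /* maps is sorted by address, so the previous entry is the
             * nearest mapping below the stack. */
            if (len >= 7 && memcmp(line + len - 7, "[stack]", 7) == 0) {
                if (!have_prev || start < prev_end)
                    return -1;
                *gap = start - prev_end;
                return 0;
            }
            prev_end = end;
            have_prev = 1;
        }
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    unsigned long gap;
    if (gap_below_stack(SAMPLE_MAPS, &gap) != 0)
        return 1;
    printf("gap = %#lx, threshold = %#lx: %s\n", gap, REPORT_THRESHOLD,
           gap >= REPORT_THRESHOLD ? "ok" : "too close");
    return 0;
}
```

The `diff = ffd60` in the passing run is measured from the test's `addr` value rather than from the start of the stack mapping, so it is slightly smaller than the distance computed here.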
Comment 1 Andrew Morton 2025-02-05 02:37:11 UTC
(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Tue, 04 Feb 2025 22:19:44 +0000 bugzilla-daemon@kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=219750
> 
>             Bug ID: 219750
>            Summary: Unexpected result from the stack_clash test for CVE
>                     2017-1000364
>            Product: Memory Management
>            Version: 2.5
>           Hardware: All
>                 OS: Linux
>             Status: NEW
>           Severity: normal
>           Priority: P3
>          Component: Other
>           Assignee: akpm@linux-foundation.org
>           Reporter: lawa@nvidia.com
>         Regression: No

Thanks.  I'm suspecting that the changes in 6b008640db73 ("mm: move
'mmap_min_addr' logic from callers into vm_unmapped_area()") broke the
heuristics in stack_clash.c.  Let's cc the LTP team and ask whether
others are seeing this?

Comment 2 Leandro Awa 2025-02-05 18:22:35 UTC
Created attachment 307576 [details]
attachment-19278-0.html

Thank you for the reply.

I forgot to include this information but the test system was running a Rocky 8.9 OS.



Regards,

Leandro Awa



