From 8c1a84778bb05a3becc493698b215681bf7249b3 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Sat, 19 Sep 2020 08:00:00 +0000
Subject: [PATCH 160/162] tests: disable shmctl IPC_STAT test with a bogus
 address on glibc >= 2.32

Starting with commit glibc-2.32~80, on every 32-bit architecture where
32-bit time_t support is enabled, glibc tries to retrieve the data
provided in the third argument of shmctl call.  This results to
segfaults inside glibc when shmctl is called with a bogus address.

* tests/ipc_shm.c [GLIBC_PREREQ_GE(2, 32) && __TIMESIZE != 64]
(TEST_SHMCTL_BOGUS_ADDR): Define to 0.
(main): Conditionalize on TEST_SHMCTL_BOGUS_ADDR the shmctl IPC_STAT
invocation with a bogus address.
---
 tests/ipc_shm.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/tests/ipc_shm.c b/tests/ipc_shm.c
index 5cd414e..695fd94 100644
--- a/tests/ipc_shm.c
+++ b/tests/ipc_shm.c
@@ -73,6 +73,21 @@
 # define str_bogus_cmd "0xdefaced2 /\\* SHM_\\?\\?\\? \\*/"
 #endif
 
+#undef TEST_SHMCTL_BOGUS_ADDR
+
+/*
+ * Starting with commit glibc-2.32~80, on every 32-bit architecture
+ * where 32-bit time_t support is enabled, glibc tries to retrieve
+ * the data provided in the third argument of shmctl call.
+ */
+#if GLIBC_PREREQ_GE(2, 32) && defined __TIMESIZE && __TIMESIZE != 64
+# define TEST_SHMCTL_BOGUS_ADDR 0
+#endif
+
+#ifndef TEST_SHMCTL_BOGUS_ADDR
+# define TEST_SHMCTL_BOGUS_ADDR 1
+#endif
+
 static int id = -1;
 
 static void
@@ -92,7 +107,9 @@ main(void)
 	static const key_t bogus_key = (key_t) 0xeca86420fdb97531ULL;
 	static const int bogus_id = 0xdefaced1;
 	static const int bogus_cmd = 0xdefaced2;
+#if TEST_SHMCTL_BOGUS_ADDR
 	static void * const bogus_addr = (void *) -1L;
+#endif
 	static const size_t bogus_size =
 	/*
 	 * musl sets size to SIZE_MAX if size argument is greater than
@@ -160,10 +177,12 @@ main(void)
 	printf("shmctl\\(%d, (%s\\|)?%s, NULL\\) = %s\n",
 	       bogus_id, str_ipc_64, str_bogus_cmd, sprintrc_grep(rc));
 
+#if TEST_SHMCTL_BOGUS_ADDR
 	rc = shmctl(bogus_id, IPC_STAT, bogus_addr);
 	printf("shmctl\\(%d, (%s\\|)?%s, %p\\) = %s\n",
 	       bogus_id, str_ipc_64, str_ipc_stat, bogus_addr,
 	       sprintrc_grep(rc));
+#endif
 
 	if (shmctl(id, IPC_STAT, &ds))
 		perror_msg_and_skip("shmctl IPC_STAT");
diff --git a/tests-m32/ipc_shm.c b/tests-m32/ipc_shm.c
index 5cd414e..695fd94 100644
--- a/tests-m32/ipc_shm.c
+++ b/tests-m32/ipc_shm.c
@@ -73,6 +73,21 @@
 # define str_bogus_cmd "0xdefaced2 /\\* SHM_\\?\\?\\? \\*/"
 #endif
 
+#undef TEST_SHMCTL_BOGUS_ADDR
+
+/*
+ * Starting with commit glibc-2.32~80, on every 32-bit architecture
+ * where 32-bit time_t support is enabled, glibc tries to retrieve
+ * the data provided in the third argument of shmctl call.
+ */
+#if GLIBC_PREREQ_GE(2, 32) && defined __TIMESIZE && __TIMESIZE != 64
+# define TEST_SHMCTL_BOGUS_ADDR 0
+#endif
+
+#ifndef TEST_SHMCTL_BOGUS_ADDR
+# define TEST_SHMCTL_BOGUS_ADDR 1
+#endif
+
 static int id = -1;
 
 static void
@@ -92,7 +107,9 @@ main(void)
 	static const key_t bogus_key = (key_t) 0xeca86420fdb97531ULL;
 	static const int bogus_id = 0xdefaced1;
 	static const int bogus_cmd = 0xdefaced2;
+#if TEST_SHMCTL_BOGUS_ADDR
 	static void * const bogus_addr = (void *) -1L;
+#endif
 	static const size_t bogus_size =
 	/*
 	 * musl sets size to SIZE_MAX if size argument is greater than
@@ -160,10 +177,12 @@ main(void)
 	printf("shmctl\\(%d, (%s\\|)?%s, NULL\\) = %s\n",
 	       bogus_id, str_ipc_64, str_bogus_cmd, sprintrc_grep(rc));
 
+#if TEST_SHMCTL_BOGUS_ADDR
 	rc = shmctl(bogus_id, IPC_STAT, bogus_addr);
 	printf("shmctl\\(%d, (%s\\|)?%s, %p\\) = %s\n",
 	       bogus_id, str_ipc_64, str_ipc_stat, bogus_addr,
 	       sprintrc_grep(rc));
+#endif
 
 	if (shmctl(id, IPC_STAT, &ds))
 		perror_msg_and_skip("shmctl IPC_STAT");
diff --git a/tests-mx32/ipc_shm.c b/tests-mx32/ipc_shm.c
index 5cd414e..695fd94 100644
--- a/tests-mx32/ipc_shm.c
+++ b/tests-mx32/ipc_shm.c
@@ -73,6 +73,21 @@
 # define str_bogus_cmd "0xdefaced2 /\\* SHM_\\?\\?\\? \\*/"
 #endif
 
+#undef TEST_SHMCTL_BOGUS_ADDR
+
+/*
+ * Starting with commit glibc-2.32~80, on every 32-bit architecture
+ * where 32-bit time_t support is enabled, glibc tries to retrieve
+ * the data provided in the third argument of shmctl call.
+ */
+#if GLIBC_PREREQ_GE(2, 32) && defined __TIMESIZE && __TIMESIZE != 64
+# define TEST_SHMCTL_BOGUS_ADDR 0
+#endif
+
+#ifndef TEST_SHMCTL_BOGUS_ADDR
+# define TEST_SHMCTL_BOGUS_ADDR 1
+#endif
+
 static int id = -1;
 
 static void
@@ -92,7 +107,9 @@ main(void)
 	static const key_t bogus_key = (key_t) 0xeca86420fdb97531ULL;
 	static const int bogus_id = 0xdefaced1;
 	static const int bogus_cmd = 0xdefaced2;
+#if TEST_SHMCTL_BOGUS_ADDR
 	static void * const bogus_addr = (void *) -1L;
+#endif
 	static const size_t bogus_size =
 	/*
 	 * musl sets size to SIZE_MAX if size argument is greater than
@@ -160,10 +177,12 @@ main(void)
 	printf("shmctl\\(%d, (%s\\|)?%s, NULL\\) = %s\n",
 	       bogus_id, str_ipc_64, str_bogus_cmd, sprintrc_grep(rc));
 
+#if TEST_SHMCTL_BOGUS_ADDR
 	rc = shmctl(bogus_id, IPC_STAT, bogus_addr);
 	printf("shmctl\\(%d, (%s\\|)?%s, %p\\) = %s\n",
 	       bogus_id, str_ipc_64, str_ipc_stat, bogus_addr,
 	       sprintrc_grep(rc));
+#endif
 
 	if (shmctl(id, IPC_STAT, &ds))
 		perror_msg_and_skip("shmctl IPC_STAT");
-- 
2.1.4