1f08c3bdfSopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later 2f08c3bdfSopenharmony_ci/* 3f08c3bdfSopenharmony_ci * Copyright (c) 2018 Google, Inc. 4f08c3bdfSopenharmony_ci */ 5f08c3bdfSopenharmony_ci 6f08c3bdfSopenharmony_ci/*\ 7f08c3bdfSopenharmony_ci * [Description] 8f08c3bdfSopenharmony_ci * 9f08c3bdfSopenharmony_ci * Regression test for commit 10f08c3bdfSopenharmony_ci * 3f05317d9889 (ipc/shm: fix use-after-free of shm file via remap_file_pages()). 11f08c3bdfSopenharmony_ci * 12f08c3bdfSopenharmony_ci * This bug allowed the remap_file_pages() syscall to use the file of a System 13f08c3bdfSopenharmony_ci * V shared memory segment after its ID had been reallocated and the file 14f08c3bdfSopenharmony_ci * freed. This test reproduces the bug as a NULL pointer dereference in 15f08c3bdfSopenharmony_ci * touch_atime(), although it's a race condition so it's not guaranteed to 16f08c3bdfSopenharmony_ci * work. This test is based on the reproducer provided in the fix's commit 17f08c3bdfSopenharmony_ci * message. 18f08c3bdfSopenharmony_ci */ 19f08c3bdfSopenharmony_ci 20f08c3bdfSopenharmony_ci#include "tst_test.h" 21f08c3bdfSopenharmony_ci#include "tst_fuzzy_sync.h" 22f08c3bdfSopenharmony_ci#include "tst_safe_pthread.h" 23f08c3bdfSopenharmony_ci#include "tst_safe_sysv_ipc.h" 24f08c3bdfSopenharmony_ci#include "tst_timer.h" 25f08c3bdfSopenharmony_ci#include "lapi/syscalls.h" 26f08c3bdfSopenharmony_ci 27f08c3bdfSopenharmony_cistatic struct tst_fzsync_pair fzsync_pair; 28f08c3bdfSopenharmony_ci 29f08c3bdfSopenharmony_ci/* 30f08c3bdfSopenharmony_ci * Thread 2: repeatedly remove the shm ID and reallocate it again for a 31f08c3bdfSopenharmony_ci * new shm segment. 32f08c3bdfSopenharmony_ci */ 33f08c3bdfSopenharmony_cistatic void *thrproc(void *unused) 34f08c3bdfSopenharmony_ci{ 35f08c3bdfSopenharmony_ci int id = SAFE_SHMGET(0xF00F, 4096, IPC_CREAT|0700); 36f08c3bdfSopenharmony_ci 37f08c3bdfSopenharmony_ci while (tst_fzsync_run_b(&fzsync_pair)) { 38f08c3bdfSopenharmony_ci tst_fzsync_start_race_b(&fzsync_pair); 39f08c3bdfSopenharmony_ci SAFE_SHMCTL(id, IPC_RMID, NULL); 40f08c3bdfSopenharmony_ci id = SAFE_SHMGET(0xF00F, 4096, IPC_CREAT|0700); 41f08c3bdfSopenharmony_ci tst_fzsync_end_race_b(&fzsync_pair); 42f08c3bdfSopenharmony_ci } 43f08c3bdfSopenharmony_ci return unused; 44f08c3bdfSopenharmony_ci} 45f08c3bdfSopenharmony_ci 46f08c3bdfSopenharmony_cistatic void setup(void) 47f08c3bdfSopenharmony_ci{ 48f08c3bdfSopenharmony_ci /* Skip test if either remap_file_pages() or SysV IPC is unavailable */ 49f08c3bdfSopenharmony_ci tst_syscall(__NR_remap_file_pages, NULL, 0, 0, 0, 0); 50f08c3bdfSopenharmony_ci tst_syscall(__NR_shmctl, 0xF00F, IPC_RMID, NULL); 51f08c3bdfSopenharmony_ci 52f08c3bdfSopenharmony_ci tst_fzsync_pair_init(&fzsync_pair); 53f08c3bdfSopenharmony_ci} 54f08c3bdfSopenharmony_ci 55f08c3bdfSopenharmony_cistatic void do_test(void) 56f08c3bdfSopenharmony_ci{ 57f08c3bdfSopenharmony_ci /* 58f08c3bdfSopenharmony_ci * Thread 1: repeatedly attach a shm segment, then remap it until the ID 59f08c3bdfSopenharmony_ci * seems to have been removed by the other process. 60f08c3bdfSopenharmony_ci */ 61f08c3bdfSopenharmony_ci tst_fzsync_pair_reset(&fzsync_pair, thrproc); 62f08c3bdfSopenharmony_ci while (tst_fzsync_run_a(&fzsync_pair)) { 63f08c3bdfSopenharmony_ci int id; 64f08c3bdfSopenharmony_ci void *addr; 65f08c3bdfSopenharmony_ci 66f08c3bdfSopenharmony_ci id = SAFE_SHMGET(0xF00F, 4096, IPC_CREAT|0700); 67f08c3bdfSopenharmony_ci addr = SAFE_SHMAT(id, NULL, 0); 68f08c3bdfSopenharmony_ci tst_fzsync_start_race_a(&fzsync_pair); 69f08c3bdfSopenharmony_ci do { 70f08c3bdfSopenharmony_ci /* This is the system call that crashed */ 71f08c3bdfSopenharmony_ci TEST(syscall(__NR_remap_file_pages, addr, 4096, 72f08c3bdfSopenharmony_ci 0, 0, 0)); 73f08c3bdfSopenharmony_ci } while (TST_RET == 0); 74f08c3bdfSopenharmony_ci tst_fzsync_end_race_a(&fzsync_pair); 75f08c3bdfSopenharmony_ci 76f08c3bdfSopenharmony_ci if (TST_ERR != EIDRM && TST_ERR != EINVAL) { 77f08c3bdfSopenharmony_ci tst_brk(TBROK | TTERRNO, 78f08c3bdfSopenharmony_ci "Unexpected remap_file_pages() error"); 79f08c3bdfSopenharmony_ci } 80f08c3bdfSopenharmony_ci 81f08c3bdfSopenharmony_ci /* 82f08c3bdfSopenharmony_ci * Ensure that a shm segment will actually be destroyed. 83f08c3bdfSopenharmony_ci * This call may fail on recent kernels (v4.0+) because 84f08c3bdfSopenharmony_ci * remap_file_pages() already unmapped the shm segment. 85f08c3bdfSopenharmony_ci */ 86f08c3bdfSopenharmony_ci shmdt(addr); 87f08c3bdfSopenharmony_ci } 88f08c3bdfSopenharmony_ci 89f08c3bdfSopenharmony_ci tst_res(TPASS, "didn't crash"); 90f08c3bdfSopenharmony_ci} 91f08c3bdfSopenharmony_ci 92f08c3bdfSopenharmony_cistatic void cleanup(void) 93f08c3bdfSopenharmony_ci{ 94f08c3bdfSopenharmony_ci int id; 95f08c3bdfSopenharmony_ci 96f08c3bdfSopenharmony_ci tst_fzsync_pair_cleanup(&fzsync_pair); 97f08c3bdfSopenharmony_ci 98f08c3bdfSopenharmony_ci id = shmget(0xF00F, 4096, 0); 99f08c3bdfSopenharmony_ci if (id == -1) { 100f08c3bdfSopenharmony_ci if (errno != ENOENT) 101f08c3bdfSopenharmony_ci tst_res(TWARN | TERRNO, "shmget()"); 102f08c3bdfSopenharmony_ci return; 103f08c3bdfSopenharmony_ci } 104f08c3bdfSopenharmony_ci 105f08c3bdfSopenharmony_ci SAFE_SHMCTL(id, IPC_RMID, NULL); 106f08c3bdfSopenharmony_ci} 107f08c3bdfSopenharmony_ci 108f08c3bdfSopenharmony_cistatic struct tst_test test = { 109f08c3bdfSopenharmony_ci .max_runtime = 10, 110f08c3bdfSopenharmony_ci .setup = setup, 111f08c3bdfSopenharmony_ci .test_all = do_test, 112f08c3bdfSopenharmony_ci .cleanup = cleanup, 113f08c3bdfSopenharmony_ci .tags = (const struct tst_tag[]) { 114f08c3bdfSopenharmony_ci {"linux-git", "3f05317d9889"}, 115f08c3bdfSopenharmony_ci {} 116f08c3bdfSopenharmony_ci } 117f08c3bdfSopenharmony_ci}; 118