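// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (C) 2021 SUSE LLC <rpalethorpe@suse.com>
 */

/*\
 * [Description]
 *
 * Reproducer of CVE-2018-10124; INT_MIN negation.
 *
 * On most two's complement CPUs negation of INT_MIN will result in
 * INT_MIN because ~((unsigned)INT_MIN) + 1 overflows to INT_MIN
 * (unless trapped). On one's complement ~((unsigned)INT_MIN) = INT_MAX.
 *
 * Without UBSAN, kill will always return ESRCH regardless of whether the
 * bug is present, as INT_MIN/INT_MAX are invalid PIDs. It checks the
 * PID before the signal number so we can not cause EINVAL. A trivial
 * test of kill is performed elsewhere. So we don't run the test
 * without UBSAN to avoid giving the impression we have actually
 * tested for the bug.
 */

#include <limits.h>
#include <signal.h>
#include "tst_test.h"

/*
 * Issue kill(INT_MIN, 0) once and expect it to fail with ESRCH.
 *
 * Signal 0 performs only the existence/permission checks, so nothing is
 * delivered. As the description explains, ESRCH is returned whether or
 * not the kernel is fixed, so this assertion is a sanity check only; it
 * cannot detect the bug by itself.
 * NOTE(review): detection presumably comes from the UBSAN requirement and
 * the taint check in the test struct below - confirm against the LTP
 * library documentation.
 */
static void run(void)
{
	TST_EXP_FAIL2(kill(INT_MIN, 0), ESRCH,
		      "kill(INT_MIN, ...) fails with ESRCH");
}

static struct tst_test test = {
	.test_all = run,
	/*
	 * Have the library check the kernel W and D taint flags.
	 * NOTE(review): presumably this is how a kernel-side overflow report
	 * becomes a test failure - confirm.
	 */
	.taint_check = TST_TAINT_W | TST_TAINT_D,
	/*
	 * Only run on kernels built with signed-overflow UBSAN; see the
	 * description for why the test is meaningless without it.
	 */
	.needs_kconfigs = (const char *[]) {
		"CONFIG_UBSAN_SIGNED_OVERFLOW",
		NULL
	},
	/* Upstream fix commit and CVE id reported alongside a failure. */
	.tags = (const struct tst_tag[]) {
		{"linux-git", "4ea77014af0d"},
		{"CVE", "CVE-2018-10124"},
		{}
	}
};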