From patchwork Wed Aug 11 11:26:58 2021
Date: Wed, 11 Aug 2021 16:26:58 +0500
Subject: [PATCH] librt: add test (bug 28213)
From: Nikita Popov via Libc-alpha
To: libc-alpha@sourceware.org

Hello. I'm submitting a test case for recent bug 28213. It shows the following results.

Before the fix of bug 28213:

# cat ./rt/tst-bz28213.out
Child caused segmentation fault
# cat ./rt/tst-bz28213.test-result
FAIL: rt/tst-bz28213
original exit status 1

After the fix of bug 28213:

# cat ./rt/tst-bz28213.out
# cat ./rt/tst-bz28213.test-result
PASS: rt/tst-bz28213
original exit status 0

I managed to get libc to cause a segmentation fault. Looking forward to receiving feedback from you.

From eb51dcf05befe6e839102e0cb622b1afdbf72a7a Mon Sep 17 00:00:00 2001
From: Nikita Popov Date: Wed, 11 Aug 2021 14:36:50 +0500 Subject: [PATCH] librt: add test (bug 28213) To: libc-alpha@sourceware.org This test implements following logic: 1) Create dummy message queue, register it with mq_notify (using NULL attributes), immediately close the queue. Helper thread should cause NULL pointer dereference by this moment. 2) Create another queue and try to send a message via the helper thread. Test is considered successful if the callback function receives the same message as was sent. Signed-off-by: Nikita Popov --- rt/Makefile | 1 + rt/tst-bz28213.c | 174 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 175 insertions(+) create mode 100644 rt/tst-bz28213.c diff --git a/rt/Makefile b/rt/Makefile index 113cea03a5..910e775995 100644 --- a/rt/Makefile +++ b/rt/Makefile @@ -74,6 +74,7 @@ tests := tst-shm tst-timer tst-timer2 \ tst-aio7 tst-aio8 tst-aio9 tst-aio10 \ tst-mqueue1 tst-mqueue2 tst-mqueue3 tst-mqueue4 \ tst-mqueue5 tst-mqueue6 tst-mqueue7 tst-mqueue8 tst-mqueue9 \ + tst-bz28213 \ tst-timer3 tst-timer4 tst-timer5 \ tst-cpuclock2 tst-cputimer1 tst-cputimer2 tst-cputimer3 \ tst-shm-cancel \ diff --git a/rt/tst-bz28213.c b/rt/tst-bz28213.c new file mode 100644 index 0000000000..6c043a9017 --- /dev/null +++ b/rt/tst-bz28213.c 
@@ -0,0 +1,174 @@ +/* Bug 28213: test for NULL pointer dereference in mq_notify. + Copyright (C) 2018-2021 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static const char check_bz28213_name[] = "/bz28213_queue"; +static const char check_bz28213_msg[] = "dummy"; + +static void +check_bz28213_cb (union sigval sv) +{ + char buf[sizeof (check_bz28213_msg)]; + mqd_t m = sv.sival_int; + ssize_t n; + + if ((n = mq_receive (m, buf, sizeof (buf), NULL)) < 0L || + (size_t) n != sizeof (buf)) + exit (1); + + if (memcmp (buf, check_bz28213_msg, sizeof (buf)) != 0) + exit (1); + + exit (0); +} + +static void +check_bz28213 (void) +{ + mqd_t m; + struct sigevent sev; + struct mq_attr attr; + unsigned int i; + + /* First iteration should lead to undefined behavior due to NULL pointer dereference. + Second iteration tests whether helper thread still works. 
*/ + for (i = 0U; i < 2U; i++) + { + memset (&attr, '\0', sizeof (attr)); + attr.mq_maxmsg = 1; + attr.mq_msgsize = sizeof (check_bz28213_msg); + + if ((m = mq_open (check_bz28213_name, + O_RDWR | O_CREAT | O_EXCL, + 0600, + &attr)) < 0) + exit (1); + + if (mq_unlink (check_bz28213_name) < 0) + exit (1); + + memset (&sev, '\0', sizeof (sev)); + sev.sigev_notify = SIGEV_THREAD; + sev.sigev_value.sival_int = m; + sev.sigev_notify_function = check_bz28213_cb; + + if (mq_notify (m, &sev) < 0) + exit (1); + + if (i && mq_send (m, check_bz28213_msg, sizeof (check_bz28213_msg), 1) < 0) + exit (1); + + if (!i) + mq_close (m); + } + + alarm (10); + + while (1) + pause (); +} + +/* Skip entire testing if queues are not implemented */ +static int +check_mq_api (void) +{ + struct mq_attr attr; + mqd_t m; + int rc = 0; + + memset (&attr, '\0', sizeof (attr)); + attr.mq_maxmsg = 1; + attr.mq_msgsize = 1; + + if ((m = mq_open (check_bz28213_name, + O_RDWR | O_CREAT | O_EXCL, + 0600, + &attr)) < 0) + { + if (errno == ENOSYS) + { + rc = 1; + printf ("SKIP: not implemented\n"); + } + + return rc; + } + + mq_unlink (check_bz28213_name); + mq_close (m); + + return rc; +} + +static int +do_test (void) +{ + pid_t pid; + int status, rc; + + if (check_mq_api () == 1) + return 0; + + if ((pid = xfork ()) == 0) + check_bz28213 (); + + if (TEMP_FAILURE_RETRY (waitpid (pid, &status, 0)) != pid) + { + kill (pid, SIGKILL); + printf ("waitpid failed\n"); + return 1; + } + + rc = 1; + if (WIFEXITED (status)) + { + int child_rc; + + if ((child_rc = WEXITSTATUS (status)) == 0) + rc = 0; + else + printf ("Child returned non-zero exit code [%d]\n", child_rc); + } + else if (WIFSIGNALED (status)) + { + int child_signo; + + if ((child_signo = WTERMSIG (status)) == SIGABRT) + printf ("Child timed out\n"); + else if (child_signo == SIGSEGV) + printf ("Child caused segmentation fault\n"); + else + printf ("Child terminated with signal %d\n", child_signo); + } + + return rc; +} + +#include -- 2.17.1
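Review bot: in the rt/Makefile hunk, `tst-bz28213` is wedged between the `tst-mqueue9` line and `tst-timer3`, splitting the facility-grouped list; the other message-queue tests in this file are named after the facility (`tst-mqueue1` .. `tst-mqueue9`), so either name this `tst-mqueue10` and keep it with that group, or append it after `tst-shm-cancel \` so the existing grouping stays intact. Adding it to `tests` (rather than `xtests`) is right, since it needs no privileges.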
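Review bot: in rt/tst-bz28213.c the timeout path can never be reported as such: the child arms `alarm (10)` and sits in `pause ()`, so on timeout it is killed by SIGALRM (default action), yet `do_test` tests `WTERMSIG (status) == SIGABRT` to print "Child timed out"; a hung helper thread would instead print "Child terminated with signal 14". Either compare against SIGALRM or drop the alarm and rely on the harness `TIMEOUT`, which already kills the test. Related points in the same file: `check_mq_api` prints "SKIP: not implemented" but `do_test` then `return 0`, so the harness records PASS rather than UNSUPPORTED; use `FAIL_UNSUPPORTED` from the support library instead. The queue name `"/bz28213_queue"` is fixed and opened with `O_EXCL`, so two test runs sharing an IPC namespace fail spuriously on the second `mq_open`; embedding `getpid ()` in the name avoids that. Every failure in the child is `exit (1)` with no message, which makes a failing run indistinguishable between `mq_open`, `mq_unlink`, `mq_notify` and `mq_send`; a `printf` before each exit, or `FAIL_EXIT1`, would make the .out file useful. The callback compares `(size_t) n != sizeof (buf)` after a `< 0L` check, which is fine, but `exit (0)` from a thread created by the mq_notify helper runs atexit handlers concurrently with the main thread in `pause ()`; `_exit` is the safer choice in the callback. Finally, the copyright line reads "2018-2021" for a file created in 2021; it should be "2021".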
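The two-pass sequence the commit message describes (register a SIGEV_THREAD notification with NULL thread attributes and close the queue at once, then check that the helper thread still delivers a notification on a fresh queue), written out below as an added, stand-alone reproducer with its own fork-and-classify harness. This is example code, not the patch's test and not glibc's own code. It assumes: a per-process queue name built from `getpid ()` (so parallel runs cannot collide on `O_EXCL`), the payload string `"dummy"` as a constructed message, a 5-second child alarm, and the glibc test-driver convention of exit status 77 for "unsupported", which is used here when the kernel or libc reports the queue API as unavailable. Unlike the patch, it classifies a timed-out child by SIGALRM rather than SIGABRT. Build with `-pthread`, and add `-lrt` on glibc older than 2.34.

```c
/* Added example: bug-28213 reproducer plus a fork-and-classify harness.
   Not the patch's own code.  Assumptions: queue name includes the pid,
   payload "dummy" is constructed, exit status 77 means "unsupported".  */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <mqueue.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { RESULT_PASS = 0, RESULT_FAIL = 1, RESULT_UNSUPPORTED = 77 };

static const char msg[] = "dummy";   /* constructed test payload */
static char qname[64];               /* "/bz28213_<pid>", set before fork */

/* Notification callback; runs on a thread spawned by the mq_notify helper.
   The child exits 0 only if the queued message round-trips intact.  */
static void
notify_cb (union sigval sv)
{
  char buf[sizeof msg];
  ssize_t n = mq_receive ((mqd_t) sv.sival_int, buf, sizeof buf, NULL);
  _exit (n == (ssize_t) sizeof buf && memcmp (buf, msg, sizeof buf) == 0
         ? RESULT_PASS : RESULT_FAIL);
}

/* Child body.  Pass 0 is the bug-28213 trigger: register a SIGEV_THREAD
   notification with NULL thread attributes, then close the queue right
   away.  Pass 1 sends a message and expects notify_cb to end the child.  */
static void __attribute__ ((noreturn))
child_body (void)
{
  for (int i = 0; i < 2; i++)
    {
      struct mq_attr attr = { .mq_maxmsg = 1, .mq_msgsize = sizeof msg };
      mqd_t m = mq_open (qname, O_RDWR | O_CREAT | O_EXCL, 0600, &attr);
      if (m == (mqd_t) -1)
        _exit (errno == ENOSYS || errno == EACCES || errno == EPERM
               ? RESULT_UNSUPPORTED : RESULT_FAIL);
      mq_unlink (qname);   /* name is gone; descriptor keeps the queue alive */

      struct sigevent sev;
      memset (&sev, 0, sizeof sev);
      sev.sigev_notify = SIGEV_THREAD;
      sev.sigev_value.sival_int = m;
      sev.sigev_notify_function = notify_cb;
      sev.sigev_notify_attributes = NULL;   /* the pointer bug 28213 dereferenced */
      if (mq_notify (m, &sev) == -1)
        _exit (errno == ENOSYS ? RESULT_UNSUPPORTED : RESULT_FAIL);

      if (i == 0)
        mq_close (m);
      else if (mq_send (m, msg, sizeof msg, 1) == -1)
        _exit (RESULT_FAIL);
    }

  alarm (5);   /* SIGALRM's default action kills the child on timeout */
  for (;;)
    pause ();
}

/* Fork the reproducer and map the child's fate onto a test status.
   Returns RESULT_PASS, RESULT_FAIL or RESULT_UNSUPPORTED.  */
int
run_bz28213_check (void)
{
  snprintf (qname, sizeof qname, "/bz28213_%ld", (long) getpid ());
  pid_t pid = fork ();
  if (pid == -1)
    return RESULT_FAIL;
  if (pid == 0)
    child_body ();

  int status;
  if (waitpid (pid, &status, 0) != pid)
    {
      kill (pid, SIGKILL);
      return RESULT_FAIL;
    }
  if (WIFEXITED (status))
    {
      int rc = WEXITSTATUS (status);
      return rc == RESULT_PASS || rc == RESULT_UNSUPPORTED ? rc : RESULT_FAIL;
    }
  if (WIFSIGNALED (status))
    {
      int sig = WTERMSIG (status);
      if (sig == SIGALRM)
        printf ("child timed out waiting for the notification\n");
      else if (sig == SIGSEGV)
        printf ("child crashed with SIGSEGV (bug 28213 present?)\n");
      else
        printf ("child terminated by signal %d\n", sig);
    }
  return RESULT_FAIL;
}

int
main (void)
{
  int rc = run_bz28213_check ();
  printf ("%s\n", rc == RESULT_PASS ? "PASS"
                  : rc == RESULT_UNSUPPORTED ? "UNSUPPORTED" : "FAIL");
  return rc;
}
```

On a libc with the bug, the first pass makes the mq_notify helper thread dereference NULL and the whole child dies with SIGSEGV, which the harness reports as a failure; on a fixed libc the second pass's message reaches `notify_cb` and the child exits 0. The callback uses `_exit` so that atexit handlers never run concurrently with the main thread still blocked in `pause ()`.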