| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <diqzldlx1fyk.fsf@google.com>
Date: Mon, 29 Sep 2025 14:38:43 +0000
From: Ackerley Tng <ackerleytng@...gle.com>
To: Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com>,
Christian Borntraeger <borntraeger@...ux.ibm.com>, Janosch Frank <frankja@...ux.ibm.com>,
Claudio Imbrenda <imbrenda@...ux.ibm.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
David Hildenbrand <david@...hat.com>, Fuad Tabba <tabba@...gle.com>,
Sean Christopherson <seanjc@...gle.com>
Subject: Re: [PATCH 6/6] KVM: selftests: Verify that faulting in private
guest_memfd memory fails
Sean Christopherson <seanjc@...gle.com> writes:
> Add a guest_memfd testcase to verify that faulting in private memory gets
> a SIGBUS. For now, test only the case where memory is private by default
> since KVM doesn't yet support in-place conversion.
>
> Cc: Ackerley Tng <ackerleytng@...gle.com>
> Signed-off-by: Sean Christopherson <seanjc@...gle.com>
> ---
> .../testing/selftests/kvm/guest_memfd_test.c | 62 ++++++++++++++-----
> 1 file changed, 46 insertions(+), 16 deletions(-)
>
> diff --git a/tools/testing/selftests/kvm/guest_memfd_test.c b/tools/testing/selftests/kvm/guest_memfd_test.c
> index 5dd40b77dc07..b5a631aca933 100644
> --- a/tools/testing/selftests/kvm/guest_memfd_test.c
> +++ b/tools/testing/selftests/kvm/guest_memfd_test.c
> @@ -40,17 +40,26 @@ static void test_file_read_write(int fd, size_t total_size)
> "pwrite on a guest_mem fd should fail");
> }
>
I feel that the tests should be grouped by concepts being tested
+ test_cow_not_supported()
+ mmap() should fail
+ test_mmap_supported()
+ kvm_mmap()
+ regular, successful accesses to offsets within the size of the fd
+ kvm_munmap()
+ test_fault_overflow()
+ kvm_mmap()
+ a helper (perhaps "assert_fault_sigbus(char *mem)"?) that purely
tries to access beyond the size of the fd and catches SIGBUS
+ regular, successful accesses to offsets within the size of the fd
+ kvm_munmap()
+ test_fault_private()
+ kvm_mmap()
+ a helper (perhaps "assert_fault_sigbus(char *mem)"?) that purely
tries to access within the size of the fd and catches SIGBUS
+ kvm_munmap()
I think some code duplication in tests is okay if it makes the test flow
more obvious.
> -static void test_mmap_supported(int fd, size_t total_size)
> +static void *test_mmap_common(int fd, size_t size)
> {
> - const char val = 0xaa;
> - char *mem;
> - size_t i;
> - int ret;
> + void *mem;
>
> - mem = mmap(NULL, total_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
> + mem = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
> TEST_ASSERT(mem == MAP_FAILED, "Copy-on-write not allowed by guest_memfd.");
>
When grouped this way, test_mmap_common() tests that MAP_PRIVATE or COW
is not allowed twice, once in test_mmap_supported() and once in
test_fault_sigbus(). Is that intentional?
> - mem = kvm_mmap(total_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd);
> + mem = kvm_mmap(size, PROT_READ | PROT_WRITE, MAP_SHARED, fd);
> +
> + return mem;
I feel that returning (and using) the userspace address from a test
(test_mmap_common()) is a little hard to follow.
> +}
> +
> +static void test_mmap_supported(int fd, size_t total_size)
> +{
> + const char val = 0xaa;
> + char *mem;
> + size_t i;
> + int ret;
> +
> + mem = test_mmap_common(fd, total_size);
>
> memset(mem, val, total_size);
> for (i = 0; i < total_size; i++)
> @@ -78,31 +87,47 @@ void fault_sigbus_handler(int signum)
> siglongjmp(jmpbuf, 1);
> }
>
> -static void test_fault_overflow(int fd, size_t total_size)
> +static void *test_fault_sigbus(int fd, size_t size)
> {
> struct sigaction sa_old, sa_new = {
> .sa_handler = fault_sigbus_handler,
> };
> - size_t map_size = total_size * 4;
> - const char val = 0xaa;
> - char *mem;
> - size_t i;
> + void *mem;
>
> - mem = kvm_mmap(map_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd);
> + mem = test_mmap_common(fd, size);
>
> sigaction(SIGBUS, &sa_new, &sa_old);
> if (sigsetjmp(jmpbuf, 1) == 0) {
> - memset(mem, 0xaa, map_size);
> + memset(mem, 0xaa, size);
> TEST_ASSERT(false, "memset() should have triggered SIGBUS.");
> }
> sigaction(SIGBUS, &sa_old, NULL);
>
> + return mem;
I think returning the userspace address from a test is a little hard to
follow. This one feels even more unexpected because a valid address is
being returned (and used) from a test that has sigbus in its name.
> +}
> +
> +static void test_fault_overflow(int fd, size_t total_size)
> +{
> + size_t map_size = total_size * 4;
> + const char val = 0xaa;
> + char *mem;
> + size_t i;
> +
> + mem = test_fault_sigbus(fd, map_size);
> +
> for (i = 0; i < total_size; i++)
> TEST_ASSERT_EQ(READ_ONCE(mem[i]), val);
>
> kvm_munmap(mem, map_size);
> }
>
> +static void test_fault_private(int fd, size_t total_size)
> +{
> + void *mem = test_fault_sigbus(fd, total_size);
> +
> + kvm_munmap(mem, total_size);
> +}
> +
Testing that faults fail when GUEST_MEMFD_FLAG_DEFAULT_SHARED is not set
is a good idea. Perhaps it could be even clearer if further split up:
+ test_mmap_supported()
+ kvm_mmap()
+ kvm_munmap()
+ test_mmap_supported_fault_supported()
+ kvm_mmap()
+ successful accesses to offsets within the size of the fd
+ kvm_munmap()
+ test_mmap_supported_fault_sigbus()
+ kvm_mmap()
+ expect SIGBUS from accesses to offsets within the size of the fd
+ kvm_munmap()
> static void test_mmap_not_supported(int fd, size_t total_size)
> {
> char *mem;
> @@ -274,9 +299,12 @@ static void __test_guest_memfd(struct kvm_vm *vm, uint64_t flags)
>
> gmem_test(file_read_write, vm, flags);
>
> - if (flags & GUEST_MEMFD_FLAG_MMAP) {
> + if (flags & GUEST_MEMFD_FLAG_MMAP &&
> + flags & GUEST_MEMFD_FLAG_DEFAULT_SHARED) {
> gmem_test(mmap_supported, vm, flags);
> gmem_test(fault_overflow, vm, flags);
> + } else if (flags & GUEST_MEMFD_FLAG_MMAP) {
> + gmem_test(fault_private, vm, flags);
test_fault_private() makes me think the test is testing for private
faults, but there's nothing private about this fault, and the fault
doesn't even come from the guest.
> } else {
> gmem_test(mmap_not_supported, vm, flags);
> }
If split up as described above, this could be
if (flags & GUEST_MEMFD_FLAG_MMAP &&
flags & GUEST_MEMFD_FLAG_DEFAULT_SHARED) {
gmem_test(mmap_supported_fault_supported, vm, flags);
gmem_test(fault_overflow, vm, flags);
} else if (flags & GUEST_MEMFD_FLAG_MMAP) {
gmem_test(mmap_supported_fault_sigbus, vm, flags);
} else {
gmem_test(mmap_not_supported, vm, flags);
}
> @@ -294,9 +322,11 @@ static void test_guest_memfd(unsigned long vm_type)
>
> __test_guest_memfd(vm, 0);
>
> - if (vm_check_cap(vm, KVM_CAP_GUEST_MEMFD_MMAP))
> + if (vm_check_cap(vm, KVM_CAP_GUEST_MEMFD_MMAP)) {
> + __test_guest_memfd(vm, GUEST_MEMFD_FLAG_MMAP);
> __test_guest_memfd(vm, GUEST_MEMFD_FLAG_MMAP |
> GUEST_MEMFD_FLAG_DEFAULT_SHARED);
> + }
>
> kvm_vm_free(vm);
> }
I could send a revision, if you agree/prefer!
Reviewed-by: Ackerley Tng <ackerleytng@...gle.com>
> --
> 2.51.0.536.g15c5d4f767-goog
Powered by blists - more mailing lists