| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Jun 2021 14:17:00 +0200
From: Stefano Garzarella <sgarzare@...hat.com>
To: Arseny Krasnov <arseny.krasnov@...persky.com>
Cc: Stefan Hajnoczi <stefanha@...hat.com>,
"Michael S. Tsirkin" <mst@...hat.com>,
Jason Wang <jasowang@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Jorgen Hansen <jhansen@...are.com>,
Norbert Slusarek <nslusarek@....net>,
Colin Ian King <colin.king@...onical.com>,
Andra Paraschiv <andraprs@...zon.com>,
kvm <kvm@...r.kernel.org>,
Linux Virtualization <virtualization@...ts.linux-foundation.org>,
netdev <netdev@...r.kernel.org>,
kernel list <linux-kernel@...r.kernel.org>,
Krasnov Arseniy <oxffffaa@...il.com>
Subject: Re: [RFC PATCH v1 16/16] vsock_test: SEQPACKET read to broken buffer
On Mon, Jun 28, 2021 at 01:05:36PM +0300, Arseny Krasnov wrote:
>Add test where sender sends two message, each with own
>data pattern. Reader tries to read first to broken buffer:
>it has three pages size, but middle page is unmapped. Then,
>reader tries to read second message to valid buffer. Test
>checks, that uncopied part of first message was dropped
>and thus not copied as part of second message.
>
>Signed-off-by: Arseny Krasnov <arseny.krasnov@...persky.com>
>---
> tools/testing/vsock/vsock_test.c | 121 +++++++++++++++++++++++++++++++
> 1 file changed, 121 insertions(+)
Cool test! Thanks for doing this!
>
>diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c
>index 67766bfe176f..697ba168e97f 100644
>--- a/tools/testing/vsock/vsock_test.c
>+++ b/tools/testing/vsock/vsock_test.c
>@@ -16,6 +16,7 @@
> #include <linux/kernel.h>
> #include <sys/types.h>
> #include <sys/socket.h>
>+#include <sys/mman.h>
>
> #include "timeout.h"
> #include "control.h"
>@@ -385,6 +386,121 @@ static void test_seqpacket_msg_trunc_server(const struct test_opts *opts)
> close(fd);
> }
>
>+#define BUF_PATTERN_1 'a'
>+#define BUF_PATTERN_2 'b'
>+
>+static void test_seqpacket_invalid_rec_buffer_client(const struct test_opts *opts)
>+{
>+ int fd;
>+ unsigned char *buf1;
>+ unsigned char *buf2;
>+ int buf_size = getpagesize() * 3;
>+
>+ fd = vsock_seqpacket_connect(opts->peer_cid, 1234);
>+ if (fd < 0) {
>+ perror("connect");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ buf1 = malloc(buf_size);
>+ if (buf1 == NULL) {
checkpatch suggests to use "if (!buf1)" ...
>+ perror("'malloc()' for 'buf1'");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ buf2 = malloc(buf_size);
>+ if (buf2 == NULL) {
... and "if (!buf2)" ...
>+ perror("'malloc()' for 'buf2'");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ memset(buf1, BUF_PATTERN_1, buf_size);
>+ memset(buf2, BUF_PATTERN_2, buf_size);
>+
>+ if (send(fd, buf1, buf_size, 0) != buf_size) {
>+ perror("send failed");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ if (send(fd, buf2, buf_size, 0) != buf_size) {
>+ perror("send failed");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ close(fd);
>+}
>+
>+static void test_seqpacket_invalid_rec_buffer_server(const struct test_opts *opts)
>+{
>+ int fd;
>+ unsigned char *broken_buf;
>+ unsigned char *valid_buf;
>+ int page_size = getpagesize();
>+ int buf_size = page_size * 3;
>+ ssize_t res;
>+ int prot = PROT_READ | PROT_WRITE;
>+ int flags = MAP_PRIVATE | MAP_ANONYMOUS;
>+ int i;
>+
>+ fd = vsock_seqpacket_accept(VMADDR_CID_ANY, 1234, NULL);
>+ if (fd < 0) {
>+ perror("accept");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ /* Setup first buffer. */
>+ broken_buf = mmap(NULL, buf_size, prot, flags, -1, 0);
>+ if (broken_buf == MAP_FAILED) {
>+ perror("mmap for 'broken_buf'");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ /* Unmap "hole" in buffer. */
>+ if (munmap(broken_buf + page_size, page_size)) {
>+ perror("'broken_buf' setup");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ valid_buf = mmap(NULL, buf_size, prot, flags, -1, 0);
>+ if (valid_buf == MAP_FAILED) {
>+ perror("mmap for 'valid_buf'");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ /* Try to fill buffer with unmapped middle. */
>+ res = read(fd, broken_buf, buf_size);
>+ if (res != -1) {
>+ perror("invalid read result of 'broken_buf'");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ if (errno != ENOMEM) {
>+ perror("invalid errno of 'broken_buf'");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ /* Try to fill valid buffer. */
>+ res = read(fd, valid_buf, buf_size);
>+ if (res != buf_size) {
>+ perror("invalid read result of 'valid_buf'");
>+ exit(EXIT_FAILURE);
>+ }
>+
>+ for (i = 0; i < buf_size; i++) {
>+ if (valid_buf[i] != BUF_PATTERN_2) {
>+ perror("invalid pattern for valid buf");
>+ exit(EXIT_FAILURE);
>+ }
>+ }
>+
>+
... and to remove the extra blank line here :-)
Thanks,
Stefano
>+ /* Unmap buffers. */
>+ munmap(broken_buf, page_size);
>+ munmap(broken_buf + page_size * 2, page_size);
>+ munmap(valid_buf, buf_size);
>+ close(fd);
>+}
>+
> static struct test_case test_cases[] = {
> {
> .name = "SOCK_STREAM connection reset",
>@@ -425,6 +541,11 @@ static struct test_case test_cases[] = {
> .run_client = test_seqpacket_msg_trunc_client,
> .run_server = test_seqpacket_msg_trunc_server,
> },
>+ {
>+ .name = "SOCK_SEQPACKET invalid receive buffer",
>+ .run_client = test_seqpacket_invalid_rec_buffer_client,
>+ .run_server = test_seqpacket_invalid_rec_buffer_server,
>+ },
> {},
> };
>
>--
>2.25.1
>
Powered by blists - more mailing lists