C++程序  |  125行  |  3.34 KB

/*
 * Copyright (C) 2011-2017  Red Hat, Inc.
 *
 * This program is free software;  you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY;  without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 * the GNU General Public License for more details.
 *
 * KSM - NULL pointer dereference in ksm_do_scan() (CVE-2011-2183)
 *
 * This is a testcase from upstream commit:
 * 2b472611a32a72f4a118c069c2d62a1a3f087afd.
 *
 * an exiting task can race against ksmd::scan_get_next_rmap_item
 * (http://lkml.org/lkml/2011/6/1/742) easily triggering a NULL pointer
 * dereference in ksmd.
 * ksm_scan.mm_slot == &ksm_mm_head with only one registered mm
 *
 * CPU 1 (__ksm_exit)          CPU 2 (scan_get_next_rmap_item)
 *                             list_empty() is false
 * lock                        slot == &ksm_mm_head
 * list_del(slot->mm_list)
 * (list now empty)
 * unlock
 *                              lock
 *                              slot = list_entry(slot->mm_list.next)
 *                              (list is empty, so slot is still ksm_mm_head)
 *                              unlock
 *                              slot->mm == NULL ... Oops
 *
 * Close this race by revalidating that the new slot is not simply the list
 * head again.
 *
 * Test Prerequisites:
 *
 * *) ksm and ksmtuned daemons need to be disabled. Otherwise, it could
 *    distrub the testing as they also change some ksm tunables depends
 *    on current workloads.
 */

#include <sys/wait.h>
#include <signal.h>
#include <stdlib.h>
#include <errno.h>
#include "tst_test.h"
#include "mem.h"

#ifdef HAVE_MADV_MERGEABLE

static int ksm_run_orig;
static void sighandler(int sig);

static void test_ksm(void)
{
	int status;
	long ps;
	pid_t pid;
	void *ptr;
	struct sigaction sa;

	memset (&sa, '\0', sizeof(sa));
	sa.sa_handler = sighandler;
	sa.sa_flags = 0;
	TEST(sigaction(SIGSEGV, &sa, NULL));
	if (TEST_RETURN == -1)
		tst_brk(TBROK | TRERRNO,
				"SIGSEGV signal setup failed");

	ps = sysconf(_SC_PAGESIZE);

	pid = SAFE_FORK();
	if (pid == 0) {
		ptr = SAFE_MEMALIGN(ps, ps);
		if (madvise(ptr, ps, MADV_MERGEABLE) < 0)
			tst_brk(TBROK | TERRNO, "madvise");
		*(char *)NULL = 0;	/* SIGSEGV occurs as expected. */
	}
	SAFE_WAITPID(pid, &status, WUNTRACED | WCONTINUED);
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
		tst_brk(TBROK, "invalid signal received: %d", status);

	tst_res(TPASS, "still alive.");
}

static void sighandler(int sig)
{
	_exit((sig == SIGSEGV) ? 0 : sig);
}

static void setup(void)
{
	if (access(PATH_KSM, F_OK) == -1)
		tst_brk(TCONF, "KSM configuration is not enabled");

	/* save original /sys/kernel/mm/ksm/run value */
	SAFE_FILE_SCANF(PATH_KSM "run", "%d", &ksm_run_orig);

	/* echo 1 > /sys/kernel/mm/ksm/run */
	SAFE_FILE_PRINTF(PATH_KSM "run", "1");
}

static void cleanup(void)
{
	/* restore /sys/kernel/mm/ksm/run value */
	FILE_PRINTF(PATH_KSM "run", "%d", ksm_run_orig);
}

static struct tst_test test = {
	.needs_root = 1,
	.forks_child = 1,
	.setup = setup,
	.cleanup = cleanup,
	.test_all = test_ksm,
	.min_kver = "2.6.32",
};

#else
	TST_TEST_TCONF("no MADV_MERGEABLE found.");
#endif