[LTP] [PATCH 2/2] readdir02: use invalid DIR stream descriptor
Cyril Hrubis
chrubis@suse.cz
Mon Jan 28 16:16:23 CET 2019
Hi!
> Issue:
> On ppc64le and aarch64, when testing in NFS mountpoint, test
> process receives SIGSEGV when calling readdir on a DIR which
> has just been closed by closedir().
>
> Unfortunately, ltp/readdir02.c handles SIGSEGV. This makes it
> hit SIGSEGV again in its cleanup function. So readdir02 hangs
> there hitting SEGV endlessly.
>
> That's because a DIR * is NOT a file descriptor. It's memory
> allocated by opendir() that contains libc internal information
> about the directory. closedir(test_dir) frees any memory associated
> with the open directory pointer test_dir.
>
> To then pass the freed dir pointer to readdir() is a use-after-free.
> It probably won't return EBADF, it will dereference freed memory
> and whatever happens after that is undefined.
>
> In this patch, I simply modify the test to use an existing FILE *
> stream to simulate the invalid directory stream descriptor. Then
> it won't hit the use-after-free issue any more.
Actually I think that the best we can do here is to delete the testcase
because:

* Casting FILE* to DIR* is IMHO invoking even worse undefined behavior
  than the original test that called readdir() on a closed DIR*
* We do cover the EBADF for getdents() syscalls in the getdents02 test
--
Cyril Hrubis
chrubis@suse.cz
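
Added example (not part of the original thread or of LTP): the DIR * versus file descriptor distinction discussed above, shown by closing only the descriptor behind a still-valid DIR * so that readdir() fails with EBADF without touching freed memory. The function name is hypothetical, and the code assumes a single-threaded process on Linux, where the first readdir() on a fresh stream issues the getdents call.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L	/* for dirfd() */
#endif
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Hypothetical helper: returns the errno that readdir() reports when the
 * descriptor behind a live DIR * has been closed, 0 if readdir() hit end
 * of directory, or -1 on setup failure or if readdir() returned an entry.
 */
int readdir_errno_after_fd_close(const char *path)
{
	DIR *dir = opendir(path);
	if (!dir)
		return -1;

	/* The DIR object stays allocated; only the kernel descriptor goes away.
	 * Safe only single-threaded: another thread could reuse the fd number. */
	int fd = dirfd(dir);
	if (fd < 0 || close(fd) < 0) {
		closedir(dir);
		return -1;
	}

	errno = 0;
	struct dirent *ent = readdir(dir);	/* valid pointer, dead descriptor */
	int err = ent ? -1 : errno;

	/* closedir() still frees the DIR; its internal close() failing with
	 * EBADF is expected here, so the return value is ignored. */
	closedir(dir);
	return err;
}

int main(void)
{
	int err = readdir_errno_after_fd_close(".");
	printf("readdir() after close(dirfd(dir)): %s\n",
	       err > 0 ? strerror(err) : "no error reported");
	return err == EBADF ? 0 : 1;
}
```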