[LTP] [PATCH 0/3] Various fixes for out-of-bound uaccess
Kevin Brodsky
kevin.brodsky@arm.com
Mon Oct 23 15:56:44 CEST 2023
Hi,
This series addresses various situations where syscalls tests cause the
kernel to access arbitrary data, beyond the bounds of the object that
the test meant to specify.
Patch 1 and 2 are straightforward fixes for tests that don't pass
syscall arguments correctly.
Patch 3 is a little subtler, in that the argument is appropriately
passed, but the kernel ends up accessing arbitrary data due to the
referenced buffer being too small.
These issues were caught while running the syscalls suite on
Morello [1], using the pure-capability ABI [2]. Thanks to the capability
representation, pointers carry bounds that match the object they refer
to. The kernel accesses user memory via such capabilities, and as a
result a syscall will fail (-EFAULT) if any uaccess goes out of bounds.
A CI run can be found here [3].
Cheers,
Kevin
[1] https://www.morello-project.org/
[2] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-capability-kernel-user-Linux-ABI-specification
[3] https://github.com/kevin-brodsky-arm/ltp/actions/runs/6610988117
Kevin Brodsky (3):
syscalls/{,f}setxattr: Fix passing of value pointer
syscalls/msgctl06: Pass an appropriate struct to msgsnd()
Provide a PATH_MAX-long buffer when expecting ENAMETOOLONG
include/old/usctest.h | 12 ++----------
testcases/kernel/syscalls/fsetxattr/fsetxattr01.c | 2 +-
testcases/kernel/syscalls/ipc/msgctl/msgctl06.c | 6 +++++-
testcases/kernel/syscalls/rename/rename10.c | 2 +-
testcases/kernel/syscalls/setxattr/setxattr01.c | 2 +-
5 files changed, 10 insertions(+), 14 deletions(-)
--
2.38.1
More information about the ltp
mailing list