[LTP] [PATCH] kallsyms: skip user-space mapped addresses

Jan Stancek jstancek@redhat.com
Wed Jul 10 10:04:32 CEST 2024


On Wed, Jul 10, 2024 at 9:26 AM Li Wang <liwan@redhat.com> wrote:
>
>
>
> On Tue, Jul 9, 2024 at 8:18 PM Jan Stancek <jstancek@redhat.com> wrote:
>>
>> RHEL9 s390x with KPTI enabled has been observed to sporadically
>> use same address ranges for user-space libraries as the ones
>> occupied by kallsyms while in kernel-space.
>>
>> The test currently (wrongly) assumes that a write to a kallsym
>> address should fail and doesn't take into account that the same
>> memory ranges could be mapped differently in user vs. kernel-space.
>>
>> Add a check to see if a kallsym address is already mapped by user-space,
>> and if it is, skip it to avoid false positives.
>>
>> Before:
>>     13  kallsyms.c:115: TFAIL: Successfully accessed kernel addr 0x3ff8060787d (r) (__kstrtabns_nfs3_set_ds_client)
>>     14  kallsyms.c:115: TFAIL: Successfully accessed kernel addr 0x3ff806007a0 (t) (nfs_init_server_aclclient)
>>     15  kallsyms.c:115: TFAIL: Successfully accessed kernel addr 0x3ff8060a058 (d) (nfsacl_version)
>>     16  kallsyms.c:115: TFAIL: Successfully accessed kernel addr 0x3ff8060a078 (d) (nfsacl_rpcstat)
>>     ...
>>     kallsyms.c:130: TFAIL: Caught 103102 SIGSEGV but expected 153738
>>
>> After:
>>     kallsyms.c:175: TDEBUG: Skipping userspace mapped address 0x3ff80220024
>>     kallsyms.c:175: TDEBUG: Skipping userspace mapped address 0x3ff8022003c
>>     kallsyms.c:175: TDEBUG: Skipping userspace mapped address 0x3ff80213b20
>>     ...
>>     kallsyms.c:184: TPASS: Caught 103473 SIGSEGV in access ksymbols addr, skipped 27234
>>
>> Signed-off-by: Jan Stancek <jstancek@redhat.com>
>> ---
>>  testcases/kernel/security/kallsyms/kallsyms.c | 68 +++++++++++++++++--
>>  1 file changed, 63 insertions(+), 5 deletions(-)
>>
>> diff --git a/testcases/kernel/security/kallsyms/kallsyms.c b/testcases/kernel/security/kallsyms/kallsyms.c
>> index 2a5cbaa325ea..b07cb9cda268 100644
>> --- a/testcases/kernel/security/kallsyms/kallsyms.c
>> +++ b/testcases/kernel/security/kallsyms/kallsyms.c
>> @@ -54,6 +54,8 @@ static struct kallsym *sym_table;
>>  static unsigned int nr_symbols;
>>  static sigjmp_buf jmpbuf;
>>  volatile sig_atomic_t segv_caught;
>> +static unsigned long *ranges;
>> +static int ranges_size, ranges_len;
>>
>>  static void segv_handler(int sig)
>>  {
>> @@ -89,6 +91,49 @@ static unsigned int read_kallsyms(struct kallsym *table, unsigned int table_size
>>         return nr_syms;
>>  }
>>
>> +static void read_proc_self_maps(void)
>> +{
>> +       FILE *fp;
>> +
>> +       ranges_len = 0;
>> +       fp = fopen("/proc/self/maps", "r");
>> +       if (fp == NULL)
>> +               tst_brk(TBROK | TERRNO, "Failed to open /proc/self/maps.");
>> +
>> +       while (!feof(fp)) {
>> +               unsigned long start, end;
>> +               int ret;
>> +
>> +               ret = fscanf(fp, "%lx-%lx %*[^\n]\n", &start, &end);
>> +               if (ret != 2) {
>> +                       fclose(fp);
>> +                       tst_brk(TBROK | TERRNO, "Couldn't parse /proc/self/maps line.");
>> +               }
>> +
>> +               if (ranges_size < ranges_len + 1) {
>> +                       ranges_size += 128;
>> +                       ranges = realloc(ranges, 2*ranges_size*sizeof(unsigned long));
>
>
> BTW, we have SAFE_REALLOC macro now.

Ah, ok, I can update that in v2 - I'll wait to see if there's any more
feedback for a day or two.

>
>>
>> +               }
>> +               ranges[ranges_len*2] = start;
>> +               ranges[ranges_len*2 + 1] = end;
>> +
>> +               ranges_len++;
>> +       }
>> +
>> +       fclose(fp);
>> +}
>> +
>> +static int is_address_mapped(unsigned long addr)
>> +{
>> +       int i;
>> +
>> +       for (i = 0; i < ranges_len; i++) {
>> +               if (ranges[i*2] <= addr && addr < ranges[i*2 + 1])
>> +                       return 1;
>> +       }
>> +       return 0;
>> +}
>> +
>>  static void setup(void)
>>  {
>>         struct sigaction sa;
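Review bot: In read_proc_self_maps() the parse-failure path reports `TBROK | TERRNO`, but a matching failure in fscanf() does not set errno, so the message would carry a stale value; `tst_brk(TBROK, "Couldn't parse /proc/self/maps line.");` would be clearer. The counters `ranges_size` and `ranges_len` (declared in the first hunk) are `int` although they only ever hold counts and feed the allocation size, so `unsigned int` or `size_t` would match their use. A comment above the function would also help, e.g. `/* Snapshot of user-space mappings stored as [start, end) pairs; taken once per run, so mappings created afterwards are not seen. */`, because is_address_mapped() depends on that layout and on the snapshot still being current. Nothing in the hunk releases `ranges`; cleanup() lies outside the visible lines, so that may already be handled there or left to process exit.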
>> @@ -117,17 +162,30 @@ static void access_ksymbols_address(struct kallsym *table)
>>         }
>>  }
>>
>> +
>>  static void test_access_kernel_address(void)
>>  {
>> -       segv_caught = 0;
>> +       int skipped = 0;
>>
>> -       for (unsigned int i = 0; i < nr_symbols; i++)
>> +       segv_caught = 0;
>> +       read_proc_self_maps();
>> +
>> +       for (unsigned int i = 0; i < nr_symbols; i++) {
>> +               if (is_address_mapped(sym_table[i].addr)) {
>> +                       tst_res(TDEBUG, "Skipping userspace mapped address 0x%lx",
>> +                               sym_table[i].addr);
>> +                       skipped++;
>> +                       continue;
>> +               }
>>                 access_ksymbols_address(&sym_table[i]);
>> +       }
>>
>> -       if (segv_caught == (sig_atomic_t)nr_symbols)
>> -               tst_res(TPASS, "Caught %d SIGSEGV in access ksymbols addr", segv_caught);
>> +       if (segv_caught == (sig_atomic_t)nr_symbols - skipped)
>> +               tst_res(TPASS, "Caught %d SIGSEGV in access ksymbols addr, skipped %d",
>> +                       segv_caught, skipped);
>>         else
>> -               tst_res(TFAIL, "Caught %d SIGSEGV but expected %d", segv_caught, nr_symbols);
>> +               tst_res(TFAIL, "Caught %d SIGSEGV but expected %d, skipped %d",
>> +                       segv_caught, nr_symbols-skipped, skipped);
>>  }
>>
>>  static void cleanup(void)
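Review bot: With the new skip path in test_access_kernel_address(), a run in which every symbol address is skipped still ends in TPASS with zero SIGSEGVs caught, so the test would report success without probing a single kernel address. Since the test exists to confirm that user-space cannot touch kallsyms addresses, that case seems worth reporting separately before the comparison, e.g. `if (nr_symbols && (unsigned int)skipped == nr_symbols) { tst_res(TCONF, "All kallsyms addresses are mapped in user-space"); return; }`. In the TFAIL message `nr_symbols-skipped` is an unsigned expression printed with `%d`; `%u` would match it. The hunk also adds a stray blank line before the function.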
>> --
>> 2.39.3
>>


