[LTP] [PATCH] syscalls/statmount07: drop "invalid buffer size" test
Jan Stancek
jstancek@redhat.com
Tue Oct 15 13:51:10 CEST 2024
On Tue, Oct 15, 2024 at 1:01 PM Cyril Hrubis <chrubis@suse.cz> wrote:
>
> Hi!
> > > > This check relies on access_ok() check, which can be skipped
> > > > on some arches/configs, for example on s390x with
> > > > CONFIG_ALTERNATE_USER_ADDRESS_SPACE=y. Test then fails with:
> > > > statmount07.c:117: TFAIL: invalid buffer size succeeded
> > >
> > > And does it fail later on in the copy_to_user() if the buffer is
> > > physically not accessible?
> > >
> > > We may add a test that would look like:
> > >
> > > | page mapped rw | page mapped read only |
> > > ^
> > > buf pointer starts here
> > >
> > > What do you think?
> >
> > we can add that, it would be a variation of the "invalid buffer pointer" test
>
> Looking at kernel __check_object_size() there seems to be a special case
> for a NULL pointer in check_bogus_address(). The part that would check
> if the page is writeable is done later. There are some checks in
> check_heap_object() but I'm not 100% sure what these do. If I'm reading
> it right it will abort the operation if the memory is not one continuous
> vma, which is probably the case if we have two pages with different
> access next to each other.
Aren't all those checks for the "from" address? We only care about "to",
when copying to user-space. I sent v2 with your suggestion to use a buffer
that crosses into PROT_NONE.
>
> It may be interesting to go over the copy_to_user() code with someone
> who understands mm and find a few cases to test.
>
> --
> Cyril Hrubis
> chrubis@suse.cz
>
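The buffer layout discussed in this thread (a destination that starts in a writable page and runs into a PROT_NONE page), as an added example that is not part of the original messages or of LTP. It assumes Linux and uses uname(2) as a stand-in for statmount(2) so that it runs on kernels without statmount; `uname_into` is a hypothetical name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/utsname.h>
#include <unistd.h>

/*
 * Hypothetical helper (not LTP code): ask the kernel to fill a struct
 * utsname whose last `overhang` bytes lie in a PROT_NONE page.
 * Returns 0 if the struct was filled, the errno value if the call
 * failed, -1 if the mapping could not be set up.
 */
int uname_into(size_t overhang)
{
	size_t page = (size_t)sysconf(_SC_PAGESIZE);
	size_t size = sizeof(struct utsname);
	char *base;
	int err;

	if (size > page || overhang > size)
		return -1;
	/* | page mapped rw | page mapped PROT_NONE | */
	base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
		    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (base == MAP_FAILED)
		return -1;
	if (mprotect(base + page, page, PROT_NONE)) {
		munmap(base, 2 * page);
		return -1;
	}
	/* Destination ends `overhang` bytes past the page boundary. */
	err = uname((struct utsname *)(base + page - (size - overhang)))
		? errno : 0;
	munmap(base, 2 * page);
	return err;
}

int main(void)
{
	printf("ends at the boundary: %s\n", strerror(uname_into(0)));
	printf("one byte over:        %s\n", strerror(uname_into(1)));
	return 0;
}
```

The failure here comes from the copy itself faulting on the inaccessible page, so the outcome does not depend on whether access_ok() rejects the range up front.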