[LTP] [PATCH v2] syscalls/statmount07: change "invalid buffer size" test

Jan Stancek jstancek@redhat.com
Tue Oct 15 14:41:53 CEST 2024


On Tue, Oct 15, 2024 at 2:08 PM Cyril Hrubis <chrubis@suse.cz> wrote:
>
> Hi!
> > Signed-off-by: Jan Stancek <jstancek@redhat.com>
> > ---
> >  testcases/kernel/syscalls/statmount/statmount07.c | 9 +++++----
> >  1 file changed, 5 insertions(+), 4 deletions(-)
> >
> > diff --git a/testcases/kernel/syscalls/statmount/statmount07.c b/testcases/kernel/syscalls/statmount/statmount07.c
> > index 0cc83429872f..58fcc20acce7 100644
> > --- a/testcases/kernel/syscalls/statmount/statmount07.c
> > +++ b/testcases/kernel/syscalls/statmount/statmount07.c
> > @@ -20,10 +20,10 @@
> >  static struct statmount *st_mount;
> >  static struct statmount *st_mount_null;
> >  static struct statmount *st_mount_small;
> > +static struct statmount *st_mount_bad;
> >  static uint64_t mnt_id;
> >  static uint64_t mnt_id_dont_exist = -1;
> >  static size_t buff_size;
> > -static size_t buff_size_invalid = -1;
> >
> >  struct tcase {
> >       int exp_errno;
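Review bot: `st_mount_bad` in the buffer declarations does not say what is bad about it, while its neighbours `st_mount_null` and `st_mount_small` are named after the property they test. A name that describes the layout (for example one that mentions the guard page), or a one-line comment above the declaration, would let a reader connect it to the "buffer crosses to PROT_NONE" case without having to look up the `.bufs` entry.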
> > @@ -90,12 +90,12 @@ struct tcase {
> >       },
> >       {
> >               EFAULT,
> > -             "invalid buffer size",
> > +             "buffer crosses to PROT_NONE",
> >               &mnt_id,
> >               0,
> >               0,
> > -             &buff_size_invalid,
> > -             &st_mount
> > +             &buff_size,
> > +             &st_mount_bad
> >       },
> >       {
> >               EFAULT,
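Review bot: In the rewritten EFAULT case the old `&buff_size_invalid` (size -1 with the valid `&st_mount`) is replaced rather than kept alongside the new one, so the oversized-size path is no longer exercised and the quoted part of the patch gives no reason for dropping it. Please state the reason in the commit message. The new case also expects EFAULT only if `buff_size` is larger than the one byte allocated for `st_mount_bad`, which nothing in this hunk makes visible, so a short comment on that dependency would help.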
> > @@ -139,6 +139,7 @@ static struct tst_test test = {
> >       .bufs = (struct tst_buffers []) {
> >               {&st_mount, .size = sizeof(struct statmount)},
> >               {&st_mount_small, .size = sizeof(struct statmount)},
> > +             {&st_mount_bad, .size = 1},
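Review bot: The `.size = 1` in the new `.bufs` entry is what makes the test case work, yet it reads like an arbitrary number next to the two `sizeof(struct statmount)` entries. A comment saying that the buffer is deliberately smaller than `struct statmount`, so that the kernel's copy has to run past it, would document the intent and also record which side of the buffer the test expects the PROT_NONE page to be on.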
>
> With this we create a mapping where PROT_NONE is before the buffer, not
> after it

Are you sure?

17019 08:32:23 write(2, "tst_buffers.c:57: \33[1;34mTINFO: "..., 66) = 66
17019 08:32:23 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3ff94f75000
17019 08:32:23 mprotect(0x3ff94f76000, 4096, PROT_NONE) = 0

st_mount_bad: 0x3ff94f75fff
(/proc/self/maps)
...
3ff94f2e000-3ff94f30000 rw-p 0002e000 fd:03 67110911                     /usr/lib/ld64.so.1
3ff94f75000-3ff94f76000 rw-p 00000000 00:00 0
3ff94f76000-3ff94f77000 ---p 00000000 00:00 0
3ff94f77000-3ff94f7b000 rw-p 00000000 00:00 0
3fffba5a000-3fffba7b000 rw-p 00000000 00:00 0                            [stack]
3fffba9f000-3fffbaa1000 r--p 00000000 00:00 0                            [vvar]
3fffbaa1000-3fffbaa3000 r-xp 00000000 00:00 0                            [vdso]

>, since guarded buffers are primarily guarding about off-by-one
> at the start of the buffer.

I'd expect going over end of buffer to be a lot more common.

> There is a canary after the allocated
> buffer that will potentially be rewritten, but that would be detected
> only at the test exit.
>
> If I remember correctly the mappings will look like:
>
> | PROT_NONE |_ CANARY BYTES |
>              ^
>              And this is our 1-byte buffer.

>
> --
> Cyril Hrubis
> chrubis@suse.cz
>
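
The layout visible in the strace output and /proc/self/maps excerpt above (two mapped pages, the second one set to PROT_NONE, the 1-byte buffer on the last byte of the first page), reproduced as an added example that is not part of the original messages and is not LTP code. `guarded_alloc()` and `kernel_write_errno()` are hypothetical helpers, and `clock_gettime` stands in for `statmount` as a syscall that copies a structure to a user buffer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical helper, not an LTP API: map two pages, make the second a
 * PROT_NONE guard, return the last `size` bytes of the first page. */
static void *guarded_alloc(size_t size)
{
	long page = sysconf(_SC_PAGESIZE);
	char *map;

	if (size == 0 || size > (size_t)page)
		return NULL;
	map = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
		   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map == MAP_FAILED)
		return NULL;
	if (mprotect(map + page, page, PROT_NONE)) {
		munmap(map, 2 * page);
		return NULL;
	}
	return map + page - size;
}

/* Ask the kernel to fill a struct timespec at buf. The raw syscall is used
 * so the copy is done by the kernel, not by the vDSO in user space.
 * Returns 0 on success, otherwise the errno value. */
static int kernel_write_errno(void *buf)
{
	if (syscall(SYS_clock_gettime, CLOCK_MONOTONIC, buf) == -1)
		return errno;
	return 0;
}

int main(void)
{
	void *fits = guarded_alloc(sizeof(struct timespec));
	void *bad = guarded_alloc(1);

	if (!fits || !bad)
		return 1;
	printf("fits: %p -> errno %d\n", fits, kernel_write_errno(fits));
	printf("bad:  %p -> errno %d\n", bad, kernel_write_errno(bad));
	return 0;
}
```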


