[LTP] [PATCH v2] syscalls/statmount07: change "invalid buffer size" test
Jan Stancek
jstancek@redhat.com
Tue Oct 15 14:41:53 CEST 2024
On Tue, Oct 15, 2024 at 2:08 PM Cyril Hrubis <chrubis@suse.cz> wrote:
>
> Hi!
> > Signed-off-by: Jan Stancek <jstancek@redhat.com>
> > ---
> > testcases/kernel/syscalls/statmount/statmount07.c | 9 +++++----
> > 1 file changed, 5 insertions(+), 4 deletions(-)
> >
> > diff --git a/testcases/kernel/syscalls/statmount/statmount07.c b/testcases/kernel/syscalls/statmount/statmount07.c
> > index 0cc83429872f..58fcc20acce7 100644
> > --- a/testcases/kernel/syscalls/statmount/statmount07.c
> > +++ b/testcases/kernel/syscalls/statmount/statmount07.c
> > @@ -20,10 +20,10 @@
> > static struct statmount *st_mount;
> > static struct statmount *st_mount_null;
> > static struct statmount *st_mount_small;
> > +static struct statmount *st_mount_bad;
> > static uint64_t mnt_id;
> > static uint64_t mnt_id_dont_exist = -1;
> > static size_t buff_size;
> > -static size_t buff_size_invalid = -1;
> >
> > struct tcase {
> > int exp_errno;
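Review bot: the name st_mount_bad in the declarations does not say what is wrong with the buffer. The pointer itself is valid, unlike st_mount_null, and only its 1-byte allocation makes it unusable. A one-line comment above the declaration, or a name that mentions the guard page, would make the intent clear beside st_mount_small.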
> > @@ -90,12 +90,12 @@ struct tcase {
> > },
> > {
> > EFAULT,
> > - "invalid buffer size",
> > + "buffer crosses to PROT_NONE",
> > &mnt_id,
> > 0,
> > 0,
> > - &buff_size_invalid,
> > - &st_mount
> > + &buff_size,
> > + &st_mount_bad
> > },
> > {
> > EFAULT,
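Review bot: the renamed "buffer crosses to PROT_NONE" case only yields EFAULT if buff_size is larger than the 1 byte allocated for st_mount_bad, and buff_size is assigned outside the visible lines. A short comment at this entry stating that relationship would keep the case from silently losing its meaning if either value changes.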
> > @@ -139,6 +139,7 @@ static struct tst_test test = {
> > .bufs = (struct tst_buffers []) {
> > {&st_mount, .size = sizeof(struct statmount)},
> > {&st_mount_small, .size = sizeof(struct statmount)},
> > + {&st_mount_bad, .size = 1},
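Review bot: `.size = 1` for st_mount_bad relies on the guarded-buffer allocator placing that byte directly before a PROT_NONE page, which nothing in this entry says. Add a comment stating that assumption, since next to the two sizeof(struct statmount) entries it otherwise reads like a sizing mistake.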
>
> With this we create a mapping where PROT_NONE is before the buffer, not
> after it
Are you sure?
17019 08:32:23 write(2, "tst_buffers.c:57: \33[1;34mTINFO: "..., 66) = 66
17019 08:32:23 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x3ff94f75000
17019 08:32:23 mprotect(0x3ff94f76000, 4096, PROT_NONE) = 0
st_mount_bad: 0x3ff94f75fff
(/proc/self/maps)
...
3ff94f2e000-3ff94f30000 rw-p 0002e000 fd:03 67110911 /usr/lib/ld64.so.1
3ff94f75000-3ff94f76000 rw-p 00000000 00:00 0
3ff94f76000-3ff94f77000 ---p 00000000 00:00 0
3ff94f77000-3ff94f7b000 rw-p 00000000 00:00 0
3fffba5a000-3fffba7b000 rw-p 00000000 00:00 0 [stack]
3fffba9f000-3fffbaa1000 r--p 00000000 00:00 0 [vvar]
3fffbaa1000-3fffbaa3000 r-xp 00000000 00:00 0 [vdso]
>, since guarded buffers are primarily guarding against off-by-one
> at the start of the buffer.
I'd expect going over end of buffer to be a lot more common.
> There is a canary after the allocated
> buffer that will potentially be rewritten, but that would be detected
> only at the test exit.
>
> If I remember correctly the mappings will look like:
>
> | PROT_NONE |_ CANARY BYTES |
>              ^
>              And this is our 1-byte buffer.
>
> --
> Cyril Hrubis
> chrubis@suse.cz
>
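
The layout seen in the strace output above (two pages mapped, the second made PROT_NONE, a 1-byte buffer on the last byte of the first page), as an added example that is not part of the thread and not LTP's tst_buffers code. The helper names are hypothetical, and uname(2) stands in for statmount(2) as a syscall that copies a whole struct to user space.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>

/* Hypothetical helper: map two pages, make the second PROT_NONE and return
 * a pointer to the last `size` bytes of the first page, so the byte right
 * after the buffer is inaccessible. */
static void *guarded_alloc(size_t size, void **map_out)
{
	long page = sysconf(_SC_PAGESIZE);
	char *map;

	if (size > (size_t)page)
		return NULL;
	map = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
		   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (map == MAP_FAILED)
		return NULL;
	if (mprotect(map + page, page, PROT_NONE)) {
		munmap(map, 2 * page);
		return NULL;
	}
	*map_out = map;
	return map + page - size;
}

/* Have the kernel copy a struct utsname into a `size`-byte guarded buffer.
 * Returns 0 on success, the errno value on failure, -1 if setup failed. */
static int uname_into_guarded(size_t size)
{
	void *map = NULL, *buf = guarded_alloc(size, &map);
	int ret;

	if (!buf)
		return -1;
	ret = syscall(SYS_uname, buf) ? errno : 0;
	munmap(map, 2 * sysconf(_SC_PAGESIZE));
	return ret;
}

int main(void)
{
	printf("1-byte buffer: %d (EFAULT=%d)\n", uname_into_guarded(1), EFAULT);
	printf("full buffer:   %d\n", uname_into_guarded(sizeof(struct utsname)));
	return 0;
}
```

The 1-byte case fails with EFAULT because the kernel's copy runs into the PROT_NONE page, while a buffer that fits entirely before the guard page succeeds.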