* [LTP] [PATCH] thp testcase come from CVE reproducer @ 2011-02-25 10:36 Han Pingtian 2011-03-04 10:38 ` Garrett Cooper 2011-04-07 6:57 ` Garrett Cooper 0 siblings, 2 replies; 18+ messages in thread From: Han Pingtian @ 2011-02-25 10:36 UTC (permalink / raw) To: Garrett Cooper; +Cc: ltp-list This is a reproducer of CVE-2011-0999, which fixed by mainline commit a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: "Transparent hugepages can only be created if rmap is fully functional. So we must prevent hugepages to be created while is_vma_temporary_stack() is true." When running in a loop, it can trigger panic like this, if kernel unpatched: kernel BUG at mm/huge_memory.c:1260! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map .... So I recommend to run it as 'thp01 -I xxx'. Signed-off-by: Han Pingtian <phan@redhat.com> --- runtest/mm | 2 + testcases/kernel/mem/thp/Makefile | 23 +++++++++ testcases/kernel/mem/thp/thp01.c | 99 +++++++++++++++++++++++++++++++++++++ 3 files changed, 124 insertions(+), 0 deletions(-) create mode 100644 testcases/kernel/mem/thp/Makefile create mode 100644 testcases/kernel/mem/thp/thp01.c diff --git a/runtest/mm b/runtest/mm index f097256..6b7e003 100644 --- a/runtest/mm +++ b/runtest/mm @@ -84,3 +84,5 @@ oom01 oom01 oom02 oom02 oom03 oom03 oom04 oom04 + +thp01 thp01 -I 600 diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile new file mode 100644 index 0000000..dbfbc1b --- /dev/null +++ b/testcases/kernel/mem/thp/Makefile 
@@ -0,0 +1,23 @@ +# +# Copyright (C) 2010 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. +# + +top_srcdir ?= ../../../.. + +include $(top_srcdir)/include/mk/testcases.mk +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c new file mode 100644 index 0000000..b667b78 --- /dev/null +++ b/testcases/kernel/mem/thp/thp01.c 
@@ -0,0 +1,99 @@ +/* + * This is a reproducer of CVE-2011-0999, which fixed by mainline commit + * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: + * + * "Transparent hugepages can only be created if rmap is fully + * functional. So we must prevent hugepages to be created while + * is_vma_temporary_stack() is true." + * + * It will cause a panic something like this, if the patch didn't get applied: + * + * kernel BUG at mm/huge_memory.c:1260! + * invalid opcode: 0000 [#1] SMP + * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map + * .... + * + * Copyright (C) 2010 Red Hat, Inc. + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + * + * This program is distributed in the hope that it would be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * + * Further, this software is distributed without any warranty that it + * is free of the rightful claim of any third person regarding + * infringement or the like. Any license provided herein, whether + * implied or otherwise, applies only to this software file. Patent + * licenses, if any, provided herein do not apply to combinations of + * this program with other software, or any other product whatsoever. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. 
+ */ +#include "test.h" +#include "usctest.h" +#include "config.h" + +char *TCID = "thp01"; +int TST_TOTAL = 1; + +#include <stdio.h> +#include <unistd.h> +#include <string.h> +#include <sys/resource.h> +#include <sys/types.h> +#include <sys/wait.h> + +static option_t options[] = { + {NULL, NULL, NULL} +}; + +static void usage(void) +{ + return; +} + +int main(int argc, char **argv) { + int i, lc, st; + pid_t pid; + char *msg; + char *c[257]; + char cc[32*4096]; + struct rlimit rl = { + .rlim_cur =RLIM_INFINITY, + .rlim_max=RLIM_INFINITY, + }; + + msg = parse_opts(argc, argv, options, usage); + if (msg != NULL) + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); + + for (lc = 0; TEST_LOOPING(lc); lc++) { + switch (pid = fork()) { + case -1: + tst_brkm(TBROK|TERRNO, NULL, "fork"); + case 0: + memset(cc, 'c', 32*4096-1); + for (i=0;i<256;i++) + c[i] = cc; + if (setrlimit(RLIMIT_STACK, &rl) == -1) + tst_brkm(TBROK|TERRNO, NULL, "setrlimit"); + if (execve("/bin/true", c, c) == -1) + tst_brkm(TBROK|TERRNO, NULL, "execve"); + default: + if (waitpid(pid, &st, 0) == -1) + tst_brkm(TBROK|TERRNO, NULL, "waitpid"); + + if (! WIFEXITED(st)) + tst_brkm(TBROK, NULL, "child exit status is %d", WEXITSTATUS(st)); + + tst_resm(TPASS, "thp01 pass"); + } + } + + tst_exit(); +} -- 1.7.1 _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list
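Review bot: in the thp01.c hunk `c[256]` is never assigned (the loop fills `c[0]` to `c[255]` only), so the argv and envp handed to `execve("/bin/true", c, c)` are not NULL-terminated and execve() reads whatever happens to be on the stack after the last real pointer; add `c[256] = NULL;` after the loop, and likewise `cc[sizeof(cc) - 1] = '\0';`, since `memset(cc, 'c', 32*4096-1)` leaves the last byte of the argument string indeterminate. Two smaller points in the same hunk: the `!WIFEXITED(st)` message prints `WEXITSTATUS(st)`, which is only defined when WIFEXITED is true, so a child killed by a signal should be reported through `WIFSIGNALED(st)`/`WTERMSIG(st)` instead; and the child in `case 0:` only avoids falling through into `default:` because `tst_brkm()` exits, so report with `perror()` and leave with `_exit()` there. Finally, the header comment quotes the kernel commit and the panic but never states what the test does to reach that path (an exec with 256 arguments of 32*4096 bytes each while RLIMIT_STACK is RLIM_INFINITY), nor that raising the stack limit with `setrlimit()` fails with EPERM for an unprivileged user whose hard limit is lower; a sentence on each would save the next maintainer from re-deriving it.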
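Review bot: the runtest/mm hunk inserts an empty line before `thp01 thp01 -I 600` although the oom entries above it are contiguous; drop the blank line. The commit message only says "run it as 'thp01 -I xxx'", so a note on why 600 iterations were chosen (how many were needed to hit the BUG on an unpatched kernel, and roughly how long that takes, given that every iteration forks and execs) belongs either there or in a comment next to the entry.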
* Re: [LTP] [PATCH] thp testcase come from CVE reproducer 2011-02-25 10:36 [LTP] [PATCH] thp testcase come from CVE reproducer Han Pingtian @ 2011-03-04 10:38 ` Garrett Cooper 2011-03-07 7:29 ` Han Pingtian 2011-04-07 6:57 ` Garrett Cooper 1 sibling, 1 reply; 18+ messages in thread From: Garrett Cooper @ 2011-03-04 10:38 UTC (permalink / raw) To: Garrett Cooper, ltp-list On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote: > This is a reproducer of CVE-2011-0999, which fixed by mainline commit > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: > > "Transparent hugepages can only be created if rmap is fully > functional. So we must prevent hugepages to be created while > is_vma_temporary_stack() is true." > > When running in a loop, it can trigger panic like this, if kernel > unpatched: > > kernel BUG at mm/huge_memory.c:1260! > invalid opcode: 0000 [#1] SMP > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map ... > +static option_t options[] = { > + {NULL, NULL, NULL} > +}; > + > +static void usage(void) > +{ > + return; > +} You can delete this if you do what I suggest below... ... > + msg = parse_opts(argc, argv, options, usage); > + if (msg != NULL) `if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)' is preferred. > + if (execve("/bin/true", c, c) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "execve"); Not all systems have /bin/true. It would be better to do: /bin/sh -c ':' etc, as we have code that depends on this type of shell-required POSIX behavior. Thanks, -Garrett
* Re: [LTP] [PATCH] thp testcase come from CVE reproducer 2011-03-04 10:38 ` Garrett Cooper @ 2011-03-07 7:29 ` Han Pingtian 2011-03-11 4:54 ` Han Pingtian 2011-04-06 19:19 ` Cyril Hrubis 0 siblings, 2 replies; 18+ messages in thread 
From: Han Pingtian @ 2011-03-07 7:29 UTC (permalink / raw) To: Garrett Cooper; +Cc: ltp-list On Fri, Mar 04, 2011 at 02:38:51AM -0800, Garrett Cooper wrote: > On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote: > > This is a reproducer of CVE-2011-0999, which fixed by mainline commit > > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: > > > > "Transparent hugepages can only be created if rmap is fully > > functional. So we must prevent hugepages to be created while > > is_vma_temporary_stack() is true." > > > > When running in a loop, it can trigger panic like this, if kernel > > unpatched: > > > > kernel BUG at mm/huge_memory.c:1260! > > invalid opcode: 0000 [#1] SMP > > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map > > ... > > > +static option_t options[] = { > > + {NULL, NULL, NULL} > > +}; > > + > > +static void usage(void) > > +{ > > + return; > > +} > > You can delete this if you do what I suggest below... > > ... > > > + msg = parse_opts(argc, argv, options, usage); > > + if (msg != NULL) > > `if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)' is preferred. Thanks. I have updated this according to your suggestion. > > > + if (execve("/bin/true", c, c) == -1) > > + tst_brkm(TBROK|TERRNO, NULL, "execve"); > > Not all systems have /bin/true. It would be better to do: > > /bin/sh -c ':' > > etc, as we have code that depends on this type of shell-required POSIX behavior. > I'm sorry, but I cannot figure out how to do it this way. I tried, but cannot crash the unpatched kernel anymore. So I think the simple workaround is checking whether /bin/true is installed in the program: + + if (WEXITSTATUS(st) == 2) + tst_brkm(TBROK, NULL, "Do you have /bin/true installed?"); + Please review the updated version. > Thanks, > -Garrett -- Han Pingtian Quality Engineer hpt @ #kernel-qe Red Hat, Inc Freedom ... courage ... Commitment ...
ACCOUNTABILITY [-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --] [-- Type: text/plain, Size: 5692 bytes --] From 38c3526fdb59c0b18015914745f2d43fc6c6b1a3 Mon Sep 17 00:00:00 2001 From: Han Pingtian <phan@redhat.com> Date: Fri, 25 Feb 2011 17:51:24 +0800 Subject: [PATCH] thp testcase come from CVE reproducer This is a reproducer of CVE-2011-0999, which fixed by mainline commit a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: "Transparent hugepages can only be created if rmap is fully functional. So we must prevent hugepages to be created while is_vma_temporary_stack() is true." When running in a loop, it can trigger panic like this, if kernel unpatched: kernel BUG at mm/huge_memory.c:1260! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map .... So I recommend to run it as 'thp01 -I xxx'. Signed-off-by: Han Pingtian <phan@redhat.com> --- runtest/mm | 2 + testcases/kernel/mem/thp/Makefile | 23 +++++++++ testcases/kernel/mem/thp/thp01.c | 95 +++++++++++++++++++++++++++++++++++++ 3 files changed, 120 insertions(+), 0 deletions(-) create mode 100644 testcases/kernel/mem/thp/Makefile create mode 100644 testcases/kernel/mem/thp/thp01.c diff --git a/runtest/mm b/runtest/mm index 1296e59..51cc82d 100644 --- a/runtest/mm +++ b/runtest/mm @@ -85,3 +85,5 @@ oom01 oom01 oom02 oom02 oom03 oom03 oom04 oom04 + +thp01 thp01 -I 600 diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile new file mode 100644 index 0000000..dbfbc1b --- /dev/null +++ b/testcases/kernel/mem/thp/Makefile 
@@ -0,0 +1,23 @@ +# +# Copyright (C) 2010 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. +# + +top_srcdir ?= ../../../.. + +include $(top_srcdir)/include/mk/testcases.mk +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c new file mode 100644 index 0000000..0b6ec1a --- /dev/null +++ b/testcases/kernel/mem/thp/thp01.c 
@@ -0,0 +1,95 @@ +/* + * This is a reproducer of CVE-2011-0999, which fixed by mainline commit + * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: + * + * "Transparent hugepages can only be created if rmap is fully + * functional. So we must prevent hugepages to be created while + * is_vma_temporary_stack() is true." + * + * It will cause a panic something like this, if the patch didn't get applied: + * + * kernel BUG at mm/huge_memory.c:1260! + * invalid opcode: 0000 [#1] SMP + * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map + * .... + * + * Copyright (C) 2010 Red Hat, Inc. + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + * + * This program is distributed in the hope that it would be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * + * Further, this software is distributed without any warranty that it + * is free of the rightful claim of any third person regarding + * infringement or the like. Any license provided herein, whether + * implied or otherwise, applies only to this software file. Patent + * licenses, if any, provided herein do not apply to combinations of + * this program with other software, or any other product whatsoever. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. 
+ */ +#include "test.h" +#include "usctest.h" +#include "config.h" + +char *TCID = "thp01"; +int TST_TOTAL = 1; + +#include <stdio.h> +#include <unistd.h> +#include <string.h> +#include <sys/resource.h> +#include <sys/types.h> +#include <sys/wait.h> + +int main(int argc, char **argv) { + int i, lc, st; + pid_t pid; + char *msg; + char *c[257]; + char cc[32*4096]; + struct rlimit rl = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, + }; + + if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL) + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); + + for (lc = 0; TEST_LOOPING(lc); lc++) { + switch (pid = fork()) { + case -1: + tst_brkm(TBROK|TERRNO, NULL, "fork"); + case 0: + memset(cc, 'c', 32*4096-1); + for (i=0;i<256;i++) + c[i] = cc; + if (setrlimit(RLIMIT_STACK, &rl) == -1) + tst_brkm(TBROK|TERRNO, NULL, "setrlimit"); + if (execve("/bin/true", c, c) == -1) + tst_brkm(TBROK|TERRNO, NULL, "execve"); + default: + if (waitpid(pid, &st, 0) == -1) + tst_brkm(TBROK|TERRNO, NULL, "waitpid"); + + if (! WIFEXITED(st)) + tst_brkm(TBROK, NULL, "child exits abnormally"); + + if (WEXITSTATUS(st) == 2) + tst_brkm(TBROK, NULL, "Do you have /bin/true installed?"); + + if (WEXITSTATUS(st) != 0) + tst_brkm(TBROK, NULL, "chaild exits with non-zero value"); + + tst_resm(TPASS, "thp01 pass"); + } + } + + tst_exit(); +} -- 1.7.1
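Review bot: the thp01.c hunk still never sets `c[256]` (the loop stops at `c[255]`), so the argv and envp passed to `execve("/bin/true", c, c)` have no NULL terminator; add `c[256] = NULL;` after the loop and `cc[sizeof(cc) - 1] = '\0';` for the argument string, whose last byte `memset(cc, 'c', 32*4096-1)` leaves uninitialized. The new `WEXITSTATUS(st) == 2` check is read as "/bin/true missing", but 2 is simply the status the child's `tst_brkm(TBROK, ...)` exits with, and the `setrlimit` failure a few lines above the `execve` goes through the same call, so the question in the message can point the user at the wrong cause; let the child tell them apart itself (`perror("execve"); _exit(127);` and a different code for the setrlimit path) and have the parent print the status it saw. Also in this hunk: `chaild` is a typo in the non-zero-exit message, the `!WIFEXITED(st)` branch should report `WTERMSIG(st)` so a signal death is distinguishable from a harness failure, and the opening brace of `int main(int argc, char **argv) {` belongs on its own line.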
* Re: [LTP] [PATCH] thp testcase come from CVE reproducer 2011-03-07 7:29 ` Han Pingtian @ 2011-03-11 4:54 ` Han Pingtian 2011-04-06 19:19 ` Cyril Hrubis 1 sibling, 0 replies; 18+ messages in thread 
From: Han Pingtian @ 2011-03-11 4:54 UTC (permalink / raw) To: Garrett Cooper, ltp-list On Mon, Mar 07, 2011 at 03:29:01PM +0800, Han Pingtian wrote: > On Fri, Mar 04, 2011 at 02:38:51AM -0800, Garrett Cooper wrote: > > On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote: > > > This is a reproducer of CVE-2011-0999, which fixed by mainline commit > > > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: > > > > > > "Transparent hugepages can only be created if rmap is fully > > > functional. So we must prevent hugepages to be created while > > > is_vma_temporary_stack() is true." > > > > > > When running in a loop, it can trigger panic like this, if kernel > > > unpatched: > > > > > > kernel BUG at mm/huge_memory.c:1260! > > > invalid opcode: 0000 [#1] SMP > > > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map > > > > ... > > > > > +static option_t options[] = { > > > + {NULL, NULL, NULL} > > > +}; > > > + > > > +static void usage(void) > > > +{ > > > + return; > > > +} > > > > You can delete this if you do what I suggest below... > > > > ... > > > > > + msg = parse_opts(argc, argv, options, usage); > > > + if (msg != NULL) > > > > `if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)' is preferred. > Thanks. I have updated this according to your suggestion. > > > > > + if (execve("/bin/true", c, c) == -1) > > > + tst_brkm(TBROK|TERRNO, NULL, "execve"); > > > > Not all systems have /bin/true. It would be better to do: > > > > /bin/sh -c ':' > > > > etc, as we have code that depends on this type of shell-required POSIX behavior. > > > I'm sorry for I cannot figure out how to do this way. I tried, but > cannot crash unpatched kernel anymore. So I think the simple workaround > is checking if /bin/true installed in the program: > > + > + if (WEXITSTATUS(st) == 2) > + tst_brkm(TBROK, NULL, "Do you have /bin/true installed?"); > + > Is this acceptable, please? Thanks. > Please review the updated version. 
> > Thanks, > > -Garrett > > -- > Han Pingtian > Quality Engineer > hpt @ #kernel-qe > Red Hat, Inc > Freedom ... courage ... Commitment ... ACCOUNTABILITY > >From 38c3526fdb59c0b18015914745f2d43fc6c6b1a3 Mon Sep 17 00:00:00 2001 > From: Han Pingtian <phan@redhat.com> > Date: Fri, 25 Feb 2011 17:51:24 +0800 > Subject: [PATCH] thp testcase come from CVE reproducer > > This is a reproducer of CVE-2011-0999, which fixed by mainline commit > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: > > "Transparent hugepages can only be created if rmap is fully > functional. So we must prevent hugepages to be created while > is_vma_temporary_stack() is true." > > When running in a loop, it can trigger panic like this, if kernel > unpatched: > > kernel BUG at mm/huge_memory.c:1260! > invalid opcode: 0000 [#1] SMP > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map > .... > > So I recommend to run it as 'thp01 -I xxx'. > > Signed-off-by: Han Pingtian <phan@redhat.com> > --- > runtest/mm | 2 + > testcases/kernel/mem/thp/Makefile | 23 +++++++++ > testcases/kernel/mem/thp/thp01.c | 95 +++++++++++++++++++++++++++++++++++++ > 3 files changed, 120 insertions(+), 0 deletions(-) > create mode 100644 testcases/kernel/mem/thp/Makefile > create mode 100644 testcases/kernel/mem/thp/thp01.c > > diff --git a/runtest/mm b/runtest/mm > index 1296e59..51cc82d 100644 > --- a/runtest/mm > +++ b/runtest/mm > @@ -85,3 +85,5 @@ oom01 oom01 > oom02 oom02 > oom03 oom03 > oom04 oom04 > + > +thp01 thp01 -I 600 > diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile > new file mode 100644 > index 0000000..dbfbc1b > --- /dev/null > +++ b/testcases/kernel/mem/thp/Makefile 
> @@ -0,0 +1,23 @@ > +# > +# Copyright (C) 2010 Red Hat, Inc. > +# > +# This program is free software; you can redistribute it and/or modify > +# it under the terms of the GNU General Public License as published by > +# the Free Software Foundation; either version 2 of the License, or (at > +# your option) any later version. > +# > +# This program is distributed in the hope that it will be useful, but > +# WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > +# General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with this program; if not, write to the Free Software > +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA > +# 02110-1301, USA. > +# > + > +top_srcdir ?= ../../../.. > + > +include $(top_srcdir)/include/mk/testcases.mk > +include $(top_srcdir)/include/mk/generic_leaf_target.mk > diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c > new file mode 100644 > index 0000000..0b6ec1a > --- /dev/null > +++ b/testcases/kernel/mem/thp/thp01.c 
> @@ -0,0 +1,95 @@ > +/* > + * This is a reproducer of CVE-2011-0999, which fixed by mainline commit > + * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: > + * > + * "Transparent hugepages can only be created if rmap is fully > + * functional. So we must prevent hugepages to be created while > + * is_vma_temporary_stack() is true." > + * > + * It will cause a panic something like this, if the patch didn't get applied: > + * > + * kernel BUG at mm/huge_memory.c:1260! > + * invalid opcode: 0000 [#1] SMP > + * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map > + * .... > + * > + * Copyright (C) 2010 Red Hat, Inc. > + * This program is free software; you can redistribute it and/or > + * modify it under the terms of version 2 of the GNU General Public > + * License as published by the Free Software Foundation. > + * > + * This program is distributed in the hope that it would be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. > + * > + * Further, this software is distributed without any warranty that it > + * is free of the rightful claim of any third person regarding > + * infringement or the like. Any license provided herein, whether > + * implied or otherwise, applies only to this software file. Patent > + * licenses, if any, provided herein do not apply to combinations of > + * this program with other software, or any other product whatsoever. > + * > + * You should have received a copy of the GNU General Public License > + * along with this program; if not, write the Free Software > + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA > + * 02110-1301, USA. 
> + */ > +#include "test.h" > +#include "usctest.h" > +#include "config.h" > + > +char *TCID = "thp01"; > +int TST_TOTAL = 1; > + > +#include <stdio.h> > +#include <unistd.h> > +#include <string.h> > +#include <sys/resource.h> > +#include <sys/types.h> > +#include <sys/wait.h> > + > +int main(int argc, char **argv) { > + int i, lc, st; > + pid_t pid; > + char *msg; > + char *c[257]; > + char cc[32*4096]; > + struct rlimit rl = { > + .rlim_cur = RLIM_INFINITY, > + .rlim_max = RLIM_INFINITY, > + }; > + > + if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL) > + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); > + > + for (lc = 0; TEST_LOOPING(lc); lc++) { > + switch (pid = fork()) { > + case -1: > + tst_brkm(TBROK|TERRNO, NULL, "fork"); > + case 0: > + memset(cc, 'c', 32*4096-1); > + for (i=0;i<256;i++) > + c[i] = cc; > + if (setrlimit(RLIMIT_STACK, &rl) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "setrlimit"); > + if (execve("/bin/true", c, c) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "execve"); > + default: > + if (waitpid(pid, &st, 0) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "waitpid"); > + > + if (! WIFEXITED(st)) > + tst_brkm(TBROK, NULL, "child exits abnormally"); > + > + if (WEXITSTATUS(st) == 2) > + tst_brkm(TBROK, NULL, "Do you have /bin/true installed?"); > + > + if (WEXITSTATUS(st) != 0) > + tst_brkm(TBROK, NULL, "chaild exits with non-zero value"); > + > + tst_resm(TPASS, "thp01 pass"); > + } > + } > + > + tst_exit(); > +} > -- > 1.7.1 > > ------------------------------------------------------------------------------ > What You Don't Know About Data Connectivity CAN Hurt You > This paper provides an overview of data connectivity, details > its effect on application quality, and explores various alternative > solutions. 
-- Han Pingtian Quality Engineer hpt @ #kernel-qe Red Hat, Inc Freedom ... courage ... Commitment ... ACCOUNTABILITY
* Re: [LTP] [PATCH] thp testcase come from CVE reproducer 2011-03-07 7:29 ` Han Pingtian 2011-03-11 4:54 ` Han Pingtian @ 2011-04-06 19:19 ` Cyril Hrubis [not found] ` <BANLkTik=ZwxHTEgF_E9UeC1Tutx-MRnMkw@mail.gmail.com> 1 sibling, 1 reply; 18+ messages in thread From: Cyril Hrubis @ 2011-04-06 19:19 UTC (permalink / raw) To: Han Pingtian; +Cc: ltp-list Hi! > > Not all systems have /bin/true. It would be better to do: > > > > /bin/sh -c ':' > > > > etc, as we have code that depends on this type of shell-required POSIX behavior. > > > I'm sorry for I cannot figure out how to do this way. I tried, but > cannot crash unpatched kernel anymore. So I think the simple workaround > is checking if /bin/true installed in the program: It should be as simple as execve("/bin/sh -c ':'", c, c), or that didn't work? What about "/bin/sh -c ''" ? > +#include <stdio.h> > +#include <unistd.h> > +#include <string.h> > +#include <sys/resource.h> > +#include <sys/types.h> > +#include <sys/wait.h> > + > +int main(int argc, char **argv) { The curly bracket should be on a new line here. > + int i, lc, st; > + pid_t pid; > + char *msg; > + char *c[257]; > + char cc[32*4096]; > + struct rlimit rl = { > + .rlim_cur = RLIM_INFINITY, > + .rlim_max = RLIM_INFINITY, > + }; > + > + if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL) > + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); > + > + for (lc = 0; TEST_LOOPING(lc); lc++) { > + switch (pid = fork()) { > + case -1: > + tst_brkm(TBROK|TERRNO, NULL, "fork"); > + case 0: > + memset(cc, 'c', 32*4096-1); Hmm, should not the cc actually be a C string and so terminated with '\0'? > + for (i=0;i<256;i++) > + c[i] = cc; > + if (setrlimit(RLIMIT_STACK, &rl) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "setrlimit"); > + if (execve("/bin/true", c, c) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "execve"); > + default: > + if (waitpid(pid, &st, 0) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "waitpid"); > + > + if (!
WIFEXITED(st)) > + tst_brkm(TBROK, NULL, "child exits abnormally"); Please don't add space after ! here. > + if (WEXITSTATUS(st) == 2) > + tst_brkm(TBROK, NULL, "Do you have /bin/true installed?"); > + > + if (WEXITSTATUS(st) != 0) > + tst_brkm(TBROK, NULL, "chaild exits with non-zero value"); > + > + tst_resm(TPASS, "thp01 pass"); > + } > + } > + > + tst_exit(); > +} -- Cyril Hrubis chrubis@suse.cz
* Re: [LTP] [PATCH] thp testcase come from CVE reproducer [not found] ` <BANLkTik=ZwxHTEgF_E9UeC1Tutx-MRnMkw@mail.gmail.com> @ 2011-04-07 19:41 ` Cyril Hrubis 0 siblings, 0 replies; 18+ messages in thread From: Cyril Hrubis @ 2011-04-07 19:41 UTC (permalink / raw) To: Garrett Cooper; +Cc: ltp-list Hi! > >> > Not all systems have /bin/true. It would be better to do: > >> > > >> > /bin/sh -c ':' > >> > > >> > etc, as we have code that depends on this type of shell-required POSIX behavior. > >> > > >> I'm sorry for I cannot figure out how to do this way. I tried, but > >> cannot crash unpatched kernel anymore. So I think the simple workaround > >> is checking if /bin/true installed in the program: > > > > It should as simple as execve("/bin/sh -c ':'", c, c), or that didn't work? > > execve doesn't work that way. It should be: > > execve("/bin/sh", "sh", "-c", ":"); Ahh, right, so it's difficult in this case as it seems that the trigger is a particularly big argv and envp (at least it seems so from the source, some better description wouldn't harm too). -- Cyril Hrubis chrubis@suse.cz
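The exchange above turns on three things the patch gets loose: execve() takes NULL-terminated argv and envp arrays rather than a list of strings (the `c[256]` slot in thp01.c is never set), the child should report failures with plain libc calls and leave with _exit() as Garrett asks, and the parent should decode WIFEXITED/WIFSIGNALED separately, as Cyril's and Garrett's reviews touch on. The following is an added example written for this thread, not code from the patch or from LTP. It runs `/bin/sh -c <script>` the way Garrett's `/bin/sh -c ':'` suggestion requires (it assumes /bin/sh exists, which POSIX requires of a system while /bin/true is not), with explicit terminators on both arrays, and returns a decoded status. The argument list is deliberately small; the block shows the exec-and-wait pattern and its status handling, not the reproducer's large-argument trigger.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decoded wait status. Keeping "exited with a code" and "killed by a
 * signal" apart matters: WEXITSTATUS() is only meaningful when
 * WIFEXITED() is true, so printing it for a signalled child (as the
 * v1 patch does) yields a meaningless number. */
struct child_result {
    int exited;     /* 1 when the child terminated via exit()/_exit() */
    int exit_code;  /* valid only when exited == 1; -1 on harness failure */
    int signaled;   /* 1 when the child was killed by a signal */
    int term_sig;   /* valid only when signaled == 1 */
};

/* Turn a raw waitpid() status into a child_result. */
static struct child_result decode_status(int st)
{
    struct child_result r = {0, 0, 0, 0};

    if (WIFEXITED(st)) {
        r.exited = 1;
        r.exit_code = WEXITSTATUS(st);
    } else if (WIFSIGNALED(st)) {
        r.signaled = 1;
        r.term_sig = WTERMSIG(st);
    }
    return r;
}

/* Run `/bin/sh -c <script>` in a child and return its decoded status.
 * Assumption: /bin/sh exists (a POSIX requirement; /bin/true is not one).
 * argv and envp are explicit NULL-terminated arrays: execve() takes
 * arrays, not a list of string arguments, and it walks each array until
 * it meets the NULL, so a missing terminator means reading past the end. */
static struct child_result run_sh(const char *script)
{
    struct child_result fail = {0, -1, 0, 0};
    char *argv[] = {"sh", "-c", (char *)script, NULL};
    char *envp[] = {"PATH=/bin:/usr/bin", NULL};
    pid_t pid;
    int st;

    pid = fork();
    if (pid == -1) {
        perror("fork");
        return fail;
    }
    if (pid == 0) {
        /* child: plain libc reporting only, never the parent's test
         * harness, and _exit() so no parent code path runs twice */
        execve("/bin/sh", argv, envp);
        perror("execve");   /* reached only when execve() failed */
        _exit(127);         /* conventional "could not exec" status */
    }
    if (waitpid(pid, &st, 0) == -1) {
        perror("waitpid");
        return fail;
    }
    return decode_status(st);
}

/* Stand-alone demonstration: a clean exit, a non-zero exit and a
 * signal death, each reported the way a harness should report it. */
int main(void)
{
    const char *scripts[] = {":", "exit 3", "kill -TERM $$"};
    size_t i;

    for (i = 0; i < sizeof(scripts) / sizeof(scripts[0]); i++) {
        struct child_result r = run_sh(scripts[i]);

        if (r.exited)
            printf("'%s': exited with status %d\n", scripts[i], r.exit_code);
        else if (r.signaled)
            printf("'%s': killed by signal %d\n", scripts[i], r.term_sig);
        else
            printf("'%s': harness failure\n", scripts[i]);
    }
    return 0;
}
```

The `_exit(127)` in the child is what lets the parent tell "exec failed" from "the program ran and returned something": with the patch's approach, a TBROK from setrlimit and a TBROK from execve both surface as the same exit status 2, which is why its "Do you have /bin/true installed?" message can point at the wrong cause.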
* Re: [LTP] [PATCH] thp testcase come from CVE reproducer 2011-02-25 10:36 [LTP] [PATCH] thp testcase come from CVE reproducer Han Pingtian 2011-03-04 10:38 ` Garrett Cooper @ 2011-04-07 6:57 ` Garrett Cooper 2011-04-09 3:23 ` Han Pingtian 1 sibling, 1 reply; 18+ messages in thread From: Garrett Cooper @ 2011-04-07 6:57 UTC (permalink / raw) To: Garrett Cooper, ltp-list I'm going to be more anal retentive with this review than I was previously. On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote: > This is a reproducer of CVE-2011-0999, which fixed by mainline commit > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: > > "Transparent hugepages can only be created if rmap is fully > functional. So we must prevent hugepages to be created while > is_vma_temporary_stack() is true." > > When running in a loop, it can trigger panic like this, if kernel > unpatched: > > kernel BUG at mm/huge_memory.c:1260! > invalid opcode: 0000 [#1] SMP > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map ... > > So I recommend to run it as 'thp01 -I xxx'. 
> +static option_t options[] = { > + {NULL, NULL, NULL} > +}; > + > +static void usage(void) > +{ > + return; > +} > + > +int main(int argc, char **argv) { > + int i, lc, st; > + pid_t pid; > + char *msg; > + char *c[257]; > + char cc[32*4096]; > + struct rlimit rl = { > + .rlim_cur =RLIM_INFINITY, > + .rlim_max=RLIM_INFINITY, > + }; > + > + msg = parse_opts(argc, argv, options, usage); > + if (msg != NULL) > + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); > + > + for (lc = 0; TEST_LOOPING(lc); lc++) { > + switch (pid = fork()) { > + case -1: > + tst_brkm(TBROK|TERRNO, NULL, "fork"); > + case 0: > + memset(cc, 'c', 32*4096-1); > + for (i=0;i<256;i++) > + c[i] = cc; > + if (setrlimit(RLIMIT_STACK, &rl) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "setrlimit"); > + if (execve("/bin/true", c, c) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "execve"); I would just do perror("execve"), etc, because this is a child process and according to the style guide you shouldn't use tst_resm in child processes (I recommended that in the style guide for a very good reason that you should understand). > + default: > + if (waitpid(pid, &st, 0) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "waitpid"); > + > + if (! WIFEXITED(st)) > + tst_brkm(TBROK, NULL, "child exit status is %d", WEXITSTATUS(st)); I agree with what Cyril said before about whitespace. ... -Garrett
* Re: [LTP] [PATCH] thp testcase come from CVE reproducer 2011-04-07 6:57 ` Garrett Cooper @ 2011-04-09 3:23 ` Han Pingtian 2011-04-09 6:12 ` Garrett Cooper 0 siblings, 1 reply; 18+ messages in thread 
From: Han Pingtian @ 2011-04-09 3:23 UTC (permalink / raw) To: Garrett Cooper; +Cc: ltp-list [-- Attachment #1: Type: text/plain, Size: 3496 bytes --] I have updated the patch based on your suggestions. Please review. Thanks. Han Pingtian On Wed, Apr 06, 2011 at 11:57:51PM -0700, Garrett Cooper wrote: > I'm going to be more anal retentive with this review than I was previously. > > On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote: > > This is a reproducer of CVE-2011-0999, which fixed by mainline commit > > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: > > > > "Transparent hugepages can only be created if rmap is fully > > functional. So we must prevent hugepages to be created while > > is_vma_temporary_stack() is true." > > > > When running in a loop, it can trigger panic like this, if kernel > > unpatched: > > > > kernel BUG at mm/huge_memory.c:1260! > > invalid opcode: 0000 [#1] SMP > > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map > > ... > > > > So I recommend to run it as 'thp01 -I xxx'. 
> > +static option_t options[] = { > > + {NULL, NULL, NULL} > > +}; > > + > > +static void usage(void) > > +{ > > + return; > > +} > > + > > +int main(int argc, char **argv) { > > + int i, lc, st; > > + pid_t pid; > > + char *msg; > > + char *c[257]; > > + char cc[32*4096]; > > + struct rlimit rl = { > > + .rlim_cur =RLIM_INFINITY, > > + .rlim_max=RLIM_INFINITY, > > + }; > > + > > + msg = parse_opts(argc, argv, options, usage); > > + if (msg != NULL) > > + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); > > + > > + for (lc = 0; TEST_LOOPING(lc); lc++) { > > + switch (pid = fork()) { > > + case -1: > > + tst_brkm(TBROK|TERRNO, NULL, "fork"); > > + case 0: > > + memset(cc, 'c', 32*4096-1); > > + for (i=0;i<256;i++) > > + c[i] = cc; > > + if (setrlimit(RLIMIT_STACK, &rl) == -1) > > + tst_brkm(TBROK|TERRNO, NULL, "setrlimit"); > > + if (execve("/bin/true", c, c) == -1) > > + tst_brkm(TBROK|TERRNO, NULL, "execve"); > > I would just do perror("execve"), etc, because this is a child process > and according to the style guide you shouldn't use tst_resm in child > processes (I recommended that in the style guide for a very good > reason that you should understand). > > > + default: > > + if (waitpid(pid, &st, 0) == -1) > > + tst_brkm(TBROK|TERRNO, NULL, "waitpid"); > > + > > + if (! WIFEXITED(st)) > > + tst_brkm(TBROK, NULL, "child exit status is %d", WEXITSTATUS(st)); > > I agree with what Cyril said before about whitespace. > > ... > > -Garrett > > ------------------------------------------------------------------------------ > Xperia(TM) PLAY > It's a major breakthrough. An authentic gaming > smartphone on the nation's most reliable network. > And it wants your games. 
> http://p.sf.net/sfu/verizon-sfdev > _______________________________________________ > Ltp-list mailing list > Ltp-list@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/ltp-list [-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --] [-- Type: text/plain, Size: 5727 bytes --] From 0e226273edd93e50afdf5d698bfc000cc9823a8c Mon Sep 17 00:00:00 2001 From: Han Pingtian <phan@redhat.com> Date: Fri, 25 Feb 2011 17:51:24 +0800 Subject: [PATCH] thp testcase come from CVE reproducer This is a reproducer of CVE-2011-0999, which fixed by mainline commit a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: "Transparent hugepages can only be created if rmap is fully functional. So we must prevent hugepages to be created while is_vma_temporary_stack() is true." When running in a loop, it can trigger panic like this, if kernel unpatched: kernel BUG at mm/huge_memory.c:1260! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map .... So I recommend to run it as 'thp01 -I xxx'. Signed-off-by: Han Pingtian <phan@redhat.com> --- runtest/mm | 2 + testcases/kernel/mem/thp/Makefile | 23 ++++++++ testcases/kernel/mem/thp/thp01.c | 102 +++++++++++++++++++++++++++++++++++++ 3 files changed, 127 insertions(+), 0 deletions(-) create mode 100644 testcases/kernel/mem/thp/Makefile create mode 100644 testcases/kernel/mem/thp/thp01.c diff --git a/runtest/mm b/runtest/mm index f2d50d6..dded529 100644 --- a/runtest/mm +++ b/runtest/mm @@ -78,3 +78,5 @@ oom01 oom01 oom02 oom02 oom03 oom03 oom04 oom04 + +thp01 thp01 -I 600 diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile new file mode 100644 index 0000000..dbfbc1b --- /dev/null +++ b/testcases/kernel/mem/thp/Makefile 
@@ -0,0 +1,23 @@ +# +# Copyright (C) 2010 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. +# + +top_srcdir ?= ../../../.. + +include $(top_srcdir)/include/mk/testcases.mk +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c new file mode 100644 index 0000000..4c94031 --- /dev/null +++ b/testcases/kernel/mem/thp/thp01.c 
@@ -0,0 +1,102 @@ +/* + * This is a reproducer of CVE-2011-0999, which fixed by mainline commit + * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: + * + * "Transparent hugepages can only be created if rmap is fully + * functional. So we must prevent hugepages to be created while + * is_vma_temporary_stack() is true." + * + * It will cause a panic something like this, if the patch didn't get applied: + * + * kernel BUG at mm/huge_memory.c:1260! + * invalid opcode: 0000 [#1] SMP + * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map + * .... + * + * Copyright (C) 2010 Red Hat, Inc. + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + * + * This program is distributed in the hope that it would be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * + * Further, this software is distributed without any warranty that it + * is free of the rightful claim of any third person regarding + * infringement or the like. Any license provided herein, whether + * implied or otherwise, applies only to this software file. Patent + * licenses, if any, provided herein do not apply to combinations of + * this program with other software, or any other product whatsoever. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. 
+ */ +#include "test.h" +#include "usctest.h" +#include "config.h" + +char *TCID = "thp01"; +int TST_TOTAL = 1; + +#include <stdio.h> +#include <unistd.h> +#include <string.h> +#include <sys/resource.h> +#include <sys/types.h> +#include <sys/wait.h> + +int main(int argc, char **argv) +{ + int i, lc, st; + pid_t pid; + char *msg; + char *c[257]; + char cc[32*4096]; + struct rlimit rl = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, + }; + + if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL) + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); + + for (lc = 0; TEST_LOOPING(lc); lc++) { + switch (pid = fork()) { + case -1: + tst_brkm(TBROK|TERRNO, NULL, "fork"); + case 0: + memset(cc, 'c', 32*4096-1); + cc[32*4096-1] = '\0'; + + for (i=0;i<256;i++) + c[i] = cc; + if (setrlimit(RLIMIT_STACK, &rl) == -1) { + perror("setrlimit"); + exit(1); + } + if (execve("/bin/true", c, c) == -1) { + perror("execve"); + exit(2); + } + default: + if (waitpid(pid, &st, 0) == -1) + tst_brkm(TBROK|TERRNO, NULL, "waitpid"); + + if (!WIFEXITED(st)) + tst_brkm(TBROK, NULL, "child exits abnormally"); + + if (WEXITSTATUS(st) == 2) + tst_brkm(TBROK, NULL, "Do you have /bin/true installed?"); + + if (WEXITSTATUS(st) != 0) + tst_brkm(TBROK, NULL, "chaild exits with non-zero value"); + + tst_resm(TPASS, "thp01 pass"); + } + } + + tst_exit(); +} -- 1.7.4.2 [-- Attachment #3: Type: text/plain, Size: 250 bytes --] ------------------------------------------------------------------------------ Xperia(TM) PLAY It's a major breakthrough. An authentic gaming smartphone on the nation's most reliable network. And it wants your games. http://p.sf.net/sfu/verizon-sfdev [-- Attachment #4: Type: text/plain, Size: 155 bytes --] _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply related [flat|nested] 18+ messages in thread
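Review bot: in the thp01.c hunk the vector handed to execve() is never NULL-terminated. 'char *c[257]' is an automatic array, the loop assigns only c[0] through c[255], and c[256] is left indeterminate, yet execve() needs a NULL at the end of both argv and envp (here the same array serves as both), so whether the exec even works depends on stack garbage. Add 'c[256] = NULL;' after the loop. Two smaller things in the same hunk: exit() is declared in <stdlib.h>, which is not among the includes, so the call is implicitly declared unless test.h happens to pull that header in; and the 'case -1:' arm has no break and only avoids running into 'case 0:' because tst_brkm() does not return, which deserves at least a comment.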
* Re: [LTP] [PATCH] thp testcase come from CVE reproducer 2011-04-09 3:23 ` Han Pingtian @ 2011-04-09 6:12 ` Garrett Cooper 2011-04-27 3:40 ` [LTP] [PATCH v3] " Caspar Zhang 0 siblings, 1 reply; 18+ messages in thread From: Garrett Cooper @ 2011-04-09 6:12 UTC (permalink / raw) To: Han Pingtian; +Cc: ltp-list On Fri, Apr 8, 2011 at 8:23 PM, Han Pingtian <phan@redhat.com> wrote: > I have updated the patch based on your suggestions. Please review. > > Thanks. An inline diff would have been nice. Anyhow.. ... +#include "test.h" +#include "usctest.h" +#include "config.h" + +char *TCID = "thp01"; +int TST_TOTAL = 1; + +#include <stdio.h> +#include <unistd.h> +#include <string.h> +#include <sys/resource.h> +#include <sys/types.h> +#include <sys/wait.h> Please read the style guide and the example code I've provided in the style guide. This doesn't conform to those examples. +int main(int argc, char **argv) +{ + int i, lc, st; + pid_t pid; + char *msg; + char *c[257]; + char cc[32*4096]; + struct rlimit rl = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, + }; + + if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL) + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); + + for (lc = 0; TEST_LOOPING(lc); lc++) { + switch (pid = fork()) { + case -1: Unnecessary indentation. + tst_brkm(TBROK|TERRNO, NULL, "fork"); + case 0: + memset(cc, 'c', 32*4096-1); + cc[32*4096-1] = '\0'; Make the magic number (32*4096-1) a number. BTW -- did you derive this from a pagesize or something? If so, you should really use the sysconf function to derive _SC_PAGESIZE. + for (i=0;i<256;i++) [Lack of] whitespace. + c[i] = cc; + if (setrlimit(RLIMIT_STACK, &rl) == -1) { + perror("setrlimit"); + exit(1); + } + if (execve("/bin/true", c, c) == -1) { + perror("execve"); + exit(2); + } So, this isn't supposed to exit I assume? Seems kind of funky (i.e. would run out of processes). 
+ default: + if (waitpid(pid, &st, 0) == -1) + tst_brkm(TBROK|TERRNO, NULL, "waitpid"); + + if (!WIFEXITED(st)) + tst_brkm(TBROK, NULL, "child exits abnormally"); *exited. + if (WEXITSTATUS(st) == 2) + tst_brkm(TBROK, NULL, "Do you have /bin/true installed?"); Add a check at the beginning of the test to ensure (via stat) that /bin/true exists. That way you can skip this check. + if (WEXITSTATUS(st) != 0) + tst_brkm(TBROK, NULL, "chaild exits with non-zero value"); You didn't do a proper exit(0). How is this possible (unless the forked child runs to completion and exits the loop first which just seems like a bad idea because you're executing tst_exit() at the bottom)? + tst_resm(TPASS, "thp01 pass"); How do you know it passes from just one run when it could cascade over several iterations? My gut feeling is that this really should be moved somewhere else. + } + } + + tst_exit(); Indentation is off. +} ------------------------------------------------------------------------------ Xperia(TM) PLAY It's a major breakthrough. An authentic gaming smartphone on the nation's most reliable network. And it wants your games. http://p.sf.net/sfu/verizon-sfdev _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 18+ messages in thread
* [LTP] [PATCH v3] thp testcase come from CVE reproducer 2011-04-09 6:12 ` Garrett Cooper @ 2011-04-27 3:40 ` Caspar Zhang 2011-04-28 15:49 ` Cyril Hrubis 0 siblings, 1 reply; 18+ messages in thread From: Caspar Zhang @ 2011-04-27 3:40 UTC (permalink / raw) To: LTP List [-- Attachment #1: Type: text/plain, Size: 1002 bytes --] This is a reproducer of CVE-2011-0999, which fixed by mainline commit a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: "Transparent hugepages can only be created if rmap is fully functional. So we must prevent hugepages to be created while is_vma_temporary_stack() is true." When running in a loop, it can trigger panic like this, if kernel unpatched: kernel BUG at mm/huge_memory.c:1260! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map .... So I recommend to run it as 'thp01 -I xxx'. v2 & v3: update code style Signed-off-by: Pingtian Han <phan@redhat.com> Signed-off-by: Caspar Zhang <czhang@redhat.com> --- runtest/mm | 2 + testcases/kernel/mem/thp/Makefile | 23 +++++++ testcases/kernel/mem/thp/thp01.c | 127 +++++++++++++++++++++++++++++++++++++ 3 files changed, 152 insertions(+), 0 deletions(-) create mode 100644 testcases/kernel/mem/thp/Makefile create mode 100644 testcases/kernel/mem/thp/thp01.c [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --] [-- Type: text/x-patch; name="0001-thp-testcase-come-from-CVE-reproducer.patch", Size: 4972 bytes --] diff --git a/runtest/mm b/runtest/mm index f2d50d6..dded529 100644 --- a/runtest/mm +++ b/runtest/mm @@ -78,3 +78,5 @@ oom01 oom01 oom02 oom02 oom03 oom03 oom04 oom04 + +thp01 thp01 -I 600 diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile new file mode 100644 index 0000000..d43511a --- /dev/null +++ b/testcases/kernel/mem/thp/Makefile 
@@ -0,0 +1,23 @@ +# +# Copyright (C) 2011 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. +# + +top_srcdir ?= ../../../.. + +include $(top_srcdir)/include/mk/testcases.mk +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c new file mode 100644 index 0000000..a1d248f --- /dev/null +++ b/testcases/kernel/mem/thp/thp01.c 
@@ -0,0 +1,127 @@ +/* + * This is a reproducer of CVE-2011-0999, which fixed by mainline commit + * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: + * + * "Transparent hugepages can only be created if rmap is fully + * functional. So we must prevent hugepages to be created while + * is_vma_temporary_stack() is true." + * + * It will cause a panic something like this, if the patch didn't get + * applied: + * + * kernel BUG at mm/huge_memory.c:1260! + * invalid opcode: 0000 [#1] SMP + * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map + * .... + * + * Copyright (C) 2011 Red Hat, Inc. + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + * + * This program is distributed in the hope that it would be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * + * Further, this software is distributed without any warranty that it + * is free of the rightful claim of any third person regarding + * infringement or the like. Any license provided herein, whether + * implied or otherwise, applies only to this software file. Patent + * licenses, if any, provided herein do not apply to combinations of + * this program with other software, or any other product whatsoever. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. 
+ */ + +#include <sys/types.h> +#include <sys/resource.h> +#include <sys/wait.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include "test.h" +#include "usctest.h" +#include "config.h" + +char *TCID = "thp01"; +int TST_TOTAL = 1; + +#define ARRAY_SZ 256 + +static int ps; +static long length; +static char *array[ARRAY_SZ]; +static char *arg; + +struct rlimit rl = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, +}; + +static void setup(void); +static void cleanup(void); + +int main(int argc, char **argv) +{ + int i, lc, st; + pid_t pid; + char *msg; + + msg = parse_opts(argc, argv, NULL, NULL); + if (msg != NULL) + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); + + setup(); + + for (lc = 0; TEST_LOOPING(lc); lc++) { + switch (pid = fork()) { + case -1: + tst_brkm(TBROK|TERRNO, cleanup, "fork"); + case 0: + memset(arg, 'c', length - 1); + arg[length - 1] = '\0'; + for (i = 0; i < ARRAY_SZ; i++) + array[i] = arg; + if (setrlimit(RLIMIT_STACK, &rl) == -1) { + perror("setrlimit"); + exit(1); + } + if (execve("/bin/true", array, array) == -1) { + perror("execve"); + exit(1); + } + default: + if (waitpid(pid, &st, 0) == -1) + tst_brkm(TBROK|TERRNO, cleanup, "waitpid"); + if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) + tst_brkm(TBROK, cleanup, + "child exited abnormally"); + } + } + tst_resm(TPASS, "system didn't crash, pass."); + cleanup(); + tst_exit(); +} + +static void setup() +{ + if (access("/bin/true", F_OK) == -1) + tst_brkm(TBROK, NULL, "/bin/true not exist"); + + ps = sysconf(_SC_PAGESIZE); + length = 32 * ps; + arg = malloc(length * sizeof(char)); + if (arg == NULL) + tst_brkm(TBROK|TERRNO, NULL, "malloc"); + + tst_sig(FORK, DEF_HANDLER, cleanup); + TEST_PAUSE; +} + +static void cleanup() +{ + TEST_CLEANUP; +} [-- Attachment #3: Type: text/plain, Size: 355 bytes --] ------------------------------------------------------------------------------ WhatsUp Gold - Download Free Network Management Software The most intuitive, 
comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution. http://p.sf.net/sfu/whatsupgold-sd [-- Attachment #4: Type: text/plain, Size: 155 bytes --] _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply related [flat|nested] 18+ messages in thread
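Review bot: the thp01.c hunk still has no terminator on the exec vector, just in a new shape: 'static char *array[ARRAY_SZ]' has exactly 256 slots and 'for (i = 0; i < ARRAY_SZ; i++) array[i] = arg;' fills all of them, so the NULL that execve() stops at has to come from whatever object the compiler places after 'array' in .bss. That is undefined behaviour and, depending on layout, gives either EFAULT from execve() or a longer argv/envp than intended. Fill ARRAY_SZ - 1 slots and set 'array[ARRAY_SZ - 1] = NULL;', and since array[0] is argv[0], consider making it "true" rather than a 128 KiB string. Also, the malloc()/exit() calls in this hunk still lack <stdlib.h>, and setup() treating a missing /bin/true as TBROK makes a configuration problem look like a test failure; TCONF fits better.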
* Re: [LTP] [PATCH v3] thp testcase come from CVE reproducer 2011-04-27 3:40 ` [LTP] [PATCH v3] " Caspar Zhang @ 2011-04-28 15:49 ` Cyril Hrubis 2011-04-30 2:56 ` [LTP] [PATCH v4] " Caspar Zhang 0 siblings, 1 reply; 18+ messages in thread From: Cyril Hrubis @ 2011-04-28 15:49 UTC (permalink / raw) To: Caspar Zhang; +Cc: LTP List Hi! > +#include <sys/types.h> > +#include <sys/resource.h> > +#include <sys/wait.h> > +#include <stdio.h> > +#include <string.h> > +#include <unistd.h> > +#include "test.h" > +#include "usctest.h" > +#include "config.h" > + > +char *TCID = "thp01"; > +int TST_TOTAL = 1; > + > +#define ARRAY_SZ 256 > + > +static int ps; > +static long length; > +static char *array[ARRAY_SZ]; > +static char *arg; > + > +struct rlimit rl = { > + .rlim_cur = RLIM_INFINITY, > + .rlim_max = RLIM_INFINITY, > +}; Perhaps static struct rlimit just to be consistent. > +static void setup(void); > +static void cleanup(void); > + > +int main(int argc, char **argv) > +{ > + int i, lc, st; > + pid_t pid; > + char *msg; > + > + msg = parse_opts(argc, argv, NULL, NULL); > + if (msg != NULL) > + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); > + > + setup(); > + > + for (lc = 0; TEST_LOOPING(lc); lc++) { > + switch (pid = fork()) { > + case -1: > + tst_brkm(TBROK|TERRNO, cleanup, "fork"); > + case 0: > + memset(arg, 'c', length - 1); > + arg[length - 1] = '\0'; > + for (i = 0; i < ARRAY_SZ; i++) > + array[i] = arg; > + if (setrlimit(RLIMIT_STACK, &rl) == -1) { > + perror("setrlimit"); > + exit(1); > + } > + if (execve("/bin/true", array, array) == -1) { > + perror("execve"); > + exit(1); > + } > + default: > + if (waitpid(pid, &st, 0) == -1) > + tst_brkm(TBROK|TERRNO, cleanup, "waitpid"); > + if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) > + tst_brkm(TBROK, cleanup, > + "child exited abnormally"); > + } > + } > + tst_resm(TPASS, "system didn't crash, pass."); > + cleanup(); > + tst_exit(); > +} > + > +static void setup() > +{ Please void into prototypes here as well 
e.g.: static void setup(void) > + if (access("/bin/true", F_OK) == -1) > + tst_brkm(TBROK, NULL, "/bin/true not exist"); Should rather be "/bin/true does not exists" and maybe TCONF rather than TBROK. > + ps = sysconf(_SC_PAGESIZE); > + length = 32 * ps; > + arg = malloc(length * sizeof(char)); sizeof(char) is 1 by definition > + if (arg == NULL) > + tst_brkm(TBROK|TERRNO, NULL, "malloc"); > + > + tst_sig(FORK, DEF_HANDLER, cleanup); > + TEST_PAUSE; > +} > + > +static void cleanup() Here void as well. > +{ > + TEST_CLEANUP; > +} -- Cyril Hrubis chrubis@suse.cz _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 18+ messages in thread
* [LTP] [PATCH v4] thp testcase come from CVE reproducer 2011-04-28 15:49 ` Cyril Hrubis @ 2011-04-30 2:56 ` Caspar Zhang 2011-04-30 3:05 ` Mike Frysinger 0 siblings, 1 reply; 18+ messages in thread From: Caspar Zhang @ 2011-04-30 2:56 UTC (permalink / raw) To: LTP List [-- Attachment #1: Type: text/plain, Size: 974 bytes --] This is a reproducer of CVE-2011-0999, which fixed by mainline commit a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: "Transparent hugepages can only be created if rmap is fully functional. So we must prevent hugepages to be created while is_vma_temporary_stack() is true." When running in a loop, it can trigger panic like this, if kernel unpatched: kernel BUG at mm/huge_memory.c:1260! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map .... So I recommend to run it as 'thp01 -I xxx'. Signed-off-by: Pingtian Han <phan@redhat.com> Signed-off-by: Caspar Zhang <czhang@redhat.com> --- runtest/mm | 2 + testcases/kernel/mem/thp/Makefile | 23 +++++++ testcases/kernel/mem/thp/thp01.c | 126 +++++++++++++++++++++++++++++++++++++ 3 files changed, 151 insertions(+), 0 deletions(-) create mode 100644 testcases/kernel/mem/thp/Makefile create mode 100644 testcases/kernel/mem/thp/thp01.c [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --] [-- Type: text/x-patch; name="0001-thp-testcase-come-from-CVE-reproducer.patch", Size: 4975 bytes --] diff --git a/runtest/mm b/runtest/mm index f2d50d6..dded529 100644 --- a/runtest/mm +++ b/runtest/mm @@ -78,3 +78,5 @@ oom01 oom01 oom02 oom02 oom03 oom03 oom04 oom04 + +thp01 thp01 -I 600 diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile new file mode 100644 index 0000000..d43511a --- /dev/null +++ b/testcases/kernel/mem/thp/Makefile 
@@ -0,0 +1,23 @@ +# +# Copyright (C) 2011 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. +# + +top_srcdir ?= ../../../.. + +include $(top_srcdir)/include/mk/testcases.mk +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c new file mode 100644 index 0000000..bcb03e6 --- /dev/null +++ b/testcases/kernel/mem/thp/thp01.c 
@@ -0,0 +1,126 @@ +/* + * This is a reproducer of CVE-2011-0999, which fixed by mainline commit + * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: + * + * "Transparent hugepages can only be created if rmap is fully + * functional. So we must prevent hugepages to be created while + * is_vma_temporary_stack() is true." + * + * It will cause a panic something like this, if the patch didn't get + * applied: + * + * kernel BUG at mm/huge_memory.c:1260! + * invalid opcode: 0000 [#1] SMP + * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map + * .... + * + * Copyright (C) 2011 Red Hat, Inc. + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + * + * This program is distributed in the hope that it would be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * + * Further, this software is distributed without any warranty that it + * is free of the rightful claim of any third person regarding + * infringement or the like. Any license provided herein, whether + * implied or otherwise, applies only to this software file. Patent + * licenses, if any, provided herein do not apply to combinations of + * this program with other software, or any other product whatsoever. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. 
+ */ + +#include <sys/types.h> +#include <sys/resource.h> +#include <sys/wait.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include "test.h" +#include "usctest.h" +#include "config.h" + +char *TCID = "thp01"; +int TST_TOTAL = 1; + +#define ARRAY_SZ 256 + +static int ps; +static long length; +static char *array[ARRAY_SZ]; +static char *arg; +static struct rlimit rl = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, +}; + +static void setup(void); +static void cleanup(void); + +int main(int argc, char **argv) +{ + int i, lc, st; + pid_t pid; + char *msg; + + msg = parse_opts(argc, argv, NULL, NULL); + if (msg != NULL) + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); + + setup(); + + for (lc = 0; TEST_LOOPING(lc); lc++) { + switch (pid = fork()) { + case -1: + tst_brkm(TBROK|TERRNO, cleanup, "fork"); + case 0: + memset(arg, 'c', length - 1); + arg[length - 1] = '\0'; + for (i = 0; i < ARRAY_SZ; i++) + array[i] = arg; + if (setrlimit(RLIMIT_STACK, &rl) == -1) { + perror("setrlimit"); + exit(1); + } + if (execve("/bin/true", array, array) == -1) { + perror("execve"); + exit(1); + } + default: + if (waitpid(pid, &st, 0) == -1) + tst_brkm(TBROK|TERRNO, cleanup, "waitpid"); + if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) + tst_brkm(TBROK, cleanup, + "child exited abnormally"); + } + } + tst_resm(TPASS, "system didn't crash, pass."); + cleanup(); + tst_exit(); +} + +static void setup(void) +{ + if (access("/bin/true", F_OK) == -1) + tst_brkm(TCONF, NULL, "/bin/true does not exist"); + + ps = sysconf(_SC_PAGESIZE); + length = 32 * ps; + arg = malloc(length); + if (arg == NULL) + tst_brkm(TBROK|TERRNO, NULL, "malloc"); + + tst_sig(FORK, DEF_HANDLER, cleanup); + TEST_PAUSE; +} + +static void cleanup(void) +{ + TEST_CLEANUP; +} [-- Attachment #3: Type: text/plain, Size: 355 bytes --] ------------------------------------------------------------------------------ WhatsUp Gold - Download Free Network Management Software The most intuitive, 
comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution. http://p.sf.net/sfu/whatsupgold-sd [-- Attachment #4: Type: text/plain, Size: 155 bytes --] _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply related [flat|nested] 18+ messages in thread
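Review bot: the test never checks that transparent hugepages are enabled, so on a kernel with THP disabled or not built in it still ends with 'system didn't crash, pass.' without having touched the code path the CVE is about; read /sys/kernel/mm/transparent_hugepage/enabled in setup() and tst_brkm(TCONF, ...) unless the bracketed mode is 'always' (the exec-time stack is not madvise()d, so the 'madvise' setting does not cover it). Two smaller points in the same hunk: raising rlim_max to RLIM_INFINITY needs CAP_SYS_RESOURCE unless the hard limit is already unlimited, so an unprivileged run dies in setrlimit() with exit(1), which is reported as 'child exited abnormally', the same message a failed execve() (also exit(1)) and a signal-killed child get; use distinct exit codes and print the wait status. And the unterminated 'array' from v3 (all ARRAY_SZ slots filled, no NULL) is unchanged here.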
* Re: [LTP] [PATCH v4] thp testcase come from CVE reproducer 2011-04-30 2:56 ` [LTP] [PATCH v4] " Caspar Zhang @ 2011-04-30 3:05 ` Mike Frysinger 2011-04-30 8:46 ` [LTP] [PATCH v5] " Caspar Zhang 0 siblings, 1 reply; 18+ messages in thread From: Mike Frysinger @ 2011-04-30 3:05 UTC (permalink / raw) To: ltp-list [-- Attachment #1.1: Type: Text/Plain, Size: 97 bytes --] Don't hard-depend on /bin/true. Simply execute it through $PATH, i.e. use execvp(). -mike [-- Attachment #1.2: This is a digitally signed message part. --] [-- Type: application/pgp-signature, Size: 836 bytes --] [-- Attachment #3: Type: text/plain, Size: 155 bytes --] _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list ^ permalink raw reply [flat|nested] 18+ messages in thread
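The reproducer the thread converges on, written out as an added example; this is not LTP's thp01.c and not code from anyone in the thread. It keeps the technique (a child lifts RLIMIT_STACK, then execs "true" found via PATH as Mike suggests, with a few MiB of argv that the kernel copies into the temporary exec stack) and adds what a practitioner would want: the vector is NULL-terminated, the THP mode is read from /sys/kernel/mm/transparent_hugepage/enabled and the run is skipped unless it is "always" (my assumption: an exec stack that nobody madvise()s only gets huge pages in that mode), and setrlimit() and exec failures exit with different codes. ARGV_SLOTS, STACK_PAGES and the function names are this example's own choices. On an unfixed kernel the expected outcome is the panic from the commit message, not an error message; on a fixed one the child simply exits 0 every iteration.

```c
/* Added example (not LTP's thp01.c, not code from the thread): exec "true" with an
 * oversized argv on an unlimited stack, like the reproducer, with fixes.  Names are mine. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

#define ARGV_SLOTS 256   /* pointers in the vector; the last one is the NULL */
#define STACK_PAGES 32   /* length of each argument, in pages */
#define THP_ENABLED "/sys/kernel/mm/transparent_hugepage/enabled"

/* Bracketed word of sysfs text like "always [madvise] never\n" -> mode; -1 if none/too long. */
int parse_thp_mode(const char *text, char *mode, size_t mode_len)
{
	const char *open = strchr(text, '[');
	const char *close = open ? strchr(open, ']') : NULL;
	size_t n = close ? (size_t)(close - open - 1) : 0;
	if (n == 0 || n >= mode_len)
		return -1;
	memcpy(mode, open + 1, n);
	mode[n] = '\0';
	return 0;
}

/* One argument of `pages` pages: 'c' bytes plus the terminating NUL (caller frees). */
char *make_big_arg(long page_size, int pages)
{
	size_t len = (size_t)page_size * (size_t)pages;
	char *arg = malloc(len);
	if (arg) {
		memset(arg, 'c', len - 1);
		arg[len - 1] = '\0';
	}
	return arg;
}

/* vec[0] = program, the rest point at arg, last slot the NULL that execve()
 * requires (the thread's patches fill every slot).  Returns the non-NULL count. */
int build_exec_vector(char **vec, size_t slots, char *argv0, char *arg)
{
	size_t i;
	if (slots < 2)
		return -1;
	vec[0] = argv0;
	for (i = 1; i < slots - 1; i++)
		vec[i] = arg;
	vec[slots - 1] = NULL;
	return (int)(slots - 1);
}

/* Fork, lift RLIMIT_STACK (it also caps how much argv/envp exec accepts), exec vec[0]
 * via PATH; 0 if the child exited 0.  setrlimit and exec failures use distinct codes. */
static int exec_with_huge_argv(char **vec)
{
	struct rlimit rl = { RLIM_INFINITY, RLIM_INFINITY };
	int st = 0;
	pid_t pid = fork();
	if (pid == 0) {
		/* raising rlim_max needs CAP_SYS_RESOURCE unless it is already unlimited */
		if (setrlimit(RLIMIT_STACK, &rl) == -1) {
			perror("setrlimit");
			_exit(2);
		}
		execvp(vec[0], vec);
		perror("execvp");
		_exit(3);
	}
	if (pid == -1 || waitpid(pid, &st, 0) == -1 || !WIFEXITED(st) || WEXITSTATUS(st)) {
		fprintf(stderr, "fork/exec failed, wait status 0x%x\n", st);
		return -1;
	}
	return 0;
}

int main(int argc, char **argv)
{
	int i, iterations = argc > 1 ? atoi(argv[1]) : 1;
	char text[128], mode[32], *arg, *vec[ARGV_SLOTS];
	FILE *f = fopen(THP_ENABLED, "r");
	if (!f || !fgets(text, sizeof(text), f) ||
	    parse_thp_mode(text, mode, sizeof(mode)) || strcmp(mode, "always")) {
		fputs("THP not in 'always' mode: the exec stack gets no huge pages, skipping\n", stderr);
		return 0;
	}
	fclose(f);
	if (!(arg = make_big_arg(sysconf(_SC_PAGESIZE), STACK_PAGES))) {
		perror("malloc");
		return 1;
	}
	build_exec_vector(vec, ARGV_SLOTS, "true", arg);
	for (i = 0; i < iterations; i++)
		if (exec_with_huge_argv(vec))
			return 1;
	printf("%d exec(s) with a huge argv survived\n", iterations);
	return 0;
}
```

Build with a plain cc and run it with an iteration count (for example 600) on a box whose THP mode is "always"; if the hard stack limit is below unlimited and you lack CAP_SYS_RESOURCE, the child exits 2 and the parent prints the wait status (0x200), which is the one failure the thread's versions could not tell apart from a missing "true".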
* [LTP] [PATCH v5] thp testcase come from CVE reproducer 2011-04-30 3:05 ` Mike Frysinger @ 2011-04-30 8:46 ` Caspar Zhang 2011-05-06 3:46 ` Caspar Zhang 2011-05-06 13:41 ` Cyril Hrubis 0 siblings, 2 replies; 18+ messages in thread From: Caspar Zhang @ 2011-04-30 8:46 UTC (permalink / raw) To: LTP List [-- Attachment #1: Type: text/plain, Size: 1048 bytes --] This is a reproducer of CVE-2011-0999, which fixed by mainline commit a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: "Transparent hugepages can only be created if rmap is fully functional. So we must prevent hugepages to be created while is_vma_temporary_stack() is true." When running in a loop, it can trigger panic like this, if kernel unpatched: kernel BUG at mm/huge_memory.c:1260! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map .... So I recommend to run it as 'thp01 -I xxx'. v5: not using hard depend on /bin/true, use execvp() and "true" instead. Signed-off-by: Pingtian Han <phan@redhat.com> Signed-off-by: Caspar Zhang <czhang@redhat.com> --- runtest/mm | 2 + testcases/kernel/mem/thp/Makefile | 23 +++++++ testcases/kernel/mem/thp/thp01.c | 124 +++++++++++++++++++++++++++++++++++++ 3 files changed, 149 insertions(+), 0 deletions(-) create mode 100644 testcases/kernel/mem/thp/Makefile create mode 100644 testcases/kernel/mem/thp/thp01.c [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --] [-- Type: text/x-patch; name="0001-thp-testcase-come-from-CVE-reproducer.patch", Size: 4904 bytes --] diff --git a/runtest/mm b/runtest/mm index f2d50d6..dded529 100644 --- a/runtest/mm +++ b/runtest/mm @@ -78,3 +78,5 @@ oom01 oom01 oom02 oom02 oom03 oom03 oom04 oom04 + +thp01 thp01 -I 600 diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile new file mode 100644 index 0000000..d43511a --- /dev/null +++ b/testcases/kernel/mem/thp/Makefile 
@@ -0,0 +1,23 @@ +# +# Copyright (C) 2011 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. +# + +top_srcdir ?= ../../../.. + +include $(top_srcdir)/include/mk/testcases.mk +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c new file mode 100644 index 0000000..4432150 --- /dev/null +++ b/testcases/kernel/mem/thp/thp01.c 
@@ -0,0 +1,124 @@ +/* + * This is a reproducer of CVE-2011-0999, which fixed by mainline commit + * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: + * + * "Transparent hugepages can only be created if rmap is fully + * functional. So we must prevent hugepages to be created while + * is_vma_temporary_stack() is true." + * + * It will cause a panic something like this, if the patch didn't get + * applied: + * + * kernel BUG at mm/huge_memory.c:1260! + * invalid opcode: 0000 [#1] SMP + * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map + * .... + * + * Copyright (C) 2011 Red Hat, Inc. + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + * + * This program is distributed in the hope that it would be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * + * Further, this software is distributed without any warranty that it + * is free of the rightful claim of any third person regarding + * infringement or the like. Any license provided herein, whether + * implied or otherwise, applies only to this software file. Patent + * licenses, if any, provided herein do not apply to combinations of + * this program with other software, or any other product whatsoever. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. 
+ */ + +#include <sys/types.h> +#include <sys/resource.h> +#include <sys/wait.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include "test.h" +#include "usctest.h" +#include "config.h" + +char *TCID = "thp01"; +int TST_TOTAL = 1; + +#define ARRAY_SZ 256 + +static int ps; +static long length; +static char *array[ARRAY_SZ]; +static char *arg; +static struct rlimit rl = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, +}; + +static void setup(void); +static void cleanup(void); + +int main(int argc, char **argv) +{ + int i, lc, st; + pid_t pid; + char *msg; + + msg = parse_opts(argc, argv, NULL, NULL); + if (msg != NULL) + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); + + setup(); + + for (lc = 0; TEST_LOOPING(lc); lc++) { + switch (pid = fork()) { + case -1: + tst_brkm(TBROK|TERRNO, cleanup, "fork"); + case 0: + memset(arg, 'c', length - 1); + arg[length - 1] = '\0'; + for (i = 0; i < ARRAY_SZ - 1; i++) + array[i] = arg; + array[ARRAY_SZ - 1] = NULL; + if (setrlimit(RLIMIT_STACK, &rl) == -1) { + perror("setrlimit"); + exit(1); + } + if (execvp("true", array) == -1) { + perror("execvp"); + exit(1); + } + default: + if (waitpid(pid, &st, 0) == -1) + tst_brkm(TBROK|TERRNO, cleanup, "waitpid"); + if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) + tst_brkm(TBROK, cleanup, + "child exited abnormally"); + } + } + tst_resm(TPASS, "system didn't crash, pass."); + cleanup(); + tst_exit(); +} + +static void setup(void) +{ + ps = sysconf(_SC_PAGESIZE); + length = 32 * ps; + arg = malloc(length); + if (arg == NULL) + tst_brkm(TBROK|TERRNO, NULL, "malloc"); + + tst_sig(FORK, DEF_HANDLER, cleanup); + TEST_PAUSE; +} + +static void cleanup(void) +{ + TEST_CLEANUP; +} [-- Attachment #3: Type: text/plain, Size: 355 bytes --] ------------------------------------------------------------------------------ WhatsUp Gold - Download Free Network Management Software The most intuitive, comprehensive, and cost-effective network management toolset available 
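Review bot: missing include in thp01.c: the file calls malloc() in setup() and exit() in the child but includes neither <stdlib.h> nor anything that visibly declares them, relying on test.h to pull it in; add `#include <stdlib.h>` next to `<string.h>`, since an implicitly declared malloc() returns int and truncates the pointer on 64-bit builds if the transitive include ever goes away. In the `switch (pid = fork())`, `case -1:` has no `break` and runs into `case 0:` if tst_brkm() ever returned, and the `case 0:` branch likewise runs into `default:` after the execvp() failure path; a `break;` (or `exit(1)` as the last statement) after each makes the intent explicit. The child's `perror(); exit(1)` handling is fine as-is because the parent turns any non-zero status into TBROK.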
* Re: [LTP] [PATCH v5] thp testcase come from CVE reproducer
From: Caspar Zhang @ 2011-05-06 3:46 UTC
To: LTP List

On 04/30/2011 04:46 PM, Caspar Zhang wrote:
>
> This is a reproducer of CVE-2011-0999, which is fixed by mainline commit
> a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
>
> "Transparent hugepages can only be created if rmap is fully functional.
> So we must prevent hugepages to be created while
> is_vma_temporary_stack() is true."
>
> When running in a loop, it can trigger a panic like this if the kernel is
> unpatched:
>
> kernel BUG at mm/huge_memory.c:1260!
> invalid opcode: 0000 [#1] SMP
> last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
> ....
>
> So I recommend running it as 'thp01 -I xxx'.
>
> v5: do not hard-depend on /bin/true; use execvp() and "true" instead.
>
> Signed-off-by: Pingtian Han <phan@redhat.com>
> Signed-off-by: Caspar Zhang <czhang@redhat.com>
> ---
> runtest/mm | 2 +
> testcases/kernel/mem/thp/Makefile | 23 +++++++
> testcases/kernel/mem/thp/thp01.c | 124 +++++++++++++++++++++++++++++++++++++
> 3 files changed, 149 insertions(+), 0 deletions(-)
> create mode 100644 testcases/kernel/mem/thp/Makefile
> create mode 100644 testcases/kernel/mem/thp/thp01.c
>

Hi all,

I've modified the patch as suggested and tested it. Any comments on this new case?

Thanks,
Caspar
* Re: [LTP] [PATCH v5] thp testcase come from CVE reproducer
From: Cyril Hrubis @ 2011-05-06 13:41 UTC
To: Caspar Zhang; Cc: LTP List

Hi!

> diff --git a/runtest/mm b/runtest/mm
> index f2d50d6..dded529 100644
> --- a/runtest/mm
> +++ b/runtest/mm
> @@ -78,3 +78,5 @@ oom01 oom01
> oom02 oom02
> oom03 oom03
> oom04 oom04
> +
> +thp01 thp01 -I 600

On my machine this runs for 10 minutes (-I 1 runs for more than a second). Is this amount of iterations really needed?

The rest looks good enough.

--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH v6] mm: thp testcase come from CVE reproducer
From: Caspar Zhang @ 2011-05-30 14:46 UTC
To: LTP List

This is a reproducer of CVE-2011-0999, which is fixed by mainline commit a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:

"Transparent hugepages can only be created if rmap is fully functional. So we must prevent hugepages to be created while is_vma_temporary_stack() is true."

When running in a loop, it can trigger a panic like this if the kernel is unpatched:

kernel BUG at mm/huge_memory.c:1260!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
....

So I recommend running it as 'thp01 -I xxx'.

v5: do not hard-depend on /bin/true; use execvp() and "true" instead.
v6: set testing time to 2 min.

Signed-off-by: Pingtian Han <phan@redhat.com>
Signed-off-by: Caspar Zhang <czhang@redhat.com>
---
 runtest/mm | 2 +
 testcases/kernel/mem/thp/Makefile | 23 +++++++
 testcases/kernel/mem/thp/thp01.c | 124 +++++++++++++++++++++++++++++++++++++
 3 files changed, 149 insertions(+), 0 deletions(-)
 create mode 100644 testcases/kernel/mem/thp/Makefile
 create mode 100644 testcases/kernel/mem/thp/thp01.c

Attachment #2: 0001-mm-thp-testcase-come-from-CVE-reproducer.patch
diff --git a/runtest/mm b/runtest/mm index f2d50d6..df7d0cb 100644 --- a/runtest/mm +++ b/runtest/mm @@ -78,3 +78,5 @@ oom01 oom01 oom02 oom02 oom03 oom03 oom04 oom04 + +thp01 thp01 -I 120 diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile new file mode 100644 index 0000000..d43511a --- /dev/null +++ b/testcases/kernel/mem/thp/Makefile 
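Review bot: `-I 120` in the runtest/mm hunk is a wall-clock bound, not an iteration count (the v5 entry with `-I 600` ran for ten minutes on the reviewer's machine, and this revision describes the change as "set testing time to 2 min"), so the number of fork()/execvp() attempts the entry actually performs depends on how fast the host can exec 255 arguments of 32 pages each. State in the commit message, or in a comment next to the entry, roughly how many iterations 120 s yields on the machine where the panic was reproduced, so a reviewer can judge whether a slower box still gets enough attempts for the test to be meaningful.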
@@ -0,0 +1,23 @@ +# +# Copyright (C) 2011 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or (at +# your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. +# + +top_srcdir ?= ../../../.. + +include $(top_srcdir)/include/mk/testcases.mk +include $(top_srcdir)/include/mk/generic_leaf_target.mk diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c new file mode 100644 index 0000000..6c7cce3 --- /dev/null +++ b/testcases/kernel/mem/thp/thp01.c 
@@ -0,0 +1,124 @@ +/* + * This is a reproducer of CVE-2011-0999, which fixed by mainline commit + * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: + * + * "Transparent hugepages can only be created if rmap is fully + * functional. So we must prevent hugepages to be created while + * is_vma_temporary_stack() is true." + * + * It will cause a panic something like this, if the patch didn't get + * applied: + * + * kernel BUG at mm/huge_memory.c:1260! + * invalid opcode: 0000 [#1] SMP + * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map + * .... + * + * Copyright (C) 2011 Red Hat, Inc. + * This program is free software; you can redistribute it and/or + * modify it under the terms of version 2 of the GNU General Public + * License as published by the Free Software Foundation. + * + * This program is distributed in the hope that it would be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * + * Further, this software is distributed without any warranty that it + * is free of the rightful claim of any third person regarding + * infringement or the like. Any license provided herein, whether + * implied or otherwise, applies only to this software file. Patent + * licenses, if any, provided herein do not apply to combinations of + * this program with other software, or any other product whatsoever. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. 
+ */ + +#include <sys/types.h> +#include <sys/resource.h> +#include <sys/wait.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include "test.h" +#include "usctest.h" +#include "config.h" + +char *TCID = "thp01"; +int TST_TOTAL = 1; + +#define ARRAY_SZ 256 + +static int ps; +static long length; +static char *array[ARRAY_SZ]; +static char *arg; +static struct rlimit rl = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, +}; + +static void setup(void); +static void cleanup(void); + +int main(int argc, char **argv) +{ + int i, lc, st; + pid_t pid; + char *msg; + + msg = parse_opts(argc, argv, NULL, NULL); + if (msg != NULL) + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); + + setup(); + + for (lc = 0; TEST_LOOPING(lc); lc++) { + switch (pid = fork()) { + case -1: + tst_brkm(TBROK|TERRNO, cleanup, "fork"); + case 0: + memset(arg, 'c', length - 1); + arg[length - 1] = '\0'; + for (i = 0; i < ARRAY_SZ - 1; i++) + array[i] = arg; + array[ARRAY_SZ - 1] = NULL; + if (setrlimit(RLIMIT_STACK, &rl) == -1) { + perror("setrlimit"); + exit(1); + } + if (execvp("true", array) == -1) { + perror("execvp"); + exit(1); + } + default: + if (waitpid(pid, &st, 0) == -1) + tst_brkm(TBROK|TERRNO, cleanup, "waitpid"); + if (!WIFEXITED(st) || WEXITSTATUS(st) != 0) + tst_brkm(TBROK, cleanup, + "child exited abnormally"); + } + } + tst_resm(TPASS, "system didn't crash, pass."); + cleanup(); + tst_exit(); +} + +static void setup(void) +{ + ps = sysconf(_SC_PAGESIZE); + length = 32 * ps; + arg = malloc(length); + if (arg == NULL) + tst_brkm(TBROK|TERRNO, NULL, "malloc"); + + tst_sig(FORK, DEF_HANDLER, cleanup); + TEST_PAUSE; +} + +static void cleanup(void) +{ + TEST_CLEANUP; +} [-- Attachment #3: Type: text/plain, Size: 335 bytes --] ------------------------------------------------------------------------------ vRanger cuts backup time in half-while increasing security. 
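Review bot: undocumented magic sizes in thp01.c: `length = 32 * ps`, `#define ARRAY_SZ 256` (255 copies of the same argument) and raising RLIMIT_STACK to RLIM_INFINITY in the child are what make the exec-time stack large enough to matter for the reproduction, but none of the three carries a comment saying so; a maintainer could shrink any one of them and silently lose the reproducer, so document why each value is needed where it is defined. Also `ps = sysconf(_SC_PAGESIZE)` is not checked for -1; on failure `length` goes negative and the following `malloc(length)` fails with an ENOMEM that points at the wrong call. Check the sysconf() return with `tst_brkm(TBROK|TERRNO, NULL, "sysconf")` to match the malloc() handling just below it.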
* Re: [LTP] [PATCH v6] mm: thp testcase come from CVE reproducer
From: Cyril Hrubis @ 2011-05-31 15:32 UTC
To: Caspar Zhang; Cc: LTP List

Hi!

Committed, thanks.

--
Cyril Hrubis
chrubis@suse.cz
Thread overview: 18+ messages
2011-02-25 10:36 [LTP] [PATCH] thp testcase come from CVE reproducer Han Pingtian
2011-03-04 10:38 ` Garrett Cooper
2011-03-07 7:29 ` Han Pingtian
2011-03-11 4:54 ` Han Pingtian
2011-04-06 19:19 ` Cyril Hrubis
[not found] ` <BANLkTik=ZwxHTEgF_E9UeC1Tutx-MRnMkw@mail.gmail.com>
2011-04-07 19:41 ` Cyril Hrubis
2011-04-07 6:57 ` Garrett Cooper
2011-04-09 3:23 ` Han Pingtian
2011-04-09 6:12 ` Garrett Cooper
2011-04-27 3:40 ` [LTP] [PATCH v3] " Caspar Zhang
2011-04-28 15:49 ` Cyril Hrubis
2011-04-30 2:56 ` [LTP] [PATCH v4] " Caspar Zhang
2011-04-30 3:05 ` Mike Frysinger
2011-04-30 8:46 ` [LTP] [PATCH v5] " Caspar Zhang
2011-05-06 3:46 ` Caspar Zhang
2011-05-06 13:41 ` Cyril Hrubis
2011-05-30 14:46 ` [LTP] [PATCH v6] mm: " Caspar Zhang
2011-05-31 15:32 ` Cyril Hrubis