public inbox for ltp@lists.linux.it
* [LTP] Unifying syscalls tests for EFAULT
@ 2014-04-30 12:14 chrubis
       [not found] ` <1372990689.12607095.1398862329568.JavaMail.zimbra@redhat.com>
  0 siblings, 1 reply; 3+ messages in thread
From: chrubis @ 2014-04-30 12:14 UTC (permalink / raw)
  To: ltp-list

Hi!
We have quite a lot of testcases that pass a wrong pointer to syscalls
to check that they return EFAULT and several ad-hoc ways to do this.
I've looked at the code we have and at the kernel implementation in
order to fix this mess.

There are several ways that testcases use to generate a bad address:

* (void*)-1
* get_high_address()
* mmap(..., PROT_NONE, ...)


I've looked at how the checking is implemented in the kernel and it boils
down to various get_user/put_user variants of strncpy built on top of the
__get_user and __put_user functions.

On x86 these functions do a coarse check for overflow, which should be
triggered by the (void*)-1 parameter, then check if the pointer is smaller
than the maximal possible userspace address, and then proceed with the
memory access. If the memory access creates a page fault, the page fault
handler executes fixup code which returns EFAULT, and if I understand
this correctly this is the case for both get_high_address() and
mmap(..., PROT_NONE, ...).

Then there are other architectures that do things a little bit
differently and I'm not even sure how because most of the functions are
written in assembler.

Now there are a few things I wonder about:

* Is there a machine that has userspace memory mapped on (void*)-1 ?

  because that would make quite a lot of our testcases fail

* Is there a machine that has userspace address mapped on NULL ?

  I would consider this a pretty evil thing to do, due to the fact that
  most of the libraries return NULL on failure and dereferencing
  these should really cause SegFault or EFAULT.

-- 
Cyril Hrubis
chrubis@suse.cz

_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list


* Re: [LTP] Unifying syscalls tests for EFAULT
       [not found] ` <1372990689.12607095.1398862329568.JavaMail.zimbra@redhat.com>
@ 2014-04-30 13:01   ` chrubis
  2014-04-30 13:13     ` chrubis
  0 siblings, 1 reply; 3+ messages in thread
From: chrubis @ 2014-04-30 13:01 UTC (permalink / raw)
  To: Jan Stancek; +Cc: ltp-list

Hi!
> > * Is there a machine that has userspace address mapped on NULL ?
> 
> I do recall a testcase, which had special setup for ia64, because
> it didn't work as expected for NULL. When looking at process map,
> there was a single page mapped 0, which didn't come from test:
> 
> # cat /proc/self/maps
> 00000000-00004000 r--p 00000000 00:00 0
> 
> See this email thread:
>   https://www.mail-archive.com/ltp-list@lists.sourceforge.net/msg17855.html

Hmm, so I guess that the only portable way to cause EFAULT would be
mapping a PROT_NONE page.

-- 
Cyril Hrubis
chrubis@suse.cz


* Re: [LTP] Unifying syscalls tests for EFAULT
  2014-04-30 13:01   ` chrubis
@ 2014-04-30 13:13     ` chrubis
  0 siblings, 0 replies; 3+ messages in thread
From: chrubis @ 2014-04-30 13:13 UTC (permalink / raw)
  To: Jan Stancek; +Cc: ltp-list

Hi!
> > I do recall a testcase, which had special setup for ia64, because
> > it didn't work as expected for NULL. When looking at process map,
> > there was a single page mapped 0, which didn't come from test:
> > 
> > # cat /proc/self/maps
> > 00000000-00004000 r--p 00000000 00:00 0
> > 
> > See this email thread:
> >   https://www.mail-archive.com/ltp-list@lists.sourceforge.net/msg17855.html
> 
> Hmm, so I guess that the only portable way to cause EFAULT would be
> mapping a PROT_NONE page.

And we can parse /proc/self/maps and figure out if NULL is mapped and
try more than one address, however I haven't figured out a
reasonably simple way to change the current testcases to cope with
something between 1 and 3 tests for EFAULT yet.

-- 
Cyril Hrubis
chrubis@suse.cz
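
The two ideas from this thread, a PROT_NONE page as the portable bad address and a /proc/self/maps lookup to see whether NULL is mapped, as an added example that is not LTP code and not written by the posters. The helper names `bad_addr_alloc`, `efault_probe` and `addr_is_mapped` are hypothetical, and a write(2) to a pipe stands in for the syscall under test.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one inaccessible page; any kernel access to it takes the fault/fixup path. */
static void *bad_addr_alloc(void)
{
	void *p = mmap(NULL, (size_t)sysconf(_SC_PAGESIZE), PROT_NONE,
		       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	return p == MAP_FAILED ? NULL : p;
}

/* errno seen when write(2) gets a PROT_NONE buffer; 0 if it succeeded, -1 on setup failure. */
static int efault_probe(void)
{
	int fds[2], err;
	void *bad = bad_addr_alloc();

	if (!bad || pipe(fds))
		return -1;
	errno = 0;
	err = write(fds[1], bad, 1) == -1 ? errno : 0;
	close(fds[0]);
	close(fds[1]);
	munmap(bad, (size_t)sysconf(_SC_PAGESIZE));
	return err;
}

/* 1 if addr lies inside a mapping listed in /proc/self/maps, 0 if not, -1 if unreadable. */
static int addr_is_mapped(const void *addr)
{
	unsigned long start, end, a = (unsigned long)addr;
	char line[512];
	int found = 0;
	FILE *f = fopen("/proc/self/maps", "r");

	if (!f)
		return -1;
	while (!found && fgets(line, sizeof(line), f))
		found = sscanf(line, "%lx-%lx", &start, &end) == 2 && a >= start && a < end;
	fclose(f);
	return found;
}

int main(void)
{
	printf("NULL mapped: %d\n", addr_is_mapped(NULL));
	printf("errno for PROT_NONE buffer: %d (EFAULT is %d)\n", efault_probe(), EFAULT);
	return 0;
}
```

A test that wants to use NULL as a second bad address would first check that `addr_is_mapped(NULL)` returns 0, which covers the ia64 case quoted above where a page is already mapped at 0.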
