1 /*
2 * Copyright (C) 2013 Linux Test Project
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of version 2 of the GNU General Public
6 * License as published by the Free Software Foundation.
7 *
8 * This program is distributed in the hope that it would be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
11 *
12 * Further, this software is distributed without any warranty that it
13 * is free of the rightful claim of any third person regarding
14 * infringement or the like. Any license provided herein, whether
15 * implied or otherwise, applies only to this software file. Patent
16 * licenses, if any, provided herein do not apply to combinations of
17 * this program with other software, or any other product whatsoever.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
22 * 02110-1301, USA.
23 */
24 /*
25 * reproducer for:
26 * BUG: unable to handle kernel NULL ptr deref in selinux_socket_unix_may_send
27 * fixed in 3.9.0-0.rc5:
28 * commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0
29 * Author: Paul Moore <pmoore@redhat.com>
30 * Date: Mon Mar 25 03:18:33 2013 +0000
31 * unix: fix a race condition in unix_release()
32 */
33
34 #define _GNU_SOURCE
35 #include <sys/ipc.h>
36 #include <sys/stat.h>
37 #include <sys/socket.h>
38 #include <sys/types.h>
39 #include <sys/un.h>
40 #include <sys/wait.h>
41 #include <errno.h>
42 #include <signal.h>
43 #include <limits.h>
44 #include "config.h"
45 #include "test.h"
46 #include "safe_macros.h"
47 #include "lapi/sem.h"
48
49 char *TCID = "sendmsg02";
50
51 static int sem_id;
52 static int tflag;
53 static char *t_opt;
54 static option_t options[] = {
55 {"s:", &tflag, &t_opt},
56 {NULL, NULL, NULL}
57 };
58
59 static void setup(void);
60 static void cleanup(void);
61
client(int id,int pipefd[])62 static void client(int id, int pipefd[])
63 {
64 int fd, semval;
65 char data[] = "123456789";
66 struct iovec w;
67 struct sockaddr_un sa;
68 struct msghdr mh;
69 struct cmsghdr cmh;
70
71 close(pipefd[0]);
72
73 memset(&sa, 0, sizeof(sa));
74 sa.sun_family = AF_UNIX;
75 snprintf(sa.sun_path, sizeof(sa.sun_path), "socket_test%d", id);
76
77 w.iov_base = data;
78 w.iov_len = 10;
79
80 memset(&cmh, 0, sizeof(cmh));
81 mh.msg_control = &cmh;
82 mh.msg_controllen = sizeof(cmh);
83
84 memset(&mh, 0, sizeof(mh));
85 mh.msg_name = &sa;
86 mh.msg_namelen = sizeof(struct sockaddr_un);
87 mh.msg_iov = &w;
88 mh.msg_iovlen = 1;
89
90 do {
91 fd = socket(AF_UNIX, SOCK_DGRAM, 0);
92 write(pipefd[1], &fd, 1);
93 sendmsg(fd, &mh, MSG_NOSIGNAL);
94 close(fd);
95 semval = semctl(sem_id, 0, GETVAL);
96 } while (semval != 0);
97 close(pipefd[1]);
98 }
99
server(int id,int pipefd[])100 static void server(int id, int pipefd[])
101 {
102 int fd, semval;
103 struct sockaddr_un sa;
104
105 close(pipefd[1]);
106
107 memset(&sa, 0, sizeof(sa));
108 sa.sun_family = AF_UNIX;
109 snprintf(sa.sun_path, sizeof(sa.sun_path), "socket_test%d", id);
110
111 do {
112 fd = socket(AF_UNIX, SOCK_DGRAM, 0);
113 unlink(sa.sun_path);
114 bind(fd, (struct sockaddr *) &sa, sizeof(struct sockaddr_un));
115 read(pipefd[0], &fd, 1);
116 close(fd);
117 semval = semctl(sem_id, 0, GETVAL);
118 } while (semval != 0);
119 close(pipefd[0]);
120 }
121
reproduce(int seconds)122 static void reproduce(int seconds)
123 {
124 int i, status, pipefd[2];
125 int child_pairs = sysconf(_SC_NPROCESSORS_ONLN)*4;
126 int child_count = 0;
127 int *child_pids;
128 int child_pid;
129 union semun u;
130
131 child_pids = SAFE_MALLOC(cleanup, sizeof(int) * child_pairs * 2);
132
133 u.val = 1;
134 if (semctl(sem_id, 0, SETVAL, u) == -1)
135 tst_brkm(TBROK | TERRNO, cleanup, "couldn't set semval to 1");
136
137 /* fork child for each client/server pair */
138 for (i = 0; i < child_pairs*2; i++) {
139 if (i%2 == 0) {
140 if (pipe(pipefd) < 0) {
141 tst_resm(TBROK | TERRNO, "pipe failed");
142 break;
143 }
144 }
145
146 child_pid = fork();
147 switch (child_pid) {
148 case -1:
149 tst_resm(TBROK | TERRNO, "fork");
150 break;
151 case 0:
152 if (i%2 == 0)
153 server(i, pipefd);
154 else
155 client(i-1, pipefd);
156 exit(0);
157 default:
158 child_pids[child_count++] = child_pid;
159 };
160
161 /* this process can close the pipe now */
162 if (i%2 == 0) {
163 close(pipefd[0]);
164 close(pipefd[1]);
165 }
166 }
167
168 /* let clients/servers run for a while, then clear semval to signal
169 * they should stop running now */
170 if (child_count == child_pairs*2)
171 sleep(seconds);
172
173 u.val = 0;
174 if (semctl(sem_id, 0, SETVAL, u) == -1) {
175 /* kill children if setting semval failed */
176 for (i = 0; i < child_count; i++)
177 kill(child_pids[i], SIGKILL);
178 tst_resm(TBROK | TERRNO, "couldn't set semval to 0");
179 }
180
181 for (i = 0; i < child_count; i++) {
182 if (waitpid(child_pids[i], &status, 0) == -1)
183 tst_resm(TBROK | TERRNO, "waitpid for %d failed",
184 child_pids[i]);
185 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
186 tst_resm(TFAIL, "child %d returns %d", i, status);
187 }
188 free(child_pids);
189 }
190
help(void)191 static void help(void)
192 {
193 printf(" -s NUM Number of seconds to run.\n");
194 }
195
main(int argc,char * argv[])196 int main(int argc, char *argv[])
197 {
198 int lc;
199 long seconds;
200
201 tst_parse_opts(argc, argv, options, &help);
202 setup();
203
204 seconds = tflag ? SAFE_STRTOL(NULL, t_opt, 1, LONG_MAX) : 15;
205 for (lc = 0; TEST_LOOPING(lc); lc++)
206 reproduce(seconds);
207 tst_resm(TPASS, "finished after %ld seconds", seconds);
208
209 cleanup();
210 tst_exit();
211 }
212
setup(void)213 static void setup(void)
214 {
215 tst_require_root();
216 tst_tmpdir();
217
218 sem_id = semget(IPC_PRIVATE, 1, IPC_CREAT | S_IRWXU);
219 if (sem_id == -1)
220 tst_brkm(TBROK | TERRNO, NULL, "Couldn't allocate semaphore");
221
222 TEST_PAUSE;
223 }
224
cleanup(void)225 static void cleanup(void)
226 {
227 semctl(sem_id, 0, IPC_RMID);
228 tst_rmdir();
229 }
230