1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2018 Google, Inc.
4  */
5 
6 /*
7  * Regression test for commit 3f05317d9889 ("ipc/shm: fix use-after-free of shm
8  * file via remap_file_pages()").  This bug allowed the remap_file_pages()
9  * syscall to use the file of a System V shared memory segment after its ID had
 * been reallocated and the file freed.  This test reproduces the bug as a NULL
 * pointer dereference in touch_atime(); since it depends on winning a race,
 * reproduction is not guaranteed.  This test is based on the reproducer
 * provided in the fix's commit message.
14  */
15 
16 #include "lapi/syscalls.h"
17 #include "tst_test.h"
18 #include "tst_fuzzy_sync.h"
19 #include "tst_safe_pthread.h"
20 #include "tst_safe_sysv_ipc.h"
21 #include "tst_timer.h"
22 
/*
 * Fuzzy-sync state shared by the two racing sides: do_test() drives side A
 * (attach + remap) and thrproc() drives side B (remove + recreate).
 */
static struct tst_fzsync_pair fzsync_pair;
24 
25 /*
26  * Thread 2: repeatedly remove the shm ID and reallocate it again for a
27  * new shm segment.
28  */
/*
 * Thread 2 (side B of the fuzzy-sync pair).
 *
 * Holds a shm segment under key 0xF00F and, inside every race window,
 * removes it and immediately creates a new one under the same key.  This
 * frees the segment's ID and lets it be reallocated while the other thread
 * is still remapping the old mapping, which is the condition the fixed
 * kernel bug depended on.
 *
 * @unused: opaque thread argument, handed back unchanged as the return value
 */
static void *thrproc(void *unused)
{
	int id;

	id = SAFE_SHMGET(0xF00F, 4096, IPC_CREAT|0700);

	for (;;) {
		if (!tst_fzsync_run_b(&fzsync_pair))
			break;

		tst_fzsync_start_race_b(&fzsync_pair);
		SAFE_SHMCTL(id, IPC_RMID, NULL);
		id = SAFE_SHMGET(0xF00F, 4096, IPC_CREAT|0700);
		tst_fzsync_end_race_b(&fzsync_pair);
	}

	return unused;
}
41 
/*
 * Probe the two kernel facilities the test needs and prepare the
 * fuzzy-sync pair.
 */
static void setup(void)
{
	/*
	 * Skip test if either remap_file_pages() or SysV IPC is unavailable.
	 * Both calls are availability probes only: the arguments are
	 * deliberately meaningless (0xF00F is not a real shm ID here) and any
	 * failure other than "syscall not implemented" is ignored.
	 */
	tst_syscall(__NR_remap_file_pages, NULL, 0, 0, 0, 0);
	tst_syscall(__NR_shmctl, 0xF00F, IPC_RMID, NULL);

	tst_fzsync_pair_init(&fzsync_pair);
}
50 
/*
 * Thread 1 (side A of the fuzzy-sync pair), and the test body.
 *
 * Each iteration attaches a segment for key 0xF00F and then keeps calling
 * remap_file_pages() on that mapping until the call fails, which is taken
 * as the sign that the other thread has removed the segment's ID.  On a
 * vulnerable kernel the remap may touch the freed shm file and crash; on
 * a fixed kernel the loop ends with EIDRM or EINVAL and the test passes.
 */
static void do_test(void)
{
	tst_fzsync_pair_reset(&fzsync_pair, thrproc);

	while (tst_fzsync_run_a(&fzsync_pair)) {
		int id = SAFE_SHMGET(0xF00F, 4096, IPC_CREAT|0700);
		void *addr = SAFE_SHMAT(id, NULL, 0);

		tst_fzsync_start_race_a(&fzsync_pair);
		for (;;) {
			/* This is the system call that crashed */
			TEST(syscall(__NR_remap_file_pages, addr, 4096,
				     0, 0, 0));
			if (TST_RET != 0)
				break;
		}
		tst_fzsync_end_race_a(&fzsync_pair);

		/* Only these two errors mean "the segment went away" */
		if (TST_ERR != EIDRM && TST_ERR != EINVAL) {
			tst_brk(TBROK | TTERRNO,
				"Unexpected remap_file_pages() error");
		}

		/*
		 * Ensure that a shm segment will actually be destroyed.
		 * This call may fail on recent kernels (v4.0+) because
		 * remap_file_pages() already unmapped the shm segment.
		 */
		shmdt(addr);
	}

	tst_res(TPASS, "didn't crash");
}
87 
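/*
 * Stop the helper thread and remove whichever shm segment is still
 * registered under key 0xF00F, so no segment outlives the test.
 */
static void cleanup(void)
{
	int id;

	tst_fzsync_pair_cleanup(&fzsync_pair);

	/*
	 * 0xF00F is the segment's *key*, not its ID, so passing it directly
	 * to shmctl(IPC_RMID) would only remove the segment by coincidence
	 * and would normally leave it behind.  Resolve the key to an ID first
	 * (no IPC_CREAT, size 0: a pure lookup that never creates anything)
	 * and remove the segment only if one exists.  Best effort on purpose:
	 * cleanup also runs when setup() bailed out before any segment was
	 * created, and must not fail in that case.
	 */
	id = shmget(0xF00F, 0, 0);
	if (id != -1)
		shmctl(id, IPC_RMID, NULL);
}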
93 
/*
 * Test description handed to the LTP library: do_test() is the test body,
 * bracketed by setup() and cleanup(), and the "linux-git" tag names the
 * kernel commit this file is a regression test for.
 */
static struct tst_test test = {
	.timeout = 20,
	.setup = setup,
	.test_all = do_test,
	.cleanup = cleanup,
	.tags = (const struct tst_tag[]) {
		{"linux-git", "3f05317d9889"},
		{}
	}
};
104