1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2021 SUSE LLC <rpalethorpe@suse.com>
4 */
5
6 /*\
7 * [Description]
8 *
9 * Reproducer of CVE-2018-10124; INT_MIN negation.
10 *
11 * On most two's complement CPUs negation of INT_MIN will result in
12 * INT_MIN because ~((unsigned)INT_MIN) + 1 overflows to INT_MIN
13 * (unless trapped). On one's complement ~((unsigned)INT_MIN) = INT_MAX.
14 *
15 * Without UBSAN kill will always return ESRCH. Regardless of if the
16 * bug is present as INT_MIN/INT_MAX are invalid PIDs. It checks the
17 * PID before the signal number so we can not cause EINVAL. A trivial
18 * test of kill is performed elsewhere. So we don't run the test
19 * without UBSAN to avoid giving the impression we have actually
20 * tested for the bug.
21 */
22
23 #include <limits.h>
24 #include <signal.h>
25 #include "tst_test.h"
26
run(void)27 static void run(void)
28 {
29 TST_EXP_FAIL2(kill(INT_MIN, 0), ESRCH,
30 "kill(INT_MIN, ...) fails with ESRCH");
31 }
32
33 static struct tst_test test = {
34 .test_all = run,
35 .taint_check = TST_TAINT_W | TST_TAINT_D,
36 .needs_kconfigs = (const char *[]) {
37 "CONFIG_UBSAN_SIGNED_OVERFLOW",
38 NULL
39 },
40 .tags = (const struct tst_tag[]) {
41 {"linux-git", "4ea77014af0d"},
42 {"CVE", "CVE-2018-10124"},
43 {}
44 }
45 };
46