1 /*
2 * Copyright (C) 2013 Linux Test Project
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of version 2 of the GNU General Public
6 * License as published by the Free Software Foundation.
7 *
8 * This program is distributed in the hope that it would be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
11 *
12 * Further, this software is distributed without any warranty that it
13 * is free of the rightful claim of any third person regarding
14 * infringement or the like. Any license provided herein, whether
15 * implied or otherwise, applies only to this software file. Patent
16 * licenses, if any, provided herein do not apply to combinations of
17 * this program with other software, or any other product whatsoever.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
22 * 02110-1301, USA.
23 */
24 /*
25 * reproducer for:
26 * BUG: unable to handle kernel NULL ptr deref in selinux_socket_unix_may_send
27 * fixed in 3.9.0-0.rc5:
28 * commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0
29 * Author: Paul Moore <pmoore@redhat.com>
30 * Date: Mon Mar 25 03:18:33 2013 +0000
31 * unix: fix a race condition in unix_release()
32 */
33
34 #define _GNU_SOURCE
35 #include <sys/ipc.h>
36 #include <sys/stat.h>
37 #include <sys/sem.h>
38 #include <sys/socket.h>
39 #include <sys/types.h>
40 #include <sys/un.h>
41 #include <sys/wait.h>
42 #include <errno.h>
43 #include <signal.h>
44 #include <limits.h>
45 #include "config.h"
46 #include "test.h"
47 #include "safe_macros.h"
48 #include "lapi/semun.h"
49
50 char *TCID = "sendmsg02";
51
52 static int sem_id;
53 static int tflag;
54 static char *t_opt;
55 static option_t options[] = {
56 {"s:", &tflag, &t_opt},
57 {NULL, NULL, NULL}
58 };
59
60 static void setup(void);
61 static void cleanup(void);
62
client(int id,int pipefd[])63 static void client(int id, int pipefd[])
64 {
65 int fd, semval;
66 char data[] = "123456789";
67 struct iovec w;
68 struct sockaddr_un sa;
69 struct msghdr mh;
70 struct cmsghdr cmh;
71
72 close(pipefd[0]);
73
74 memset(&sa, 0, sizeof(sa));
75 sa.sun_family = AF_UNIX;
76 snprintf(sa.sun_path, sizeof(sa.sun_path), "socket_test%d", id);
77
78 w.iov_base = data;
79 w.iov_len = 10;
80
81 memset(&cmh, 0, sizeof(cmh));
82 mh.msg_control = &cmh;
83 mh.msg_controllen = sizeof(cmh);
84
85 memset(&mh, 0, sizeof(mh));
86 mh.msg_name = &sa;
87 mh.msg_namelen = sizeof(struct sockaddr_un);
88 mh.msg_iov = &w;
89 mh.msg_iovlen = 1;
90
91 do {
92 fd = socket(AF_UNIX, SOCK_DGRAM, 0);
93 write(pipefd[1], &fd, 1);
94 sendmsg(fd, &mh, MSG_NOSIGNAL);
95 close(fd);
96 semval = semctl(sem_id, 0, GETVAL);
97 } while (semval != 0);
98 close(pipefd[1]);
99 }
100
server(int id,int pipefd[])101 static void server(int id, int pipefd[])
102 {
103 int fd, semval;
104 struct sockaddr_un sa;
105
106 close(pipefd[1]);
107
108 memset(&sa, 0, sizeof(sa));
109 sa.sun_family = AF_UNIX;
110 snprintf(sa.sun_path, sizeof(sa.sun_path), "socket_test%d", id);
111
112 do {
113 fd = socket(AF_UNIX, SOCK_DGRAM, 0);
114 unlink(sa.sun_path);
115 bind(fd, (struct sockaddr *) &sa, sizeof(struct sockaddr_un));
116 read(pipefd[0], &fd, 1);
117 close(fd);
118 semval = semctl(sem_id, 0, GETVAL);
119 } while (semval != 0);
120 close(pipefd[0]);
121 }
122
reproduce(int seconds)123 static void reproduce(int seconds)
124 {
125 int i, status, pipefd[2];
126 int child_pairs = sysconf(_SC_NPROCESSORS_ONLN)*4;
127 int child_count = 0;
128 int *child_pids;
129 int child_pid;
130 union semun u;
131
132 child_pids = SAFE_MALLOC(cleanup, sizeof(int) * child_pairs * 2);
133
134 u.val = 1;
135 if (semctl(sem_id, 0, SETVAL, u) == -1)
136 tst_brkm(TBROK | TERRNO, cleanup, "couldn't set semval to 1");
137
138 /* fork child for each client/server pair */
139 for (i = 0; i < child_pairs*2; i++) {
140 if (i%2 == 0) {
141 if (pipe(pipefd) < 0) {
142 tst_resm(TBROK | TERRNO, "pipe failed");
143 break;
144 }
145 }
146
147 child_pid = fork();
148 switch (child_pid) {
149 case -1:
150 tst_resm(TBROK | TERRNO, "fork");
151 break;
152 case 0:
153 if (i%2 == 0)
154 server(i, pipefd);
155 else
156 client(i-1, pipefd);
157 exit(0);
158 default:
159 child_pids[child_count++] = child_pid;
160 };
161
162 /* this process can close the pipe now */
163 if (i%2 == 0) {
164 close(pipefd[0]);
165 close(pipefd[1]);
166 }
167 }
168
169 /* let clients/servers run for a while, then clear semval to signal
170 * they should stop running now */
171 if (child_count == child_pairs*2)
172 sleep(seconds);
173
174 u.val = 0;
175 if (semctl(sem_id, 0, SETVAL, u) == -1) {
176 /* kill children if setting semval failed */
177 for (i = 0; i < child_count; i++)
178 kill(child_pids[i], SIGKILL);
179 tst_resm(TBROK | TERRNO, "couldn't set semval to 0");
180 }
181
182 for (i = 0; i < child_count; i++) {
183 if (waitpid(child_pids[i], &status, 0) == -1)
184 tst_resm(TBROK | TERRNO, "waitpid for %d failed",
185 child_pids[i]);
186 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
187 tst_resm(TFAIL, "child %d returns %d", i, status);
188 }
189 free(child_pids);
190 }
191
help(void)192 static void help(void)
193 {
194 printf(" -s NUM Number of seconds to run.\n");
195 }
196
main(int argc,char * argv[])197 int main(int argc, char *argv[])
198 {
199 int lc;
200 long seconds;
201
202 tst_parse_opts(argc, argv, options, &help);
203 setup();
204
205 seconds = tflag ? SAFE_STRTOL(NULL, t_opt, 1, LONG_MAX) : 15;
206 for (lc = 0; TEST_LOOPING(lc); lc++)
207 reproduce(seconds);
208 tst_resm(TPASS, "finished after %ld seconds", seconds);
209
210 cleanup();
211 tst_exit();
212 }
213
setup(void)214 static void setup(void)
215 {
216 tst_require_root();
217 tst_tmpdir();
218
219 sem_id = semget(IPC_PRIVATE, 1, IPC_CREAT | S_IRWXU);
220 if (sem_id == -1)
221 tst_brkm(TBROK | TERRNO, NULL, "Couldn't allocate semaphore");
222
223 TEST_PAUSE;
224 }
225
cleanup(void)226 static void cleanup(void)
227 {
228 semctl(sem_id, 0, IPC_RMID);
229 tst_rmdir();
230 }
231