On Thu, Jun 13, 2019 at 12:13:34PM +0100, Cristian Marussi wrote: > Added a simple fake_sigreturn testcase which builds a ucontext_t > with a badly sized magic0 header and place it onto the stack. > Expects a SIGSEGV on test PASS. > > Signed-off-by: Cristian Marussi <cristian.marussi@xxxxxxx> > --- > .../arm64/signal/testcases/.gitignore | 1 + > .../fake_sigreturn_bad_size_for_magic0.c | 44 +++++++++++++++++++ > 2 files changed, 45 insertions(+) > create mode 100644 tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_bad_size_for_magic0.c > > diff --git a/tools/testing/selftests/arm64/signal/testcases/.gitignore b/tools/testing/selftests/arm64/signal/testcases/.gitignore > index 9ad1735e0018..66ba865b3b7e 100644 > --- a/tools/testing/selftests/arm64/signal/testcases/.gitignore > +++ b/tools/testing/selftests/arm64/signal/testcases/.gitignore > @@ -9,3 +9,4 @@ mangle_pstate_ssbs_regs > fake_sigreturn_misaligned > fake_sigreturn_bad_magic > fake_sigreturn_bad_size > +fake_sigreturn_bad_size_for_magic0 > diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_bad_size_for_magic0.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_bad_size_for_magic0.c > new file mode 100644 > index 000000000000..703909959473 > --- /dev/null > +++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_bad_size_for_magic0.c 
> @@ -0,0 +1,44 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* Copyright (C) 2019 ARM Limited */ > + > +#include <asm/sigcontext.h> > +#include <ucontext.h> > +#include <stdio.h> > + > +#include "test_signals_utils.h" > +#include "testcases.h" > + > +struct a_sigframe sf; > + > +static int fake_sigreturn_bad_size_for_magic0_run(struct tdescr *td, > + siginfo_t *si, ucontext_t *uc) > +{ > + struct _aarch64_ctx *head = GET_SF_RESV_HEAD(sf); > + > + /* just to fill the ucontext_t with something real */ > + if (!get_current_context(td, &sf.uc)) > + return 1; > + > + /* > + * Jump to the free slot...we must preserve existing > + * magics like fpsimd in order no to SEGV anyway > + */ > + head = get_terminator(head, GET_SF_RESV_SIZE(sf), NULL); > + if (head) { > + head->magic = 0; > + head->size = 256;

What if this overruns the signal frame? We want to know that the kernel is rejecting the terminator because its size is wrong, not because the size overruns the frame or is invalid in some other way.

For example, if the kernel code were refactored to check that the record fits in the frame first, before looking at the magic, then this test could pass for the wrong reason.

[...]

Cheers
---Dave
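Review bot: in the new-file hunk, `head->size = 256` is written into the terminator slot without any check of how much of the reserved area remains after that slot, and the third argument to `get_terminator()` is passed as `NULL`, so nothing in the visible code records the free space; this is what makes it impossible to tell whether the kernel rejects the record for the wrong size or for running past the frame, as Dave notes above. Consider querying the remaining space and picking a size that is wrong for a magic-0 terminator yet still fits inside the reserved area, so a SIGSEGV can only come from the size check the test is meant to exercise. Minor: the comment `in order no to SEGV anyway` should read `in order not to SEGV anyway`.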