Hi On 6/21/19 11:36 AM, Dave Martin wrote:
On Thu, Jun 13, 2019 at 12:13:34PM +0100, Cristian Marussi wrote:Added a simple fake_sigreturn testcase which builds a ucontext_t with a badly sized magic0 header and place it onto the stack. Expects a SIGSEGV on test PASS. Signed-off-by: Cristian Marussi <cristian.marussi@xxxxxxx> --- .../arm64/signal/testcases/.gitignore | 1 + .../fake_sigreturn_bad_size_for_magic0.c | 44 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_bad_size_for_magic0.c diff --git a/tools/testing/selftests/arm64/signal/testcases/.gitignore b/tools/testing/selftests/arm64/signal/testcases/.gitignore index 9ad1735e0018..66ba865b3b7e 100644 --- a/tools/testing/selftests/arm64/signal/testcases/.gitignore +++ b/tools/testing/selftests/arm64/signal/testcases/.gitignore @@ -9,3 +9,4 @@ mangle_pstate_ssbs_regs fake_sigreturn_misaligned fake_sigreturn_bad_magic fake_sigreturn_bad_size +fake_sigreturn_bad_size_for_magic0 diff --git a/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_bad_size_for_magic0.c b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_bad_size_for_magic0.c new file mode 100644 index 000000000000..703909959473 --- /dev/null +++ b/tools/testing/selftests/arm64/signal/testcases/fake_sigreturn_bad_size_for_magic0.c @@ -0,0 +1,44 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* Copyright (C) 2019 ARM Limited */ + +#include <asm/sigcontext.h> +#include <ucontext.h> +#include <stdio.h> + +#include "test_signals_utils.h" +#include "testcases.h" + +struct a_sigframe sf; + +static int fake_sigreturn_bad_size_for_magic0_run(struct tdescr *td, + siginfo_t *si, ucontext_t *uc) +{ + struct _aarch64_ctx *head = GET_SF_RESV_HEAD(sf); + + /* just to fill the ucontext_t with something real */ + if (!get_current_context(td, &sf.uc)) + return 1; + + /* + * Jump to the free slot...we must preserve existing + * magics like fpsimd in order no to SEGV anyway + */ + head = get_terminator(head, GET_SF_RESV_SIZE(sf), NULL); + if (head) { + head->magic = 0; + head->size = 256;What if this overruns the signal frame? We want to know that the kernel is rejecting the terminator because its size is wrong, not because the size overruns the frame or is invalid is some other way. For example, if the kernel code were refactored to check that the record fits in the frame first, before looking at the magic, then this test could pass for the wrong reason.
Right. Fixed in V2 to account of available space and avoding overrun (throwing away EXTRA if neeeded): moreover bad size is now 16 aligned to avoid crashing out in size % 16 chcecks
Thanks Cristian
[...] Cheers ---Dave
