From patchwork Thu Dec 20 09:08:11 2018
X-Patchwork-Submitter: Li Wang
X-Patchwork-Id: 1016670
From: Li Wang
To: ltp@lists.linux.it
Cc: Scott Mayhew, Dave Chinner
Date: Thu, 20 Dec 2018 17:08:11 +0800
Subject: [LTP] [PATCH 2/2] readdir02: use invalid DIR stream descriptor
Message-Id: <20181220090811.21514-2-liwang@redhat.com>
In-Reply-To: <20181220090811.21514-1-liwang@redhat.com>
References: <20181220090811.21514-1-liwang@redhat.com>

Issue: On ppc64le and aarch64, when testing in an NFS mountpoint, the test process receives SIGSEGV when calling readdir on a DIR which has just been closed by closedir(). Unfortunately, ltp/readdir02.c handles SIGSEGV. This makes it hit SIGSEGV again in its cleanup function. So readdir02 hangs there hitting SEGV endlessly.

That's because a DIR * is NOT a file descriptor. It's memory allocated by opendir() that contains libc internal information about the directory. closedir(test_dir) frees any memory associated with the open directory pointer test_dir. To then pass the freed dir pointer to readdir() is a use-after-free. It probably won't return EBADF, it will dereference freed memory and whatever happens after that is undefined.

In this patch, I simply modify the test to use an existing FILE * stream to simulate the invalid directory stream descriptor. Then it won't hit the use-after-free issue any more.
Also, the sighandler function has been dropped. Reported-by: Xiong Zhou Signed-off-by: Li Wang Cc: Dave Chinner Cc: Scott Mayhew --- testcases/kernel/syscalls/readdir/readdir02.c | 64 +++++++++++---------------- 1 file changed, 25 insertions(+), 39 deletions(-) diff --git a/testcases/kernel/syscalls/readdir/readdir02.c b/testcases/kernel/syscalls/readdir/readdir02.c index 441c4b431..21d00cb0a 100644 --- a/testcases/kernel/syscalls/readdir/readdir02.c +++ b/testcases/kernel/syscalls/readdir/readdir02.c 
@@ -36,59 +36,45 @@ #include #include "tst_test.h" +#include "tst_safe_stdio.h" + +#define TEST_FILE "readdir_file.txt" static void verify_readdir(void) { + FILE *fp; DIR *test_dir; struct dirent *dptr; - if ((test_dir = opendir(".")) == NULL) { - tst_res(TFAIL, "opendir(\".\") Failed, errno=%d : %s", - errno, strerror(errno)); - } else { - if (closedir(test_dir) < 0) { + fp = SAFE_FOPEN(TEST_FILE, "ab+"); + /* regard FILE * as an invalid directory stream descriptor */ + test_dir = (DIR *)fp; + + dptr = readdir(test_dir); + switch (errno) { + case EBADF: + tst_res(TPASS, + "expected failure - errno = %d : %s", + errno, strerror(errno)); + break; + default: + if (dptr != NULL) { tst_res(TFAIL, - "closedir(\".\") Failed, errno=%d : %s", - errno, strerror(errno)); + "call failed with an " + "unexpected error - %d : %s", + errno, + strerror(errno)); } else { - dptr = readdir(test_dir); - switch (errno) { - case EBADF: - tst_res(TPASS, - "expected failure - errno = %d : %s", - errno, strerror(errno)); - break; - default: - if (dptr != NULL) { - tst_brk(TFAIL, - "call failed with an " - "unexpected error - %d : %s", - errno, - strerror(errno)); - } else { - tst_res(TINFO, - "readdir() is not _required_ to fail, " - "errno = %d ", errno); - } - } + tst_res(TINFO, + "readdir() is not _required_ to fail, " + "errno = %d ", errno); } } -} -static void sighandler(int sig LTP_ATTRIBUTE_UNUSED) -{ - tst_res(TCONF, - "This system's implementation of closedir() " - "will not allow this test to execute properly."); -} - -static void setup(void) -{ - SAFE_SIGNAL(SIGSEGV, sighandler); + SAFE_FCLOSE(fp); } static struct tst_test test = { .needs_tmpdir = 1, - .setup = setup, .test_all = verify_readdir, };
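Review bot: In verify_readdir(), `test_dir = (DIR *)fp;` followed by `dptr = readdir(test_dir);` still hands readdir() an object that is not a DIR, so libc interprets the FILE structure as a directory stream and the outcome (EBADF, a crash, or an apparently valid entry) depends on the libc's internal layout rather than on anything the test controls. That removes the use-after-free but keeps the undefined behaviour the commit message itself describes, and with the SIGSEGV handler and `.setup` dropped a crash here now terminates the test. If the aim is to check EBADF, consider exercising the kernel interface with an invalid file descriptor instead, or state in the comment which libc behaviour the test relies on. Separately, `switch (errno)` is evaluated without setting `errno = 0` before the readdir() call, so a stale value left by an earlier call can select the EBADF case; clear errno first and look at it only when `dptr == NULL`. In the default branch, `dptr != NULL` means readdir() returned an entry, so the "call failed with an unexpected error" message is misleading there and should say the call unexpectedly succeeded.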