From patchwork Sat Mar  7 01:06:57 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Paul Pluzhnikov <ppluzhnikov@gmail.com>
X-Patchwork-Id: 447515
Return-Path: 
 <libc-alpha-return-57740-incoming=patchwork.ozlabs.org@sourceware.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from sourceware.org (server1.sourceware.org [209.132.180.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 309FA1400EA
	for <incoming@patchwork.ozlabs.org>;
	Sat,  7 Mar 2015 12:07:36 +1100 (AEDT)
Authentication-Results: ozlabs.org; dkim=pass
	reason="1024-bit key; unprotected key"
	header.d=sourceware.org header.i=@sourceware.org header.b=LWnQ41+f;
	dkim-adsp=none (unprotected policy); dkim-atps=neutral
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:from:date:message-id:subject:to
	:content-type; q=dns; s=default; b=ftvn/zt4aZuMGKHKt4iQpRP0sVVNd
	BDigvhF6dPbLhldnUilQ9O+cOLCEbmWaPDTfzBIIg/XwvmI7PkRpbaOrIvCrm7+T
	RqVKdX/32uxTCna9Qoj9zw6jmvg/KqmsIS+ghp54ZaD3I0LQ2yUBqcj/H9YjChcf
	HEo9dw8wAL46+g=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:from:date:message-id:subject:to
	:content-type; s=default; bh=dOayfavkOtzbfgRtGsaDc2m9Tw0=; b=LWn
	Q41+fxruYetbjyrx6FVR+eoB1Bgdg/ocrXUMMg3VoNlMGG9S4Nu17TxEFh52qDqA
	CpFsH/s88cydfY/jBu4pXRehsUFyiYKem0BzT2QPxR7s+3mEbkBU6zH/+g/JBpVr
	uOMDis890ERxOPg06t0BC8zn+rGsCWI8iljs2HVM=
Received: (qmail 128865 invoked by alias); 7 Mar 2015 01:07:31 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: 
 <mailto:libc-alpha-unsubscribe-incoming=patchwork.ozlabs.org@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 128853 invoked by uid 89); 7 Mar 2015 01:07:30 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=1.5 required=5.0 tests=AWL, BAYES_00,
	FREEMAIL_FROM, KAM_FROM_URIBL_PCCC, RCVD_IN_DNSWL_LOW,
	SPF_PASS, T_RP_MATCHES_RCVD autolearn=no version=3.3.2
X-HELO: mail-oi0-f41.google.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:sender:from:date:message-id:subject
	:to:content-type;
	bh=S49txmaI+kgfUzIxjvcrKcpPrqDhVeAWfcjpJnMDKUk=;
	b=cpM01MMMiOTbsofiY5KOKvTpkO2OrKexU40lTlA0RJpxpp9pwoVhoSnBAtd37b3uCP
	AmsINEwxgZyqithIgJCKJ6mXkhDHHSg1w9zyo97xU5QSzAwloBkqFMedcQRtNe6ZHM6/
	1Q1QvnK8rjXtgeMFNfLI9nBCoZ91WLR2Ps3/PuvW7CERCNeuAJBCC8vvKDoUpXwtvt7a
	xbKnrDSrunXopIKXWBfVDw8L4exEQptqb7NOJzBJGMNakaAN5JIqSV3fPpEB4EikFH95
	OlQXGhCu8QB+ggr8GX7ZrE6bnmkt/gARWbJk3ZSDjnwZRr4w2u3+4w1iX8EjFg76dTpn
	2Qog==
X-Gm-Message-State: 
 ALoCoQm6g4pHjfaG2ngSdA6DpTDz160NDS+xpV5/QZo5gzpMj7WYV7HA/OHTXAoAx3VvlNN5sFll
X-Received: by 10.60.222.71 with SMTP id qk7mr13174077oec.37.1425690447881;
	Fri, 06 Mar 2015 17:07:27 -0800 (PST)
MIME-Version: 1.0
From: Paul Pluzhnikov <ppluzhnikov@gmail.com>
Date: Fri, 6 Mar 2015 17:06:57 -0800
Message-ID: 
 <CALoOobPa9ZqLJ=YaG3PJ10py51G+juH_QED6xmcfDhMNKACkHw@mail.gmail.com>
Subject: [patch] Refactor wordexp-test
To: GLIBC Devel <libc-alpha@sourceware.org>

Greetings,

This patch modifies wordexp-test.c such that words always ends at the
edge of unreadable page.

This makes it easy to catch overflows, such as BZ #18043 (and BZ #18042).

Tested: reverted fix for BZ #18043 in wordexp.c and verified that the
test for it fails with expected SIGSEGV.


Thanks,

2015-03-06  Paul Pluzhnikov  <ppluzhnikov@google.com>

        * posix/wordexp-test.c (test_case): Add test for BZ #18043
        (do_bz18043): Delete.
        (at_page_end): New.
        (testit): Refactor to have words at the edge of unreadable page.

diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index 137044e..b71352d 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -233,6 +233,8 @@ struct test_case_struct
     { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
     { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
 
+    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },  /* BZ 18043  */
+
     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
   };
 
@@ -250,33 +252,6 @@ command_line_test (const char *words)
     printf ("we_wordv[%d] = \"%s\"\n", i, we.we_wordv[i]);
 }
 
-static int
-do_bz18043 (void)
-{
-  const int pagesize = getpagesize ();
-  char *start = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE,
-		      MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
-
-  if (start == MAP_FAILED)
-    return 1;
-
-  if (mprotect (start + pagesize, pagesize, PROT_NONE))
-    return 2;
-
-  const char word[] = "${";
-  char *word_start = start + pagesize - sizeof (word);
-  memcpy (word_start, word, sizeof (word));
-
-  wordexp_t w;
-  if (wordexp (word_start, &w, 0) != WRDE_SYNTAX)
-    return 3;
-
-  if (munmap (start, 2 * pagesize) != 0)
-    return 4;
-
-  return 0;
-}
-
 int
 main (int argc, char *argv[])
 {
@@ -398,12 +373,32 @@ main (int argc, char *argv[])
 
   printf ("tests failed: %d\n", fail);
 
-  if (do_bz18043 ())
-    ++fail;
-
   return fail != 0;
 }
 
+static const char *
+at_page_end (const char *words)
+{
+  const int pagesize = getpagesize ();
+  char *start = mmap (0, 2 * pagesize, PROT_READ|PROT_WRITE,
+		      MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+
+  if (start == MAP_FAILED)
+    return start;
+
+  if (mprotect (start + pagesize, pagesize, PROT_NONE))
+    {
+      munmap (start, 2 * pagesize);
+      return MAP_FAILED;
+    }
+
+  /* Includes terminating NUL.  */
+  const size_t words_size = strlen (words) + 1;
+  char *words_start = start + pagesize - words_size;
+  memcpy (words_start, words, words_size);
+
+  return words_start;
+}
 
 static int
 testit (struct test_case_struct *tc)
@@ -431,6 +426,8 @@ testit (struct test_case_struct *tc)
   we = sav_we;
 
   printf ("Test %d (%s): ", ++tests, tc->words);
+  fflush (NULL);
+  const char *words = at_page_end (tc->words);
 
   if (tc->flags & WRDE_NOCMD)
     registered_forks = 0;
@@ -444,7 +441,7 @@ testit (struct test_case_struct *tc)
 	  return 1;
 	}
     }
-  retval = wordexp (tc->words, &we, tc->flags);
+  retval = wordexp (words, &we, tc->flags);
 
   if ((tc->flags & WRDE_NOCMD)
       && (registered_forks > 0))
@@ -508,5 +505,11 @@ testit (struct test_case_struct *tc)
   if (retval == 0 || retval == WRDE_NOSPACE)
     wordfree (&we);
 
+  const int page_size = getpagesize ();
+  char *start = (char *) (((uintptr_t) words) & ~(page_size - 1));
+  if (munmap (start, 2 * page_size) != 0)
+    return 1;
+
+  fflush (NULL);
   return bzzzt;
 }