1*49cdfc7eSAndroid Build Coastguard Worker // SPDX-License-Identifier: GPL-2.0-or-later
2*49cdfc7eSAndroid Build Coastguard Worker /*
3*49cdfc7eSAndroid Build Coastguard Worker * Copyright (C) 2011-2017 Red Hat, Inc.
4*49cdfc7eSAndroid Build Coastguard Worker *
5*49cdfc7eSAndroid Build Coastguard Worker * KSM - NULL pointer dereference in ksm_do_scan() (CVE-2011-2183)
6*49cdfc7eSAndroid Build Coastguard Worker *
7*49cdfc7eSAndroid Build Coastguard Worker * This is a testcase from upstream commit:
8*49cdfc7eSAndroid Build Coastguard Worker * 2b472611a32a72f4a118c069c2d62a1a3f087afd.
9*49cdfc7eSAndroid Build Coastguard Worker *
10*49cdfc7eSAndroid Build Coastguard Worker * an exiting task can race against ksmd::scan_get_next_rmap_item
11*49cdfc7eSAndroid Build Coastguard Worker * (http://lkml.org/lkml/2011/6/1/742) easily triggering a NULL pointer
12*49cdfc7eSAndroid Build Coastguard Worker * dereference in ksmd.
13*49cdfc7eSAndroid Build Coastguard Worker * ksm_scan.mm_slot == &ksm_mm_head with only one registered mm
14*49cdfc7eSAndroid Build Coastguard Worker *
 * CPU 1 (__ksm_exit)            CPU 2 (scan_get_next_rmap_item)
 *                               list_empty() is false
 * lock                          slot == &ksm_mm_head
 * list_del(slot->mm_list)
 * (list now empty)
 * unlock
 *                               lock
 *                               slot = list_entry(slot->mm_list.next)
 *                               (list is empty, so slot is still ksm_mm_head)
 *                               unlock
 *                               slot->mm == NULL ... Oops
26*49cdfc7eSAndroid Build Coastguard Worker *
27*49cdfc7eSAndroid Build Coastguard Worker * Close this race by revalidating that the new slot is not simply the list
28*49cdfc7eSAndroid Build Coastguard Worker * head again.
29*49cdfc7eSAndroid Build Coastguard Worker *
30*49cdfc7eSAndroid Build Coastguard Worker * Test Prerequisites:
31*49cdfc7eSAndroid Build Coastguard Worker *
 * *) ksm and ksmtuned daemons need to be disabled. Otherwise, they could
 * disturb the testing as they also change some ksm tunables depending
 * on current workloads.
35*49cdfc7eSAndroid Build Coastguard Worker */
36*49cdfc7eSAndroid Build Coastguard Worker
37*49cdfc7eSAndroid Build Coastguard Worker #include <sys/wait.h>
38*49cdfc7eSAndroid Build Coastguard Worker #include <signal.h>
39*49cdfc7eSAndroid Build Coastguard Worker #include <stdlib.h>
40*49cdfc7eSAndroid Build Coastguard Worker #include <errno.h>
41*49cdfc7eSAndroid Build Coastguard Worker #include "tst_test.h"
42*49cdfc7eSAndroid Build Coastguard Worker #include "mem.h"
43*49cdfc7eSAndroid Build Coastguard Worker
44*49cdfc7eSAndroid Build Coastguard Worker #ifdef HAVE_DECL_MADV_MERGEABLE
45*49cdfc7eSAndroid Build Coastguard Worker
46*49cdfc7eSAndroid Build Coastguard Worker static void sighandler(int sig);
47*49cdfc7eSAndroid Build Coastguard Worker
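/*
 * Reproduce the CVE-2011-2183 race: a child registers one page with KSM
 * (so its mm sits in ksmd's slot list) and then exits through a fault,
 * which makes __ksm_exit() unlink that mm while ksmd may be scanning it.
 * On a vulnerable kernel ksmd dereferences NULL (see the header comment);
 * on a fixed kernel the parent simply observes the child's clean exit.
 *
 * Breaks the test (TBROK) if the SIGSEGV handler cannot be installed,
 * the page size cannot be determined, madvise() fails, or the child
 * terminates with anything other than exit status 0.
 */
static void test_ksm(void)
{
	int status;
	long ps;
	pid_t pid;
	void *ptr;
	struct sigaction sa;

	/*
	 * The child deliberately writes to NULL. Route the resulting SIGSEGV
	 * to sighandler(), which _exit()s with status 0 for SIGSEGV and with
	 * the signal number otherwise, so the parent can tell the expected
	 * fault from any other signal. The disposition is inherited by the
	 * child across fork(); a zeroed struct already gives sa_flags = 0.
	 */
	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = sighandler;
	TEST(sigaction(SIGSEGV, &sa, NULL));
	if (TST_RET == -1)
		tst_brk(TBROK | TRERRNO, "SIGSEGV signal setup failed");

	/*
	 * sysconf() reports failure as -1; previously that value was passed
	 * straight to SAFE_MEMALIGN()/madvise() as a (huge) size.
	 */
	ps = sysconf(_SC_PAGESIZE);
	if (ps < 0)
		tst_brk(TBROK | TERRNO, "sysconf(_SC_PAGESIZE)");

	pid = SAFE_FORK();
	if (pid == 0) {
		/* One page-aligned page is enough to register the mm with KSM. */
		ptr = SAFE_MEMALIGN(ps, ps);
		if (madvise(ptr, ps, MADV_MERGEABLE) < 0)
			tst_brk(TBROK | TERRNO, "madvise");
		*(volatile char *)NULL = 0; /* SIGSEGV occurs as expected. */
		/* Never fall through into the parent's wait logic. */
		tst_brk(TBROK, "NULL dereference did not raise SIGSEGV");
	}

	/*
	 * Only a normal exit with status 0 (sighandler's path for SIGSEGV)
	 * is acceptable; a stop, a continue or any other status is reported
	 * verbatim. WUNTRACED/WCONTINUED make those states visible here
	 * instead of leaving the parent blocked.
	 */
	SAFE_WAITPID(pid, &status, WUNTRACED | WCONTINUED);
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
		tst_brk(TBROK, "invalid signal received: %d", status);

	/* Reaching this point means ksmd survived the child's exit. */
	tst_res(TPASS, "still alive.");
}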
79*49cdfc7eSAndroid Build Coastguard Worker
/*
 * Signal handler installed for SIGSEGV by test_ksm() and inherited by the
 * forked child. It terminates the process at once with _exit() (no atexit
 * handlers, no stdio flushing). The expected SIGSEGV maps to exit status 0;
 * any other signal number is passed through as the exit status so the
 * parent's WEXITSTATUS() check can report it.
 */
static void sighandler(int sig)
{
	int code = sig;

	if (sig == SIGSEGV)
		code = 0;

	_exit(code);
}
84*49cdfc7eSAndroid Build Coastguard Worker
/*
 * sysfs state written before the test and restored afterwards. ksmd must
 * be running (run=1) for the race described in the header to be reachable,
 * so that write is fatal if it fails. smart_scan is switched off where the
 * knob exists and silently skipped where it does not (presumably kernels
 * predating the knob); a read-only knob is still a TBROK.
 */
static const struct tst_path_val ksm_sysfs_state[] = {
	{"/sys/kernel/mm/ksm/run", "1", TST_SR_TBROK},
	{"/sys/kernel/mm/ksm/smart_scan", "0",
	 TST_SR_SKIP_MISSING | TST_SR_TBROK_RO},
	{}
};

/* Without KSM in the kernel there is nothing to exercise. */
static const char *const ksm_kconfigs[] = {
	"CONFIG_KSM=y",
	NULL
};

static const struct tst_tag ksm_tags[] = {
	{"CVE", "2011-2183"},
	{}
};

static struct tst_test test = {
	.needs_root = 1,	/* writes under /sys/kernel/mm/ksm */
	.forks_child = 1,	/* test_ksm() uses SAFE_FORK() */
	.test_all = test_ksm,
	.save_restore = ksm_sysfs_state,
	.needs_kconfigs = ksm_kconfigs,
	.tags = ksm_tags,
};
104*49cdfc7eSAndroid Build Coastguard Worker
105*49cdfc7eSAndroid Build Coastguard Worker #else
106*49cdfc7eSAndroid Build Coastguard Worker TST_TEST_TCONF("no MADV_MERGEABLE found.");
107*49cdfc7eSAndroid Build Coastguard Worker #endif