1 /* 2 * Copyright (C) 2013 Linux Test Project 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of version 2 of the GNU General Public 6 * License as published by the Free Software Foundation. 7 * 8 * This program is distributed in the hope that it would be useful, 9 * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 11 * 12 * Further, this software is distributed without any warranty that it 13 * is free of the rightful claim of any third person regarding 14 * infringement or the like. Any license provided herein, whether 15 * implied or otherwise, applies only to this software file. Patent 16 * licenses, if any, provided herein do not apply to combinations of 17 * this program with other software, or any other product whatsoever. 18 * 19 * You should have received a copy of the GNU General Public License 20 * along with this program; if not, write the Free Software 21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 22 * 02110-1301, USA. 23 */ 24 /* 25 * reproducer for: 26 * BUG: unable to handle kernel NULL ptr deref in selinux_socket_unix_may_send 27 * fixed in 3.9.0-0.rc5: 28 * commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0 29 * Author: Paul Moore <pmoore (at) redhat.com> 30 * Date: Mon Mar 25 03:18:33 2013 +0000 31 * unix: fix a race condition in unix_release() 32 */ 33 34 #define _GNU_SOURCE 35 #include <sys/ipc.h> 36 #include <sys/stat.h> 37 #include <sys/sem.h> 38 #include <sys/socket.h> 39 #include <sys/types.h> 40 #include <sys/un.h> 41 #include <sys/wait.h> 42 #include <errno.h> 43 #include <signal.h> 44 #include <limits.h> 45 #include "config.h" 46 #include "test.h" 47 #include "safe_macros.h" 48 #include "lapi/semun.h" 49 50 char *TCID = "sendmsg02"; 51 52 static int sem_id; 53 static int tflag; 54 static char *t_opt; 55 static option_t options[] = { 56 {"s:", &tflag, &t_opt}, 57 {NULL, NULL, NULL} 58 }; 59 60 static void setup(void); 61 static void cleanup(void); 62 63 static void client(int id, int pipefd[]) 64 { 65 int fd, semval; 66 char data[] = "123456789"; 67 struct iovec w; 68 struct sockaddr_un sa; 69 struct msghdr mh; 70 struct cmsghdr cmh; 71 72 close(pipefd[0]); 73 74 memset(&sa, 0, sizeof(sa)); 75 sa.sun_family = AF_UNIX; 76 snprintf(sa.sun_path, sizeof(sa.sun_path), "socket_test%d", id); 77 78 w.iov_base = data; 79 w.iov_len = 10; 80 81 memset(&cmh, 0, sizeof(cmh)); 82 mh.msg_control = &cmh; 83 mh.msg_controllen = sizeof(cmh); 84 85 memset(&mh, 0, sizeof(mh)); 86 mh.msg_name = &sa; 87 mh.msg_namelen = sizeof(struct sockaddr_un); 88 mh.msg_iov = &w; 89 mh.msg_iovlen = 1; 90 91 do { 92 fd = socket(AF_UNIX, SOCK_DGRAM, 0); 93 write(pipefd[1], &fd, 1); 94 sendmsg(fd, &mh, MSG_NOSIGNAL); 95 close(fd); 96 semval = semctl(sem_id, 0, GETVAL); 97 } while (semval != 0); 98 close(pipefd[1]); 99 } 100 101 static void server(int id, int pipefd[]) 102 { 103 int fd, semval; 104 struct sockaddr_un sa; 105 106 close(pipefd[1]); 107 108 memset(&sa, 0, sizeof(sa)); 109 sa.sun_family = AF_UNIX; 110 snprintf(sa.sun_path, sizeof(sa.sun_path), "socket_test%d", id); 111 112 do { 113 fd = socket(AF_UNIX, SOCK_DGRAM, 0); 114 unlink(sa.sun_path); 115 bind(fd, (struct sockaddr *) &sa, sizeof(struct sockaddr_un)); 116 read(pipefd[0], &fd, 1); 117 close(fd); 118 semval = semctl(sem_id, 0, GETVAL); 119 } while (semval != 0); 120 close(pipefd[0]); 121 } 122 123 static void reproduce(int seconds) 124 { 125 int i, status, pipefd[2]; 126 int child_pairs = sysconf(_SC_NPROCESSORS_ONLN)*4; 127 int child_count = 0; 128 int *child_pids; 129 int child_pid; 130 union semun u; 131 132 child_pids = SAFE_MALLOC(cleanup, sizeof(int) * child_pairs * 2); 133 134 u.val = 1; 135 if (semctl(sem_id, 0, SETVAL, u) == -1) 136 tst_brkm(TBROK | TERRNO, cleanup, "couldn't set semval to 1"); 137 138 /* fork child for each client/server pair */ 139 for (i = 0; i < child_pairs*2; i++) { 140 if (i%2 == 0) { 141 if (pipe(pipefd) < 0) { 142 tst_resm(TBROK | TERRNO, "pipe failed"); 143 break; 144 } 145 } 146 147 child_pid = fork(); 148 switch (child_pid) { 149 case -1: 150 tst_resm(TBROK | TERRNO, "fork"); 151 break; 152 case 0: 153 if (i%2 == 0) 154 server(i, pipefd); 155 else 156 client(i-1, pipefd); 157 exit(0); 158 default: 159 child_pids[child_count++] = child_pid; 160 }; 161 162 /* this process can close the pipe now */ 163 if (i%2 == 0) { 164 close(pipefd[0]); 165 close(pipefd[1]); 166 } 167 } 168 169 /* let clients/servers run for a while, then clear semval to signal 170 * they should stop running now */ 171 if (child_count == child_pairs*2) 172 sleep(seconds); 173 174 u.val = 0; 175 if (semctl(sem_id, 0, SETVAL, u) == -1) { 176 /* kill children if setting semval failed */ 177 for (i = 0; i < child_count; i++) 178 kill(child_pids[i], SIGKILL); 179 tst_resm(TBROK | TERRNO, "couldn't set semval to 0"); 180 } 181 182 for (i = 0; i < child_count; i++) { 183 if (waitpid(child_pids[i], &status, 0) == -1) 184 tst_resm(TBROK | TERRNO, "waitpid for %d failed", 185 child_pids[i]); 186 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) 187 tst_resm(TFAIL, "child %d returns %d", i, status); 188 } 189 free(child_pids); 190 } 191 192 static void help(void) 193 { 194 printf(" -s NUM Number of seconds to run.\n"); 195 } 196 197 int main(int argc, char *argv[]) 198 { 199 int lc; 200 long seconds; 201 202 tst_parse_opts(argc, argv, options, &help); 203 setup(); 204 205 seconds = tflag ? SAFE_STRTOL(NULL, t_opt, 1, LONG_MAX) : 15; 206 for (lc = 0; TEST_LOOPING(lc); lc++) 207 reproduce(seconds); 208 tst_resm(TPASS, "finished after %ld seconds", seconds); 209 210 cleanup(); 211 tst_exit(); 212 } 213 214 static void setup(void) 215 { 216 tst_require_root(); 217 tst_tmpdir(); 218 219 sem_id = semget(IPC_PRIVATE, 1, IPC_CREAT | S_IRWXU); 220 if (sem_id == -1) 221 tst_brkm(TBROK | TERRNO, NULL, "Couldn't allocate semaphore"); 222 223 TEST_PAUSE; 224 } 225 226 static void cleanup(void) 227 { 228 semctl(sem_id, 0, IPC_RMID); 229 tst_rmdir(); 230 } 231