-
Notifications
You must be signed in to change notification settings - Fork 1k
/
Copy pathtimerfd_settime02.c
120 lines (98 loc) · 2.84 KB
/
timerfd_settime02.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Copyright (C) 2020 SUSE LLC <mdoucha@suse.cz>
*
* CVE-2017-10661
*
* Test for race condition vulnerability in timerfd_settime(). Multiple
* concurrent calls of timerfd_settime() clearing the CANCEL_ON_SET flag may
* cause memory corruption. Fixed in:
*
* commit 1e38da300e1e395a15048b0af1e5305bd91402f6
* Author: Thomas Gleixner <tglx@linutronix.de>
* Date: Tue Jan 31 15:24:03 2017 +0100
*
* timerfd: Protect the might cancel mechanism proper
*/
#include <unistd.h>
#include "time64_variants.h"
#include "tst_timer.h"
#include "tst_safe_timerfd.h"
#include "tst_fuzzy_sync.h"
#define TIMERFD_FLAGS "timerfd_settime(TFD_TIMER_ABSTIME | TFD_TIMER_CANCEL_ON_SET)"
#ifndef TFD_TIMER_CANCEL_ON_SET
#define TFD_TIMER_CANCEL_ON_SET (1<<1)
#endif
static int fd = -1;
static struct tst_its its;
static struct tst_fzsync_pair fzsync_pair;
static struct time64_variants variants[] = {
#if (__NR_timerfd_settime != __LTP__NR_INVALID_SYSCALL)
{ .tfd_settime = sys_timerfd_settime, .ts_type = TST_KERN_OLD_TIMESPEC, .desc = "syscall with old kernel spec"},
#endif
#if (__NR_timerfd_settime64 != __LTP__NR_INVALID_SYSCALL)
{ .tfd_settime = sys_timerfd_settime64, .ts_type = TST_KERN_TIMESPEC, .desc = "syscall time64 with kernel spec"},
#endif
};
static void setup(void)
{
struct time64_variants *tv = &variants[tst_variant];
tst_res(TINFO, "Testing variant: %s", tv->desc);
its.type = tv->ts_type;
fd = SAFE_TIMERFD_CREATE(CLOCK_REALTIME, 0);
fzsync_pair.exec_loops = 1000000;
tst_fzsync_pair_init(&fzsync_pair);
}
static void cleanup(void)
{
if (fd >= 0)
SAFE_CLOSE(fd);
tst_fzsync_pair_cleanup(&fzsync_pair);
}
static int punch_clock(int flags)
{
return variants[tst_variant].tfd_settime(fd, flags, tst_its_get(&its),
NULL);
}
static void *thread_run(void *arg)
{
while (tst_fzsync_run_b(&fzsync_pair)) {
tst_fzsync_start_race_b(&fzsync_pair);
punch_clock(0);
tst_fzsync_end_race_b(&fzsync_pair);
}
return arg;
}
static void run(void)
{
tst_fzsync_pair_reset(&fzsync_pair, thread_run);
while (tst_fzsync_run_a(&fzsync_pair)) {
TEST(punch_clock(TFD_TIMER_ABSTIME | TFD_TIMER_CANCEL_ON_SET));
if (TST_RET == -1)
tst_brk(TBROK | TTERRNO, TIMERFD_FLAGS " failed");
if (TST_RET != 0)
tst_brk(TBROK | TTERRNO, "Invalid " TIMERFD_FLAGS
" return value");
tst_fzsync_start_race_a(&fzsync_pair);
punch_clock(0);
tst_fzsync_end_race_a(&fzsync_pair);
if (tst_taint_check()) {
tst_res(TFAIL, "Kernel is vulnerable");
return;
}
}
tst_res(TPASS, "Nothing bad happened, probably");
}
static struct tst_test test = {
.test_all = run,
.test_variants = ARRAY_SIZE(variants),
.setup = setup,
.cleanup = cleanup,
.taint_check = TST_TAINT_W | TST_TAINT_D,
.runtime = 150,
.tags = (const struct tst_tag[]) {
{"linux-git", "1e38da300e1e"},
{"CVE", "2017-10661"},
{}
}
};