Skip to content

Fix segment fault exe symbolic link then run ls cmd #35

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 2, 2024
Merged

Fix segment fault exe symbolic link then run ls cmd #35

merged 1 commit into from
Jan 2, 2024

Conversation

@RoyWFHuang
Copy link
Collaborator

@RoyWFHuang RoyWFHuang commented Jan 1, 2024

Description

When create a symbolic link and then execute 'ls' command, this will make the segmentation fault in user space

Root cause

By checking kernel log, we can see that
"usercopy: Kernel memory exposure attempt detected from SLUB object 'simplefs_cache' (offset 0, size 5)!", and by tracing kernel call, we also find call "readlink_copy" fail

In readlink_copy, this will copy data to user space, and the message shows kernel memoery exposure.

Fix solution

By kernel document
https://docs.kernel.org/core-api/memory-allocation.html?highlight=kmem_cache_create

"kmem_cache_create() or kmem_cache_create_usercopy() before it can be used. The second function should be used if a part of the cache might be copied to the userspace"

and readlink will copy the target name from simplefs inode link(inode->i_link) to the user space, so we replace kmem_cache_create to kmem_cache_create_usercopy

How has this been tested:

run make check

Testing cmd: ln file hdlink...Success
Testing cmd: mkdir dir/dir...Success
Testing cmd: ln -s file symlink...Success
Testing cmd: ls -lR...Success
Testing cmd: mkdir len_of_name_of_this_dir_is_29...Success
Testing cmd: touch len_of_name_of_the_file_is_29...Success
Testing cmd: ln -s dir len_of_name_of_the_link_is_29...Success
Testing cmd: echo abc > file...Success
Testing cmd: dd if=/dev/zero of=file bs=1M count=12 status=none...dd: error writing 'file': File too large
Check if exist: drwxr-xr-x 3 dir...Success
Check if exist: -rw-r--r-- 2 file...Success
Check if exist: -rw-r--r-- 2 hdlink...Success
Check if exist: drwxr-xr-x 2 dir...Success
Check if exist: lrwxrwxrwx 1 symlink...Success

Close #30

@RoyWFHuang
Fix segment fault exe symbolic link then run ls cmd
e87e4c8 
Description
-----------
When create a symbolic link and then execute 'ls' command,
this will make the segmentation fault in user space

Root cause
----------
By checking kernel log, we can see that
"usercopy: Kernel memory exposure attempt detected from SLUB object 'simplefs_cache' (offset 0, size 5)!",
and by tracing kernel call, we also find call "readlink_copy" fail

In readlink_copy, this will copy data to user space,
and the message shows kernel memoery exposure.

Fix solution
----------

By kernel document
https://docs.kernel.org/core-api/memory-allocation.html?highlight=kmem_cache_create

"kmem_cache_create() or kmem_cache_create_usercopy() before it can be used.
The second function should be used if a part of the cache might be copied to the userspace"

and readlink will copy the target name from simplefs inode link(inode->i_link) to the user space,
so we replace kmem_cache_create to kmem_cache_create_usercopy

How has this been tested:
----------
run make check

Testing cmd: ln file hdlink...Success
Testing cmd: mkdir dir/dir...Success
Testing cmd: ln -s file symlink...Success
Testing cmd: ls -lR...Success
Testing cmd: mkdir len_of_name_of_this_dir_is_29...Success
Testing cmd: touch len_of_name_of_the_file_is_29...Success
Testing cmd: ln -s dir len_of_name_of_the_link_is_29...Success
Testing cmd: echo abc > file...Success
Testing cmd: dd if=/dev/zero of=file bs=1M count=12 status=none...dd: error writing 'file': File too large
Check if exist: drwxr-xr-x 3 dir...Success
Check if exist: -rw-r--r-- 2 file...Success
Check if exist: -rw-r--r-- 2 hdlink...Success
Check if exist: drwxr-xr-x 2 dir...Success
Check if exist: lrwxrwxrwx 1 symlink...Success

Close sysprog21#30
@jserv
Copy link
Collaborator

jserv commented Jan 1, 2024

Can you provide the relevant test case?

@RoyWFHuang
Copy link
Collaborator Author

RoyWFHuang commented Jan 2, 2024

I run the "make check" and also use

#!/bin/bash
touch test/file1
cd test
ln -s file1 symlink
ls -lR

this bash script for test

@jserv
Copy link
Collaborator

jserv commented Jan 2, 2024

I run the "make check" and also use
[...]

Extend script/test.sh for automated tests.

@jserv
Copy link
Collaborator

jserv commented Jan 2, 2024

By the way, after resolving this issue, it is time to activate GitHub Actions for automated tests. See rv32emu workflows for example.

@RoyWFHuang
Copy link
Collaborator Author

RoyWFHuang commented Jan 2, 2024

I think it no needed to add the script into the scritp/test.sh file, beacuse this script is extracted from it

# create file
test_op 'touch file'
.....(skip)

# symbolic link
test_op 'ln -s file symlink'

# list directory contents
test_op 'ls -lR'

it's very similar with script/test.sh, I just skip the "touch a lot of file" testing

@jserv
Copy link
Collaborator

jserv commented Jan 2, 2024

I think it no needed to add the script into the scritp/test.sh file, beacuse this script is extracted from it

Then, we can move forward to GitHub Actions backed automations.

@jserv jserv merged commit e8d822e into sysprog21:master Jan 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Segmentation fault about execute symbolic link and then run ls commad.

2 participants

@RoyWFHuang @jserv