On Mon, Mar 07, 2011 at 03:29:01PM +0800, Han Pingtian wrote: > On Fri, Mar 04, 2011 at 02:38:51AM -0800, Garrett Cooper wrote: > > On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <[email protected]> wrote: > > > This is a reproducer of CVE-2011-0999, which fixed by mainline commit > > > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: > > > > > > "Transparent hugepages can only be created if rmap is fully > > > functional. So we must prevent hugepages to be created while > > > is_vma_temporary_stack() is true." > > > > > > When running in a loop, it can trigger panic like this, if kernel > > > unpatched: > > > > > > kernel BUG at mm/huge_memory.c:1260! > > > invalid opcode: 0000 [#1] SMP > > > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map > > > > ... > > > > > +static option_t options[] = { > > > + {NULL, NULL, NULL} > > > +}; > > > + > > > +static void usage(void) > > > +{ > > > + return; > > > +} > > > > You can delete this if you do what I suggest below... > > > > ... > > > > > + msg = parse_opts(argc, argv, options, usage); > > > + if (msg != NULL) > > > > `if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)' is preferred. > Thanks. I have updated this according to your suggestion. > > > > > + if (execve("/bin/true", c, c) == -1) > > > + tst_brkm(TBROK|TERRNO, NULL, > > > "execve"); > > > > Not all systems have /bin/true. It would be better to do: > > > > /bin/sh -c ':' > > > > etc, as we have code that depends on this type of shell-required POSIX > > behavior. > > > I'm sorry for I cannot figure out how to do this way. I tried, but > cannot crash unpatched kernel anymore. So I think the simple workaround > is checking if /bin/true installed in the program: > > + > + if (WEXITSTATUS(st) == 2) > + tst_brkm(TBROK, NULL, "Do you have > /bin/true installed?"); > + > Is this acceptable, please?
Thanks. > Please review the updated version. > > Thanks, > > -Garrett > > -- > Han Pingtian > Quality Engineer > hpt @ #kernel-qe > Red Hat, Inc > Freedom ... courage ... Commitment ... ACCOUNTABILITY > >From 38c3526fdb59c0b18015914745f2d43fc6c6b1a3 Mon Sep 17 00:00:00 2001 > From: Han Pingtian <[email protected]> > Date: Fri, 25 Feb 2011 17:51:24 +0800 > Subject: [PATCH] thp testcase come from CVE reproducer > > This is a reproducer of CVE-2011-0999, which fixed by mainline commit > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: > > "Transparent hugepages can only be created if rmap is fully > functional. So we must prevent hugepages to be created while > is_vma_temporary_stack() is true." > > When running in a loop, it can trigger panic like this, if kernel > unpatched: > > kernel BUG at mm/huge_memory.c:1260! > invalid opcode: 0000 [#1] SMP > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map > .... > > So I recommend to run it as 'thp01 -I xxx'. > > Signed-off-by: Han Pingtian <[email protected]> > --- > runtest/mm | 2 + > testcases/kernel/mem/thp/Makefile | 23 +++++++++ > testcases/kernel/mem/thp/thp01.c | 95 > +++++++++++++++++++++++++++++++++++++ > 3 files changed, 120 insertions(+), 0 deletions(-) > create mode 100644 testcases/kernel/mem/thp/Makefile > create mode 100644 testcases/kernel/mem/thp/thp01.c > > diff --git a/runtest/mm b/runtest/mm > index 1296e59..51cc82d 100644 > --- a/runtest/mm > +++ b/runtest/mm > @@ -85,3 +85,5 @@ oom01 oom01 > oom02 oom02 > oom03 oom03 > oom04 oom04 > + > +thp01 thp01 -I 600 > diff --git a/testcases/kernel/mem/thp/Makefile > b/testcases/kernel/mem/thp/Makefile > new file mode 100644 > index 0000000..dbfbc1b > --- /dev/null > +++ b/testcases/kernel/mem/thp/Makefile > @@ -0,0 +1,23 @@ > +# > +# Copyright (C) 2010 Red Hat, Inc. > +# > +# This program is free software; you can redistribute it and/or modify > +# it under the terms of the GNU General Public License as published by > +# the Free Software Foundation; either version 2 of the License, or (at > +# your option) any later version. > +# > +# This program is distributed in the hope that it will be useful, but > +# WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > +# General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with this program; if not, write to the Free Software > +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA > +# 02110-1301, USA. > +# > + > +top_srcdir ?= ../../../.. > + > +include $(top_srcdir)/include/mk/testcases.mk > +include $(top_srcdir)/include/mk/generic_leaf_target.mk > diff --git a/testcases/kernel/mem/thp/thp01.c > b/testcases/kernel/mem/thp/thp01.c > new file mode 100644 > index 0000000..0b6ec1a > --- /dev/null > +++ b/testcases/kernel/mem/thp/thp01.c > @@ -0,0 +1,95 @@ > +/* > + * This is a reproducer of CVE-2011-0999, which fixed by mainline commit > + * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31: > + * > + * "Transparent hugepages can only be created if rmap is fully > + * functional. So we must prevent hugepages to be created while > + * is_vma_temporary_stack() is true." > + * > + * It will cause a panic something like this, if the patch didn't get > applied: > + * > + * kernel BUG at mm/huge_memory.c:1260! > + * invalid opcode: 0000 [#1] SMP > + * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map > + * .... > + * > + * Copyright (C) 2010 Red Hat, Inc. > + * This program is free software; you can redistribute it and/or > + * modify it under the terms of version 2 of the GNU General Public > + * License as published by the Free Software Foundation. > + * > + * This program is distributed in the hope that it would be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. > + * > + * Further, this software is distributed without any warranty that it > + * is free of the rightful claim of any third person regarding > + * infringement or the like. Any license provided herein, whether > + * implied or otherwise, applies only to this software file. Patent > + * licenses, if any, provided herein do not apply to combinations of > + * this program with other software, or any other product whatsoever. > + * > + * You should have received a copy of the GNU General Public License > + * along with this program; if not, write the Free Software > + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA > + * 02110-1301, USA. > + */ > +#include "test.h" > +#include "usctest.h" > +#include "config.h" > + > +char *TCID = "thp01"; > +int TST_TOTAL = 1; > + > +#include <stdio.h> > +#include <unistd.h> > +#include <string.h> > +#include <sys/resource.h> > +#include <sys/types.h> > +#include <sys/wait.h> > + > +int main(int argc, char **argv) { > + int i, lc, st; > + pid_t pid; > + char *msg; > + char *c[257]; > + char cc[32*4096]; > + struct rlimit rl = { > + .rlim_cur = RLIM_INFINITY, > + .rlim_max = RLIM_INFINITY, > + }; > + > + if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL) > + tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg); > + > + for (lc = 0; TEST_LOOPING(lc); lc++) { > + switch (pid = fork()) { > + case -1: > + tst_brkm(TBROK|TERRNO, NULL, "fork"); > + case 0: > + memset(cc, 'c', 32*4096-1); > + for (i=0;i<256;i++) > + c[i] = cc; > + if (setrlimit(RLIMIT_STACK, &rl) == -1) > + tst_brkm(TBROK|TERRNO, NULL, > "setrlimit"); > + if (execve("/bin/true", c, c) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "execve"); > + default: > + if (waitpid(pid, &st, 0) == -1) > + tst_brkm(TBROK|TERRNO, NULL, "waitpid"); > + > + if (! WIFEXITED(st)) > + tst_brkm(TBROK, NULL, "child exits > abnormally"); > + > + if (WEXITSTATUS(st) == 2) > + tst_brkm(TBROK, NULL, "Do you have > /bin/true installed?"); > + > + if (WEXITSTATUS(st) != 0) > + tst_brkm(TBROK, NULL, "chaild exits > with non-zero value"); > + > + tst_resm(TPASS, "thp01 pass"); > + } > + } > + > + tst_exit(); > +} > -- > 1.7.1 > > ------------------------------------------------------------------------------ > What You Don't Know About Data Connectivity CAN Hurt You > This paper provides an overview of data connectivity, details > its effect on application quality, and explores various alternative > solutions. http://p.sf.net/sfu/progress-d2d > _______________________________________________ > Ltp-list mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/ltp-list -- Han Pingtian Quality Engineer hpt @ #kernel-qe Red Hat, Inc Freedom ... courage ... Commitment ... ACCOUNTABILITY ------------------------------------------------------------------------------ Colocation vs. Managed Hosting A question and answer guide to determining the best fit for your organization - today and in the future. http://p.sf.net/sfu/internap-sfd2d _______________________________________________ Ltp-list mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/ltp-list
