mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-12 21:57:43 +00:00
Code Issues Releases Wiki Activity
linux-stable/tools
History
Christian Brauner 6abc20f8f8
selftests/core: add regression test for CLOSE_RANGE_UNSHARE | CLOSE_RANGE_CLOEXEC 
This test is a minimalized version of the reproducer given by syzbot
(cf. [1]).

After introducing CLOSE_RANGE_CLOEXEC syzbot reported a crash when
CLOSE_RANGE_CLOEXEC is specified in conjunction with
CLOSE_RANGE_UNSHARE. When CLOSE_RANGE_UNSHARE is specified the caller
will receive a private file descriptor table in case their file
descriptor table is currently shared.
For the case where the caller has requested all file descriptors to be
actually closed via e.g. close_range(3, ~0U, 0) the kernel knows that
the caller does not need any of the file descriptors anymore and will
optimize the close operation by only copying all files in the range from
0 to 3 and no others.

However, if the caller requested CLOSE_RANGE_CLOEXEC together with
CLOSE_RANGE_UNSHARE the caller wants to still make use of the file
descriptors so the kernel needs to copy all of them and can't optimize.

The original patch didn't account for this and thus could cause oopses
as evidenced by the syzbot report. Add tests for this regression.

We first create a huge gap in the fd table. When we now call
CLOSE_RANGE_UNSHARE with a shared fd table and and with ~0U as upper
bound the kernel will only copy up to fd1 file descriptors into the new
fd table. If the kernel is buggy and doesn't handle CLOSE_RANGE_CLOEXEC
correctly it will not have copied all file descriptors and we will oops!

This test passes on a fixed kernel and will trigger an oops on a buggy
kernel.

[1]: https://syzkaller.appspot.com/text?tag=KernelConfig&x=db720fe37a6a41d8

Cc: Giuseppe Scrivano <gscrivan@redhat.com>
Cc: linux-fsdevel@vger.kernel.org
Link: syzbot+96cfd2b22b3213646a93@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20201218145415.801063-4-christian.brauner@ubuntu.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2020-12-19 16:23:19 +01:00
..
accounting
arch x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes 2020-12-06 09:58:13 +01:00
bootconfig tools/bootconfig: Store size and checksum in footer as le32 2020-11-30 23:22:11 -05:00
bpf Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-12-11 22:29:38 -08:00
build Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2020-11-14 09:13:41 -08:00
cgroup
debugging docs: Update documentation to reflect what TAINT_CPU_OUT_OF_SPEC means 2020-12-08 10:53:58 -07:00
edid
firewire
firmware
gpio tools: gpio: add debounce support to gpio-event-mon 2020-09-30 10:57:30 +02:00
hv
iio
include Networking updates for 5.11 2020-12-15 13:22:29 -08:00
io_uring
kvm/kvm_stat tools/kvm_stat: Exempt time-based counters 2020-12-11 19:18:51 -05:00
laptop
leds
lib Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2020-12-14 15:34:36 -08:00
memory-model tools/memory-model: Label MP tests' producers and consumers 2020-11-06 17:25:17 -08:00
objtool tools: Factor HOSTCC, HOSTLD, HOSTAR definitions 2020-11-11 12:18:22 -08:00
pci
pcmcia
perf Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-12-03 15:44:09 -08:00
power Power management updates for 5.11-rc1 2020-12-15 16:30:31 -08:00
scripts tools: Factor HOSTCC, HOSTLD, HOSTAR definitions 2020-11-11 12:18:22 -08:00
spi
testing selftests/core: add regression test for CLOSE_RANGE_UNSHARE | CLOSE_RANGE_CLOEXEC 2020-12-19 16:23:19 +01:00
thermal/tmon
time
usb
virtio
vm
wmi
Makefile