* [LTP] Testcase approach for MAP_GROWSDOWN
@ 2020-06-18 6:15 Pravin Raghul
2020-06-18 11:56 ` Jan Stancek
2020-06-18 12:24 ` Helge Deller
0 siblings, 2 replies; 3+ messages in thread
From: Pravin Raghul @ 2020-06-18 6:15 UTC (permalink / raw)
To: ltp
We are planning to add the following testcases for MAP_GROWSDOWN, please
let us know your thoughts on this.
We assign the memory region allocated using MAP_GROWSDOWN to a thread,
as a stack, to test the effect of MAP_GROWSDOWN. This is because the
kernel only grows the memory region when the stack pointer, is within
guard page, when the guard page is touched.
Test Case 1: Grow into an unmapped region
1. Map an anyonymous memory region of size X, and unmap it.
2. Split the unmapped memory region into two.
3. The lower memory region is left unmapped.
4. The higher memory region is mapped for use as stack, using MAP_FIXED
| MAP_GROWSDOWN.
5. The higher memory region is provided as stack to a thread, where a
recursive function is invoked.
6. The stack grows beyond the allocated region, into the lower memory area.
7. If this results in the memory region being extended, into the
unmapped region, the test is considered to have passed.
Test Case 2: Grow into a mapped region
1. Map an anonymous memory area.
2. Split the memory area into two by mapping them into two areas.
3. The lower memory area is mapped using MAP_FIXED.
4. The higher memory area is mapped for use as stack, using MAP_FIXED |
MAP_GROWSDOWN.
5. The higher memory area is provided as stack to a thread, where a
recursive function is invoked.
6. The stack grows beyond the allocated area, into the lower memory area.
7. If this results in a segmentation fault, the test is considered to
have passed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linux.it/pipermail/ltp/attachments/20200618/702244fe/attachment.htm>
^ permalink raw reply [flat|nested] 3+ messages in thread
* [LTP] Testcase approach for MAP_GROWSDOWN
2020-06-18 6:15 [LTP] Testcase approach for MAP_GROWSDOWN Pravin Raghul
@ 2020-06-18 11:56 ` Jan Stancek
2020-06-18 12:24 ` Helge Deller
1 sibling, 0 replies; 3+ messages in thread
From: Jan Stancek @ 2020-06-18 11:56 UTC (permalink / raw)
To: ltp
----- Original Message -----
>
>
> We are planning to add the following testcases for MAP_GROWSDOWN, please let
> us know your thoughts on this.
Sounds similar to test for CVE-2017-1000364 ./testcases/cve/stack_clash.c
Can you have a look if it covers at least test case 2 below?
>
> We assign the memory region allocated using MAP_GROWSDOWN to a thread, as a
> stack, to test the effect of MAP_GROWSDOWN. This is because the kernel only
> grows the memory region when the stack pointer, is within guard page, when
> the guard page is touched. Test Case 1: Grow into an unmapped region
>
>
> 1. Map an anyonymous memory region of size X, and unmap it.
> 2. Split the unmapped memory region into two.
> 3. The lower memory region is left unmapped.
> 4. The higher memory region is mapped for use as stack, using MAP_FIXED |
> MAP_GROWSDOWN.
> 5. The higher memory region is provided as stack to a thread, where a
> recursive function is invoked.
> 6. The stack grows beyond the allocated region, into the lower memory
> area.
> 7. If this results in the memory region being extended, into the unmapped
> region, the test is considered to have passed.
> Test Case 2: Grow into a mapped region
>
>
> 1. Map an anonymous memory area.
> 2. Split the memory area into two by mapping them into two areas.
> 3. The lower memory area is mapped using MAP_FIXED.
> 4. The higher memory area is mapped for use as stack, using MAP_FIXED |
> MAP_GROWSDOWN.
> 5. The higher memory area is provided as stack to a thread, where a
> recursive function is invoked.
> 6. The stack grows beyond the allocated area, into the lower memory area.
> 7. If this results in a segmentation fault, the test is considered to
> have passed.
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* [LTP] Testcase approach for MAP_GROWSDOWN
2020-06-18 6:15 [LTP] Testcase approach for MAP_GROWSDOWN Pravin Raghul
2020-06-18 11:56 ` Jan Stancek
@ 2020-06-18 12:24 ` Helge Deller
1 sibling, 0 replies; 3+ messages in thread
From: Helge Deller @ 2020-06-18 12:24 UTC (permalink / raw)
To: ltp
On 18.06.20 08:15, Pravin Raghul wrote:
> We are planning to add the following testcases for MAP_GROWSDOWN, please let us know your thoughts on this.
>
> We assign the memory region allocated using MAP_GROWSDOWN to a thread, as a stack, to test the effect of MAP_GROWSDOWN. This is because the kernel only grows the memory region when the stack pointer, is within guard page, when the guard page is touched.
>
>
> Test Case 1: Grow into an unmapped region
>
> 1. Map an anyonymous memory region of size X, and unmap it.
> 2. Split the unmapped memory region into two.
> 3. The lower memory region is left unmapped.
> 4. The higher memory region is mapped for use as stack, using MAP_FIXED | MAP_GROWSDOWN.
> 5. The higher memory region is provided as stack to a thread, where a recursive function is invoked.
> 6. The stack grows beyond the allocated region, into the lower memory area.
For architectures where the stack grows up (e.g. parisc), you need to start from lower memory region
and grow up into the higher one. I can test on parisc hardware or give you access if needed.
Helge
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-18 12:24 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-18 6:15 [LTP] Testcase approach for MAP_GROWSDOWN Pravin Raghul
2020-06-18 11:56 ` Jan Stancek
2020-06-18 12:24 ` Helge Deller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.