* [LTP] [PATCH 1/2] Add test for CVE 2020-25704
From: Martin Doucha @ 2021-08-02 16:09 UTC (permalink / raw)
To: ltp
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
runtest/cve | 2 +
runtest/syscalls | 3 +
.../syscalls/perf_event_open/.gitignore | 1 +
.../perf_event_open/perf_event_open.h | 39 ++++++++
.../perf_event_open/perf_event_open03.c | 96 +++++++++++++++++++
5 files changed, 141 insertions(+)
create mode 100644 testcases/kernel/syscalls/perf_event_open/perf_event_open.h
create mode 100644 testcases/kernel/syscalls/perf_event_open/perf_event_open03.c
diff --git a/runtest/cve b/runtest/cve
index 8aa048a40..d2d2ee103 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -66,3 +66,5 @@ cve-2020-25705 icmp_rate_limit01
cve-2020-29373 io_uring02
cve-2021-3444 bpf_prog05
cve-2021-26708 vsock01
+# Tests below may cause kernel memory leak
+cve-2020-25704 perf_event_open03
diff --git a/runtest/syscalls b/runtest/syscalls
index b379b2d90..5e3ac517f 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1737,3 +1737,6 @@ membarrier01 membarrier01
io_uring01 io_uring01
io_uring02 io_uring02
+
+# Tests below may cause kernel memory leak
+perf_event_open03 perf_event_open03
diff --git a/testcases/kernel/syscalls/perf_event_open/.gitignore b/testcases/kernel/syscalls/perf_event_open/.gitignore
index 057690063..a1e5987b6 100644
--- a/testcases/kernel/syscalls/perf_event_open/.gitignore
+++ b/testcases/kernel/syscalls/perf_event_open/.gitignore
@@ -1,2 +1,3 @@
/perf_event_open01
/perf_event_open02
+/perf_event_open03
diff --git a/testcases/kernel/syscalls/perf_event_open/perf_event_open.h b/testcases/kernel/syscalls/perf_event_open/perf_event_open.h
new file mode 100644
index 000000000..02f0dd72e
--- /dev/null
+++ b/testcases/kernel/syscalls/perf_event_open/perf_event_open.h
@@ -0,0 +1,39 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2021 SUSE LLC <mdoucha@suse.cz>
+ *
+ * Common definitions for perf_event_open tests
+ */
+
+#ifndef _PERF_EVENT_OPEN_H
+#define _PERF_EVENT_OPEN_H
+
+#include <linux/types.h>
+#include <linux/perf_event.h>
+#include <inttypes.h>
+
+static int perf_event_open(struct perf_event_attr *event, pid_t pid,
+ int cpu, int group_fd, unsigned long flags)
+{
+ int ret;
+
+ ret = tst_syscall(__NR_perf_event_open, event, pid, cpu,
+ group_fd, flags);
+
+ if (ret != -1)
+ return ret;
+
+ tst_res(TINFO, "%s event.type: %"PRIu32
+ ", event.config: %"PRIu64, __func__, (uint32_t)event->type,
+ (uint64_t)event->config);
+ if (errno == ENOENT || errno == ENODEV) {
+ tst_brk(TCONF | TERRNO, "%s type/config not supported",
+ __func__);
+ }
+ tst_brk(TBROK | TERRNO, "%s failed", __func__);
+
+ /* unreachable */
+ return -1;
+}
+
+#endif /* _PERF_EVENT_OPEN_H */
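Review bot: The new header is not self-contained: perf_event_open() uses `tst_syscall()`, `tst_res()`, `tst_brk()`, `errno` and `__NR_perf_event_open`, none of which are declared by the three headers it includes, so it only compiles when the including file has already pulled in `tst_test.h` and `lapi/syscalls.h` (as perf_event_open03.c does before its `#include "perf_event_open.h"`). Adding `#include "tst_test.h"` and `#include "lapi/syscalls.h"` at the top of the header would remove that ordering dependency. The wrapper is also a plain `static` function defined in a header; `static inline int perf_event_open(...)` avoids an unused-function warning in any file that includes the header without calling it. A short comment above the function saying that it only returns a valid descriptor, and otherwise ends the test through `tst_brk()` (TCONF for ENOENT/ENODEV, TBROK for anything else, per the `/* unreachable */` marker), would stop callers from adding a redundant error check.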
diff --git a/testcases/kernel/syscalls/perf_event_open/perf_event_open03.c b/testcases/kernel/syscalls/perf_event_open/perf_event_open03.c
new file mode 100644
index 000000000..7d03823e6
--- /dev/null
+++ b/testcases/kernel/syscalls/perf_event_open/perf_event_open03.c
@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2021 SUSE LLC <mdoucha@suse.cz>
+ *
+ * CVE-2020-25704
+ *
+ * Check for memory leak in PERF_EVENT_IOC_SET_FILTER ioctl command. Fixed in:
+ *
+ * commit 7bdb157cdebbf95a1cd94ed2e01b338714075d00
+ * Author: kiyin(??) <kiyin@tencent.com>
+ * Date: Wed Nov 4 08:23:22 2020 +0300
+ *
+ * perf/core: Fix a memory leak in perf_event_parse_addr_filter()
+ */
+
+#include "config.h"
+#include "tst_test.h"
+#include "lapi/syscalls.h"
+
+#if HAVE_PERF_EVENT_ATTR
+#include "perf_event_open.h"
+
+#define INTEL_PT_PATH "/sys/bus/event_source/devices/intel_pt/type"
+
+static int fd = -1;
+
+static void setup(void)
+{
+ struct perf_event_attr ev = {
+ .size = sizeof(struct perf_event_attr),
+ .exclude_kernel = 1,
+ .exclude_hv = 1,
+ .exclude_idle = 1
+ };
+
+ /* intel_pt is currently the only event source that supports filters */
+ if (access(INTEL_PT_PATH, F_OK))
+ tst_brk(TCONF, "intel_pt is not available");
+
+ SAFE_FILE_SCANF(INTEL_PT_PATH, "%d", &ev.type);
+ fd = perf_event_open(&ev, getpid(), -1, -1, 0);
+}
+
+static void run(void)
+{
+ struct sysinfo info1, info2;
+ unsigned long diff, memunit;
+ int i;
+
+ SAFE_SYSINFO(&info1);
+
+ /* leak about 100MB of RAM */
+ for (i = 0; i < 12000000; i++)
+ ioctl(fd, PERF_EVENT_IOC_SET_FILTER, "filter,0/0@abcd");
+
+ SAFE_SYSINFO(&info2);
+ memunit = info1.mem_unit;
+
+ /* sysinfo(2) man page does not guarantee consistent mem_unit... */
+ if (info1.mem_unit > info2.mem_unit) {
+ diff = info1.mem_unit / info2.mem_unit;
+ info2.freeram /= diff;
+ } else if (info1.mem_unit < info2.mem_unit) {
+ diff = info2.mem_unit / info1.mem_unit;
+ info1.freeram /= diff;
+ memunit = info2.mem_unit;
+ }
+
+ if (info1.freeram > info2.freeram + 50 * 1024 * 1024 / memunit)
+ tst_res(TFAIL, "Likely kernel memory leak detected");
+ else
+ tst_res(TPASS, "No memory leak found");
+}
+
+static void cleanup(void)
+{
+ if (fd >= 0)
+ SAFE_CLOSE(fd);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .needs_root = 1,
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "7bdb157cdebb"},
+ {"CVE", "2020-25704"},
+ {}
+ }
+};
+
+#else /* HAVE_PERF_EVENT_ATTR */
+TST_TEST_TCONF("This system doesn't have <linux/perf_event.h> or "
+ "struct perf_event_attr is not defined.");
+#endif
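Review bot: The return value of `ioctl(fd, PERF_EVENT_IOC_SET_FILTER, "filter,0/0@abcd")` in the loop in run() is discarded, so a call that is rejected before it ever reaches the filter parser is indistinguishable from the intended one, and the test then reports TPASS on a kernel it never actually exercised. For a CVE regression test that silent pass is the main risk. Checking the first call once before the loop, e.g. `ret = ioctl(fd, PERF_EVENT_IOC_SET_FILTER, "filter,0/0@abcd");` followed by `tst_res(TINFO | TERRNO, "first SET_FILTER ioctl returned %d", ret);`, and ending with TCONF or TBROK on an errno that shows the command was not handled, would keep a pass meaningful. Which errno the parser itself returns for this string is not visible here and should be confirmed. In setup(), `SAFE_FILE_SCANF(INTEL_PT_PATH, "%d", &ev.type)` stores through a pointer to a field that the shared wrapper prints as `uint32_t`, so `"%u"` is the matching conversion.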
--
2.32.0
* [LTP] [PATCH 2/2] perf_event_open02: Use common perf_event_open() wrapper
From: Martin Doucha @ 2021-08-02 16:09 UTC (permalink / raw)
To: ltp
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
.../perf_event_open/perf_event_open02.c | 28 +------------------
1 file changed, 1 insertion(+), 27 deletions(-)
diff --git a/testcases/kernel/syscalls/perf_event_open/perf_event_open02.c b/testcases/kernel/syscalls/perf_event_open/perf_event_open02.c
index eead421ac..7200d35e3 100644
--- a/testcases/kernel/syscalls/perf_event_open/perf_event_open02.c
+++ b/testcases/kernel/syscalls/perf_event_open/perf_event_open02.c
@@ -29,7 +29,6 @@
#define _GNU_SOURCE
#include <errno.h>
-#include <inttypes.h>
#include <sched.h>
#include <signal.h>
#include <stddef.h>
@@ -47,8 +46,7 @@
#include "lapi/syscalls.h"
#if HAVE_PERF_EVENT_ATTR
-#include <linux/types.h>
-#include <linux/perf_event.h>
+#include "perf_event_open.h"
#define MAX_CTRS 1000
@@ -67,30 +65,6 @@ static int tsk0 = -1, hwfd[MAX_CTRS], tskfd[MAX_CTRS];
static int volatile work_done;
static unsigned int est_loops;
-static int perf_event_open(struct perf_event_attr *event, pid_t pid,
- int cpu, int group_fd, unsigned long flags)
-{
- int ret;
-
- ret = tst_syscall(__NR_perf_event_open, event, pid, cpu,
- group_fd, flags);
-
- if (ret != -1)
- return ret;
-
- tst_res(TINFO, "perf_event_open event.type: %"PRIu32
- ", event.config: %"PRIu64, (uint32_t)event->type,
- (uint64_t)event->config);
- if (errno == ENOENT || errno == ENODEV) {
- tst_brk(TCONF | TERRNO,
- "perf_event_open type/config not supported");
- }
- tst_brk(TBROK | TERRNO, "perf_event_open failed");
-
- /* unreachable */
- return -1;
-}
-
static void all_counters_set(int state)
{
if (prctl(state) == -1)
--
2.32.0
* [LTP] [PATCH 1/2] Add test for CVE 2020-25704
From: Martin Doucha @ 2021-08-02 16:12 UTC (permalink / raw)
To: ltp
On 02. 08. 21 18:09, Martin Doucha wrote:
> Signed-off-by: Martin Doucha <mdoucha@suse.cz>
I forgot to add "Fixes #740" to the commit message in patch 1...
--
Martin Doucha mdoucha@suse.cz
QA Engineer for Software Maintenance
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic
* [LTP] [PATCH 1/2] Add test for CVE 2020-25704
From: Cyril Hrubis @ 2021-08-03 14:52 UTC (permalink / raw)
To: ltp
Hi!
> +static void run(void)
> +{
> + struct sysinfo info1, info2;
> + unsigned long diff, memunit;
> + int i;
> +
> + SAFE_SYSINFO(&info1);
> +
> + /* leak about 100MB of RAM */
> + for (i = 0; i < 12000000; i++)
> + ioctl(fd, PERF_EVENT_IOC_SET_FILTER, "filter,0/0@abcd");
> +
> + SAFE_SYSINFO(&info2);
> + memunit = info1.mem_unit;
> +
> + /* sysinfo(2) man page does not guarantee consistent mem_unit... */
> + if (info1.mem_unit > info2.mem_unit) {
> + diff = info1.mem_unit / info2.mem_unit;
> + info2.freeram /= diff;
> + } else if (info1.mem_unit < info2.mem_unit) {
> + diff = info2.mem_unit / info1.mem_unit;
> + info1.freeram /= diff;
> + memunit = info2.mem_unit;
> + }
I guess that SAFE_READ_MEMINFO() would be much easier to use with:
memfree_before = SAFE_READ_MEMINFO("MemFree:");
// do the test
memfree_after = SAFE_READ_MEMINFO("MemFree:");
And the result is conveniently in kilobytes.
> + if (info1.freeram > info2.freeram + 50 * 1024 * 1024 / memunit)
> + tst_res(TFAIL, "Likely kernel memory leak detected");
> + else
> + tst_res(TPASS, "No memory leak found");
> +}
> +
> +static void cleanup(void)
> +{
> + if (fd >= 0)
> + SAFE_CLOSE(fd);
> +}
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .cleanup = cleanup,
> + .needs_root = 1,
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "7bdb157cdebb"},
> + {"CVE", "2020-25704"},
> + {}
> + }
> +};
> +
> +#else /* HAVE_PERF_EVENT_ATTR */
> +TST_TEST_TCONF("This system doesn't have <linux/perf_event.h> or "
> + "struct perf_event_attr is not defined.");
> +#endif
> --
> 2.32.0
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
--
Cyril Hrubis
chrubis@suse.cz