* [LTP] [PATCH] thp testcase come from CVE reproducer
@ 2011-02-25 10:36 Han Pingtian
  2011-03-04 10:38 ` Garrett Cooper
  2011-04-07  6:57 ` Garrett Cooper
  0 siblings, 2 replies; 18+ messages in thread
From: Han Pingtian @ 2011-02-25 10:36 UTC (permalink / raw)
  To: Garrett Cooper; +Cc: ltp-list

This is a reproducer for CVE-2011-0999, which was fixed by mainline commit
a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:

"Transparent hugepages can only be created if rmap is fully
functional. So we must prevent hugepages to be created while
is_vma_temporary_stack() is true."

When running in a loop, it can trigger panic like this, if kernel
unpatched:

kernel BUG at mm/huge_memory.c:1260!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
....

So I recommend to run it as 'thp01 -I xxx'.

Signed-off-by: Han Pingtian <phan@redhat.com>
---
 runtest/mm                        |    2 +
 testcases/kernel/mem/thp/Makefile |   23 +++++++++
 testcases/kernel/mem/thp/thp01.c  |   99 +++++++++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+), 0 deletions(-)
 create mode 100644 testcases/kernel/mem/thp/Makefile
 create mode 100644 testcases/kernel/mem/thp/thp01.c

diff --git a/runtest/mm b/runtest/mm
index f097256..6b7e003 100644
--- a/runtest/mm
+++ b/runtest/mm
@@ -84,3 +84,5 @@ oom01 oom01
 oom02 oom02
 oom03 oom03
 oom04 oom04
+
+thp01 thp01 -I 600
diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile
new file mode 100644
index 0000000..dbfbc1b
--- /dev/null
+++ b/testcases/kernel/mem/thp/Makefile
@@ -0,0 +1,23 @@
+#
+#  Copyright (C) 2010  Red Hat, Inc.
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or (at
+#  your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+#  02110-1301, USA.
+#
+
+top_srcdir              ?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c
new file mode 100644
index 0000000..b667b78
--- /dev/null
+++ b/testcases/kernel/mem/thp/thp01.c
@@ -0,0 +1,99 @@
+/*
+ * This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
+ * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
+ *
+ * "Transparent hugepages can only be created if rmap is fully
+ * functional. So we must prevent hugepages to be created while
+ * is_vma_temporary_stack() is true."
+ *
+ * It will cause a panic something like this, if the patch didn't get applied:
+ *
+ * kernel BUG at mm/huge_memory.c:1260!
+ * invalid opcode: 0000 [#1] SMP
+ * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
+ * ....
+ *
+ * Copyright (C) 2010  Red Hat, Inc.
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * Further, this software is distributed without any warranty that it
+ * is free of the rightful claim of any third person regarding
+ * infringement or the like.  Any license provided herein, whether
+ * implied or otherwise, applies only to this software file.  Patent
+ * licenses, if any, provided herein do not apply to combinations of
+ * this program with other software, or any other product whatsoever.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+#include "test.h"
+#include "usctest.h"
+#include "config.h"
+
+char *TCID = "thp01";
+int TST_TOTAL = 1;
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/resource.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+static option_t options[] = {
+	{NULL, NULL, NULL}
+};
+
+static void usage(void)
+{
+    return;
+}
+
+int main(int argc, char **argv) {
+	int i, lc, st;
+	pid_t pid;
+	char *msg;
+	char *c[257];
+	char cc[32*4096];
+	struct rlimit rl = {
+		.rlim_cur =RLIM_INFINITY,
+		.rlim_max=RLIM_INFINITY,
+	};
+
+	msg = parse_opts(argc, argv, options, usage);
+	if (msg != NULL)
+		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
+
+	for (lc = 0; TEST_LOOPING(lc); lc++) {
+		switch (pid = fork()) {
+			case -1:
+				tst_brkm(TBROK|TERRNO, NULL, "fork");
+			case 0:
+				memset(cc, 'c', 32*4096-1);
+				for (i=0;i<256;i++)
+					c[i] = cc;
+				if (setrlimit(RLIMIT_STACK, &rl) == -1)
+					tst_brkm(TBROK|TERRNO, NULL, "setrlimit");
+				if (execve("/bin/true", c, c) == -1)
+					tst_brkm(TBROK|TERRNO, NULL, "execve");
+			default:
+				if (waitpid(pid, &st, 0) == -1)
+					tst_brkm(TBROK|TERRNO, NULL, "waitpid");
+
+				if (! WIFEXITED(st))
+					tst_brkm(TBROK, NULL, "child exit status is %d", WEXITSTATUS(st));
+
+				tst_resm(TPASS, "thp01 pass");
+		}
+	}
+
+        tst_exit();
+}
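Review bot: The array `c`, which is handed to execve() as both argv and envp, is never NULL-terminated: the loop in `case 0` fills `c[0]` through `c[255]` and leaves `c[256]` uninitialized, so the kernel keeps reading pointers from whatever is on the stack, and the exec may fail with EFAULT or see a different number of strings from run to run. Adding `c[256] = NULL;` after the loop makes every iteration present the same 256 strings, which a regression test for a kernel fix needs in order to be repeatable. In the parent, `WEXITSTATUS(st)` is printed inside the `!WIFEXITED(st)` branch, where it carries no meaning; report `WTERMSIG(st)` under `WIFSIGNALED(st)` instead. The resent thp01.c later in this thread has the same unterminated array.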
-- 
1.7.1


* Re: [LTP] [PATCH] thp testcase come from CVE reproducer
  2011-02-25 10:36 [LTP] [PATCH] thp testcase come from CVE reproducer Han Pingtian
@ 2011-03-04 10:38 ` Garrett Cooper
  2011-03-07  7:29   ` Han Pingtian
  2011-04-07  6:57 ` Garrett Cooper
  1 sibling, 1 reply; 18+ messages in thread
From: Garrett Cooper @ 2011-03-04 10:38 UTC (permalink / raw)
  To: Garrett Cooper, ltp-list

On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote:
> This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
> a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
>
> "Transparent hugepages can only be created if rmap is fully
> functional. So we must prevent hugepages to be created while
> is_vma_temporary_stack() is true."
>
> When running in a loop, it can trigger panic like this, if kernel
> unpatched:
>
> kernel BUG at mm/huge_memory.c:1260!
> invalid opcode: 0000 [#1] SMP
> last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map

...

> +static option_t options[] = {
> +       {NULL, NULL, NULL}
> +};
> +
> +static void usage(void)
> +{
> +    return;
> +}

You can delete this if you do what I suggest below...

...

> +       msg = parse_opts(argc, argv, options, usage);
> +       if (msg != NULL)

`if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)' is preferred.

> +                               if (execve("/bin/true", c, c) == -1)
> +                                       tst_brkm(TBROK|TERRNO, NULL, "execve");

Not all systems have /bin/true. It would be better to do:

/bin/sh -c ':'

etc, as we have code that depends on this type of shell-required POSIX behavior.

Thanks,
-Garrett


* Re: [LTP] [PATCH] thp testcase come from CVE reproducer
  2011-03-04 10:38 ` Garrett Cooper
@ 2011-03-07  7:29   ` Han Pingtian
  2011-03-11  4:54     ` Han Pingtian
  2011-04-06 19:19     ` Cyril Hrubis
  0 siblings, 2 replies; 18+ messages in thread
From: Han Pingtian @ 2011-03-07  7:29 UTC (permalink / raw)
  To: Garrett Cooper; +Cc: ltp-list

[-- Attachment #1: Type: text/plain, Size: 2047 bytes --]

On Fri, Mar 04, 2011 at 02:38:51AM -0800, Garrett Cooper wrote:
> On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote:
> > This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
> > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
> >
> > "Transparent hugepages can only be created if rmap is fully
> > functional. So we must prevent hugepages to be created while
> > is_vma_temporary_stack() is true."
> >
> > When running in a loop, it can trigger panic like this, if kernel
> > unpatched:
> >
> > kernel BUG at mm/huge_memory.c:1260!
> > invalid opcode: 0000 [#1] SMP
> > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
> 
> ...
> 
> > +static option_t options[] = {
> > +       {NULL, NULL, NULL}
> > +};
> > +
> > +static void usage(void)
> > +{
> > +    return;
> > +}
> 
> You can delete this if you do what I suggest below...
> 
> ...
> 
> > +       msg = parse_opts(argc, argv, options, usage);
> > +       if (msg != NULL)
> 
> `if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)' is preferred.
Thanks. I have updated this according to your suggestion.
> 
> > +                               if (execve("/bin/true", c, c) == -1)
> > +                                       tst_brkm(TBROK|TERRNO, NULL, "execve");
> 
> Not all systems have /bin/true. It would be better to do:
> 
> /bin/sh -c ':'
> 
> etc, as we have code that depends on this type of shell-required POSIX behavior.
> 
I'm sorry, but I could not figure out how to do it this way. I tried, but
then I could no longer crash an unpatched kernel. So I think the simple
workaround is for the program to check whether /bin/true is installed:

+
+                               if (WEXITSTATUS(st) == 2)
+                                       tst_brkm(TBROK, NULL, "Do you have /bin/true installed?");
+

Please review the updated version.
> Thanks,
> -Garrett

-- 
Han Pingtian
Quality Engineer
hpt @ #kernel-qe
Red Hat, Inc
Freedom ... courage ... Commitment ... ACCOUNTABILITY

[-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --]
[-- Type: text/plain, Size: 5692 bytes --]

From 38c3526fdb59c0b18015914745f2d43fc6c6b1a3 Mon Sep 17 00:00:00 2001
From: Han Pingtian <phan@redhat.com>
Date: Fri, 25 Feb 2011 17:51:24 +0800
Subject: [PATCH] thp testcase come from CVE reproducer

This is a reproducer for CVE-2011-0999, which was fixed by mainline commit
a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:

"Transparent hugepages can only be created if rmap is fully
functional. So we must prevent hugepages to be created while
is_vma_temporary_stack() is true."

When running in a loop, it can trigger panic like this, if kernel
unpatched:

kernel BUG at mm/huge_memory.c:1260!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
....

So I recommend to run it as 'thp01 -I xxx'.

Signed-off-by: Han Pingtian <phan@redhat.com>
---
 runtest/mm                        |    2 +
 testcases/kernel/mem/thp/Makefile |   23 +++++++++
 testcases/kernel/mem/thp/thp01.c  |   95 +++++++++++++++++++++++++++++++++++++
 3 files changed, 120 insertions(+), 0 deletions(-)
 create mode 100644 testcases/kernel/mem/thp/Makefile
 create mode 100644 testcases/kernel/mem/thp/thp01.c

diff --git a/runtest/mm b/runtest/mm
index 1296e59..51cc82d 100644
--- a/runtest/mm
+++ b/runtest/mm
@@ -85,3 +85,5 @@ oom01 oom01
 oom02 oom02
 oom03 oom03
 oom04 oom04
+
+thp01 thp01 -I 600
diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile
new file mode 100644
index 0000000..dbfbc1b
--- /dev/null
+++ b/testcases/kernel/mem/thp/Makefile
@@ -0,0 +1,23 @@
+#
+#  Copyright (C) 2010  Red Hat, Inc.
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or (at
+#  your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+#  02110-1301, USA.
+#
+
+top_srcdir              ?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c
new file mode 100644
index 0000000..0b6ec1a
--- /dev/null
+++ b/testcases/kernel/mem/thp/thp01.c
@@ -0,0 +1,95 @@
+/*
+ * This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
+ * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
+ *
+ * "Transparent hugepages can only be created if rmap is fully
+ * functional. So we must prevent hugepages to be created while
+ * is_vma_temporary_stack() is true."
+ *
+ * It will cause a panic something like this, if the patch didn't get applied:
+ *
+ * kernel BUG at mm/huge_memory.c:1260!
+ * invalid opcode: 0000 [#1] SMP
+ * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
+ * ....
+ *
+ * Copyright (C) 2010  Red Hat, Inc.
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * Further, this software is distributed without any warranty that it
+ * is free of the rightful claim of any third person regarding
+ * infringement or the like.  Any license provided herein, whether
+ * implied or otherwise, applies only to this software file.  Patent
+ * licenses, if any, provided herein do not apply to combinations of
+ * this program with other software, or any other product whatsoever.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+#include "test.h"
+#include "usctest.h"
+#include "config.h"
+
+char *TCID = "thp01";
+int TST_TOTAL = 1;
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/resource.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+int main(int argc, char **argv) {
+	int i, lc, st;
+	pid_t pid;
+	char *msg;
+	char *c[257];
+	char cc[32*4096];
+	struct rlimit rl = {
+		.rlim_cur = RLIM_INFINITY,
+		.rlim_max = RLIM_INFINITY,
+	};
+
+	if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)
+		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
+
+	for (lc = 0; TEST_LOOPING(lc); lc++) {
+		switch (pid = fork()) {
+			case -1:
+				tst_brkm(TBROK|TERRNO, NULL, "fork");
+			case 0:
+				memset(cc, 'c', 32*4096-1);
+				for (i=0;i<256;i++)
+					c[i] = cc;
+				if (setrlimit(RLIMIT_STACK, &rl) == -1)
+					tst_brkm(TBROK|TERRNO, NULL, "setrlimit");
+				if (execve("/bin/true", c, c) == -1)
+					tst_brkm(TBROK|TERRNO, NULL, "execve");
+			default:
+				if (waitpid(pid, &st, 0) == -1)
+					tst_brkm(TBROK|TERRNO, NULL, "waitpid");
+
+				if (! WIFEXITED(st))
+					tst_brkm(TBROK, NULL, "child exits abnormally");
+
+				if (WEXITSTATUS(st) == 2)
+					tst_brkm(TBROK, NULL, "Do you have /bin/true installed?");
+
+				if (WEXITSTATUS(st) != 0)
+					tst_brkm(TBROK, NULL, "chaild exits with non-zero value");
+
+				tst_resm(TPASS, "thp01 pass");
+		}
+	}
+
+        tst_exit();
+}
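Review bot: The `WEXITSTATUS(st) == 2` check cannot tell a missing /bin/true apart from any other child failure, because both the setrlimit() and the execve() error paths in `case 0` end in `tst_brkm(TBROK, ...)`. Assuming the child then exits with the TBROK value, a setrlimit() that is refused for an unprivileged user or an execve() that is rejected for its argument size would also be reported as "Do you have /bin/true installed?". Checking `access("/bin/true", X_OK)` in the parent before the loop, or having the child print errno and `_exit()` with a distinct code per failure, would make the diagnosis match the cause. The message on the final check also misspells `child` as `chaild`.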
-- 
1.7.1



* Re: [LTP] [PATCH] thp testcase come from CVE reproducer
  2011-03-07  7:29   ` Han Pingtian
@ 2011-03-11  4:54     ` Han Pingtian
  2011-04-06 19:19     ` Cyril Hrubis
  1 sibling, 0 replies; 18+ messages in thread
From: Han Pingtian @ 2011-03-11  4:54 UTC (permalink / raw)
  To: Garrett Cooper, ltp-list

On Mon, Mar 07, 2011 at 03:29:01PM +0800, Han Pingtian wrote:
> On Fri, Mar 04, 2011 at 02:38:51AM -0800, Garrett Cooper wrote:
> > On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote:
> > > This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
> > > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
> > >
> > > "Transparent hugepages can only be created if rmap is fully
> > > functional. So we must prevent hugepages to be created while
> > > is_vma_temporary_stack() is true."
> > >
> > > When running in a loop, it can trigger panic like this, if kernel
> > > unpatched:
> > >
> > > kernel BUG at mm/huge_memory.c:1260!
> > > invalid opcode: 0000 [#1] SMP
> > > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
> > 
> > ...
> > 
> > > +static option_t options[] = {
> > > +       {NULL, NULL, NULL}
> > > +};
> > > +
> > > +static void usage(void)
> > > +{
> > > +    return;
> > > +}
> > 
> > You can delete this if you do what I suggest below...
> > 
> > ...
> > 
> > > +       msg = parse_opts(argc, argv, options, usage);
> > > +       if (msg != NULL)
> > 
> > `if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)' is preferred.
> Thanks. I have updated this according to your suggestion.
> > 
> > > +                               if (execve("/bin/true", c, c) == -1)
> > > +                                       tst_brkm(TBROK|TERRNO, NULL, "execve");
> > 
> > Not all systems have /bin/true. It would be better to do:
> > 
> > /bin/sh -c ':'
> > 
> > etc, as we have code that depends on this type of shell-required POSIX behavior.
> > 
> I'm sorry for I cannot figure out how to do this way. I tried, but
> cannot crash unpatched kernel anymore. So I think the simple workaround
> is checking if /bin/true installed in the program:
> 
> +
> +                               if (WEXITSTATUS(st) == 2)
> +                                       tst_brkm(TBROK, NULL, "Do you have /bin/true installed?");
> +
> 
Is this acceptable, please?

Thanks.
> Please review the updated version.
> > Thanks,
> > -Garrett
> 
> -- 
> Han Pingtian
> Quality Engineer
> hpt @ #kernel-qe
> Red Hat, Inc
> Freedom ... courage ... Commitment ... ACCOUNTABILITY

> >From 38c3526fdb59c0b18015914745f2d43fc6c6b1a3 Mon Sep 17 00:00:00 2001
> From: Han Pingtian <phan@redhat.com>
> Date: Fri, 25 Feb 2011 17:51:24 +0800
> Subject: [PATCH] thp testcase come from CVE reproducer
> 
> This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
> a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
> 
> "Transparent hugepages can only be created if rmap is fully
> functional. So we must prevent hugepages to be created while
> is_vma_temporary_stack() is true."
> 
> When running in a loop, it can trigger panic like this, if kernel
> unpatched:
> 
> kernel BUG at mm/huge_memory.c:1260!
> invalid opcode: 0000 [#1] SMP
> last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
> ....
> 
> So I recommend to run it as 'thp01 -I xxx'.
> 
> Signed-off-by: Han Pingtian <phan@redhat.com>
> ---
>  runtest/mm                        |    2 +
>  testcases/kernel/mem/thp/Makefile |   23 +++++++++
>  testcases/kernel/mem/thp/thp01.c  |   95 +++++++++++++++++++++++++++++++++++++
>  3 files changed, 120 insertions(+), 0 deletions(-)
>  create mode 100644 testcases/kernel/mem/thp/Makefile
>  create mode 100644 testcases/kernel/mem/thp/thp01.c
> 
> diff --git a/runtest/mm b/runtest/mm
> index 1296e59..51cc82d 100644
> --- a/runtest/mm
> +++ b/runtest/mm
> @@ -85,3 +85,5 @@ oom01 oom01
>  oom02 oom02
>  oom03 oom03
>  oom04 oom04
> +
> +thp01 thp01 -I 600
> diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile
> new file mode 100644
> index 0000000..dbfbc1b
> --- /dev/null
> +++ b/testcases/kernel/mem/thp/Makefile
> @@ -0,0 +1,23 @@
> +#
> +#  Copyright (C) 2010  Red Hat, Inc.
> +#
> +#  This program is free software; you can redistribute it and/or modify
> +#  it under the terms of the GNU General Public License as published by
> +#  the Free Software Foundation; either version 2 of the License, or (at
> +#  your option) any later version.
> +#
> +#  This program is distributed in the hope that it will be useful, but
> +#  WITHOUT ANY WARRANTY; without even the implied warranty of
> +#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +#  General Public License for more details.
> +#
> +#  You should have received a copy of the GNU General Public License
> +#  along with this program; if not, write to the Free Software
> +#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> +#  02110-1301, USA.
> +#
> +
> +top_srcdir              ?= ../../../..
> +
> +include $(top_srcdir)/include/mk/testcases.mk
> +include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c
> new file mode 100644
> index 0000000..0b6ec1a
> --- /dev/null
> +++ b/testcases/kernel/mem/thp/thp01.c
> @@ -0,0 +1,95 @@
> +/*
> + * This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
> + * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
> + *
> + * "Transparent hugepages can only be created if rmap is fully
> + * functional. So we must prevent hugepages to be created while
> + * is_vma_temporary_stack() is true."
> + *
> + * It will cause a panic something like this, if the patch didn't get applied:
> + *
> + * kernel BUG at mm/huge_memory.c:1260!
> + * invalid opcode: 0000 [#1] SMP
> + * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
> + * ....
> + *
> + * Copyright (C) 2010  Red Hat, Inc.
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of version 2 of the GNU General Public
> + * License as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it would be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> + *
> + * Further, this software is distributed without any warranty that it
> + * is free of the rightful claim of any third person regarding
> + * infringement or the like.  Any license provided herein, whether
> + * implied or otherwise, applies only to this software file.  Patent
> + * licenses, if any, provided herein do not apply to combinations of
> + * this program with other software, or any other product whatsoever.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, write the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> + * 02110-1301, USA.
> + */
> +#include "test.h"
> +#include "usctest.h"
> +#include "config.h"
> +
> +char *TCID = "thp01";
> +int TST_TOTAL = 1;
> +
> +#include <stdio.h>
> +#include <unistd.h>
> +#include <string.h>
> +#include <sys/resource.h>
> +#include <sys/types.h>
> +#include <sys/wait.h>
> +
> +int main(int argc, char **argv) {
> +	int i, lc, st;
> +	pid_t pid;
> +	char *msg;
> +	char *c[257];
> +	char cc[32*4096];
> +	struct rlimit rl = {
> +		.rlim_cur = RLIM_INFINITY,
> +		.rlim_max = RLIM_INFINITY,
> +	};
> +
> +	if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)
> +		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
> +
> +	for (lc = 0; TEST_LOOPING(lc); lc++) {
> +		switch (pid = fork()) {
> +			case -1:
> +				tst_brkm(TBROK|TERRNO, NULL, "fork");
> +			case 0:
> +				memset(cc, 'c', 32*4096-1);
> +				for (i=0;i<256;i++)
> +					c[i] = cc;
> +				if (setrlimit(RLIMIT_STACK, &rl) == -1)
> +					tst_brkm(TBROK|TERRNO, NULL, "setrlimit");
> +				if (execve("/bin/true", c, c) == -1)
> +					tst_brkm(TBROK|TERRNO, NULL, "execve");
> +			default:
> +				if (waitpid(pid, &st, 0) == -1)
> +					tst_brkm(TBROK|TERRNO, NULL, "waitpid");
> +
> +				if (! WIFEXITED(st))
> +					tst_brkm(TBROK, NULL, "child exits abnormally");
> +
> +				if (WEXITSTATUS(st) == 2)
> +					tst_brkm(TBROK, NULL, "Do you have /bin/true installed?");
> +
> +				if (WEXITSTATUS(st) != 0)
> +					tst_brkm(TBROK, NULL, "chaild exits with non-zero value");
> +
> +				tst_resm(TPASS, "thp01 pass");
> +		}
> +	}
> +
> +        tst_exit();
> +}
> -- 
> 1.7.1
> 



-- 
Han Pingtian
Quality Engineer
hpt @ #kernel-qe
Red Hat, Inc
Freedom ... courage ... Commitment ... ACCOUNTABILITY


* Re: [LTP] [PATCH] thp testcase come from CVE reproducer
  2011-03-07  7:29   ` Han Pingtian
  2011-03-11  4:54     ` Han Pingtian
@ 2011-04-06 19:19     ` Cyril Hrubis
       [not found]       ` <BANLkTik=ZwxHTEgF_E9UeC1Tutx-MRnMkw@mail.gmail.com>
  1 sibling, 1 reply; 18+ messages in thread
From: Cyril Hrubis @ 2011-04-06 19:19 UTC (permalink / raw)
  To: Han Pingtian; +Cc: ltp-list

Hi!
> > Not all systems have /bin/true. It would be better to do:
> > 
> > /bin/sh -c ':'
> > 
> > etc, as we have code that depends on this type of shell-required POSIX behavior.
> > 
> I'm sorry for I cannot figure out how to do this way. I tried, but
> cannot crash unpatched kernel anymore. So I think the simple workaround
> is checking if /bin/true installed in the program:

It should as simple as execve("/bin/sh -c ':'", c, c), or that didn't work?

What about "/bin/sh -c ''" ?

> +#include <stdio.h>
> +#include <unistd.h>
> +#include <string.h>
> +#include <sys/resource.h>
> +#include <sys/types.h>
> +#include <sys/wait.h>
> +
> +int main(int argc, char **argv) {

The curly bracket should be on a new line here.

> +	int i, lc, st;
> +	pid_t pid;
> +	char *msg;
> +	char *c[257];
> +	char cc[32*4096];
> +	struct rlimit rl = {
> +		.rlim_cur = RLIM_INFINITY,
> +		.rlim_max = RLIM_INFINITY,
> +	};
> +
> +	if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)
> +		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
> +
> +	for (lc = 0; TEST_LOOPING(lc); lc++) {
> +		switch (pid = fork()) {
> +			case -1:
> +				tst_brkm(TBROK|TERRNO, NULL, "fork");
> +			case 0:
> +				memset(cc, 'c', 32*4096-1);

Hmm should not the cc actually be C string and so terminated with '\0'?

> +				for (i=0;i<256;i++)
> +					c[i] = cc;
> +				if (setrlimit(RLIMIT_STACK, &rl) == -1)
> +					tst_brkm(TBROK|TERRNO, NULL, "setrlimit");
> +				if (execve("/bin/true", c, c) == -1)
> +					tst_brkm(TBROK|TERRNO, NULL, "execve");
> +			default:
> +				if (waitpid(pid, &st, 0) == -1)
> +					tst_brkm(TBROK|TERRNO, NULL, "waitpid");
> +
> +				if (! WIFEXITED(st))
> +					tst_brkm(TBROK, NULL, "child exits abnormally");

Please don't add space after ! here.

> +				if (WEXITSTATUS(st) == 2)
> +					tst_brkm(TBROK, NULL, "Do you have /bin/true installed?");
> +
> +				if (WEXITSTATUS(st) != 0)
> +					tst_brkm(TBROK, NULL, "chaild exits with non-zero value");
> +
> +				tst_resm(TPASS, "thp01 pass");
> +		}
> +	}
> +
> +        tst_exit();
> +}

-- 
Cyril Hrubis
chrubis@suse.cz


* Re: [LTP] [PATCH] thp testcase come from CVE reproducer
  2011-02-25 10:36 [LTP] [PATCH] thp testcase come from CVE reproducer Han Pingtian
  2011-03-04 10:38 ` Garrett Cooper
@ 2011-04-07  6:57 ` Garrett Cooper
  2011-04-09  3:23   ` Han Pingtian
  1 sibling, 1 reply; 18+ messages in thread
From: Garrett Cooper @ 2011-04-07  6:57 UTC (permalink / raw)
  To: Garrett Cooper, ltp-list

I'm going to be more anal retentive with this review than I was previously.

On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote:
> This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
> a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
>
> "Transparent hugepages can only be created if rmap is fully
> functional. So we must prevent hugepages to be created while
> is_vma_temporary_stack() is true."
>
> When running in a loop, it can trigger panic like this, if kernel
> unpatched:
>
> kernel BUG at mm/huge_memory.c:1260!
> invalid opcode: 0000 [#1] SMP
> last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map

...
>
> So I recommend to run it as 'thp01 -I xxx'.
> +static option_t options[] = {
> +       {NULL, NULL, NULL}
> +};
> +
> +static void usage(void)
> +{
> +    return;
> +}
> +
> +int main(int argc, char **argv) {
> +       int i, lc, st;
> +       pid_t pid;
> +       char *msg;
> +       char *c[257];
> +       char cc[32*4096];
> +       struct rlimit rl = {
> +               .rlim_cur =RLIM_INFINITY,
> +               .rlim_max=RLIM_INFINITY,
> +       };
> +
> +       msg = parse_opts(argc, argv, options, usage);
> +       if (msg != NULL)
> +               tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
> +
> +       for (lc = 0; TEST_LOOPING(lc); lc++) {
> +               switch (pid = fork()) {
> +                       case -1:
> +                               tst_brkm(TBROK|TERRNO, NULL, "fork");
> +                       case 0:
> +                               memset(cc, 'c', 32*4096-1);
> +                               for (i=0;i<256;i++)
> +                                       c[i] = cc;
> +                               if (setrlimit(RLIMIT_STACK, &rl) == -1)
> +                                       tst_brkm(TBROK|TERRNO, NULL, "setrlimit");
> +                               if (execve("/bin/true", c, c) == -1)
> +                                       tst_brkm(TBROK|TERRNO, NULL, "execve");

I would just do perror("execve"), etc, because this is a child process
and according to the style guide you shouldn't use tst_resm in child
processes (I recommended that in the style guide for a very good
reason that you should understand).

> +                       default:
> +                               if (waitpid(pid, &st, 0) == -1)
> +                                       tst_brkm(TBROK|TERRNO, NULL, "waitpid");
> +
> +                               if (! WIFEXITED(st))
> +                                       tst_brkm(TBROK, NULL, "child exit status is %d", WEXITSTATUS(st));

I agree with what Cyril said before about whitespace.

...

-Garrett


* Re: [LTP] [PATCH] thp testcase come from CVE reproducer
       [not found]       ` <BANLkTik=ZwxHTEgF_E9UeC1Tutx-MRnMkw@mail.gmail.com>
@ 2011-04-07 19:41         ` Cyril Hrubis
  0 siblings, 0 replies; 18+ messages in thread
From: Cyril Hrubis @ 2011-04-07 19:41 UTC (permalink / raw)
  To: Garrett Cooper; +Cc: ltp-list

Hi!
> >> > Not all systems have /bin/true. It would be better to do:
> >> >
> >> > /bin/sh -c ':'
> >> >
> >> > etc, as we have code that depends on this type of shell-required POSIX behavior.
> >> >
> >> I'm sorry for I cannot figure out how to do this way. I tried, but
> >> cannot crash unpatched kernel anymore. So I think the simple workaround
> >> is checking if /bin/true installed in the program:
> >
> > It should as simple as execve("/bin/sh -c ':'", c, c), or that didn't work?
> 
> execve doesn't work that way. It should be:
> 
> execve("/bin/sh", "sh", "-c", ":");

Ahh, right, so it's difficult in this case, as it seems that the trigger is
a particularly big argv and envp (at least it seems so from the source;
a better description wouldn't hurt either).

-- 
Cyril Hrubis
chrubis@suse.cz


* Re: [LTP] [PATCH] thp testcase come from CVE reproducer
  2011-04-07  6:57 ` Garrett Cooper
@ 2011-04-09  3:23   ` Han Pingtian
  2011-04-09  6:12     ` Garrett Cooper
  0 siblings, 1 reply; 18+ messages in thread
From: Han Pingtian @ 2011-04-09  3:23 UTC (permalink / raw)
  To: Garrett Cooper; +Cc: ltp-list

[-- Attachment #1: Type: text/plain, Size: 3496 bytes --]

I have updated the patch based on your suggestions. Please review.

Thanks.

Han Pingtian
On Wed, Apr 06, 2011 at 11:57:51PM -0700, Garrett Cooper wrote:
> I'm going to be more anal retentive with this review than I was previously.
> 
> On Fri, Feb 25, 2011 at 2:36 AM, Han Pingtian <phan@redhat.com> wrote:
> > This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
> > a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
> >
> > "Transparent hugepages can only be created if rmap is fully
> > functional. So we must prevent hugepages to be created while
> > is_vma_temporary_stack() is true."
> >
> > When running in a loop, it can trigger panic like this, if kernel
> > unpatched:
> >
> > kernel BUG at mm/huge_memory.c:1260!
> > invalid opcode: 0000 [#1] SMP
> > last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
> 
> ...
> >
> > So I recommend to run it as 'thp01 -I xxx'.
> > +static option_t options[] = {
> > +       {NULL, NULL, NULL}
> > +};
> > +
> > +static void usage(void)
> > +{
> > +    return;
> > +}
> > +
> > +int main(int argc, char **argv) {
> > +       int i, lc, st;
> > +       pid_t pid;
> > +       char *msg;
> > +       char *c[257];
> > +       char cc[32*4096];
> > +       struct rlimit rl = {
> > +               .rlim_cur =RLIM_INFINITY,
> > +               .rlim_max=RLIM_INFINITY,
> > +       };
> > +
> > +       msg = parse_opts(argc, argv, options, usage);
> > +       if (msg != NULL)
> > +               tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
> > +
> > +       for (lc = 0; TEST_LOOPING(lc); lc++) {
> > +               switch (pid = fork()) {
> > +                       case -1:
> > +                               tst_brkm(TBROK|TERRNO, NULL, "fork");
> > +                       case 0:
> > +                               memset(cc, 'c', 32*4096-1);
> > +                               for (i=0;i<256;i++)
> > +                                       c[i] = cc;
> > +                               if (setrlimit(RLIMIT_STACK, &rl) == -1)
> > +                                       tst_brkm(TBROK|TERRNO, NULL, "setrlimit");
> > +                               if (execve("/bin/true", c, c) == -1)
> > +                                       tst_brkm(TBROK|TERRNO, NULL, "execve");
> 
> I would just do perror("execve"), etc, because this is a child process
> and according to the style guide you shouldn't use tst_resm in child
> processes (I recommended that in the style guide for a very good
> reason that you should understand).
> 
> > +                       default:
> > +                               if (waitpid(pid, &st, 0) == -1)
> > +                                       tst_brkm(TBROK|TERRNO, NULL, "waitpid");
> > +
> > +                               if (! WIFEXITED(st))
> > +                                       tst_brkm(TBROK, NULL, "child exit status is %d", WEXITSTATUS(st));
> 
> I agree with what Cyril said before about whitespace.
> 
> ...
> 
> -Garrett
> 

[-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --]
[-- Type: text/plain, Size: 5727 bytes --]

From 0e226273edd93e50afdf5d698bfc000cc9823a8c Mon Sep 17 00:00:00 2001
From: Han Pingtian <phan@redhat.com>
Date: Fri, 25 Feb 2011 17:51:24 +0800
Subject: [PATCH] thp testcase come from CVE reproducer

This is a reproducer for CVE-2011-0999, which was fixed by mainline commit
a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:

"Transparent hugepages can only be created if rmap is fully
functional. So we must prevent hugepages to be created while
is_vma_temporary_stack() is true."

When running in a loop, it can trigger panic like this, if kernel
unpatched:

kernel BUG at mm/huge_memory.c:1260!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
....

So I recommend to run it as 'thp01 -I xxx'.

Signed-off-by: Han Pingtian <phan@redhat.com>
---
 runtest/mm                        |    2 +
 testcases/kernel/mem/thp/Makefile |   23 ++++++++
 testcases/kernel/mem/thp/thp01.c  |  102 +++++++++++++++++++++++++++++++++++++
 3 files changed, 127 insertions(+), 0 deletions(-)
 create mode 100644 testcases/kernel/mem/thp/Makefile
 create mode 100644 testcases/kernel/mem/thp/thp01.c

diff --git a/runtest/mm b/runtest/mm
index f2d50d6..dded529 100644
--- a/runtest/mm
+++ b/runtest/mm
@@ -78,3 +78,5 @@ oom01 oom01
 oom02 oom02
 oom03 oom03
 oom04 oom04
+
+thp01 thp01 -I 600
diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile
new file mode 100644
index 0000000..dbfbc1b
--- /dev/null
+++ b/testcases/kernel/mem/thp/Makefile
@@ -0,0 +1,23 @@
+#
+#  Copyright (C) 2010  Red Hat, Inc.
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or (at
+#  your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+#  02110-1301, USA.
+#
+
+top_srcdir              ?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c
new file mode 100644
index 0000000..4c94031
--- /dev/null
+++ b/testcases/kernel/mem/thp/thp01.c
@@ -0,0 +1,102 @@
+/*
+ * This is a reproducer of  CVE-2011-0999, which fixed by mainline commit
+ * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
+ *
+ * "Transparent hugepages can only be created if rmap is fully
+ * functional. So we must prevent hugepages to be created while
+ * is_vma_temporary_stack() is true."
+ *
+ * It will cause a panic something like this, if the patch didn't get applied:
+ *
+ * kernel BUG at mm/huge_memory.c:1260!
+ * invalid opcode: 0000 [#1] SMP
+ * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
+ * ....
+ *
+ * Copyright (C) 2010  Red Hat, Inc.
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * Further, this software is distributed without any warranty that it
+ * is free of the rightful claim of any third person regarding
+ * infringement or the like.  Any license provided herein, whether
+ * implied or otherwise, applies only to this software file.  Patent
+ * licenses, if any, provided herein do not apply to combinations of
+ * this program with other software, or any other product whatsoever.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+#include "test.h"
+#include "usctest.h"
+#include "config.h"
+
+char *TCID = "thp01";
+int TST_TOTAL = 1;
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/resource.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+int main(int argc, char **argv)
+{
+	int i, lc, st;
+	pid_t pid;
+	char *msg;
+	char *c[257];
+	char cc[32*4096];
+	struct rlimit rl = {
+		.rlim_cur = RLIM_INFINITY,
+		.rlim_max = RLIM_INFINITY,
+	};
+
+	if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)
+		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
+
+	for (lc = 0; TEST_LOOPING(lc); lc++) {
+		switch (pid = fork()) {
+			case -1:
+				tst_brkm(TBROK|TERRNO, NULL, "fork");
+			case 0:
+				memset(cc, 'c', 32*4096-1);
+				cc[32*4096-1] = '\0';
+
+				for (i=0;i<256;i++)
+					c[i] = cc;
+				if (setrlimit(RLIMIT_STACK, &rl) == -1) {
+					perror("setrlimit");
+					exit(1);
+				}
+				if (execve("/bin/true", c, c) == -1) {
+					perror("execve");
+					exit(2);
+				}
+			default:
+				if (waitpid(pid, &st, 0) == -1)
+					tst_brkm(TBROK|TERRNO, NULL, "waitpid");
+
+				if (!WIFEXITED(st))
+					tst_brkm(TBROK, NULL, "child exits abnormally");
+
+				if (WEXITSTATUS(st) == 2)
+					tst_brkm(TBROK, NULL, "Do you have /bin/true installed?");
+
+				if (WEXITSTATUS(st) != 0)
+					tst_brkm(TBROK, NULL, "chaild exits with non-zero value");
+
+				tst_resm(TPASS, "thp01 pass");
+		}
+	}
+
+        tst_exit();
+}
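Review bot: The `c` array passed to execve() as both argv and envp is never NULL-terminated: the loop in `case 0` fills `c[0]` to `c[255]` and `c[256]` is left as whatever was on the stack, so the kernel keeps reading pointers past the intended 256 strings until it finds a NULL or faults. That makes the amount of argument data unpredictable, and presumably also whether the oversized argv/envp the reproducer relies on is built as intended. An EFAULT or E2BIG from execve would then be misreported as "Do you have /bin/true installed?". Add `c[256] = NULL;` after the loop. The later revisions of this file in the thread (v3, v4) declare `static char *array[ARRAY_SZ];` and fill all 256 slots, leaving no room for the terminator; there the declaration should become `static char *array[ARRAY_SZ + 1];` so that the last slot stays NULL.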
-- 
1.7.4.2



* Re: [LTP] [PATCH] thp testcase come from CVE reproducer
  2011-04-09  3:23   ` Han Pingtian
@ 2011-04-09  6:12     ` Garrett Cooper
  2011-04-27  3:40       ` [LTP] [PATCH v3] " Caspar Zhang
  0 siblings, 1 reply; 18+ messages in thread
From: Garrett Cooper @ 2011-04-09  6:12 UTC (permalink / raw)
  To: Han Pingtian; +Cc: ltp-list

On Fri, Apr 8, 2011 at 8:23 PM, Han Pingtian <phan@redhat.com> wrote:
> I have updated the patch based on your suggestions. Please review.
>
> Thanks.

An inline diff would have been nice. Anyhow..

...

+#include "test.h"
+#include "usctest.h"
+#include "config.h"
+
+char *TCID = "thp01";
+int TST_TOTAL = 1;
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/resource.h>
+#include <sys/types.h>
+#include <sys/wait.h>

Please read the style guide and the example code I've provided in the
style guide. This doesn't conform to those examples.

+int main(int argc, char **argv)
+{
+	int i, lc, st;
+	pid_t pid;
+	char *msg;
+	char *c[257];
+	char cc[32*4096];
+	struct rlimit rl = {
+		.rlim_cur = RLIM_INFINITY,
+		.rlim_max = RLIM_INFINITY,
+	};
+
+	if ((msg = parse_opts(argc, argv, NULL, NULL)) != NULL)
+		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
+
+	for (lc = 0; TEST_LOOPING(lc); lc++) {
+		switch (pid = fork()) {
+			case -1:

Unnecessary indentation.

+				tst_brkm(TBROK|TERRNO, NULL, "fork");
+			case 0:
+				memset(cc, 'c', 32*4096-1);
+				cc[32*4096-1] = '\0';

Make the magic number (32*4096-1) a number. BTW -- did you derive this
from a pagesize or something? If so, you should really use the sysconf
function to derive _SC_PAGESIZE.

+				for (i=0;i<256;i++)

[Lack of] whitespace.

+					c[i] = cc;
+				if (setrlimit(RLIMIT_STACK, &rl) == -1) {
+					perror("setrlimit");
+					exit(1);
+				}
+				if (execve("/bin/true", c, c) == -1) {
+					perror("execve");
+					exit(2);
+				}

So, this isn't supposed to exit I assume? Seems kind of funky (i.e.
would run out of processes).

+			default:
+				if (waitpid(pid, &st, 0) == -1)
+					tst_brkm(TBROK|TERRNO, NULL, "waitpid");
+
+				if (!WIFEXITED(st))
+					tst_brkm(TBROK, NULL, "child exits abnormally");

*exited.

+				if (WEXITSTATUS(st) == 2)
+					tst_brkm(TBROK, NULL, "Do you have /bin/true installed?");

Add a check at the beginning of the test to ensure (via stat) that
/bin/true exists. That way you can skip this check.

+				if (WEXITSTATUS(st) != 0)
+					tst_brkm(TBROK, NULL, "chaild exits with non-zero value");

You didn't do a proper exit(0). How is this possible (unless the
forked child runs to completion and exits the loop first which just
seems like a bad idea because you're executing tst_exit() at the
bottom)?

+				tst_resm(TPASS, "thp01 pass");

How do you know it passes from just one run when it could cascade over
several iterations? My gut feeling is that this really should be moved
somewhere else.

+		}
+	}
+
+        tst_exit();

Indentation is off.

+}


* [LTP] [PATCH v3] thp testcase come from CVE reproducer
  2011-04-09  6:12     ` Garrett Cooper
@ 2011-04-27  3:40       ` Caspar Zhang
  2011-04-28 15:49         ` Cyril Hrubis
  0 siblings, 1 reply; 18+ messages in thread
From: Caspar Zhang @ 2011-04-27  3:40 UTC (permalink / raw)
  To: LTP List

[-- Attachment #1: Type: text/plain, Size: 1002 bytes --]


This is a reproducer for CVE-2011-0999, which was fixed by mainline commit
a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:

"Transparent hugepages can only be created if rmap is fully functional.
So we must prevent hugepages to be created while
is_vma_temporary_stack() is true."

When running in a loop, it can trigger panic like this, if kernel
unpatched:

kernel BUG at mm/huge_memory.c:1260!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
....

So I recommend to run it as 'thp01 -I xxx'.

v2 & v3: update code style

Signed-off-by: Pingtian Han <phan@redhat.com>
Signed-off-by: Caspar Zhang <czhang@redhat.com>
---
 runtest/mm                        |    2 +
 testcases/kernel/mem/thp/Makefile |   23 +++++++
 testcases/kernel/mem/thp/thp01.c  |  127 +++++++++++++++++++++++++++++++++++++
 3 files changed, 152 insertions(+), 0 deletions(-)
 create mode 100644 testcases/kernel/mem/thp/Makefile
 create mode 100644 testcases/kernel/mem/thp/thp01.c


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --]
[-- Type: text/x-patch; name="0001-thp-testcase-come-from-CVE-reproducer.patch", Size: 4972 bytes --]

diff --git a/runtest/mm b/runtest/mm
index f2d50d6..dded529 100644
--- a/runtest/mm
+++ b/runtest/mm
@@ -78,3 +78,5 @@ oom01 oom01
 oom02 oom02
 oom03 oom03
 oom04 oom04
+
+thp01 thp01 -I 600
diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile
new file mode 100644
index 0000000..d43511a
--- /dev/null
+++ b/testcases/kernel/mem/thp/Makefile
@@ -0,0 +1,23 @@
+#
+#  Copyright (C) 2011  Red Hat, Inc.
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or (at
+#  your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+#  02110-1301, USA.
+#
+
+top_srcdir              ?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c
new file mode 100644
index 0000000..a1d248f
--- /dev/null
+++ b/testcases/kernel/mem/thp/thp01.c
@@ -0,0 +1,127 @@
+/*
+ * This is a reproducer of CVE-2011-0999, which fixed by mainline commit
+ * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
+ *
+ * "Transparent hugepages can only be created if rmap is fully
+ * functional. So we must prevent hugepages to be created while
+ * is_vma_temporary_stack() is true."
+ *
+ * It will cause a panic something like this, if the patch didn't get
+ * applied:
+ *
+ * kernel BUG at mm/huge_memory.c:1260!
+ * invalid opcode: 0000 [#1] SMP
+ * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
+ * ....
+ *
+ * Copyright (C) 2011  Red Hat, Inc.
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * Further, this software is distributed without any warranty that it
+ * is free of the rightful claim of any third person regarding
+ * infringement or the like.  Any license provided herein, whether
+ * implied or otherwise, applies only to this software file.  Patent
+ * licenses, if any, provided herein do not apply to combinations of
+ * this program with other software, or any other product whatsoever.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include "test.h"
+#include "usctest.h"
+#include "config.h"
+
+char *TCID = "thp01";
+int TST_TOTAL = 1;
+
+#define ARRAY_SZ	256
+
+static int ps;
+static long length;
+static char *array[ARRAY_SZ];
+static char *arg;
+
+struct rlimit rl = {
+	.rlim_cur = RLIM_INFINITY,
+	.rlim_max = RLIM_INFINITY,
+};
+
+static void setup(void);
+static void cleanup(void);
+
+int main(int argc, char **argv)
+{
+	int i, lc, st;
+	pid_t pid;
+	char *msg;
+
+	msg = parse_opts(argc, argv, NULL, NULL);
+	if (msg != NULL)
+		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
+
+	setup();
+
+	for (lc = 0; TEST_LOOPING(lc); lc++) {
+		switch (pid = fork()) {
+		case -1:
+			tst_brkm(TBROK|TERRNO, cleanup, "fork");
+		case 0:
+			memset(arg, 'c', length - 1);
+			arg[length - 1] = '\0';
+			for (i = 0; i < ARRAY_SZ; i++)
+				array[i] = arg;
+			if (setrlimit(RLIMIT_STACK, &rl) == -1) {
+				perror("setrlimit");
+				exit(1);
+			}
+			if (execve("/bin/true", array, array) == -1) {
+				perror("execve");
+				exit(1);
+			}
+		default:
+			if (waitpid(pid, &st, 0) == -1)
+				tst_brkm(TBROK|TERRNO, cleanup, "waitpid");
+			if (!WIFEXITED(st) || WEXITSTATUS(st) != 0)
+				tst_brkm(TBROK, cleanup,
+					"child exited abnormally");
+		}
+	}
+	tst_resm(TPASS, "system didn't crash, pass.");
+	cleanup();
+	tst_exit();
+}
+
+static void setup()
+{
+	if (access("/bin/true", F_OK) == -1)
+		tst_brkm(TBROK, NULL, "/bin/true not exist");
+
+	ps = sysconf(_SC_PAGESIZE);
+	length = 32 * ps;
+	arg = malloc(length * sizeof(char));
+	if (arg == NULL)
+		tst_brkm(TBROK|TERRNO, NULL, "malloc");
+
+	tst_sig(FORK, DEF_HANDLER, cleanup);
+	TEST_PAUSE;
+}
+
+static void cleanup()
+{
+	TEST_CLEANUP;
+}
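Review bot: In the `default:` branch, `!WIFEXITED(st) || WEXITSTATUS(st) != 0` folds a child killed by a signal into the same TBROK "child exited abnormally" as a failed setrlimit() or execve(). If an unpatched kernel hits the BUG without panicking the whole machine, the child is probably the task that gets killed, and that outcome is the detection of CVE-2011-0999 rather than a broken test; as written it would be logged as TBROK with no signal number. Check `WIFSIGNALED(st)` first and report it as a failure that includes the signal, for example `tst_resm(TFAIL, "child killed by signal %d", WTERMSIG(st));`, and keep TBROK for the non-zero exit status. Giving the setrlimit and execve failures different exit codes, as the earlier revision did, would also keep the two setup errors distinguishable.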


* Re: [LTP] [PATCH v3] thp testcase come from CVE reproducer
  2011-04-27  3:40       ` [LTP] [PATCH v3] " Caspar Zhang
@ 2011-04-28 15:49         ` Cyril Hrubis
  2011-04-30  2:56           ` [LTP] [PATCH v4] " Caspar Zhang
  0 siblings, 1 reply; 18+ messages in thread
From: Cyril Hrubis @ 2011-04-28 15:49 UTC (permalink / raw)
  To: Caspar Zhang; +Cc: LTP List

Hi!
> +#include <sys/types.h>
> +#include <sys/resource.h>
> +#include <sys/wait.h>
> +#include <stdio.h>
> +#include <string.h>
> +#include <unistd.h>
> +#include "test.h"
> +#include "usctest.h"
> +#include "config.h"
> +
> +char *TCID = "thp01";
> +int TST_TOTAL = 1;
> +
> +#define ARRAY_SZ	256
> +
> +static int ps;
> +static long length;
> +static char *array[ARRAY_SZ];
> +static char *arg;
> +
> +struct rlimit rl = {
> +	.rlim_cur = RLIM_INFINITY,
> +	.rlim_max = RLIM_INFINITY,
> +};

Perhaps static struct rlimit just to be consistent.

> +static void setup(void);
> +static void cleanup(void);
> +
> +int main(int argc, char **argv)
> +{
> +	int i, lc, st;
> +	pid_t pid;
> +	char *msg;
> +
> +	msg = parse_opts(argc, argv, NULL, NULL);
> +	if (msg != NULL)
> +		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
> +
> +	setup();
> +
> +	for (lc = 0; TEST_LOOPING(lc); lc++) {
> +		switch (pid = fork()) {
> +		case -1:
> +			tst_brkm(TBROK|TERRNO, cleanup, "fork");
> +		case 0:
> +			memset(arg, 'c', length - 1);
> +			arg[length - 1] = '\0';
> +			for (i = 0; i < ARRAY_SZ; i++)
> +				array[i] = arg;
> +			if (setrlimit(RLIMIT_STACK, &rl) == -1) {
> +				perror("setrlimit");
> +				exit(1);
> +			}
> +			if (execve("/bin/true", array, array) == -1) {
> +				perror("execve");
> +				exit(1);
> +			}
> +		default:
> +			if (waitpid(pid, &st, 0) == -1)
> +				tst_brkm(TBROK|TERRNO, cleanup, "waitpid");
> +			if (!WIFEXITED(st) || WEXITSTATUS(st) != 0)
> +				tst_brkm(TBROK, cleanup,
> +					"child exited abnormally");
> +		}
> +	}
> +	tst_resm(TPASS, "system didn't crash, pass.");
> +	cleanup();
> +	tst_exit();
> +}
> +
> +static void setup()
> +{

Please put void into the parameter lists here as well, e.g.: static void setup(void)

> +	if (access("/bin/true", F_OK) == -1)
> +		tst_brkm(TBROK, NULL, "/bin/true not exist");

Should rather be "/bin/true does not exists" and maybe TCONF rather than
TBROK.

> +	ps = sysconf(_SC_PAGESIZE);
> +	length = 32 * ps;
> +	arg = malloc(length * sizeof(char));

sizeof(char) is 1 by definition

> +	if (arg == NULL)
> +		tst_brkm(TBROK|TERRNO, NULL, "malloc");
> +
> +	tst_sig(FORK, DEF_HANDLER, cleanup);
> +	TEST_PAUSE;
> +}
> +
> +static void cleanup()

Here void as vell.

> +{
> +	TEST_CLEANUP;
> +}

-- 
Cyril Hrubis
chrubis@suse.cz


* [LTP] [PATCH v4] thp testcase come from CVE reproducer
  2011-04-28 15:49         ` Cyril Hrubis
@ 2011-04-30  2:56           ` Caspar Zhang
  2011-04-30  3:05             ` Mike Frysinger
  0 siblings, 1 reply; 18+ messages in thread
From: Caspar Zhang @ 2011-04-30  2:56 UTC (permalink / raw)
  To: LTP List

[-- Attachment #1: Type: text/plain, Size: 974 bytes --]


This is a reproducer for CVE-2011-0999, which was fixed by mainline commit
a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:

"Transparent hugepages can only be created if rmap is fully functional.
So we must prevent hugepages to be created while
is_vma_temporary_stack() is true."

When running in a loop, it can trigger panic like this, if kernel
unpatched:

kernel BUG at mm/huge_memory.c:1260!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
....

So I recommend to run it as 'thp01 -I xxx'.

Signed-off-by: Pingtian Han <phan@redhat.com>
Signed-off-by: Caspar Zhang <czhang@redhat.com>
---
 runtest/mm                        |    2 +
 testcases/kernel/mem/thp/Makefile |   23 +++++++
 testcases/kernel/mem/thp/thp01.c  |  126 +++++++++++++++++++++++++++++++++++++
 3 files changed, 151 insertions(+), 0 deletions(-)
 create mode 100644 testcases/kernel/mem/thp/Makefile
 create mode 100644 testcases/kernel/mem/thp/thp01.c


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --]
[-- Type: text/x-patch; name="0001-thp-testcase-come-from-CVE-reproducer.patch", Size: 4975 bytes --]

diff --git a/runtest/mm b/runtest/mm
index f2d50d6..dded529 100644
--- a/runtest/mm
+++ b/runtest/mm
@@ -78,3 +78,5 @@ oom01 oom01
 oom02 oom02
 oom03 oom03
 oom04 oom04
+
+thp01 thp01 -I 600
diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile
new file mode 100644
index 0000000..d43511a
--- /dev/null
+++ b/testcases/kernel/mem/thp/Makefile
@@ -0,0 +1,23 @@
+#
+#  Copyright (C) 2011  Red Hat, Inc.
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or (at
+#  your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+#  02110-1301, USA.
+#
+
+top_srcdir              ?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c
new file mode 100644
index 0000000..bcb03e6
--- /dev/null
+++ b/testcases/kernel/mem/thp/thp01.c
@@ -0,0 +1,126 @@
+/*
+ * This is a reproducer of CVE-2011-0999, which fixed by mainline commit
+ * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
+ *
+ * "Transparent hugepages can only be created if rmap is fully
+ * functional. So we must prevent hugepages to be created while
+ * is_vma_temporary_stack() is true."
+ *
+ * It will cause a panic something like this, if the patch didn't get
+ * applied:
+ *
+ * kernel BUG at mm/huge_memory.c:1260!
+ * invalid opcode: 0000 [#1] SMP
+ * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
+ * ....
+ *
+ * Copyright (C) 2011  Red Hat, Inc.
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * Further, this software is distributed without any warranty that it
+ * is free of the rightful claim of any third person regarding
+ * infringement or the like.  Any license provided herein, whether
+ * implied or otherwise, applies only to this software file.  Patent
+ * licenses, if any, provided herein do not apply to combinations of
+ * this program with other software, or any other product whatsoever.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include "test.h"
+#include "usctest.h"
+#include "config.h"
+
+char *TCID = "thp01";
+int TST_TOTAL = 1;
+
+#define ARRAY_SZ	256
+
+static int ps;
+static long length;
+static char *array[ARRAY_SZ];
+static char *arg;
+static struct rlimit rl = {
+	.rlim_cur = RLIM_INFINITY,
+	.rlim_max = RLIM_INFINITY,
+};
+
+static void setup(void);
+static void cleanup(void);
+
+int main(int argc, char **argv)
+{
+	int i, lc, st;
+	pid_t pid;
+	char *msg;
+
+	msg = parse_opts(argc, argv, NULL, NULL);
+	if (msg != NULL)
+		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
+
+	setup();
+
+	for (lc = 0; TEST_LOOPING(lc); lc++) {
+		switch (pid = fork()) {
+		case -1:
+			tst_brkm(TBROK|TERRNO, cleanup, "fork");
+		case 0:
+			memset(arg, 'c', length - 1);
+			arg[length - 1] = '\0';
+			for (i = 0; i < ARRAY_SZ; i++)
+				array[i] = arg;
+			if (setrlimit(RLIMIT_STACK, &rl) == -1) {
+				perror("setrlimit");
+				exit(1);
+			}
+			if (execve("/bin/true", array, array) == -1) {
+				perror("execve");
+				exit(1);
+			}
+		default:
+			if (waitpid(pid, &st, 0) == -1)
+				tst_brkm(TBROK|TERRNO, cleanup, "waitpid");
+			if (!WIFEXITED(st) || WEXITSTATUS(st) != 0)
+				tst_brkm(TBROK, cleanup,
+					"child exited abnormally");
+		}
+	}
+	tst_resm(TPASS, "system didn't crash, pass.");
+	cleanup();
+	tst_exit();
+}
+
+static void setup(void)
+{
+	if (access("/bin/true", F_OK) == -1)
+		tst_brkm(TCONF, NULL, "/bin/true does not exist");
+
+	ps = sysconf(_SC_PAGESIZE);
+	length = 32 * ps;
+	arg = malloc(length);
+	if (arg == NULL)
+		tst_brkm(TBROK|TERRNO, NULL, "malloc");
+
+	tst_sig(FORK, DEF_HANDLER, cleanup);
+	TEST_PAUSE;
+}
+
+static void cleanup(void)
+{
+	TEST_CLEANUP;
+}
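Review bot: `setup()` checks that /bin/true exists but not that transparent hugepages are available, so on a kernel built without THP, or with it set to `never`, the loop runs and the test prints TPASS "system didn't crash" without exercising the code the CVE fix touches. A pass from this test is read as "not affected", so a vacuous pass is misleading; the test should end with TCONF in that case. On mainline the knob is `/sys/kernel/mm/transparent_hugepage/enabled` (distribution kernels of that era may name it differently, so confirm), e.g. `if (access("/sys/kernel/mm/transparent_hugepage/enabled", F_OK) == -1) tst_brkm(TCONF, NULL, "THP not available");`. Separately, `sysconf(_SC_PAGESIZE)` can return -1, and that value would flow into `length` and `malloc()` unchecked.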


* Re: [LTP] [PATCH v4] thp testcase come from CVE reproducer
  2011-04-30  2:56           ` [LTP] [PATCH v4] " Caspar Zhang
@ 2011-04-30  3:05             ` Mike Frysinger
  2011-04-30  8:46               ` [LTP] [PATCH v5] " Caspar Zhang
  0 siblings, 1 reply; 18+ messages in thread
From: Mike Frysinger @ 2011-04-30  3:05 UTC (permalink / raw)
  To: ltp-list


[-- Attachment #1.1: Type: Text/Plain, Size: 97 bytes --]

dont hard depend on /bin/true.  simply execute it through $PATH ... i.e. use 
execvp().
-mike


* [LTP] [PATCH v5] thp testcase come from CVE reproducer
  2011-04-30  3:05             ` Mike Frysinger
@ 2011-04-30  8:46               ` Caspar Zhang
  2011-05-06  3:46                 ` Caspar Zhang
  2011-05-06 13:41                 ` Cyril Hrubis
  0 siblings, 2 replies; 18+ messages in thread
From: Caspar Zhang @ 2011-04-30  8:46 UTC (permalink / raw)
  To: LTP List

[-- Attachment #1: Type: text/plain, Size: 1048 bytes --]


This is a reproducer of CVE-2011-0999, which was fixed by mainline commit
a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:

"Transparent hugepages can only be created if rmap is fully functional.
So we must prevent hugepages to be created while
is_vma_temporary_stack() is true."

When running in a loop, it can trigger panic like this, if kernel
unpatched:

kernel BUG at mm/huge_memory.c:1260!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
....

So I recommend to run it as 'thp01 -I xxx'.

v5: not using hard depend on /bin/true, use execvp() and "true" instead.

Signed-off-by: Pingtian Han <phan@redhat.com>
Signed-off-by: Caspar Zhang <czhang@redhat.com>
---
 runtest/mm                        |    2 +
 testcases/kernel/mem/thp/Makefile |   23 +++++++
 testcases/kernel/mem/thp/thp01.c  |  124 +++++++++++++++++++++++++++++++++++++
 3 files changed, 149 insertions(+), 0 deletions(-)
 create mode 100644 testcases/kernel/mem/thp/Makefile
 create mode 100644 testcases/kernel/mem/thp/thp01.c


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-thp-testcase-come-from-CVE-reproducer.patch --]
[-- Type: text/x-patch; name="0001-thp-testcase-come-from-CVE-reproducer.patch", Size: 4904 bytes --]

diff --git a/runtest/mm b/runtest/mm
index f2d50d6..dded529 100644
--- a/runtest/mm
+++ b/runtest/mm
@@ -78,3 +78,5 @@ oom01 oom01
 oom02 oom02
 oom03 oom03
 oom04 oom04
+
+thp01 thp01 -I 600
diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile
new file mode 100644
index 0000000..d43511a
--- /dev/null
+++ b/testcases/kernel/mem/thp/Makefile
@@ -0,0 +1,23 @@
+#
+#  Copyright (C) 2011  Red Hat, Inc.
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or (at
+#  your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+#  02110-1301, USA.
+#
+
+top_srcdir              ?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c
new file mode 100644
index 0000000..4432150
--- /dev/null
+++ b/testcases/kernel/mem/thp/thp01.c
@@ -0,0 +1,124 @@
+/*
+ * This is a reproducer of CVE-2011-0999, which fixed by mainline commit
+ * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
+ *
+ * "Transparent hugepages can only be created if rmap is fully
+ * functional. So we must prevent hugepages to be created while
+ * is_vma_temporary_stack() is true."
+ *
+ * It will cause a panic something like this, if the patch didn't get
+ * applied:
+ *
+ * kernel BUG at mm/huge_memory.c:1260!
+ * invalid opcode: 0000 [#1] SMP
+ * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
+ * ....
+ *
+ * Copyright (C) 2011  Red Hat, Inc.
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * Further, this software is distributed without any warranty that it
+ * is free of the rightful claim of any third person regarding
+ * infringement or the like.  Any license provided herein, whether
+ * implied or otherwise, applies only to this software file.  Patent
+ * licenses, if any, provided herein do not apply to combinations of
+ * this program with other software, or any other product whatsoever.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include "test.h"
+#include "usctest.h"
+#include "config.h"
+
+char *TCID = "thp01";
+int TST_TOTAL = 1;
+
+#define ARRAY_SZ	256
+
+static int ps;
+static long length;
+static char *array[ARRAY_SZ];
+static char *arg;
+static struct rlimit rl = {
+	.rlim_cur = RLIM_INFINITY,
+	.rlim_max = RLIM_INFINITY,
+};
+
+static void setup(void);
+static void cleanup(void);
+
+int main(int argc, char **argv)
+{
+	int i, lc, st;
+	pid_t pid;
+	char *msg;
+
+	msg = parse_opts(argc, argv, NULL, NULL);
+	if (msg != NULL)
+		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
+
+	setup();
+
+	for (lc = 0; TEST_LOOPING(lc); lc++) {
+		switch (pid = fork()) {
+		case -1:
+			tst_brkm(TBROK|TERRNO, cleanup, "fork");
+		case 0:
+			memset(arg, 'c', length - 1);
+			arg[length - 1] = '\0';
+			for (i = 0; i < ARRAY_SZ - 1; i++)
+				array[i] = arg;
+			array[ARRAY_SZ - 1] = NULL;
+			if (setrlimit(RLIMIT_STACK, &rl) == -1) {
+				perror("setrlimit");
+				exit(1);
+			}
+			if (execvp("true", array) == -1) {
+				perror("execvp");
+				exit(1);
+			}
+		default:
+			if (waitpid(pid, &st, 0) == -1)
+				tst_brkm(TBROK|TERRNO, cleanup, "waitpid");
+			if (!WIFEXITED(st) || WEXITSTATUS(st) != 0)
+				tst_brkm(TBROK, cleanup,
+					"child exited abnormally");
+		}
+	}
+	tst_resm(TPASS, "system didn't crash, pass.");
+	cleanup();
+	tst_exit();
+}
+
+static void setup(void)
+{
+	ps = sysconf(_SC_PAGESIZE);
+	length = 32 * ps;
+	arg = malloc(length);
+	if (arg == NULL)
+		tst_brkm(TBROK|TERRNO, NULL, "malloc");
+
+	tst_sig(FORK, DEF_HANDLER, cleanup);
+	TEST_PAUSE;
+}
+
+static void cleanup(void)
+{
+	TEST_CLEANUP;
+}
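Review bot: The test reports TPASS ("system didn't crash, pass.") without ever checking that transparent hugepages are available, so on a kernel built without THP, or with it disabled, the loop in main() passes without exercising the code path fixed by the commit named in the header comment. setup() could bail out first, e.g. `if (access("/sys/kernel/mm/transparent_hugepage/enabled", F_OK) == -1) tst_brkm(TCONF, NULL, "THP not supported by this kernel");`, and ideally also treat a `[never]` setting in that file as TCONF. The thp01.c hunk in the v6 posting further down is identical and has the same gap.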


* Re: [LTP] [PATCH v5] thp testcase come from CVE reproducer
  2011-04-30  8:46               ` [LTP] [PATCH v5] " Caspar Zhang
@ 2011-05-06  3:46                 ` Caspar Zhang
  2011-05-06 13:41                 ` Cyril Hrubis
  1 sibling, 0 replies; 18+ messages in thread
From: Caspar Zhang @ 2011-05-06  3:46 UTC (permalink / raw)
  To: LTP List

On 04/30/2011 04:46 PM, Caspar Zhang wrote:
> 
> This is a reproducer of CVE-2011-0999, which fixed by mainline commit
> a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
> 
> "Transparent hugepages can only be created if rmap is fully functional.
> So we must prevent hugepages to be created while
> is_vma_temporary_stack() is true."
> 
> When running in a loop, it can trigger panic like this, if kernel
> unpatched:
> 
> kernel BUG at mm/huge_memory.c:1260!
> invalid opcode: 0000 [#1] SMP
> last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
> ....
> 
> So I recommend to run it as 'thp01 -I xxx'.
> 
> v5: not using hard depend on /bin/true, use execvp() and "true" instead.
> 
> Signed-off-by: Pingtian Han <phan@redhat.com>
> Signed-off-by: Caspar Zhang <czhang@redhat.com>
> ---
>  runtest/mm                        |    2 +
>  testcases/kernel/mem/thp/Makefile |   23 +++++++
>  testcases/kernel/mem/thp/thp01.c  |  124 +++++++++++++++++++++++++++++++++++++
>  3 files changed, 149 insertions(+), 0 deletions(-)
>  create mode 100644 testcases/kernel/mem/thp/Makefile
>  create mode 100644 testcases/kernel/mem/thp/thp01.c
> 

Hi all, I've modified the patch as suggested and tested it. Any comments
on this new case?

Thanks,
Caspar


* Re: [LTP] [PATCH v5] thp testcase come from CVE reproducer
  2011-04-30  8:46               ` [LTP] [PATCH v5] " Caspar Zhang
  2011-05-06  3:46                 ` Caspar Zhang
@ 2011-05-06 13:41                 ` Cyril Hrubis
  2011-05-30 14:46                   ` [LTP] [PATCH v6] mm: " Caspar Zhang
  1 sibling, 1 reply; 18+ messages in thread
From: Cyril Hrubis @ 2011-05-06 13:41 UTC (permalink / raw)
  To: Caspar Zhang; +Cc: LTP List

Hi!
> diff --git a/runtest/mm b/runtest/mm
> index f2d50d6..dded529 100644
> --- a/runtest/mm
> +++ b/runtest/mm
> @@ -78,3 +78,5 @@ oom01 oom01
>  oom02 oom02
>  oom03 oom03
>  oom04 oom04
> +
> +thp01 thp01 -I 600

On my machine this runs for 10 minutes (-I 1 runs for more than
a second). Is this number of iterations really needed?

The rest looks good enough.

-- 
Cyril Hrubis
chrubis@suse.cz


* [LTP] [PATCH v6] mm: thp testcase come from CVE reproducer
  2011-05-06 13:41                 ` Cyril Hrubis
@ 2011-05-30 14:46                   ` Caspar Zhang
  2011-05-31 15:32                     ` Cyril Hrubis
  0 siblings, 1 reply; 18+ messages in thread
From: Caspar Zhang @ 2011-05-30 14:46 UTC (permalink / raw)
  To: LTP List

[-- Attachment #1: Type: text/plain, Size: 1079 bytes --]


This is a reproducer of CVE-2011-0999, which was fixed by mainline commit
a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:

"Transparent hugepages can only be created if rmap is fully functional.
So we must prevent hugepages to be created while
is_vma_temporary_stack() is true."

When running in a loop, it can trigger panic like this, if kernel
unpatched:

kernel BUG at mm/huge_memory.c:1260!
invalid opcode: 0000 [#1] SMP
last sysfs file:
/sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
....

So I recommend to run it as 'thp01 -I xxx'.

v5: not using hard depend on /bin/true, use execvp() and "true" instead.
v6: set testing time to 2 min.

Signed-off-by: Pingtian Han <phan@redhat.com>
Signed-off-by: Caspar Zhang <czhang@redhat.com>
---
 runtest/mm                        |    2 +
 testcases/kernel/mem/thp/Makefile |   23 +++++++
 testcases/kernel/mem/thp/thp01.c  |  124 +++++++++++++++++++++++++++++++++++++
 3 files changed, 149 insertions(+), 0 deletions(-)
 create mode 100644 testcases/kernel/mem/thp/Makefile
 create mode 100644 testcases/kernel/mem/thp/thp01.c


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-mm-thp-testcase-come-from-CVE-reproducer.patch --]
[-- Type: text/x-patch; name="0001-mm-thp-testcase-come-from-CVE-reproducer.patch", Size: 4904 bytes --]

diff --git a/runtest/mm b/runtest/mm
index f2d50d6..df7d0cb 100644
--- a/runtest/mm
+++ b/runtest/mm
@@ -78,3 +78,5 @@ oom01 oom01
 oom02 oom02
 oom03 oom03
 oom04 oom04
+
+thp01 thp01 -I 120
diff --git a/testcases/kernel/mem/thp/Makefile b/testcases/kernel/mem/thp/Makefile
new file mode 100644
index 0000000..d43511a
--- /dev/null
+++ b/testcases/kernel/mem/thp/Makefile
@@ -0,0 +1,23 @@
+#
+#  Copyright (C) 2011  Red Hat, Inc.
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or (at
+#  your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful, but
+#  WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+#  02110-1301, USA.
+#
+
+top_srcdir              ?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/mem/thp/thp01.c b/testcases/kernel/mem/thp/thp01.c
new file mode 100644
index 0000000..6c7cce3
--- /dev/null
+++ b/testcases/kernel/mem/thp/thp01.c
@@ -0,0 +1,124 @@
+/*
+ * This is a reproducer of CVE-2011-0999, which fixed by mainline commit
+ * a7d6e4ecdb7648478ddec76d30d87d03d6e22b31:
+ *
+ * "Transparent hugepages can only be created if rmap is fully
+ * functional. So we must prevent hugepages to be created while
+ * is_vma_temporary_stack() is true."
+ *
+ * It will cause a panic something like this, if the patch didn't get
+ * applied:
+ *
+ * kernel BUG at mm/huge_memory.c:1260!
+ * invalid opcode: 0000 [#1] SMP
+ * last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
+ * ....
+ *
+ * Copyright (C) 2011  Red Hat, Inc.
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * Further, this software is distributed without any warranty that it
+ * is free of the rightful claim of any third person regarding
+ * infringement or the like.  Any license provided herein, whether
+ * implied or otherwise, applies only to this software file.  Patent
+ * licenses, if any, provided herein do not apply to combinations of
+ * this program with other software, or any other product whatsoever.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include "test.h"
+#include "usctest.h"
+#include "config.h"
+
+char *TCID = "thp01";
+int TST_TOTAL = 1;
+
+#define ARRAY_SZ	256
+
+static int ps;
+static long length;
+static char *array[ARRAY_SZ];
+static char *arg;
+static struct rlimit rl = {
+	.rlim_cur = RLIM_INFINITY,
+	.rlim_max = RLIM_INFINITY,
+};
+
+static void setup(void);
+static void cleanup(void);
+
+int main(int argc, char **argv)
+{
+	int i, lc, st;
+	pid_t pid;
+	char *msg;
+
+	msg = parse_opts(argc, argv, NULL, NULL);
+	if (msg != NULL)
+		tst_brkm(TBROK, NULL, "OPTION PARSING ERROR - %s", msg);
+
+	setup();
+
+	for (lc = 0; TEST_LOOPING(lc); lc++) {
+		switch (pid = fork()) {
+		case -1:
+			tst_brkm(TBROK|TERRNO, cleanup, "fork");
+		case 0:
+			memset(arg, 'c', length - 1);
+			arg[length - 1] = '\0';
+			for (i = 0; i < ARRAY_SZ - 1; i++)
+				array[i] = arg;
+			array[ARRAY_SZ - 1] = NULL;
+			if (setrlimit(RLIMIT_STACK, &rl) == -1) {
+				perror("setrlimit");
+				exit(1);
+			}
+			if (execvp("true", array) == -1) {
+				perror("execvp");
+				exit(1);
+			}
+		default:
+			if (waitpid(pid, &st, 0) == -1)
+				tst_brkm(TBROK|TERRNO, cleanup, "waitpid");
+			if (!WIFEXITED(st) || WEXITSTATUS(st) != 0)
+				tst_brkm(TBROK, cleanup,
+					"child exited abnormally");
+		}
+	}
+	tst_resm(TPASS, "system didn't crash, pass.");
+	cleanup();
+	tst_exit();
+}
+
+static void setup(void)
+{
+	ps = sysconf(_SC_PAGESIZE);
+	length = 32 * ps;
+	arg = malloc(length);
+	if (arg == NULL)
+		tst_brkm(TBROK|TERRNO, NULL, "malloc");
+
+	tst_sig(FORK, DEF_HANDLER, cleanup);
+	TEST_PAUSE;
+}
+
+static void cleanup(void)
+{
+	TEST_CLEANUP;
+}
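Review bot: The parent's status check in main() folds every child failure into one TBROK message, "child exited abnormally", so a child killed by a signal is indistinguishable from a failed setrlimit() or execvp(), whose perror() output goes only to the child's stderr. With 255 argument strings of 32 pages each and an unlimited stack limit, a signal kill under memory pressure is plausible (inferred, not shown on the page), and for a CVE regression test the cause of a TBROK matters. Report the signal separately before the generic check: `if (WIFSIGNALED(st)) tst_brkm(TBROK, cleanup, "child killed by signal %d", WTERMSIG(st));`.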


* Re: [LTP] [PATCH v6] mm: thp testcase come from CVE reproducer
  2011-05-30 14:46                   ` [LTP] [PATCH v6] mm: " Caspar Zhang
@ 2011-05-31 15:32                     ` Cyril Hrubis
  0 siblings, 0 replies; 18+ messages in thread
From: Cyril Hrubis @ 2011-05-31 15:32 UTC (permalink / raw)
  To: Caspar Zhang; +Cc: LTP List

Hi!
Committed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz

