/* * Check decoding of select/_newselect syscalls. * * Copyright (c) 2015-2018 Dmitry V. Levin <ldv@altlinux.org> * Copyright (c) 2015-2017 The strace developers. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* * Based on test by Dr. David Alan Gilbert <dave@treblig.org> */ #include <errno.h> #include <limits.h> #include <stdint.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include <sys/select.h> static const char *errstr; static long xselect(const kernel_ulong_t nfds, const kernel_ulong_t rs, const kernel_ulong_t ws, const kernel_ulong_t es, const kernel_ulong_t tv) #ifndef xselect { long rc = syscall(TEST_SYSCALL_NR, F8ILL_KULONG_MASK | nfds, rs, ws, es, tv); errstr = sprintrc(rc); return rc; } #else ; #endif #define XSELECT(expected_, ...) \ do { \ long rc = xselect(__VA_ARGS__); \ if (rc != (expected_)) \ perror_msg_and_fail(TEST_SYSCALL_STR \ ": expected %d" \ ", returned %ld", \ (expected_), rc); \ } while (0) \ /* End of XSELECT definition. */ int main(void) { #ifdef PATH_TRACING_FD skip_if_unavailable("/proc/self/fd/"); #endif for (int i = 3; i < FD_SETSIZE; ++i) { #ifdef PATH_TRACING_FD if (i == PATH_TRACING_FD) continue; #endif (void) close(i); } int fds[2]; if (pipe(fds)) perror_msg_and_fail("pipe"); static const int smallset_size = sizeof(kernel_ulong_t) * 8; const int nfds = fds[1] + 1; if (nfds > smallset_size) error_msg_and_fail("nfds[%d] > smallset_size[%d]\n", nfds, smallset_size); struct timeval tv_in = { 0, 123 }; struct timeval *const tv = tail_memdup(&tv_in, sizeof(tv_in)); const uintptr_t a_tv = (uintptr_t) tv; TAIL_ALLOC_OBJECT_VAR_PTR(kernel_ulong_t, l_rs); fd_set *const rs = (void *) l_rs; const uintptr_t a_rs = (uintptr_t) rs; TAIL_ALLOC_OBJECT_VAR_PTR(kernel_ulong_t, l_ws); fd_set *const ws = (void *) l_ws; const uintptr_t a_ws = (uintptr_t) ws; TAIL_ALLOC_OBJECT_VAR_PTR(kernel_ulong_t, l_es); fd_set *const es = (void *) l_es; const uintptr_t a_es = (uintptr_t) es; long rc; /* * An equivalent of nanosleep. */ if (xselect(0, 0, 0, 0, a_tv)) { if (errno == ENOSYS) perror_msg_and_skip(TEST_SYSCALL_STR); else perror_msg_and_fail(TEST_SYSCALL_STR); } #ifndef PATH_TRACING_FD printf("%s(0, NULL, NULL, NULL, {tv_sec=%lld, tv_usec=%llu})" " = 0 (Timeout)\n", TEST_SYSCALL_STR, (long long) tv_in.tv_sec, zero_extend_signed_to_ull(tv_in.tv_usec)); #endif /* EFAULT on tv argument */ XSELECT(-1, 0, 0, 0, 0, a_tv + 1); #ifndef PATH_TRACING_FD printf("%s(0, NULL, NULL, NULL, %#lx) = %s\n", TEST_SYSCALL_STR, (unsigned long) a_tv + 1, errstr); #endif /* * Start with a nice simple select with the same set. */ for (int i = nfds; i <= smallset_size; ++i) { *l_rs = (1UL << fds[0]) | (1UL << fds[1]); XSELECT(1, i, a_rs, a_rs, a_rs, 0); #ifndef PATH_TRACING_FD printf("%s(%d, [%d %d], [%d %d], [%d %d], NULL) = 1 ()\n", TEST_SYSCALL_STR, i, fds[0], fds[1], fds[0], fds[1], fds[0], fds[1]); #else *l_rs = (1UL << fds[0]) | (1UL << fds[1]) | (1UL << PATH_TRACING_FD); XSELECT(i > PATH_TRACING_FD ? 3 : 1, i, a_rs, a_rs, a_rs, 0); if (i > PATH_TRACING_FD) { printf("%s(%d, [%d %d %d], [%d %d %d], [%d %d %d]" ", NULL) = 3 ()\n", TEST_SYSCALL_STR, i, fds[0], fds[1], PATH_TRACING_FD, fds[0], fds[1], PATH_TRACING_FD, fds[0], fds[1], PATH_TRACING_FD); } #endif } /* * Odd timeout. */ *l_rs = (1UL << fds[0]) | (1UL << fds[1]); tv_in.tv_sec = 0xdeadbeefU; tv_in.tv_usec = 0xfacefeedU; memcpy(tv, &tv_in, sizeof(tv_in)); rc = xselect(nfds, a_rs, a_rs, a_rs, a_tv); if (rc < 0) { #ifndef PATH_TRACING_FD printf("%s(%d, [%d %d], [%d %d], [%d %d]" ", {tv_sec=%lld, tv_usec=%llu}) = %s\n", TEST_SYSCALL_STR, nfds, fds[0], fds[1], fds[0], fds[1], fds[0], fds[1], (long long) tv_in.tv_sec, zero_extend_signed_to_ull(tv_in.tv_usec), errstr); #endif /* !PATH_TRACING_FD */ } else { #ifndef PATH_TRACING_FD printf("%s(%d, [%d %d], [%d %d], [%d %d]" ", {tv_sec=%lld, tv_usec=%llu}) = %ld" " (left {tv_sec=%lld, tv_usec=%llu})\n", TEST_SYSCALL_STR, nfds, fds[0], fds[1], fds[0], fds[1], fds[0], fds[1], (long long) tv_in.tv_sec, zero_extend_signed_to_ull(tv_in.tv_usec), rc, (long long) tv->tv_sec, zero_extend_signed_to_ull(tv->tv_usec)); #endif /* !PATH_TRACING_FD */ } /* * Very odd timeout. */ *l_rs = (1UL << fds[0]) | (1UL << fds[1]); tv_in.tv_sec = (time_t) 0xcafef00ddeadbeefLL; tv_in.tv_usec = (suseconds_t) 0xbadc0dedfacefeedLL; memcpy(tv, &tv_in, sizeof(tv_in)); rc = xselect(nfds, a_rs, a_rs, a_rs, a_tv); if (rc < 0) { #ifndef PATH_TRACING_FD printf("%s(%d, [%d %d], [%d %d], [%d %d]" ", {tv_sec=%lld, tv_usec=%llu}) = %s\n", TEST_SYSCALL_STR, nfds, fds[0], fds[1], fds[0], fds[1], fds[0], fds[1], (long long) tv_in.tv_sec, zero_extend_signed_to_ull(tv_in.tv_usec), errstr); #endif /* PATH_TRACING_FD */ } else { #ifndef PATH_TRACING_FD printf("%s(%d, [%d %d], [%d %d], [%d %d]" ", {tv_sec=%lld, tv_usec=%llu}) = %ld" " (left {tv_sec=%lld, tv_usec=%llu})\n", TEST_SYSCALL_STR, nfds, fds[0], fds[1], fds[0], fds[1], fds[0], fds[1], (long long) tv_in.tv_sec, zero_extend_signed_to_ull(tv_in.tv_usec), rc, (long long) tv->tv_sec, zero_extend_signed_to_ull(tv->tv_usec)); #endif /* PATH_TRACING_FD */ } /* * Another simple one, with a timeout. */ for (int i = nfds; i <= smallset_size; ++i) { *l_rs = (1UL << fds[0]) | (1UL << fds[1]); *l_ws = (1UL << 1) | (1UL << 2) | (1UL << fds[0]) | (1UL << fds[1]); *l_es = 0; tv_in.tv_sec = 0xc0de1; tv_in.tv_usec = 0xc0de2; memcpy(tv, &tv_in, sizeof(tv_in)); XSELECT(3, i, a_rs, a_ws, a_es, a_tv); #ifndef PATH_TRACING_FD printf("%s(%d, [%d %d], [%d %d %d %d], []" ", {tv_sec=%lld, tv_usec=%llu}) = 3 (out [1 2 %d]" ", left {tv_sec=%lld, tv_usec=%llu})\n", TEST_SYSCALL_STR, i, fds[0], fds[1], 1, 2, fds[0], fds[1], (long long) tv_in.tv_sec, zero_extend_signed_to_ull(tv_in.tv_usec), fds[1], (long long) tv->tv_sec, zero_extend_signed_to_ull(tv->tv_usec)); #else *l_rs = (1UL << fds[0]) | (1UL << fds[1]) | (1UL << PATH_TRACING_FD); *l_ws = (1UL << 1) | (1UL << 2) | (1UL << fds[0]) | (1UL << fds[1]); tv_in.tv_sec = 0xc0de1; tv_in.tv_usec = 0xc0de2; memcpy(tv, &tv_in, sizeof(tv_in)); XSELECT(3 + (i > PATH_TRACING_FD), i, a_rs, a_ws, a_es, a_tv); if (i > PATH_TRACING_FD) { printf("%s(%d, [%d %d %d], [%d %d %d %d], []" ", {tv_sec=%lld, tv_usec=%llu})" " = 4 (in [%d], out [1 2 %d]" ", left {tv_sec=%lld, tv_usec=%llu})\n", TEST_SYSCALL_STR, i, fds[0], fds[1], PATH_TRACING_FD, 1, 2, fds[0], fds[1], (long long) tv_in.tv_sec, zero_extend_signed_to_ull(tv_in.tv_usec), PATH_TRACING_FD, fds[1], (long long) tv->tv_sec, zero_extend_signed_to_ull(tv->tv_usec)); } *l_rs = (1UL << fds[0]) | (1UL << fds[1]); *l_ws = (1UL << 1) | (1UL << 2) | (1UL << fds[0]) | (1UL << fds[1]) | (1UL << PATH_TRACING_FD); tv_in.tv_sec = 0xc0de1; tv_in.tv_usec = 0xc0de2; memcpy(tv, &tv_in, sizeof(tv_in)); XSELECT(3 + (i > PATH_TRACING_FD), i, a_rs, a_ws, a_es, a_tv); if (i > PATH_TRACING_FD) { printf("%s(%d, [%d %d], [%d %d %d %d %d], []" ", {tv_sec=%lld, tv_usec=%llu})" " = 4 (out [1 2 %d %d]" ", left {tv_sec=%lld, tv_usec=%llu})\n", TEST_SYSCALL_STR, i, fds[0], fds[1], 1, 2, fds[0], fds[1], PATH_TRACING_FD, (long long) tv_in.tv_sec, zero_extend_signed_to_ull(tv_in.tv_usec), fds[1], PATH_TRACING_FD, (long long) tv->tv_sec, zero_extend_signed_to_ull(tv->tv_usec)); } *l_rs = (1UL << fds[0]) | (1UL << fds[1]); *l_ws = (1UL << 1) | (1UL << 2) | (1UL << fds[0]) | (1UL << fds[1]); *l_es = (1UL << PATH_TRACING_FD); tv_in.tv_sec = 0xc0de1; tv_in.tv_usec = 0xc0de2; memcpy(tv, &tv_in, sizeof(tv_in)); XSELECT(3, i, a_rs, a_ws, a_es, a_tv); if (i > PATH_TRACING_FD) { printf("%s(%d, [%d %d], [%d %d %d %d], [%d]" ", {tv_sec=%lld, tv_usec=%llu}) = 3 (out [1 2 %d]" ", left {tv_sec=%lld, tv_usec=%llu})\n", TEST_SYSCALL_STR, i, fds[0], fds[1], 1, 2, fds[0], fds[1], PATH_TRACING_FD, (long long) tv_in.tv_sec, zero_extend_signed_to_ull(tv_in.tv_usec), fds[1], (long long) tv->tv_sec, zero_extend_signed_to_ull(tv->tv_usec)); } #endif /* PATH_TRACING_FD */ } /* * Now the crash case that trinity found, negative nfds * but with a pointer to a large chunk of valid memory. */ static fd_set set[0x1000000 / sizeof(fd_set)]; FD_SET(fds[1], set); XSELECT(-1, -1U, 0, (uintptr_t) set, 0, 0); #ifndef PATH_TRACING_FD printf("%s(-1, NULL, %p, NULL, NULL) = %s\n", TEST_SYSCALL_STR, set, errstr); #endif /* * Big sets, nfds exceeds FD_SETSIZE limit. */ const size_t big_size = sizeof(fd_set) + sizeof(long); fd_set *const big_rs = tail_alloc(big_size); const uintptr_t a_big_rs = (uintptr_t) big_rs; fd_set *const big_ws = tail_alloc(big_size); const uintptr_t a_big_ws = (uintptr_t) big_ws; for (unsigned int i = FD_SETSIZE; i <= big_size * 8; ++i) { memset(big_rs, 0, big_size); memset(big_ws, 0, big_size); FD_SET(fds[0], big_rs); tv->tv_sec = 0; tv->tv_usec = 10 + (i - FD_SETSIZE); XSELECT(0, i, a_big_rs, a_big_ws, 0, a_tv); #ifndef PATH_TRACING_FD printf("%s(%d, [%d], [], NULL, {tv_sec=0, tv_usec=%d})" " = 0 (Timeout)\n", TEST_SYSCALL_STR, i, fds[0], 10 + (i - FD_SETSIZE)); #else FD_SET(fds[0], big_rs); FD_SET(PATH_TRACING_FD, big_rs); tv->tv_sec = 0; tv->tv_usec = 10 + (i - FD_SETSIZE); XSELECT(1, i, a_big_rs, a_big_ws, 0, a_tv); printf("%s(%d, [%d %d], [], NULL, {tv_sec=0, tv_usec=%d})" " = 1 (in [%d], left {tv_sec=0, tv_usec=%llu})\n", TEST_SYSCALL_STR, i, fds[0], PATH_TRACING_FD, 10 + (i - FD_SETSIZE), PATH_TRACING_FD, zero_extend_signed_to_ull(tv->tv_usec)); #endif /* PATH_TRACING_FD */ } /* * Huge sets, nfds equals to INT_MAX. */ FD_SET(fds[0], set); FD_SET(fds[1], set); tv->tv_sec = 0; tv->tv_usec = 123; XSELECT(0, INT_MAX, (uintptr_t) set, (uintptr_t) &set[1], (uintptr_t) &set[2], a_tv); #ifndef PATH_TRACING_FD printf("%s(%d, [%d %d], [], [], {tv_sec=0, tv_usec=123})" " = 0 (Timeout)\n", TEST_SYSCALL_STR, INT_MAX, fds[0], fds[1]); #else FD_SET(fds[0], set); FD_SET(fds[1], set); FD_SET(PATH_TRACING_FD, set); tv->tv_sec = 0; tv->tv_usec = 123; XSELECT(1, INT_MAX, (uintptr_t) set, (uintptr_t) &set[1], (uintptr_t) &set[2], a_tv); printf("%s(%d, [%d %d %d], [], [], {tv_sec=0, tv_usec=123})" " = 1 (in [%d], left {tv_sec=0, tv_usec=%llu})\n", TEST_SYSCALL_STR, INT_MAX, fds[0], fds[1], PATH_TRACING_FD, PATH_TRACING_FD, zero_extend_signed_to_ull(tv->tv_usec)); #endif /* PATH_TRACING_FD */ /* * Small sets, nfds exceeds FD_SETSIZE limit. * The kernel seems to be fine with it but strace cannot follow. */ *l_rs = (1UL << fds[0]) | (1UL << fds[1]) #ifdef PATH_TRACING_FD | (1UL << PATH_TRACING_FD) #endif ; *l_ws = (1UL << fds[0]); *l_es = (1UL << fds[0]) | (1UL << fds[1]) #ifdef PATH_TRACING_FD | (1UL << PATH_TRACING_FD) #endif ; tv->tv_sec = 0; tv->tv_usec = 123; rc = xselect(FD_SETSIZE + 1, a_rs, a_ws, a_es, a_tv); if (rc < 0) { #ifndef PATH_TRACING_FD printf("%s(%d, %p, %p, %p, {tv_sec=0, tv_usec=123}) = %s\n", TEST_SYSCALL_STR, FD_SETSIZE + 1, rs, ws, es, errstr); #endif } else { #ifndef PATH_TRACING_FD printf("%s(%d, %p, %p, %p, {tv_sec=0, tv_usec=123})" " = 0 (Timeout)\n", TEST_SYSCALL_STR, FD_SETSIZE + 1, rs, ws, es); #endif } /* * Small sets, one of allocated descriptors exceeds smallset_size. */ if (dup2(fds[1], smallset_size) != smallset_size) perror_msg_and_fail("dup2"); #ifdef PATH_TRACING_FD FD_SET(PATH_TRACING_FD, rs); FD_SET(PATH_TRACING_FD, ws); FD_SET(PATH_TRACING_FD, es); #endif XSELECT(-1, smallset_size + 1, a_rs, a_ws, a_es, 0); #ifndef PATH_TRACING_FD printf("%s(%d, %p, %p, %p, NULL) = %s\n", TEST_SYSCALL_STR, smallset_size + 1, rs, ws, es, errstr); #endif /* * Small and big sets, * one of allocated descriptors exceeds smallset_size. */ memset(big_rs, 0, big_size); FD_SET(fds[0], big_rs); FD_SET(smallset_size, big_rs); memset(big_ws, 0, big_size); FD_SET(fds[1], big_ws); FD_SET(smallset_size, big_ws); XSELECT(-1, smallset_size + 1, a_big_rs, a_big_ws, a_es, 0); #ifndef PATH_TRACING_FD printf("%s(%d, [%d %d], [%d %d], %p, NULL) = %s\n", TEST_SYSCALL_STR, smallset_size + 1, fds[0], smallset_size, fds[1], smallset_size, es, errstr); #endif /* !PATH_TRACING_FD */ XSELECT(-1, smallset_size + 1, a_es, a_big_ws, a_big_rs, 0); #ifndef PATH_TRACING_FD printf("%s(%d, %p, [%d %d], [%d %d], NULL) = %s\n", TEST_SYSCALL_STR, smallset_size + 1, es, fds[1], smallset_size, fds[0], smallset_size, errstr); #endif /* !PATH_TRACING_FD */ puts("+++ exited with 0 +++"); return 0; }