From owner-svn-src-head@freebsd.org Sun Jul 22 18:07:09 2018 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ADCF91051CBA; Sun, 22 Jul 2018 18:07:09 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 616F67E3DF; Sun, 22 Jul 2018 18:07:09 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 42AA611661; Sun, 22 Jul 2018 18:07:09 +0000 (UTC) (envelope-from markj@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w6MI79nf091185; Sun, 22 Jul 2018 18:07:09 GMT (envelope-from markj@FreeBSD.org) Received: (from markj@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w6MI79E0091184; Sun, 22 Jul 2018 18:07:09 GMT (envelope-from markj@FreeBSD.org) Message-Id: <201807221807.w6MI79E0091184@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: markj set sender to markj@FreeBSD.org using -f From: Mark Johnston Date: Sun, 22 Jul 2018 18:07:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r336614 - head/tests/sys/kern X-SVN-Group: head X-SVN-Commit-Author: markj X-SVN-Commit-Paths: head/tests/sys/kern X-SVN-Commit-Revision: 336614 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Jul 2018 18:07:10 -0000 Author: markj Date: Sun Jul 22 18:07:08 2018 New Revision: 336614 URL: https://svnweb.freebsd.org/changeset/base/336614 Log: Add a regression test for PR 131876. PR: 131876 MFC after: 1 week Modified: head/tests/sys/kern/unix_passfd_test.c Modified: head/tests/sys/kern/unix_passfd_test.c ============================================================================== --- head/tests/sys/kern/unix_passfd_test.c Sun Jul 22 18:06:42 2018 (r336613) +++ head/tests/sys/kern/unix_passfd_test.c Sun Jul 22 18:07:08 2018 (r336614) @@ -23,10 +23,11 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ +#include +__FBSDID("$FreeBSD$"); + #include #include #include @@ -100,6 +101,23 @@ dofstat(int fd, struct stat *sb) "fstat failed: %s", strerror(errno)); } +static int +getnfds(void) +{ + size_t len; + int mib[4], n, rc; + + len = sizeof(n); + mib[0] = CTL_KERN; + mib[1] = KERN_PROC; + mib[2] = KERN_PROC_NFDS; + mib[3] = 0; + + rc = sysctl(mib, 4, &n, &len, NULL, 0); + ATF_REQUIRE_MSG(rc != -1, "sysctl(KERN_PROC_NFDS) failed"); + return (n); +} + static void samefile(struct stat *sb1, struct stat *sb2) { @@ -129,7 +147,7 @@ sendfd_payload(int sockfd, int send_fd, void *payload, msghdr.msg_iov = &iovec; msghdr.msg_iovlen = 1; - cmsghdr = (struct cmsghdr *)(void*)message; + cmsghdr = (struct cmsghdr *)(void *)message; cmsghdr->cmsg_len = CMSG_LEN(sizeof(int)); cmsghdr->cmsg_level = SOL_SOCKET; cmsghdr->cmsg_type = SCM_RIGHTS; @@ -380,6 +398,55 @@ ATF_TC_BODY(rights_creds_payload, tc) closesocketpair(fd); } +/* + * Test for PR 131876. Receiver uses a control message buffer that is too + * small for the incoming SCM_RIGHTS message, so the message is truncated. + * The kernel must not leak the copied right into the receiver's namespace. + */ +ATF_TC_WITHOUT_HEAD(truncated_rights); +ATF_TC_BODY(truncated_rights, tc) +{ + struct iovec iovec; + struct msghdr msghdr; + char buf[16], message[CMSG_SPACE(0)]; + ssize_t len; + int fd[2], nfds, putfd; + + atf_tc_expect_fail("PR 131876: " + "FD leak when 'control' message is truncated"); + + memset(buf, 42, sizeof(buf)); + domainsocketpair(fd); + devnull(&putfd); + nfds = getnfds(); + + sendfd_payload(fd[0], putfd, buf, sizeof(buf)); + + bzero(&msghdr, sizeof(msghdr)); + bzero(message, sizeof(message)); + + iovec.iov_base = buf; + iovec.iov_len = sizeof(buf); + msghdr.msg_control = message; + msghdr.msg_controllen = sizeof(message); + msghdr.msg_iov = &iovec; + msghdr.msg_iovlen = 1; + + len = recvmsg(fd[1], &msghdr, 0); + ATF_REQUIRE_MSG(len != -1, "recvmsg failed: %s", strerror(errno)); + ATF_REQUIRE_MSG((size_t)len == sizeof(buf), + "recvmsg: %zd bytes received; expected %zd", len, sizeof(buf)); + for (size_t i = 0; i < sizeof(buf); i++) + ATF_REQUIRE_MSG(buf[i] == 42, "unexpected buffer contents"); + + ATF_REQUIRE_MSG((msghdr.msg_flags & MSG_CTRUNC) != 0, + "MSG_CTRUNC not set after truncation"); + ATF_REQUIRE(getnfds() == nfds); + + close(putfd); + closesocketpair(fd); +} + ATF_TP_ADD_TCS(tp) { @@ -391,6 +458,7 @@ ATF_TP_ADD_TCS(tp) ATF_TP_ADD_TC(tp, bundle_cancel); ATF_TP_ADD_TC(tp, devfs_orphan); ATF_TP_ADD_TC(tp, rights_creds_payload); + ATF_TP_ADD_TC(tp, truncated_rights); return (atf_no_error()); }