Date: Sun, 29 Jul 2018 19:12:06 +0000 (UTC) From: Mark Johnston <markj@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r336873 - stable/11/tests/sys/kern Message-ID: <201807291912.w6TJC65n042634@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: markj Date: Sun Jul 29 19:12:06 2018 New Revision: 336873 URL: https://svnweb.freebsd.org/changeset/base/336873 Log: MFC r336614: Add a regression test for PR 131876. PR: 131876 Modified: stable/11/tests/sys/kern/unix_passfd_test.c Directory Properties: stable/11/ (props changed) Modified: stable/11/tests/sys/kern/unix_passfd_test.c ============================================================================== --- stable/11/tests/sys/kern/unix_passfd_test.c Sun Jul 29 19:11:21 2018 (r336872) +++ stable/11/tests/sys/kern/unix_passfd_test.c Sun Jul 29 19:12:06 2018 (r336873) @@ -23,10 +23,11 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + #include <sys/types.h> #include <sys/socket.h> #include <sys/stat.h> @@ -100,6 +101,23 @@ dofstat(int fd, struct stat *sb) "fstat failed: %s", strerror(errno)); } +static int +getnfds(void) +{ + size_t len; + int mib[4], n, rc; + + len = sizeof(n); + mib[0] = CTL_KERN; + mib[1] = KERN_PROC; + mib[2] = KERN_PROC_NFDS; + mib[3] = 0; + + rc = sysctl(mib, 4, &n, &len, NULL, 0); + ATF_REQUIRE_MSG(rc != -1, "sysctl(KERN_PROC_NFDS) failed"); + return (n); +} + static void samefile(struct stat *sb1, struct stat *sb2) { @@ -129,7 +147,7 @@ sendfd_payload(int sockfd, int send_fd, void *payload, msghdr.msg_iov = &iovec; msghdr.msg_iovlen = 1; - cmsghdr = (struct cmsghdr *)(void*)message; + cmsghdr = (struct cmsghdr *)(void *)message; cmsghdr->cmsg_len = CMSG_LEN(sizeof(int)); cmsghdr->cmsg_level = SOL_SOCKET; cmsghdr->cmsg_type = SCM_RIGHTS; @@ -380,6 +398,55 @@ ATF_TC_BODY(rights_creds_payload, tc) closesocketpair(fd); } +/* + * Test for PR 131876. Receiver uses a control message buffer that is too + * small for the incoming SCM_RIGHTS message, so the message is truncated. + * The kernel must not leak the copied right into the receiver's namespace. + */ +ATF_TC_WITHOUT_HEAD(truncated_rights); +ATF_TC_BODY(truncated_rights, tc) +{ + struct iovec iovec; + struct msghdr msghdr; + char buf[16], message[CMSG_SPACE(0)]; + ssize_t len; + int fd[2], nfds, putfd; + + atf_tc_expect_fail("PR 131876: " + "FD leak when 'control' message is truncated"); + + memset(buf, 42, sizeof(buf)); + domainsocketpair(fd); + devnull(&putfd); + nfds = getnfds(); + + sendfd_payload(fd[0], putfd, buf, sizeof(buf)); + + bzero(&msghdr, sizeof(msghdr)); + bzero(message, sizeof(message)); + + iovec.iov_base = buf; + iovec.iov_len = sizeof(buf); + msghdr.msg_control = message; + msghdr.msg_controllen = sizeof(message); + msghdr.msg_iov = &iovec; + msghdr.msg_iovlen = 1; + + len = recvmsg(fd[1], &msghdr, 0); + ATF_REQUIRE_MSG(len != -1, "recvmsg failed: %s", strerror(errno)); + ATF_REQUIRE_MSG((size_t)len == sizeof(buf), + "recvmsg: %zd bytes received; expected %zd", len, sizeof(buf)); + for (size_t i = 0; i < sizeof(buf); i++) + ATF_REQUIRE_MSG(buf[i] == 42, "unexpected buffer contents"); + + ATF_REQUIRE_MSG((msghdr.msg_flags & MSG_CTRUNC) != 0, + "MSG_CTRUNC not set after truncation"); + ATF_REQUIRE(getnfds() == nfds); + + close(putfd); + closesocketpair(fd); +} + ATF_TP_ADD_TCS(tp) { @@ -391,6 +458,7 @@ ATF_TP_ADD_TCS(tp) ATF_TP_ADD_TC(tp, bundle_cancel); ATF_TP_ADD_TC(tp, devfs_orphan); ATF_TP_ADD_TC(tp, rights_creds_payload); + ATF_TP_ADD_TC(tp, truncated_rights); return (atf_no_error()); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201807291912.w6TJC65n042634>