Commit Graph

3526 Commits

Author SHA1 Message Date
mrg
5d873ca56c make 'clean' and/or 'cleandir' actually clean all the things. 2018-05-31 09:08:25 +00:00
kamil
6abbe0506f Add a comment for the workaround in trigger_bus()
Explain PROT_READ|PROT_WRITE.
2018-05-30 17:48:13 +00:00
kamil
398835f368 Make the trigger_bus() test compatible with more CPUs (at least ALPHA)
If we write a byte character into a pointer, a compiler can emit a
read-modify-write operation, especially when a CPU cannot access directly
a character wide address.

In this scenario calling mmap(2) with PROT_WRITE, without PROT_READ will
emit an unexpected trap.

There are two possible workarounds for this issue:
 - write register wide memory without rmw sequence,
 - mark the region with additional protection PROT_READ

Both work for NetBSD/alpha.

Go for the latter as perhaps more safe for dumb compilers emitting rmw
sequences.

Investigated by <martin>
2018-05-30 17:31:34 +00:00
kre
64d884c8fc The bytes_transfer_piod_read_auxv test uses 4096 for the size param
to bytes_transfer() which asserted that the size is < the size of 512 AuxInfo
structs.   On a 32 bit system, an AuxInfo is 8 bytes, and 512 AuxInfo
structs is thus 4096 bytes, and 4096 is not < 4096, so the assertion
failed.   It would probably work as a <= assert, but I am not confident
enough with this test case to make that call, so instead increase the
array size to be 513 instead, 4096 is < 513*8 so happiness should return
and all should be right with the world.   At least for this one test.
(There was no problem on 64 bit systems as AuxInfo is bigger there.)
2018-05-30 05:09:11 +00:00
kamil
fa04ee6693 Add new ATF ptrace(2) tests verifying crash signal handling
Add new tests:
 - traceme_crash_trap
 - traceme_crash_segv
 - traceme_crash_ill (temporarily disabled)
 - traceme_crash_fpe
 - traceme_crash_bus
 - unrelated_tracer_sees_crash_trap
 - unrelated_tracer_sees_crash_segv
 - unrelated_tracer_sees_crash_ill (temporarily disabled)
 - unrelated_tracer_sees_crash_fpe
 - unrelated_tracer_sees_crash_bus

These tests verify two subtle kernel paths that differ internally:
 - for a tracer that is a parent of a traced program (and not vforked)
   real parent == tracer
 - for a tracer that is an unrelated process of a traced program
   real parent != tracer

Regressions in the signal code can break one of the scenarios while the
other one keeps working. It might be propagated to a scenario like:
 - attaching to a process with a debugger (over pid)
 - starting a process inside a debugger

We can assert on the ATF level that both will be functional.

While there, cover all the crash signals as testing is done practically
for free. While the Machine Independent signal routing code for crash
signals is mostly the same in the kernel, we can verify whether Machine
Dependent parts work as expected emitting the proper signal number and
signal code (si_code).

An unexpected behavior has already been caught on Alpha: instead of
SIGBUS we receive SIGSEGV.

Another benefit is that it's easier to catch races, as they pop up more
frequently. (This already helped to catch bugs more quickly)

These tests will help assert correctness of future kernel changes in the
signal routines.

All tests pass.

Sponsored by <The NetBSD Foundation>
2018-05-29 10:40:54 +00:00
kamil
52922ac661 Correct the t_ptrace_wait*:signal5 ATF test case
This functionality now works.
Correct the code path in this test.
Add additional sanity check with PT_GET_SIGINFO and validating si_code.

Sponsored by <The NetBSD Foundation>
2018-05-28 11:35:50 +00:00
kamil
ccd167ce5f Drop trailing white space 2018-05-28 11:15:48 +00:00
martin
6ad8477b8b PR port-amd64/53316: two int don't make a long (when passed to
a C variadic function)
2018-05-28 07:55:56 +00:00
kamil
d93c7a0a6b Try to fool $CC harder in ATF ptrace(2) tests in trigger_fpe()
A function that returns a value that is not used, can be optimized out by
a compiler. Try to fool the compiler with calling libc functions that shall
trigger a division by zero crash.

Sponsored by <The NetBSD Foundation>
2018-05-27 17:16:39 +00:00
kamil
49994bfcd7 Handle FPE and BUS scenarios in the ATF t_trapsignal tests
These crash signals are crucial for proper handling of abnormal conditions
in a program. The additional purpose of these tests is to assure the proper
handling of these signals for the coming ptrace(2)-related changes in the
signal routing code.

Add a stub for ILL scenarios.

All tests pass (on amd64).

The shell ATF script contains duplicated code. There should be a way to
deduplicate it, without rewrite to C.

Sponsored by <The NetBSD Foundation>
2018-05-27 17:04:45 +00:00
kamil
223c019e6d Fix ATF ptrace(2) bytes_transfer_piod_read_auxv test
Make the initial buffer larger to stop triggering the runtime assert about
its size.

Its size is probably larger than all real use cases, but it's good enough
for the purpose of ATF tests and immune to potential AUXV size.

Sponsored by <The NetBSD Foundation>
2018-05-27 08:08:24 +00:00
christos
d25ad815ca alloca, bad; stack protector, good. 2018-05-27 00:36:56 +00:00
kamil
4ee7ae6051 Port the CVE 2018-8897 mitigation to i386 ATF ptrace(2) tests
On i386 there is no need to switch execution mode.
Use 0x23 SS selector for i386, amd64 used 0x4f.

Based on pointers from <maxv>.

Sponsored by <The NetBSD Foundation>
2018-05-26 20:27:48 +00:00
kamil
1aca04ce92 Refactor the PT_WRITE*/PT_READ* and PIOD_* ATF ptrace(2) tests
Merge all the PT_WRITE*/PT_READ* and PIOD_* test cases into the common
body.

Changes:
 - treat D and I variations exactly the same
 - stop testing 2-3-4 attempts to perform the same read/write operation
 - stop testing interlocked (handshake) read/write operations
 - rename the tests
 - test write to .text section (with D and I type of operations)

New tests:
 - bytes_transfer_piod_read_d_8
 - bytes_transfer_piod_read_d_16
 - bytes_transfer_piod_read_d_32
 - bytes_transfer_piod_read_d_64
 - bytes_transfer_piod_read_i_8
 - bytes_transfer_piod_read_i_16
 - bytes_transfer_piod_read_i_32
 - bytes_transfer_piod_read_i_64
 - bytes_transfer_piod_write_d_8
 - bytes_transfer_piod_write_d_16
 - bytes_transfer_piod_write_d_32
 - bytes_transfer_piod_write_d_64
 - bytes_transfer_piod_write_i_8
 - bytes_transfer_piod_write_i_16
 - bytes_transfer_piod_write_i_32
 - bytes_transfer_piod_write_i_64
 - bytes_transfer_read_d
 - bytes_transfer_read_i
 - bytes_transfer_write_d
 - bytes_transfer_write_i
 - bytes_transfer_piod_read_d_8_text
 - bytes_transfer_piod_read_d_16_text
 - bytes_transfer_piod_read_d_32_text
 - bytes_transfer_piod_read_d_64_text
 - bytes_transfer_piod_read_i_8_text
 - bytes_transfer_piod_read_i_16_text
 - bytes_transfer_piod_read_i_32_text
 - bytes_transfer_piod_read_i_64_text
 - bytes_transfer_piod_write_d_8_text
 - bytes_transfer_piod_write_d_16_text
 - bytes_transfer_piod_write_d_32_text
 - bytes_transfer_piod_write_d_64_text
 - bytes_transfer_piod_write_i_8_text
 - bytes_transfer_piod_write_i_16_text
 - bytes_transfer_piod_write_i_32_text
 - bytes_transfer_piod_write_i_64_text
 - bytes_transfer_read_d_text
 - bytes_transfer_read_i_text
 - bytes_transfer_write_d_text
 - bytes_transfer_write_i_text
 - bytes_transfer_piod_read_auxv

These tests are now covering all usual code paths.

All tests pass.
The PaX MPROTECT violating ones automatically detect whether to be skipped.

Eliminated 4x more code than removed.

Sponsored by <The NetBSD Foundation>
2018-05-26 15:32:31 +00:00
kamil
49ea5747bf Introduce can_we_write_to_text() to ATF ptrace(2) tests
The purpose of this function is to detect whether a tracer can write to the
.text section of its tracee.

Sponsored by <The NetBSD Foundation>
2018-05-26 15:15:17 +00:00
martin
14167a96a3 Fix typo in local macro name, pointed out by uwe 2018-05-25 16:30:03 +00:00
martin
b11873986d Add a test to verify syscall() and/or __syscall() are working.
This used to trigger a panic (see PR kern/53261) on arm.
2018-05-25 15:42:30 +00:00
kamil
5b4f05b5be Try to fix 32-bit build
Cast pointer to uintptr_t rather than uintmax_t.
2018-05-24 08:28:40 +00:00
kamil
e73d44d16d Merge the eventmask[1-6] ATF ptrace(2) tests into a shared function body
While there, rename the tests to:
 - eventmask_preserved_empty
 - eventmask_preserved_fork
 - eventmask_preserved_lwp_create
 - eventmask_preserved_lwp_exit
 - eventmask_preserved_vfork
 - eventmask_preserved_vfork_done

Sponsored by <The NetBSD Foundation>
2018-05-23 23:56:07 +00:00
kamil
7060760a3a Extend traceme_vfork_breakpoint in ATF ptrace(2) tests for more scenarios
traceme_vfork_breakpoint used to test SIGTRAP event. Reuse its code for:
SIGSEGV, SIGILL, SIGFPE and SIGBUS.

The SIGILL case is disabled as of now as it required addition of
PTRACE_ILLEGAL_ASM in MD ptrace(2) headers.

Added tests:
 - traceme_vfork_crash_trap
 - traceme_vfork_crash_segv (renamed from traceme_vfork_breakpoint)
 - traceme_vfork_crash_ill (disabled)
 - traceme_vfork_crash_fpe
 - traceme_vfork_crash_bus

All enabled tests pass.

Sponsored by <The NetBSD Foundation>
2018-05-23 13:51:27 +00:00
kamil
20c82f105a Add new auxiliary functions in ATF ptrace(2) tests
Introduce:
 - trigger_trap()
 - trigger_segv()
 - trigger_ill()
 - trigger_fpe()
 - trigger_bus()

These functions generate appropriate signals caused by crashes.

A debugger is required to collect the crashes regardless of signal masking,
catching or ignoring rules.

While there, append __used argument to can_we_set_dbregs().

Sponsored by <The NetBSD Foundation>
2018-05-23 13:18:09 +00:00
kamil
9b1435470a Refactor the attach[1-8] and race1 ATF t_ptrace_wait* tests
Share code in: attach1, attach2 and race1 in the same function body.
Rename these tests to more verbose names:
 - tracer_sees_terminaton_before_the_parent
 - tracer_sysctl_lookup_without_duplicates
 - unrelated_tracer_sees_terminaton_before_the_parent

Rename attach3 to parent_attach_to_its_child.

Rename attach4 to child_attach_to_its_parent.

Share code in attach5, attach6 and attach7 in the same function body and
rename the tests to:
 - tracee_sees_its_original_parent_getppid
 - tracee_sees_its_original_parent_sysctl_kinfo_proc2
 - tracee_sees_its_original_parent_procfs_status

Reduce the code by around 50%.

No functional change intended. All tests pass.

Sponsored by <The NetBSD Foundation>
2018-05-23 01:29:43 +00:00
kamil
7cc9be7372 Add new ATF ptrace(2) tests: traceme_sendsignal_{masked,ignored}[1-3]
These tests emit signal from a tracer/parent to the child and verify the
behavior in the case of SIG_BLOCK (masked) and SIG_IGN (ignored).

The signal is not reported by the child process.

These tests pass.

While there, rename for consistency with other tests:
 - traceme_sighandler_catch[1-3] -> traceme_sendsignal_handle[1-3]
 - traceme_signal_nohandler[1-5] -> traceme_sendsignal_simple[1-5]

Sponsored by <The NetBSD Foundation>
2018-05-22 10:48:06 +00:00
kamil
aaef92583a Extend ATF tests in t_trapsignal.sh to verify software breakpoint traps
There are at least four types of SIGTRAP events:
 - software/hardware single step (trace trap)
 - software breakpoint
 - hardware breakpoint/watchpoint
 - kernel event (exec, fork, vfork, vfork-done, lwp-create, lwp-exit)

A program can execute software breakpoint without the context of being
traced and this is a regular crash signal emitting SIGTRAP (TRAP_BRKPT).

Rename original trap_* tests (trap_simple, trap_handle, trap_mask,
trap_handle_recurse and trap_ignore) to segv_* tests and restrict them for
SIGSEGV.

Add new tests: trap_* testing the same scenarios as segv_ ones, however
verifying the software breakpoint trap (SIGTRAP).

Keep the original name of h_segv.c, and extend it for software breakpoint
events.

The purpose of these tests is to verify SIGTRAP kernel paths without the
ptrace(2) context.

All tests pass.

Sponsored by <The NetBSD Foundation>
2018-05-22 04:32:56 +00:00
kamil
5607b39231 Add new ATF test: t_trapsignal:trap_ignore
Test ignored trap with right exit code.

This test passes.

Sponsored by <The NetBSD Foundation>
2018-05-21 08:49:03 +00:00
kamil
8e107b0ecc Refactor and enable the signal3 ATF ptrace(2) test
Adapt the test to be independent from the software breakpoint trap
behavior, whether the Program Counter is moved or not. Just kill the
process after catching the expected signal, instead of pretending to resume
it.

This test passes.

Sponsored by <The NetBSD Foundation>
2018-05-20 23:47:16 +00:00
kamil
7f2cb72e7e Fix and enable traceme_signal_nohandler2 in ATF ptrace(2) tests
traceme_signal_nohandler2 checks emitting SIGSTOP to a traced process
with the PT_CONTINUE operation.

The expected behavior is to simulate a behavior of receiving SIGSTOP,
generating SIGCHLD to its parent (in this case the debugger) and ability
to call wait(2)-like function receiving the stopped child event.

The previous behavior was unstopping the process and it has been adjusted
in the kernel code.

FreeBSD keeps unstopping a process for emitting SIGSTOP.
Linux handles this scenario in the same way as NetBSD now.

While there, implement the missing bits in the userland ATF test for
traceme_signal_nohandler2: receiving and validating 2nd SIGSTOP event and
continuing the process, followed by its normal termination.

Sponsored by <The NetBSD Foundation>
2018-05-20 03:51:31 +00:00
kamil
2a5f5c09bb Cover SIGTSTP, SIGTTIN and SIGTTOU in traceme_vfork_raise ATF tests
SIGTSTP, SIGTTIN and SIGTTOU are special case signals ignored in a
vfork(2)ed child. Assert the behavior of raise(2) after calling
PT_TRACE_ME.

Renumber existing traceme_vfork_raise tests.

Sponsored by <The NetBSD Foundation>
2018-05-19 05:25:21 +00:00
kamil
aa6024affb Reflect reality in the comment
The watcher process is emitting SIGKILL, not SIGTERM.

Sponsored by <The NetBSD Foundation>
2018-05-19 05:10:16 +00:00
kamil
8c5954ee47 Enable traceme_vfork_raise2 in ATF ptrace(2) tests
raise(SIGSTOP) is now handled correctly by the kernel, in a child that
vfork(2)ed and called PT_TRACE_ME.

Implement a helper process emitting SIGKILL to a stopped child of a
vfork(2)ed process.

Sponsored by <The NetBSD Foundation>
2018-05-19 05:07:42 +00:00
kamil
c1819337b0 Add new auxiliary functions in t_ptrace_wait.h
New functions:
 - FORKEE_ASSERT_NEQ()
 - await_stopped_child()

Both will be used soon in a new ATF ptrace(2) test.

Sponsored by <The NetBSD Foundation>
2018-05-19 05:04:09 +00:00
kamil
73bcea99d7 Stop masking SIGSTOP in a vfork(2)ed child
Keep the traditional BSD behavior masking SIGTSTP, SIGTTIN and SIGTTOU in
a vfork(2)ed child before exec(3)/exit(3). This is useful in shells and
prevents deadlocking, when a parent cannot unstop the sleeping child.

Change the behavior for SIGSTOP. This signal is by design not maskable and
this property shall be obeyed without exceptions. The STOP behavior is
expected in the context of debuggers and useful in standalone programs.

It is still possible to stop a vfork(2)ed child, however it requires
proc.curproc.stopfork=1, but it is not a flexible solution.

FreeBSD and OpenBSD keep masking SIGSTOP in a vfork(2)ed child.
Linux does not mask stop signals in the same scenarios.

This fixes ATF test: t_vfork:raise2.
No known regressions reported in the existing ATF tests.

Discussed with <kre>

Sponsored by <The NetBSD Foundation>
2018-05-19 02:42:58 +00:00
kamil
497013ad4b Add new ATF tests: t_fork and t_vfork
Test behavior of raise(signal) in either fork(2)ed or vfork(2)ed child.

Tests:
 - raise1 SIGKILL
 - raise2 SIGSTOP
 - raise3 SIGTSTP
 - raise4 SIGTTIN
 - raise5 SIGTTOU
 - raise6 SIGABRT
 - raise7 SIGHUP
 - raise8 SIGCONT

t_vfork:raise2 fails ignoring non-maskable SIGSTOP.

The remaining ones pass.

Sponsored by <The NetBSD Foundation>
2018-05-18 06:39:58 +00:00
kamil
ed68aafd9d Correct assert in ATF t_zombie test
A failure is reported with -1, not 1.

Sponsored by <The NetBSD Foundation>
2018-05-18 00:25:30 +00:00
kamil
ea78951cdc Add extra asserts in three ATF ptrace(2) tests
In traceme* tests after validate_status_stopped() include additional check
to verify the received signal with PT_GET_SIGINFO.

All tests pass.

Sponsored by <The NetBSD Foundation>
2018-05-16 03:52:35 +00:00
kamil
fee84111f1 Improve the description of traceme_vfork_breakpoint (ATF ptrace(2) test)
Sponsored by <The NetBSD Foundation>
2018-05-16 03:18:38 +00:00
kamil
98c4cd6bac Add a new ATF ptrace(2) test: traceme_vfork_exec
Verify PT_TRACE_ME followed by exec(3) in a vfork(2)ed child.

This test passes correctly.

Sponsored by <The NetBSD Foundation>
2018-05-16 02:47:25 +00:00
kamil
983fb9900d Improve the description of traceme_vfork_raise in ATF ptrace(2) tests
Set new description to:
 - "Verify PT_TRACE_ME followed by raise of " #sig " in a vfork(2)ed "
   "child"

The previous one was copy pasted from a different ATF test and not changed.

Sponsored by <The NetBSD Foundation>
2018-05-16 01:36:29 +00:00
kamil
78ed479f2f Add a new ATF ptrace(2) test: traceme_vfork_breakpoint
Verify software breakpoint in a vfork(2)ed child.

The expected behavior is not to route this signal to the parent, even if
that parent is a tracer. The parent cannot handle it and it would lead to
the deadlock.

This test passes correctly.

Sponsored by <The NetBSD Foundation>
2018-05-16 01:27:27 +00:00
kamil
108bf35cd1 Correct handling of: vfork(2) + PT_TRACE_ME + raise(2)
Follow the FreeBSD approach of not routing signals to the parent that
became a tracer after calling PT_TRACE_ME by the vfork(2)ed child (before
exec(3)/exit(3)).

Now if a child calls raise(3), the signal is processed directly to this
child.

Add new ATF ptrace(2) tests:
 - traceme_vfork_raise1 (SIGKILL)
 - traceme_vfork_raise2 (SIGSTOP) // temporarily disabled
 - traceme_vfork_raise3 (SIGABRT)
 - traceme_vfork_raise4 (SIGHUP)
 - traceme_vfork_raise5 (SIGCONT)

The FreeBSD implementation introduces P_PPTRACE for this special case.
Right now keep open-coding the check of this case in the kernel. It might be
refactored in future.

The Linux kernel does not follow this approach and causes dead locking of
the processes (parent and child).

Defer handling SIGSTOP into future.

This is an intermediate step towards correct handling of fork(2) and
vfork(2) in the context of ptrace(2).

All new tests pass.
There are no regressions in existing ATF ptrace(2) tests.

Sponsored by <The NetBSD Foundation>
2018-05-16 00:42:15 +00:00
kamil
a312b16739 Revert previous change in t_ptrace.c
By a mistake this file started to include <sys/mman.h>
This is not needed.

The include was intended to be added just in t_ptrace_wait.c.

Sponsored by <The NetBSD Foundation>
2018-05-14 12:44:40 +00:00
kamil
ca1c59ed43 Simplify the x86_64_cve_2018_8897 ATF ptrace(2) test
Do not call _exit() from the child, as this code shall not be reached.
Put there assert().

No functional change. The test still passes.

Sponsored by <The NetBSD Foundation>
2018-05-14 12:42:34 +00:00
kamil
334427c45d Add a new ptrace(2) ATF exploit for: CVE-2018-8897 (POP SS debug exception)
The original exploit and mitigation have been developed by Maxime Villard.

I've reworked the shared code and adapted for the ATF context.
I've included PIE-aware version (RIP/EIP relative) and introduced
additional comments to the explanation how to trigger the flaw.

This test passes on NetBSD/8.99.17.

Sponsored by <The NetBSD Foundation>
2018-05-13 23:14:47 +00:00
kamil
2439331646 Refactor code in ATF ptrace(2) tests
Move the can_we_set_dbregs() auxiliary function from t_ptrace_x86_wait.h
to a common file t_ptrace_wait.h. This allows using this function for
checking whether the DBREGS set operations in ptrace(2) are accessible for
a user.

Sponsored by <The NetBSD Foundation>
2018-05-13 23:01:25 +00:00
joerg
b5dbde748d Handle the GCC restriction like the set list by explicitly checking for
HAVE_GCC. When using EXTERNAL_TOOLCHAIN with LLVM, it would still be
picked up otherwise.
2018-05-09 13:18:02 +00:00
mrg
2fc9ba62ad don't print "long" with "%zu". 2018-05-09 08:45:03 +00:00
martin
3198bde1a4 Make the getrusage_maxrss test more stable by preventing the compiler from
optimizing out a dummy loop. While there print more details when failing.
2018-05-09 06:32:52 +00:00
christos
ccca93f2fc add tests for maxrss, msgsnd 2018-05-08 01:02:38 +00:00
kamil
410141583e Improve wording for non-native speakers of English
Improve wording in t_ubsan tests for c++.

No functional change intended.

Follow the changes in cc/ by <martin>
2018-05-04 12:51:18 +00:00
kamil
1560a24938 Explain VLA in c++/t_ubsan_vla_out_of_bounds.sh (ATF test)
VLA - Variable Length Array

Requested by <martin>
2018-05-04 12:27:58 +00:00