The branch main has been updated by oshogbo:
URL:
https://cgit.FreeBSD.org/src/commit/?id=241a7ddd7112982ed41ccdd047c1dad59ee0256e
commit 241a7ddd7112982ed41ccdd047c1dad59ee0256e
Author: Mariusz Zaborski <osho...@freebsd.org>
AuthorDate: 2024-08-29 13:46:01 +0000
Commit: Mariusz Zaborski <osho...@freebsd.org>
CommitDate: 2024-09-04 11:43:16 +0000
libnv: add tests to verify potential overflow issues
Differential Revision: https://reviews.freebsd.org/D46131
---
lib/libnv/tests/Makefile | 10 ++
lib/libnv/tests/nvlist_send_recv_test.c | 193 ++++++++++++++++++++++++++++++++
sys/contrib/libnv/nv_impl.h | 8 ++
sys/contrib/libnv/nvlist.c | 7 --
4 files changed, 211 insertions(+), 7 deletions(-)
diff --git a/lib/libnv/tests/Makefile b/lib/libnv/tests/Makefile
index 2e6563a83077..aea416539c4a 100644
--- a/lib/libnv/tests/Makefile
+++ b/lib/libnv/tests/Makefile
@@ -1,6 +1,16 @@
+.include <src.opts.mk>
+
ATF_TESTS_C= \
nvlist_send_recv_test
+.PATH: ${SRCTOP}/lib/libnv
+SRCS.nvlist_send_recv_test= msgio.c nvlist_send_recv_test.c
+CFLAGS.nvlist_send_recv_test+=-I${SRCTOP}/sys/contrib/libnv
+CFLAGS.nvlist_send_recv_test+=-I${SRCTOP}/lib/libnv
+.if ${MK_ASAN} != "yes"
+CFLAGS.nvlist_send_recv_test+=-DNO_ASAN
+.endif
+
ATF_TESTS_CXX= \
cnv_tests \
dnv_tests \
diff --git a/lib/libnv/tests/nvlist_send_recv_test.c
b/lib/libnv/tests/nvlist_send_recv_test.c
index f060ee2684d5..79297dfe2043 100644
--- a/lib/libnv/tests/nvlist_send_recv_test.c
+++ b/lib/libnv/tests/nvlist_send_recv_test.c
@@ -43,6 +43,9 @@
#include <atf-c.h>
+#include <nv_impl.h>
+#include <msgio.h>
+
#define ALPHABET "abcdefghijklmnopqrstuvwxyz"
#define fd_is_valid(fd) (fcntl((fd), F_GETFL) != -1 || errno != EBADF)
@@ -542,6 +545,192 @@ ATF_TC_BODY(nvlist_send_recv__send_closed_fd__stream, tc)
nvlist_send_recv__send_closed_fd(SOCK_STREAM);
}
+ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_header_size);
+ATF_TC_BODY(nvlist_send_recv__overflow_header_size, tc)
+{
+ nvlist_t *nvl;
+ void *packed;
+ size_t packed_size;
+ struct nvlist_header *header;
+ int fd, socks[2], status;
+ pid_t pid;
+
+#ifdef NO_ASAN
+ atf_tc_skip("This test requires ASAN");
+#endif
+
+ ATF_REQUIRE_EQ(socketpair(PF_UNIX, SOCK_STREAM, 0, socks), 0);
+
+ pid = fork();
+ ATF_REQUIRE(pid >= 0);
+
+ if (pid == 0) {
+ /* Child. */
+ fd = socks[0];
+ close(socks[1]);
+
+ nvl = nvlist_create(0);
+ ATF_REQUIRE(nvl != NULL);
+ ATF_REQUIRE(nvlist_empty(nvl));
+
+ packed = nvlist_pack(nvl, &packed_size);
+ ATF_REQUIRE(packed != NULL);
+ ATF_REQUIRE(packed_size >= sizeof(struct nvlist_header));
+
+ header = (struct nvlist_header *)packed;
+ header->nvlh_size = SIZE_MAX - sizeof(struct nvlist_header) + 2;
+
+ ATF_REQUIRE_EQ(write(fd, packed, packed_size),
+ (ssize_t)sizeof(struct nvlist_header));
+
+ nvlist_destroy(nvl);
+ free(packed);
+
+ exit(0);
+ } else {
+ /* Parent */
+ fd = socks[1];
+ close(socks[0]);
+
+ errno = 0;
+ nvl = nvlist_recv(fd, 0);
+ ATF_REQUIRE(nvl == NULL);
+
+ /*
+ * Make sure it has failed on EINVAL, and not on
+ * errors returned by malloc or recv.
+ */
+ ATF_REQUIRE(errno == EINVAL);
+
+ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
+ ATF_REQUIRE(status == 0);
+ close(fd);
+ }
+}
+
+ATF_TC_WITHOUT_HEAD(nvlist_send_recv__invalid_fd_size);
+ATF_TC_BODY(nvlist_send_recv__invalid_fd_size, tc)
+{
+ nvlist_t *nvl;
+ void *packed;
+ size_t packed_size;
+ struct nvlist_header *header;
+ int fd, socks[2], status;
+ pid_t pid;
+
+ ATF_REQUIRE_EQ(socketpair(PF_UNIX, SOCK_STREAM, 0, socks), 0);
+
+ pid = fork();
+ ATF_REQUIRE(pid >= 0);
+
+ if (pid == 0) {
+ /* Child. */
+ fd = socks[0];
+ close(socks[1]);
+
+ nvl = nvlist_create(0);
+ ATF_REQUIRE(nvl != NULL);
+ ATF_REQUIRE(nvlist_empty(nvl));
+
+ nvlist_add_string(nvl, "nvl/string", "test");
+ ATF_REQUIRE_EQ(nvlist_error(nvl), 0);
+
+ packed = nvlist_pack(nvl, &packed_size);
+ ATF_REQUIRE(packed != NULL);
+ ATF_REQUIRE(packed_size >= sizeof(struct nvlist_header));
+
+ header = (struct nvlist_header *)packed;
+ header->nvlh_descriptors = 0x20;
+
+ ATF_REQUIRE_EQ(write(fd, packed, packed_size),
+ (ssize_t)packed_size);
+
+ nvlist_destroy(nvl);
+ free(packed);
+
+ exit(0);
+ } else {
+ /* Parent */
+ fd = socks[1];
+ close(socks[0]);
+
+ nvl = nvlist_recv(fd, 0);
+ ATF_REQUIRE(nvl == NULL);
+
+ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
+ ATF_REQUIRE(status == 0);
+ }
+
+ close(fd);
+}
+
+ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_fd_size);
+ATF_TC_BODY(nvlist_send_recv__overflow_fd_size, tc)
+{
+ nvlist_t *nvl;
+ void *packed;
+ size_t packed_size;
+ struct nvlist_header *header;
+ int fd, socks[2], fds[1], status;
+ pid_t pid;
+
+ ATF_REQUIRE_EQ(socketpair(PF_UNIX, SOCK_STREAM, 0, socks), 0);
+
+ pid = fork();
+ ATF_REQUIRE(pid >= 0);
+
+ if (pid == 0) {
+ /* Child. */
+ fd = socks[0];
+ close(socks[1]);
+
+ nvl = nvlist_create(0);
+ ATF_REQUIRE(nvl != NULL);
+ ATF_REQUIRE(nvlist_empty(nvl));
+
+ nvlist_add_string(nvl, "nvl/string", "test");
+ ATF_REQUIRE_EQ(nvlist_error(nvl), 0);
+
+ packed = nvlist_pack(nvl, &packed_size);
+ ATF_REQUIRE(packed != NULL);
+ ATF_REQUIRE(packed_size >= sizeof(struct nvlist_header));
+
+ header = (struct nvlist_header *)packed;
+ header->nvlh_descriptors = 0x4000000000000002;
+
+ ATF_REQUIRE_EQ(write(fd, packed, packed_size),
+ (ssize_t)packed_size);
+
+ fds[0] = dup(STDERR_FILENO);
+ ATF_REQUIRE(fds[0] >= 0);
+ ATF_REQUIRE_EQ(fd_send(fd, fds, 1), 0);
+
+ nvlist_destroy(nvl);
+ free(packed);
+
+ close(fds[0]);
+ close(fd);
+
+ exit(0);
+ } else {
+ /* Parent */
+ fd = socks[1];
+ close(socks[0]);
+
+ nvl = nvlist_recv(fd, 0);
+ ATF_REQUIRE(nvl == NULL);
+
+ /* Make sure that fd was not parsed by nvlist */
+ ATF_REQUIRE(fd_recv(fd, fds, 1) == 0);
+
+ ATF_REQUIRE(waitpid(pid, &status, 0) == pid);
+ ATF_REQUIRE(status == 0);
+
+ close(fds[0]);
+ close(fd);
+ }
+}
+
ATF_TP_ADD_TCS(tp)
{
@@ -552,5 +741,9 @@ ATF_TP_ADD_TCS(tp)
ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__dgram);
ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__stream);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_header_size);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__invalid_fd_size);
+ ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_fd_size);
+
return (atf_no_error());
}
diff --git a/sys/contrib/libnv/nv_impl.h b/sys/contrib/libnv/nv_impl.h
index e9cd3ffabc3f..4ac57fc7b497 100644
--- a/sys/contrib/libnv/nv_impl.h
+++ b/sys/contrib/libnv/nv_impl.h
@@ -42,6 +42,14 @@ struct nvpair;
typedef struct nvpair nvpair_t;
#endif
+struct nvlist_header {
+ uint8_t nvlh_magic;
+ uint8_t nvlh_version;
+ uint8_t nvlh_flags;
+ uint64_t nvlh_descriptors;
+ uint64_t nvlh_size;
+} __packed;
+
#define NV_TYPE_NVLIST_ARRAY_NEXT 254
#define NV_TYPE_NVLIST_UP 255
diff --git a/sys/contrib/libnv/nvlist.c b/sys/contrib/libnv/nvlist.c
index 64078b10973e..1dc0bb8c1141 100644
--- a/sys/contrib/libnv/nvlist.c
+++ b/sys/contrib/libnv/nvlist.c
@@ -118,13 +118,6 @@ MALLOC_DEFINE(M_NVLIST, "nvlist", "kernel nvlist");
#define NVLIST_HEADER_MAGIC 0x6c
#define NVLIST_HEADER_VERSION 0x00
-struct nvlist_header {
- uint8_t nvlh_magic;
- uint8_t nvlh_version;
- uint8_t nvlh_flags;
- uint64_t nvlh_descriptors;
- uint64_t nvlh_size;
-} __packed;
nvlist_t *
nvlist_create(int flags)
