ladybird/Tests/Kernel
Ben Wiederhake 28e1da344d Kernel: Demonstrate race condition in clock_nanosleep
This adds a test for the race condition in clock_nanosleep.
The crux is that clock_nanosleep verifies that the output buffer
is writable *before* sleeping, and writes to it *after* sleeping.
In the meantime, a concurrent thread can make the output buffer
unwritable, e.g. by deallocating it.

This testcase is needlessly complex because pthread_kill is
not implemented yet.  I tried to keep it as simple as possible.

Here is the relevant part of dmesg:
[nanosleep-race-outbuf-munmap(22:22)]: Unblock nanosleep-race-outbuf-munmap(20:20) due to signal
nanosleep-race-outbuf-munmap(20:20) Unrecoverable page fault, write to address 0x02130016
CRASH: Page Fault. Process: nanosleep-race-outbuf-munmap(20)
[nanosleep-race-outbuf-munmap(20:20)]: 0xc01160ff  memcpy +44
[nanosleep-race-outbuf-munmap(20:20)]: 0xc014de64  Kernel::Process::crash(int, unsigned int) +782
[nanosleep-race-outbuf-munmap(20:20)]: 0xc01191b5  illegal_instruction_handler +0
[nanosleep-race-outbuf-munmap(20:20)]: 0xc011965b  page_fault_handler +649
[nanosleep-race-outbuf-munmap(20:20)]: 0xc0117233  page_fault_asm_entry +22
[nanosleep-race-outbuf-munmap(20:20)]: 0xc011616b  copy_to_user +102
[nanosleep-race-outbuf-munmap(20:20)]: 0xc015911f  Kernel::Process::sys(Kernel::Syscall::SC_clock_nanosleep_params const*) +457
[nanosleep-race-outbuf-munmap(20:20)]: 0xc015daad  syscall_handler +1130
[nanosleep-race-outbuf-munmap(20:20)]: 0xc015d597  syscall_asm_entry +29
[nanosleep-race-outbuf-munmap(20:20)]: 0x08048437  main +146
[nanosleep-race-outbuf-munmap(20:20)]: 0x08048573  _start +94

Most importantly, note that it crashes *inside*
Kernel::Process::sys.
Instead, the correct behavior is to return -EFAULT.
2020-03-03 20:13:32 +01:00
bind-local-socket-to-symlink.cpp Kernel: Pass correct permission flags when opening files 2020-01-18 23:51:22 +01:00
bxvga-mmap-kernel-into-userspace.cpp Kernel: AnonymousVMObject::create_for_physical_range() should fail more 2020-01-28 20:48:07 +01:00
elf-execve-mmap-race.cpp Kernel: Enforce W^X between sys$mmap() and sys$execve() 2020-01-18 23:40:12 +01:00
elf-symbolication-kernel-read-exploit.cpp Kernel+LibELF: Don't blindly trust ELF symbol offsets in symbolication 2020-01-16 22:11:31 +01:00
mmap-write-into-running-programs-executable-file.cpp Kernel: Validate PROT_READ and PROT_WRITE against underlying file 2020-01-07 19:32:32 +01:00
nanosleep-race-outbuf-munmap.cpp Kernel: Demonstrate race condition in clock_nanosleep 2020-03-03 20:13:32 +01:00
null-deref-close-during-select.cpp Kernel: Ignore closed fd's when considering select() unblock 2020-01-09 12:36:42 +01:00
null-deref-crash-during-pthread_join.cpp Kernel: Fix kernel null deref on process crash during join_thread() 2020-01-10 19:23:45 +01:00
path-resolution-race.cpp Kernel: Make Inode::lookup() return a RefPtr<Inode> 2020-02-01 10:56:17 +01:00
uaf-close-while-blocked-in-read.cpp Kernel: Make Process::file_description() vend a RefPtr<FileDescription> 2020-01-07 15:53:42 +01:00