[compiler-rt] r303132 - [asan] make asan under sandboxes more robust

Peter Collingbourne via llvm-commits llvm-commits at lists.llvm.org
Mon May 15 17:06:57 PDT 2017


I think it's not just a matter of a new enough kernel but the fact that
some Linux distributions disable user namespaces for security reasons, e.g.
Arch Linux: https://bugs.archlinux.org/task/36969

Peter

On Mon, May 15, 2017 at 5:03 PM, Kostya Serebryany <kcc at google.com> wrote:

> Yea, probably.
> Will this include fresh enough kernels that we care about?
>
> On Mon, May 15, 2017 at 4:54 PM, Peter Collingbourne <peter at pcc.me.uk>
> wrote:
>
>> The test will fail if the kernel does not allow user namespaces, won't it?
>>
>> Peter
>>
>> On Mon, May 15, 2017 at 4:37 PM, Kostya Serebryany via llvm-commits <
>> llvm-commits at lists.llvm.org> wrote:
>>
>>> Author: kcc
>>> Date: Mon May 15 18:37:54 2017
>>> New Revision: 303132
>>>
>>> URL: http://llvm.org/viewvc/llvm-project?rev=303132&view=rev
>>> Log:
>>> [asan] make asan under sandboxes more robust
>>>
>>> Added:
>>>     compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc
>>> Modified:
>>>     compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc
>>>
>>> Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc
>>> URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc?rev=303132&r1=303131&r2=303132&view=diff
>>> ==============================================================================
>>> --- compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc (original)
>>> +++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc Mon May 15 18:37:54 2017
>>> @@ -18,8 +18,8 @@
>>>  namespace __sanitizer {
>>>
>>>  void ReadProcMaps(ProcSelfMapsBuff *proc_maps) {
>>> -  CHECK(ReadFileToBuffer("/proc/self/maps", &proc_maps->data,
>>> -                         &proc_maps->mmaped_size, &proc_maps->len));
>>> +  ReadFileToBuffer("/proc/self/maps", &proc_maps->data,
>>> &proc_maps->mmaped_size,
>>> +                   &proc_maps->len);
>>>  }
>>>
>>>  static bool IsOneOf(char c, char c1, char c2) {
>>>
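Review bot: the return value of ReadFileToBuffer is now dropped silently, so when /proc/self/maps cannot be read (the sandboxed case this change targets) proc_maps->data and proc_maps->len are left in whatever state ReadFileToBuffer leaves them, and every caller that walks proc_maps->data must already tolerate an empty or unset buffer. A short comment at the call site saying that a failed read is expected under sandboxes and that the copy cached by __sanitizer_sandbox_on_notify is used instead would document the intent, and a verbose-mode diagnostic on failure would keep a genuinely unexpected read error from disappearing without trace.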
>>> Added: compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc
>>> URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc?rev=303132&view=auto
>>> ==============================================================================
>>> --- compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc (added)
>>> +++ compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc Mon May 15 18:37:54 2017
>>> @@ -0,0 +1,30 @@
>>> +// REQUIRES: x86_64-target-arch
>>> +// RUN: %clangxx_asan  %s -o %t
>>> +// RUN: not %run %t 2>&1 | FileCheck %s
>>> +#include <sanitizer/common_interface_defs.h>
>>> +#include <sched.h>
>>> +#include <unistd.h>
>>> +#include <stdio.h>
>>> +#include <stdlib.h>
>>> +
>>> +int main() {
>>> +  __sanitizer_sandbox_arguments args = {0};
>>> +  // should cache /proc/self/maps
>>> +  __sanitizer_sandbox_on_notify(&args);
>>> +
>>> +  if (unshare(CLONE_NEWUSER)) {
>>> +    printf("unshare failed\n");
>>> +    abort();
>>> +  }
>>> +
>>> +  // remove access to /proc/self/maps
>>> +  if (chroot("/tmp")) {
>>> +    printf("chroot failed\n");
>>> +    abort();
>>> +  }
>>> +
>>> +  *(volatile int*)0x42 = 0;
>>> +// CHECK: AddressSanitizer: SEGV on unknown address 0x000000000042
>>> +// CHECK-NOT: AddressSanitizer CHECK failed
>>> +// CHECK: SUMMARY: AddressSanitizer: SEGV
>>> +}
>>>
>>>
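Review bot: the failure path of `unshare(CLONE_NEWUSER)` calls `abort()`, so on kernels or distributions where unprivileged user namespaces are disabled the program never reaches the faulting store, no `AddressSanitizer: SEGV` line is printed, and FileCheck reports a failure rather than the test being marked unsupported; consider exiting with a distinct status in that branch and gating the test on a lit feature that probes user-namespace support, so that an environment limitation is not reported as a sanitizer regression. The `chroot("/tmp")` step likewise assumes `/tmp` exists and relies on the capabilities granted inside the new user namespace, which is worth a comment next to `// remove access to /proc/self/maps`. Finally, the new file name `sanbox_read_proc_self_maps_test.cc` reads as a typo for `sandbox`.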
>>> _______________________________________________
>>> llvm-commits mailing list
>>> llvm-commits at lists.llvm.org
>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits
>>>
>>
>>
>>
>> --
>> Peter
>>
>
>


-- 
Peter