[compiler-rt] r303132 - [asan] make asan under sandboxes more robust

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Mon May 15 17:09:12 PDT 2017


I see...
Shall we wait for someone to complain about this test first (to know who is
affected) or disable it right away?

--kcc

On Mon, May 15, 2017 at 5:06 PM, Peter Collingbourne <peter at pcc.me.uk>
wrote:

> I think it's not just a matter of a new enough kernel but the fact that
> some Linux distributions disable user namespaces for security reasons, e.g.
> Arch Linux: https://bugs.archlinux.org/task/36969
>
> Peter
>
> On Mon, May 15, 2017 at 5:03 PM, Kostya Serebryany <kcc at google.com> wrote:
>
>> Yea, probably.
>> Will this include fresh enough kernels that we care about?
>>
>> On Mon, May 15, 2017 at 4:54 PM, Peter Collingbourne <peter at pcc.me.uk>
>> wrote:
>>
>>> The test will fail if the kernel does not allow user namespaces, won't
>>> it?
>>>
>>> Peter
>>>
>>> On Mon, May 15, 2017 at 4:37 PM, Kostya Serebryany via llvm-commits <
>>> llvm-commits at lists.llvm.org> wrote:
>>>
>>>> Author: kcc
>>>> Date: Mon May 15 18:37:54 2017
>>>> New Revision: 303132
>>>>
>>>> URL: http://llvm.org/viewvc/llvm-project?rev=303132&view=rev
>>>> Log:
>>>> [asan] make asan under sandboxes more robust
>>>>
>>>> Added:
>>>>     compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc
>>>> _self_maps_test.cc
>>>> Modified:
>>>>     compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc
>>>>
>>>> Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_li
>>>> nux.cc
>>>> URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sa
>>>> nitizer_common/sanitizer_procmaps_linux.cc?rev=303132&r1=303
>>>> 131&r2=303132&view=diff
>>>> ============================================================
>>>> ==================
>>>> --- compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc
>>>> (original)
>>>> +++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc
>>>> Mon May 15 18:37:54 2017
>>>> @@ -18,8 +18,8 @@
>>>>  namespace __sanitizer {
>>>>
>>>>  void ReadProcMaps(ProcSelfMapsBuff *proc_maps) {
>>>> -  CHECK(ReadFileToBuffer("/proc/self/maps", &proc_maps->data,
>>>> -                         &proc_maps->mmaped_size, &proc_maps->len));
>>>> +  ReadFileToBuffer("/proc/self/maps", &proc_maps->data,
>>>> &proc_maps->mmaped_size,
>>>> +                   &proc_maps->len);
>>>>  }
>>>>
>>>>  static bool IsOneOf(char c, char c1, char c2) {
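Review bot: In ReadProcMaps the return value of ReadFileToBuffer is now discarded with no check at all, so a failed read of /proc/self/maps leaves proc_maps in whatever state the call left it and later users cannot tell failure from success. Consider testing the result and explicitly putting proc_maps->data, proc_maps->mmaped_size and proc_maps->len into a defined empty state on failure. A one-line comment saying the read is allowed to fail under a sandbox would also keep the CHECK from being reinstated later.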
>>>>
>>>> Added: compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc
>>>> _self_maps_test.cc
>>>> URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/a
>>>> san/TestCases/Linux/sanbox_read_proc_self_maps_test.cc?rev=3
>>>> 03132&view=auto
>>>> ============================================================
>>>> ==================
>>>> --- compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc
>>>> (added)
>>>> +++ compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc
>>>> Mon May 15 18:37:54 2017
>>>> @@ -0,0 +1,30 @@
>>>> +// REQUIRES: x86_64-target-arch
>>>> +// RUN: %clangxx_asan  %s -o %t
>>>> +// RUN: not %run %t 2>&1 | FileCheck %s
>>>> +#include <sanitizer/common_interface_defs.h>
>>>> +#include <sched.h>
>>>> +#include <unistd.h>
>>>> +#include <stdio.h>
>>>> +#include <stdlib.h>
>>>> +
>>>> +int main() {
>>>> +  __sanitizer_sandbox_arguments args = {0};
>>>> +  // should cache /proc/self/maps
>>>> +  __sanitizer_sandbox_on_notify(&args);
>>>> +
>>>> +  if (unshare(CLONE_NEWUSER)) {
>>>> +    printf("unshare failed\n");
>>>> +    abort();
>>>> +  }
>>>> +
>>>> +  // remove access to /proc/self/maps
>>>> +  if (chroot("/tmp")) {
>>>> +    printf("chroot failed\n");
>>>> +    abort();
>>>> +  }
>>>> +
>>>> +  *(volatile int*)0x42 = 0;
>>>> +// CHECK: AddressSanitizer: SEGV on unknown address 0x000000000042
>>>> +// CHECK-NOT: AddressSanitizer CHECK failed
>>>> +// CHECK: SUMMARY: AddressSanitizer: SEGV
>>>> +}
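Review bot: The unshare(CLONE_NEWUSER) call in main() has no guard in the REQUIRES/RUN lines for hosts where it is not permitted. On such a host the test aborts before the faulting store and FileCheck fails on the missing "SEGV on unknown address" line, which reads as an ASan regression rather than an unsupported environment. Suggest gating the test on a feature check, or making the unshare/chroot failure paths produce a result the test treats as unsupported. Smaller points: the "unshare failed" and "chroot failed" diagnostics go through printf to a piped stdout and may not be flushed before abort(), so fprintf(stderr, ...) would be more reliable; chroot("/tmp") is not followed by chdir("/"); and the file name spells "sanbox" rather than "sandbox".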
>>>>
>>>>
>>>> _______________________________________________
>>>> llvm-commits mailing list
>>>> llvm-commits at lists.llvm.org
>>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits
>>>>
>>>
>>>
>>>
>>> --
>>> --
>>> Peter
>>>
>>
>>
>
>
> --
> --
> Peter
>