[compiler-rt] r303132 - [asan] make asan under sandboxes more robust

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Thu May 25 13:51:34 PDT 2017


r303911 relaxes the test while still checking for the regression it's
supposed to check for.
Please let me know if it does not fix your bot.
thanks!

--kcc

On Wed, May 24, 2017 at 9:09 PM, Hal Finkel <hfinkel at anl.gov> wrote:

> On 05/15/2017 07:10 PM, Peter Collingbourne via llvm-commits wrote:
>
> I'm fine with waiting.
>
>
> What's the symptom? This test is failing on some of my build systems:
>
> $ /path/to/build/llvm-stage1/projects/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Linux/Output/sanbox_read_proc_self_maps_test.cc.tmp
> unshare failed
> Aborted
>
> strace shows:
>
>   unshare(CLONE_NEWUSER)                  = -1 EINVAL (Invalid argument)
>
> The system is RHEL7 (Kernel 3.10.0).
>
> Can you please make the test more robust?
>
> Thanks again,
> Hal
>
>
>
> Peter
>
> On Mon, May 15, 2017 at 5:09 PM, Kostya Serebryany <kcc at google.com> wrote:
>
>> I see...
>> Shall we wait for someone to complain about this test first (to know who
>> is affected) or disable it right away?
>>
>> --kcc
>>
>> On Mon, May 15, 2017 at 5:06 PM, Peter Collingbourne <peter at pcc.me.uk>
>> wrote:
>>
>>> I think it's not just a matter of a new enough kernel but the fact that
>>> some Linux distributions disable user namespaces for security reasons, e.g.
>>> Arch Linux: https://bugs.archlinux.org/task/36969
>>>
>>> Peter
>>>
>>> On Mon, May 15, 2017 at 5:03 PM, Kostya Serebryany <kcc at google.com>
>>> wrote:
>>>
>>>> Yea, probably.
>>>> Will this include fresh enough kernels that we care about?
>>>>
>>>> On Mon, May 15, 2017 at 4:54 PM, Peter Collingbourne <peter at pcc.me.uk>
>>>> wrote:
>>>>
>>>>> The test will fail if the kernel does not allow user namespaces, won't
>>>>> it?
>>>>>
>>>>> Peter
>>>>>
>>>>> On Mon, May 15, 2017 at 4:37 PM, Kostya Serebryany via llvm-commits <
>>>>> llvm-commits at lists.llvm.org> wrote:
>>>>>
>>>>>> Author: kcc
>>>>>> Date: Mon May 15 18:37:54 2017
>>>>>> New Revision: 303132
>>>>>>
>>>>>> URL: http://llvm.org/viewvc/llvm-project?rev=303132&view=rev
>>>>>> Log:
>>>>>> [asan] make asan under sandboxes more robust
>>>>>>
>>>>>> Added:
>>>>>>     compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc
>>>>>> Modified:
>>>>>>     compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc
>>>>>>
>>>>>> Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc
>>>>>> URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc?rev=303132&r1=303131&r2=303132&view=diff
>>>>>> ============================================================
>>>>>> ==================
>>>>>> --- compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc
>>>>>> (original)
>>>>>> +++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_procmaps_linux.cc
>>>>>> Mon May 15 18:37:54 2017
>>>>>> @@ -18,8 +18,8 @@
>>>>>>  namespace __sanitizer {
>>>>>>
>>>>>>  void ReadProcMaps(ProcSelfMapsBuff *proc_maps) {
>>>>>> -  CHECK(ReadFileToBuffer("/proc/self/maps", &proc_maps->data,
>>>>>> -                         &proc_maps->mmaped_size, &proc_maps->len));
>>>>>> +  ReadFileToBuffer("/proc/self/maps", &proc_maps->data,
>>>>>> &proc_maps->mmaped_size,
>>>>>> +                   &proc_maps->len);
>>>>>>  }
>>>>>>
>>>>>>  static bool IsOneOf(char c, char c1, char c2) {
>>>>>>
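Review bot: With the CHECK removed, the return value of ReadFileToBuffer in ReadProcMaps is silently discarded, so at this call site a failed read of /proc/self/maps can no longer be told apart from a successful one. The visible lines do not show what proc_maps->data, proc_maps->mmaped_size and proc_maps->len hold after a failure; please either reset them explicitly when the call returns false, or add a comment stating that a failed read is expected once a sandbox has removed access to the file and that callers must cope with an empty buffer. Since ReadProcMaps returns void, returning bool instead would let callers decide whether to fall back to the cached copy.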
>>>>>> Added: compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc
>>>>>> URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc?rev=303132&view=auto
>>>>>> ============================================================
>>>>>> ==================
>>>>>> --- compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc
>>>>>> (added)
>>>>>> +++ compiler-rt/trunk/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc
>>>>>> Mon May 15 18:37:54 2017
>>>>>> @@ -0,0 +1,30 @@
>>>>>> +// REQUIRES: x86_64-target-arch
>>>>>> +// RUN: %clangxx_asan  %s -o %t
>>>>>> +// RUN: not %run %t 2>&1 | FileCheck %s
>>>>>> +#include <sanitizer/common_interface_defs.h>
>>>>>> +#include <sched.h>
>>>>>> +#include <unistd.h>
>>>>>> +#include <stdio.h>
>>>>>> +#include <stdlib.h>
>>>>>> +
>>>>>> +int main() {
>>>>>> +  __sanitizer_sandbox_arguments args = {0};
>>>>>> +  // should cache /proc/self/maps
>>>>>> +  __sanitizer_sandbox_on_notify(&args);
>>>>>> +
>>>>>> +  if (unshare(CLONE_NEWUSER)) {
>>>>>> +    printf("unshare failed\n");
>>>>>> +    abort();
>>>>>> +  }
>>>>>> +
>>>>>> +  // remove access to /proc/self/maps
>>>>>> +  if (chroot("/tmp")) {
>>>>>> +    printf("chroot failed\n");
>>>>>> +    abort();
>>>>>> +  }
>>>>>> +
>>>>>> +  *(volatile int*)0x42 = 0;
>>>>>> +// CHECK: AddressSanitizer: SEGV on unknown address 0x000000000042
>>>>>> +// CHECK-NOT: AddressSanitizer CHECK failed
>>>>>> +// CHECK: SUMMARY: AddressSanitizer: SEGV
>>>>>> +}
>>>>>>
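Review bot: The `if (unshare(CLONE_NEWUSER))` branch calls abort() on failure, so the test fails on any host where user namespaces are unavailable, not only when the ASan regression is present. The "unshare failed" and "chroot failed" paths should not count as a test failure (gate the test on a feature check, or let it pass when the sandbox cannot be set up), and reporting errno with perror would make the cause visible in a bot log. Separately, `CHECK-NOT: AddressSanitizer CHECK failed` sits between the two CHECK lines, so FileCheck only scans the output between those two matches; pass --implicit-check-not to FileCheck if the message must be rejected anywhere in the output.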
>>>>>>
>>>>>> _______________________________________________
>>>>>> llvm-commits mailing list
>>>>>> llvm-commits at lists.llvm.org
>>>>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> --
>>>>> Peter
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> --
>>> Peter
>>>
>>
>>
>
>
> --
> --
> Peter
>
>
>
> --
> Hal Finkel
> Lead, Compiler Technology and Programming Languages
> Leadership Computing Facility
> Argonne National Laboratory
>
>