mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2024-11-26 09:30:24 +00:00
28e1da344d
This adds a test for the race condition in clock_nanosleep. The crux is that clock_nanosleep verifies that the output buffer is writable *before* sleeping, and writes to it *after* sleeping. In the meantime, a concurrent thread can make the output buffer unwritable, e.g. by deallocating it. This testcase is needlessly complex because pthread_kill is not implemented yet. I tried to keep it as simple as possible. Here is the relevant part of dmesg: [nanosleep-race-outbuf-munmap(22:22)]: Unblock nanosleep-race-outbuf-munmap(20:20) due to signal nanosleep-race-outbuf-munmap(20:20) Unrecoverable page fault, write to address 0x02130016 CRASH: Page Fault. Process: nanosleep-race-outbuf-munmap(20) [nanosleep-race-outbuf-munmap(20:20)]: 0xc01160ff memcpy +44 [nanosleep-race-outbuf-munmap(20:20)]: 0xc014de64 Kernel::Process::crash(int, unsigned int) +782 [nanosleep-race-outbuf-munmap(20:20)]: 0xc01191b5 illegal_instruction_handler +0 [nanosleep-race-outbuf-munmap(20:20)]: 0xc011965b page_fault_handler +649 [nanosleep-race-outbuf-munmap(20:20)]: 0xc0117233 page_fault_asm_entry +22 [nanosleep-race-outbuf-munmap(20:20)]: 0xc011616b copy_to_user +102 [nanosleep-race-outbuf-munmap(20:20)]: 0xc015911f Kernel::Process::sys(Kernel::Syscall::SC_clock_nanosleep_params const*) +457 [nanosleep-race-outbuf-munmap(20:20)]: 0xc015daad syscall_handler +1130 [nanosleep-race-outbuf-munmap(20:20)]: 0xc015d597 syscall_asm_entry +29 [nanosleep-race-outbuf-munmap(20:20)]: 0x08048437 main +146 [nanosleep-race-outbuf-munmap(20:20)]: 0x08048573 _start +94 Most importantly, note that it crashes *inside* Kernel::Process::sys. Instead, the correct behavior is to return -EFAULT. |
||
---|---|---|
.. | ||
bind-local-socket-to-symlink.cpp | ||
bxvga-mmap-kernel-into-userspace.cpp | ||
elf-execve-mmap-race.cpp | ||
elf-symbolication-kernel-read-exploit.cpp | ||
mmap-write-into-running-programs-executable-file.cpp | ||
nanosleep-race-outbuf-munmap.cpp | ||
null-deref-close-during-select.cpp | ||
null-deref-crash-during-pthread_join.cpp | ||
path-resolution-race.cpp | ||
uaf-close-while-blocked-in-read.cpp |