#!/bin/sh # # Copyright (c) 2011-2013 Peter Holm # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # Threaded syscall(2) fuzz test inspired by the iknowthis test suite # by Tavis Ormandy # Usage: syscall4.sh [syscall number] # Without an argument random syscall numbers are tested. # With an argument only the specified syscall number is tested. # Sample problems found: # Thread stuck in stopprof. # http://people.freebsd.org/~pho/stress/log/kostik732.txt # Fixed by r275121. # panic: td 0xcbe1ac40 is not suspended. # https://people.freebsd.org/~pho/stress/log/kostik807.txt # Fixed by r282944. [ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 . ../default.cfg odir=`pwd` cd /tmp sed '1,/^EOF/d' < $odir/$0 > syscall4.c sed -i '' -e "s#MNTPOINT#$mntpoint#" syscall4.c rm -f /tmp/syscall4 mycc -o syscall4 -Wall -Wextra -O2 -g syscall4.c -lpthread || exit 1 rm -f syscall4.c kldstat -v | grep -q sysvmsg || $stress2tools/kldload.sh sysvmsg kldstat -v | grep -q sysvsem || $stress2tools/kldload.sh sysvsem kldstat -v | grep -q sysvshm || $stress2tools/kldload.sh sysvshm kldstat -v | grep -q aio || $stress2tools/kldload.sh aio kldstat -v | grep -q mqueuefs || $stress2tools/kldload.sh mqueuefs mount | grep -q "on $mntpoint " && umount -f $mntpoint [ -c /dev/md$mdstart ] && mdconfig -d -u $mdstart mdconfig -a -t swap -s 2g -u $mdstart || exit 1 newfs $newfs_flags -n md$mdstart > /dev/null mount /dev/md$mdstart $mntpoint chmod 777 $mntpoint [ -z "$noswap" ] && daemon sh -c "(cd $odir/../testcases/swap; ./swap -t 10m -i 20 -k)" > \ /dev/null sleeptime=${sleeptime:-12} st=`date '+%s'` while [ $((`date '+%s'` - st)) -lt $((10 * sleeptime)) ]; do (cd $mntpoint; /tmp/syscall4 $* 1>>stdout 2>>stderr) & start=`date '+%s'` while [ $((`date '+%s'` - start)) -lt $sleeptime ]; do pgrep syscall4 > /dev/null || break sleep .5 done while pkill -9 syscall4; do :; done wait ipcs | grep nobody | awk '/^(q|m|s)/ {print " -" $1, $2}' | xargs -L 1 ipcrm done while pkill -9 swap; do :; done while pkill -9 syscall4; do :; done for i in `jot 10`; do mount | grep -q md$mdstart && \ umount $mntpoint && mdconfig -d -u $mdstart && break sleep 10 done if mount | grep -q md$mdstart; then fstat $mntpoint echo "umount $mntpoint failed" exit 1 fi rm -f /tmp/syscall4 exit 0 EOF #include #include #include #include #include #include #include #include #include #include #include #include #include #if defined(__FreeBSD__) #include #define __NP__ #endif #include #include #include #include #include #include #include static int ignore[] = { SYS_syscall, SYS_exit, SYS_fork, 11, /* 11 is obsolete execv */ SYS_reboot, SYS_vfork, 109, /* 109 is old sigblock */ 111, /* 111 is old sigsuspend */ SYS_shutdown, SYS___syscall, 216, /* custom syscall */ SYS_rfork, SYS_mac_syscall, }; static int fd[900], fds[2], kq, socketpr[2]; #ifndef nitems #define nitems(x) (sizeof((x)) / sizeof((x)[0])) #endif #define N 4096 #define MAGIC 1664 #define RUNTIME 120 #define THREADS 50 static uint32_t r[N]; static int magic1, syscallno, magic2; static int random_int(int mi, int ma) { return (arc4random() % (ma - mi + 1) + mi); } static void hand(int i __unused) { /* handler */ exit(1); } static unsigned long makearg(void) { unsigned int i; unsigned long val; val = arc4random(); i = arc4random() % 100; if (i < 20) val = val & 0xff; if (i >= 20 && i < 40) val = val & 0xffff; if (i >= 40 && i < 60) val = (unsigned long)(r) | (val & 0xffff); #if defined(__LP64__) if (i >= 60) { val = (val << 32) | arc4random(); if (i > 80) val = val & 0x00007fffffffffffUL; } #endif return(val); } static void * test(void *arg __unused) { FTS *fts; FTSENT *p; time_t start; int ftsoptions, i, numfiles; char *args[] = { "/dev", "/proc", "MNTPOINT", "mnt2", ".", NULL, }; #ifdef __NP__ pthread_set_name_np(pthread_self(), __func__); #endif numfiles = 0; ftsoptions = FTS_PHYSICAL; start = time(NULL); while (time(NULL) - start < 2) { for (i = 0; i < N; i++) r[i] = arc4random(); if (pipe(fds) == -1) err(1, "pipe()"); if (socketpair(PF_UNIX, SOCK_SEQPACKET, 0, socketpr) == -1) err(1, "socketpair()"); kq = kqueue(); if ((fts = fts_open(args, ftsoptions, NULL)) == NULL) err(1, "fts_open"); i = 0; while ((p = fts_read(fts)) != NULL) { if (fd[i] > 0) close(fd[i]); if ((fd[i] = open(p->fts_path, O_RDWR)) == -1) if ((fd[i] = open(p->fts_path, O_WRONLY)) == -1) if ((fd[i] = open(p->fts_path, O_RDONLY)) == -1) continue; i++; i = i % nitems(fd); if (numfiles++ < 10) { fprintf(stderr, "%d: pts_path = %s\n", numfiles, p->fts_path); } } if (fts_close(fts) == -1) warn("fts_close()"); sleep(1); close(socketpr[0]); close(socketpr[1]); close(fds[0]); close(fds[1]); close(kq); } return(NULL); } static void * calls(void *arg __unused) { time_t start; int i __unused, j, num; unsigned long arg1, arg2, arg3, arg4, arg5, arg6, arg7; #ifdef __NP__ pthread_set_name_np(pthread_self(), __func__); #endif start = time(NULL); for (i = 0; time(NULL) - start < 10; i++) { num = syscallno; while (num == 0) { num = random_int(0, SYS_MAXSYSCALL); for (j = 0; j < (int)nitems(ignore); j++) if (num == ignore[j]) { num = 0; break; } } arg1 = makearg(); arg2 = makearg(); arg3 = makearg(); arg4 = makearg(); arg5 = makearg(); arg6 = makearg(); arg7 = makearg(); #if 0 /* Debug mode */ fprintf(stderr, "%2d : syscall(%3d, %lx, %lx, %lx, %lx, %lx," " %lx, %lx)\n", i, num, arg1, arg2, arg3, arg4, arg5, arg6, arg7); sleep(2); #endif alarm(1); syscall(num, arg1, arg2, arg3, arg4, arg5, arg6, arg7); num = 0; if (magic1 != MAGIC || magic2 != MAGIC) exit(1); } return (NULL); } int main(int argc, char **argv) { struct passwd *pw; struct rlimit limit; pthread_t rp, cp[THREADS]; time_t start; int e, j; magic1 = magic2 = MAGIC; if ((pw = getpwnam("nobody")) == NULL) err(1, "failed to resolve nobody"); if (getenv("USE_ROOT") && argc == 2) fprintf(stderr, "Running syscall4 as root for %s.\n", argv[1]); else { if (setgroups(1, &pw->pw_gid) || setegid(pw->pw_gid) || setgid(pw->pw_gid) || seteuid(pw->pw_uid) || setuid(pw->pw_uid)) err(1, "Can't drop privileges to \"nobody\""); endpwent(); } limit.rlim_cur = limit.rlim_max = 1000; #if defined(RLIMIT_NPTS) if (setrlimit(RLIMIT_NPTS, &limit) < 0) err(1, "setrlimit"); #endif signal(SIGALRM, hand); signal(SIGILL, hand); signal(SIGFPE, hand); signal(SIGSEGV, hand); signal(SIGBUS, hand); signal(SIGURG, hand); signal(SIGSYS, hand); signal(SIGTRAP, hand); if (argc > 2) { fprintf(stderr, "usage: %s [syscall-num]\n", argv[0]); exit(1); } if (argc == 2) { syscallno = atoi(argv[1]); for (j = 0; j < (int)nitems(ignore); j++) if (syscallno == ignore[j]) errx(0, "syscall #%d is on the ignore list.", syscallno); } if (daemon(1, 1) == -1) err(1, "daemon()"); system("touch aaa bbb ccc; mkdir -p ddd"); start = time(NULL); while ((time(NULL) - start) < RUNTIME) { if (fork() == 0) { if ((e = pthread_create(&rp, NULL, test, NULL)) != 0) errc(1, e, "pthread_create"); usleep(1000); for (j = 0; j < THREADS; j++) if ((e = pthread_create(&cp[j], NULL, calls, NULL)) != 0) errc(1, e, "pthread_create"); for (j = 0; j < THREADS; j++) pthread_join(cp[j], NULL); if ((e = pthread_kill(rp, SIGINT)) != 0) errc(1, e, "pthread_kill"); exit(0); } wait(NULL); usleep(10000); } return (0); }