46 lines
1.2 KiB
C
46 lines
1.2 KiB
C
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
||
|
|
/*
|
||
|
|
* Copyright (C) 2021 SUSE LLC <rpalethorpe@suse.com>
|
||
|
|
*/
|
||
|
|
|
||
|
|
/*\
|
||
|
|
* [Description]
|
||
|
|
*
|
||
|
|
* Reproducer of CVE-2018-10124; INT_MIN negation.
|
||
|
|
*
|
||
|
|
* On most two's complement CPUs negation of INT_MIN will result in
|
||
|
|
* INT_MIN because ~((unsigned)INT_MIN) + 1 overflows to INT_MIN
|
||
|
|
* (unless trapped). On one's complement ~((unsigned)INT_MIN) = INT_MAX.
|
||
|
|
*
|
||
|
|
* Without UBSAN kill will always return ESRCH. Regardless of if the
|
||
|
|
* bug is present as INT_MIN/INT_MAX are invalid PIDs. It checks the
|
||
|
|
* PID before the signal number so we can not cause EINVAL. A trivial
|
||
|
|
* test of kill is performed elsewhere. So we don't run the test
|
||
|
|
* without UBSAN to avoid giving the impression we have actually
|
||
|
|
* tested for the bug.
|
||
|
|
*/
|
||
|
|
|
||
|
|
#include <limits.h>
|
||
|
|
#include <signal.h>
|
||
|
|
#include "tst_test.h"
|
||
|
|
|
||
|
|
static void run(void)
|
||
|
|
{
|
||
|
|
TST_EXP_FAIL2(kill(INT_MIN, 0), ESRCH,
|
||
|
|
"kill(INT_MIN, ...) fails with ESRCH");
|
||
|
|
}
|
||
|
|
|
||
|
|
static struct tst_test test = {
|
||
|
|
.test_all = run,
|
||
|
|
.taint_check = TST_TAINT_W | TST_TAINT_D,
|
||
|
|
.needs_kconfigs = (const char *[]) {
|
||
|
|
"CONFIG_UBSAN_SIGNED_OVERFLOW",
|
||
|
|
NULL
|
||
|
|
},
|
||
|
|
.tags = (const struct tst_tag[]) {
|
||
|
|
{"linux-git", "4ea77014af0d"},
|
||
|
|
{"CVE", "CVE-2018-10124"},
|
||
|
|
{}
|
||
|
|
}
|
||
|
|
};
|