svn commit: r300672 - user/pho/stress2/misc
Peter Holm
pho at FreeBSD.org
Wed May 25 10:02:16 UTC 2016
Author: pho
Date: Wed May 25 10:02:14 2016
New Revision: 300672
URL: https://svnweb.freebsd.org/changeset/base/300672
Log:
sendmsg(2) fuzz test scenario added.
PR: 209748
Sponsored by: EMC / Isilon Storage Division
Added:
user/pho/stress2/misc/sendmsg.sh (contents, props changed)
Added: user/pho/stress2/misc/sendmsg.sh
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/pho/stress2/misc/sendmsg.sh Wed May 25 10:02:14 2016 (r300672)
@@ -0,0 +1,226 @@
+#!/bin/sh
+
+#
+# Copyright (c) 2016 EMC Corp.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# sendmsg(2) fuzz test.
+
+# Looping test program seen:
+# https://people.freebsd.org/~pho/stress/log/sendmsg.txt
+
+. ../default.cfg
+
+dir=/tmp
+odir=`pwd`
+cd $dir
+sed '1,/^EOF/d' < $odir/$0 > $dir/sendmsg.c
+mycc -o sendmsg -Wall -Wextra -O0 -g sendmsg.c || exit 1
+rm -f sendmsg.c
+cd $odir
+
+daemon sh -c "(cd ../testcases/swap; ./swap -t 5m -i 20 -k -h)" > /dev/null
+sleep 2
+
+/tmp/sendmsg 2>/dev/null
+
+while pgrep -q swap; do
+ pkill -9 swap
+done
+rm -f /tmp/sendmsg sendmsg.core
+
+n=0
+while pgrep -q sendmsg; do
+ pkill -9 sendmsg
+ n=$((n + 1))
+ [ $n -gt 20 ] && { echo "Looping sendmsg"; exit 1; }
+ sleep 1
+done
+exit 0
+
+EOF
+#include <sys/param.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+
+#include <machine/atomic.h>
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+volatile u_int *share;
+
+#define PARALLEL 16
+#define RUNTIME (5 * 60)
+#define SYNC 0
+
+int
+setflag(void)
+{
+ int flag, i;
+
+ i = arc4random() % 100;
+
+ if (i < 33)
+ flag = 0;
+ else if (i >= 33 && i < 66)
+ flag = 2 << (arc4random() % 9);
+ else
+ flag = arc4random();
+
+ return(flag);
+}
+
+void
+corrupt(unsigned char *buf, int len)
+{
+ unsigned char byte, mask;
+ int bit, i;
+
+ i = arc4random() % len;
+ byte = buf[i];
+ bit = arc4random() % 8;
+ mask = ~(1 << bit);
+ byte = (byte & mask) | (~byte & ~mask);
+ buf[i] = byte;
+}
+
+/*
+ Based on https://www.win.tue.nl/~aeb/linux/lk/sendfd.c
+ */
+void
+test(void)
+{
+ struct cmsghdr *cmsg;
+ struct msghdr msg;
+ pid_t pid;
+ int fd, flag, n, pair[2];
+ char buf[1024];
+ char fdbuf[CMSG_SPACE(sizeof(int))];
+
+ /* dummy */
+ struct iovec vec;
+ char ch = '\0';
+
+ atomic_add_int(&share[SYNC], 1);
+ while (share[SYNC] != PARALLEL)
+ ;
+
+ memset(&msg, 0, sizeof(msg));
+
+ /* having zero msg_iovlen or iov_len doesnt seem to work */
+ vec.iov_base = &ch;
+ vec.iov_len = 1;
+ msg.msg_iov = &vec;
+ msg.msg_iovlen = 1;
+
+ msg.msg_control = fdbuf;
+ msg.msg_controllen = CMSG_LEN(sizeof(int));
+ cmsg = CMSG_FIRSTHDR(&msg);
+ cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair))
+ err(1, "socketpair");
+
+ if ((pid = fork()) == -1)
+ err(1, "fork");
+
+ if (pid == 0) {
+ fd = open("/etc/passwd", O_RDONLY);
+ if (fd < 0)
+ err(1, "/etc/passwd");
+#if defined(DEBUG)
+ printf("child: sending fd=%d for /etc/passwd\n", fd);
+#endif
+
+ cmsg->cmsg_level = SOL_SOCKET;
+ cmsg->cmsg_type = SCM_RIGHTS;
+ *(int *)CMSG_DATA(cmsg) = fd;
+ flag = setflag();
+ if (arc4random() % 2 == 0)
+ corrupt((unsigned char *)&msg, sizeof(msg));
+ else
+ corrupt((unsigned char *)&cmsg, sizeof(cmsg));
+ if (sendmsg(pair[0], &msg, flag) < 0)
+ err(1, "sendmsg");
+ _exit(0);
+ }
+ alarm(2);
+ if (recvmsg(pair[1], &msg, 0) < 0)
+ err(1, "recvmsg");
+ if (cmsg->cmsg_type != SCM_RIGHTS)
+ err(1, "didnt get a fd?\n");
+ fd = *(int *)CMSG_DATA(cmsg);
+#if defined(DEBUG)
+ printf("parent: received fd=%d\n", fd);
+#endif
+ n = read(fd, buf, sizeof(buf));
+ if (n < 0)
+ err(1, "read");
+ if (n != sizeof(buf))
+ printf("read %d bytes\n", n);
+ wait(NULL);
+
+ _exit(0);
+}
+
+int
+main(void)
+{
+ size_t len;
+ time_t start;
+ int e, i, pids[PARALLEL], status;
+
+ e = 0;
+ len = PAGE_SIZE;
+ if ((share = mmap(NULL, len, PROT_READ | PROT_WRITE,
+ MAP_ANON | MAP_SHARED, -1, 0)) == MAP_FAILED)
+ err(1, "mmap");
+
+ start = time(NULL);
+ while ((time(NULL) - start) < RUNTIME) {
+ share[SYNC] = 0;
+ for (i = 0; i < PARALLEL; i++) {
+ if ((pids[i] = fork()) == 0)
+ test();
+ }
+ for (i = 0; i < PARALLEL; i++) {
+ waitpid(pids[i], &status, 0);
+ e += status == 0 ? 0 : 1;
+ }
+ }
+
+ return (e);
+}
More information about the svn-src-user
mailing list