[apple/xnu.git] / tests / fd_aio_fsync_uaf.c

/*
 * Proof of Concept / Test Case
 * XNU: aio_work_thread use-after-free for AIO_FSYNC entries
 */
#include <err.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#include <sys/aio.h>
#include <unistd.h>
#include <darwintest.h>
#include <time.h>

T_GLOBAL_META(
	T_META_NAMESPACE("xnu.vfs"),
	T_META_RUN_CONCURRENTLY(true));

#define NREQUESTS 8

static void
attempt(int fd)
{
	struct aiocb ap[NREQUESTS];
	size_t n;
	unsigned char c;

	for (n = 0; n < NREQUESTS; ++n) {
		ap[n].aio_fildes = fd;
		ap[n].aio_nbytes = 1;
		ap[n].aio_buf = &c;
		ap[n].aio_sigevent.sigev_notify = SIGEV_NONE;
	}

	/*
	 * fire them off and exit.
	 */
	for (n = 0; n < NREQUESTS; ++n) {
		aio_fsync((n & 1) ? O_SYNC : O_DSYNC, &ap[n]);
	}

	exit(0);
}

T_DECL(lio_listio_race_63669270, "test for the lightspeed/unc0ver UaF")
{
	pid_t child;
	int fd;
	char path[128];
	uint64_t end = clock_gettime_nsec_np(CLOCK_UPTIME_RAW) + 10 * NSEC_PER_SEC;

	/* we need a valid fd: */
	strcpy(path, "/tmp/aio_fsync_uaf.XXXXXX");
	T_EXPECT_POSIX_SUCCESS(fd = mkstemp(path), "mkstemp");
	T_EXPECT_POSIX_SUCCESS(unlink(path), "unlink");

	T_LOG("starting...");
	do {
		switch ((child = fork())) {
		case -1: T_FAIL("fork");
		case 0: attempt(fd);
		}

		T_QUIET; T_EXPECT_POSIX_SUCCESS(waitpid(child, NULL, 0), "waitpid");
	} while (clock_gettime_nsec_np(CLOCK_UPTIME_RAW) < end);

	T_PASS("the system didn't panic");
}
Commit	Line	Data
f427ee49 A	1	/*
	2	* Proof of Concept / Test Case
	3	* XNU: aio_work_thread use-after-free for AIO_FSYNC entries
	4	*/
	5	#include <err.h>
	6	#include <stdarg.h>
	7	#include <stdint.h>
	8	#include <stdio.h>
	9	#include <stdlib.h>
	10	#include <string.h>
	11	#include <strings.h>
	12
	13	#include <sys/aio.h>
	14	#include <unistd.h>
	15	#include <darwintest.h>
	16	#include <time.h>
	17
	18	T_GLOBAL_META(
	19	T_META_NAMESPACE("xnu.vfs"),
	20	T_META_RUN_CONCURRENTLY(true));
	21
	22	#define NREQUESTS 8
	23
	24	static void
	25	attempt(int fd)
	26	{
	27	struct aiocb ap[NREQUESTS];
	28	size_t n;
	29	unsigned char c;
	30
	31	for (n = 0; n < NREQUESTS; ++n) {
	32	ap[n].aio_fildes = fd;
	33	ap[n].aio_nbytes = 1;
	34	ap[n].aio_buf = &c;
	35	ap[n].aio_sigevent.sigev_notify = SIGEV_NONE;
	36	}
	37
	38	/*
	39	* fire them off and exit.
	40	*/
	41	for (n = 0; n < NREQUESTS; ++n) {
	42	aio_fsync((n & 1) ? O_SYNC : O_DSYNC, &ap[n]);
	43	}
	44
	45	exit(0);
	46	}
	47
	48	T_DECL(lio_listio_race_63669270, "test for the lightspeed/unc0ver UaF")
	49	{
	50	pid_t child;
	51	int fd;
	52	char path[128];
	53	uint64_t end = clock_gettime_nsec_np(CLOCK_UPTIME_RAW) + 10 * NSEC_PER_SEC;
	54
	55	/* we need a valid fd: */
	56	strcpy(path, "/tmp/aio_fsync_uaf.XXXXXX");
	57	T_EXPECT_POSIX_SUCCESS(fd = mkstemp(path), "mkstemp");
	58	T_EXPECT_POSIX_SUCCESS(unlink(path), "unlink");
	59
	60	T_LOG("starting...");
	61	do {
	62	switch ((child = fork())) {
	63	case -1: T_FAIL("fork");
	64	case 0: attempt(fd);
65	}
66
67	T_QUIET; T_EXPECT_POSIX_SUCCESS(waitpid(child, NULL, 0), "waitpid");
68	} while (clock_gettime_nsec_np(CLOCK_UPTIME_RAW) < end);
69
70	T_PASS("the system didn't panic");
71	}