325 lines
		
	
	
	
		
			8.7 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			325 lines
		
	
	
	
		
			8.7 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0
 | |
| /*
 | |
|  * Copyright 2018, Breno Leitao, IBM Corp.
 | |
|  * Licensed under GPLv2.
 | |
|  *
 | |
|  * Sigfuz(tm): A PowerPC TM-aware signal fuzzer.
 | |
|  *
 | |
|  * This is a new selftest that raises SIGUSR1 signals and handles it in a set
 | |
|  * of different ways, trying to create different scenario for testing
 | |
|  * purpose.
 | |
|  *
 | |
|  * This test works raising a signal and calling sigreturn interleaved with
 | |
|  * TM operations, as starting, suspending and terminating a transaction. The
 | |
|  * test depends on random numbers, and, based on them, it sets different TM
 | |
|  * states.
 | |
|  *
 | |
|  * Other than that, the test fills out the user context struct that is passed
 | |
|  * to the sigreturn system call with random data, in order to make sure that
 | |
|  * the signal handler syscall can handle different and invalid states
 | |
|  * properly.
 | |
|  *
 | |
|  * This selftest has command line parameters to control what kind of tests the
 | |
|  * user wants to run, as for example, if a transaction should be started prior
 | |
|  * to signal being raised, or, after the signal being raised and before the
 | |
|  * sigreturn. If no parameter is given, the default is enabling all options.
 | |
|  *
 | |
|  * This test does not check if the user context is being read and set
 | |
|  * properly by the kernel. Its purpose, at this time, is basically
 | |
|  * guaranteeing that the kernel does not crash on invalid scenarios.
 | |
|  */
 | |
| 
 | |
| #include <stdio.h>
 | |
| #include <limits.h>
 | |
| #include <sys/wait.h>
 | |
| #include <unistd.h>
 | |
| #include <stdlib.h>
 | |
| #include <signal.h>
 | |
| #include <string.h>
 | |
| #include <ucontext.h>
 | |
| #include <sys/mman.h>
 | |
| #include <pthread.h>
 | |
| #include "utils.h"
 | |
| 
 | |
| /* Selftest defaults */
 | |
| #define COUNT_MAX	600		/* Number of interactions */
 | |
| #define THREADS		16		/* Number of threads */
 | |
| 
 | |
| /* Arguments options */
 | |
| #define ARG_MESS_WITH_TM_AT	0x1
 | |
| #define ARG_MESS_WITH_TM_BEFORE	0x2
 | |
| #define ARG_MESS_WITH_MSR_AT	0x4
 | |
| #define ARG_FOREVER		0x10
 | |
| #define ARG_COMPLETE		(ARG_MESS_WITH_TM_AT |		\
 | |
| 				ARG_MESS_WITH_TM_BEFORE |	\
 | |
| 				ARG_MESS_WITH_MSR_AT)
 | |
| 
 | |
| static int args;
 | |
| static int nthread = THREADS;
 | |
| static int count_max = COUNT_MAX;
 | |
| 
 | |
| /* checkpoint context */
 | |
| static ucontext_t *tmp_uc;
 | |
| 
 | |
| /* Return true with 1/x probability */
 | |
| static int one_in_chance(int x)
 | |
| {
 | |
| 	return rand() % x == 0;
 | |
| }
 | |
| 
 | |
| /* Change TM states */
 | |
| static void mess_with_tm(void)
 | |
| {
 | |
| 	/* Starts a transaction 33% of the time */
 | |
| 	if (one_in_chance(3)) {
 | |
| 		asm ("tbegin.	;"
 | |
| 		     "beq 8	;");
 | |
| 
 | |
| 		/* And suspended half of them */
 | |
| 		if (one_in_chance(2))
 | |
| 			asm("tsuspend.	;");
 | |
| 	}
 | |
| 
 | |
| 	/* Call 'tend' in 5% of the runs */
 | |
| 	if (one_in_chance(20))
 | |
| 		asm("tend.	;");
 | |
| }
 | |
| 
 | |
| /* Signal handler that will be invoked with raise() */
 | |
| static void trap_signal_handler(int signo, siginfo_t *si, void *uc)
 | |
| {
 | |
| 	ucontext_t *ucp = uc;
 | |
| 
 | |
| 	ucp->uc_link = tmp_uc;
 | |
| 
 | |
| 	/*
 | |
| 	 * Set uc_link in three possible ways:
 | |
| 	 *  - Setting a single 'int' in the whole chunk
 | |
| 	 *  - Cloning ucp into uc_link
 | |
| 	 *  - Allocating a new memory chunk
 | |
| 	 */
 | |
| 	if (one_in_chance(3)) {
 | |
| 		memset(ucp->uc_link, rand(), sizeof(ucontext_t));
 | |
| 	} else if (one_in_chance(2)) {
 | |
| 		memcpy(ucp->uc_link, uc, sizeof(ucontext_t));
 | |
| 	} else if (one_in_chance(2)) {
 | |
| 		if (tmp_uc) {
 | |
| 			free(tmp_uc);
 | |
| 			tmp_uc = NULL;
 | |
| 		}
 | |
| 		tmp_uc = malloc(sizeof(ucontext_t));
 | |
| 		ucp->uc_link = tmp_uc;
 | |
| 		/* Trying to cause a major page fault at Kernel level */
 | |
| 		madvise(ucp->uc_link, sizeof(ucontext_t), MADV_DONTNEED);
 | |
| 	}
 | |
| 
 | |
| 	if (args & ARG_MESS_WITH_MSR_AT) {
 | |
| 		/* Changing the checkpointed registers */
 | |
| 		if (one_in_chance(4)) {
 | |
| 			ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |= MSR_TS_S;
 | |
| 		} else {
 | |
| 			if (one_in_chance(2)) {
 | |
| 				ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |=
 | |
| 						 MSR_TS_T;
 | |
| 			} else if (one_in_chance(2)) {
 | |
| 				ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] |=
 | |
| 						MSR_TS_T | MSR_TS_S;
 | |
| 			}
 | |
| 		}
 | |
| 
 | |
| 		/* Checking the current register context */
 | |
| 		if (one_in_chance(2)) {
 | |
| 			ucp->uc_mcontext.gp_regs[PT_MSR] |= MSR_TS_S;
 | |
| 		} else if (one_in_chance(2)) {
 | |
| 			if (one_in_chance(2))
 | |
| 				ucp->uc_mcontext.gp_regs[PT_MSR] |=
 | |
| 					MSR_TS_T;
 | |
| 			else if (one_in_chance(2))
 | |
| 				ucp->uc_mcontext.gp_regs[PT_MSR] |=
 | |
| 					MSR_TS_T | MSR_TS_S;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	if (one_in_chance(20)) {
 | |
| 		/* Nested transaction start */
 | |
| 		if (one_in_chance(5))
 | |
| 			mess_with_tm();
 | |
| 
 | |
| 		/* Return without changing any other context info */
 | |
| 		return;
 | |
| 	}
 | |
| 
 | |
| 	if (one_in_chance(10))
 | |
| 		ucp->uc_mcontext.gp_regs[PT_MSR] = random();
 | |
| 	if (one_in_chance(10))
 | |
| 		ucp->uc_mcontext.gp_regs[PT_NIP] = random();
 | |
| 	if (one_in_chance(10))
 | |
| 		ucp->uc_link->uc_mcontext.gp_regs[PT_MSR] = random();
 | |
| 	if (one_in_chance(10))
 | |
| 		ucp->uc_link->uc_mcontext.gp_regs[PT_NIP] = random();
 | |
| 
 | |
| 	ucp->uc_mcontext.gp_regs[PT_TRAP] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_DSISR] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_DAR] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_ORIG_R3] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_XER] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_RESULT] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_SOFTE] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_DSCR] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_CTR] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_LNK] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_CCR] = random();
 | |
| 	ucp->uc_mcontext.gp_regs[PT_REGS_COUNT] = random();
 | |
| 
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_TRAP] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_DSISR] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_DAR] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_ORIG_R3] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_XER] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_RESULT] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_SOFTE] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_DSCR] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_CTR] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_LNK] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_CCR] = random();
 | |
| 	ucp->uc_link->uc_mcontext.gp_regs[PT_REGS_COUNT] = random();
 | |
| 
 | |
| 	if (args & ARG_MESS_WITH_TM_BEFORE) {
 | |
| 		if (one_in_chance(2))
 | |
| 			mess_with_tm();
 | |
| 	}
 | |
| }
 | |
| 
 | |
| static void seg_signal_handler(int signo, siginfo_t *si, void *uc)
 | |
| {
 | |
| 	/* Clear exit for process that segfaults */
 | |
| 	exit(0);
 | |
| }
 | |
| 
 | |
| static void *sigfuz_test(void *thrid)
 | |
| {
 | |
| 	struct sigaction trap_sa, seg_sa;
 | |
| 	int ret, i = 0;
 | |
| 	pid_t t;
 | |
| 
 | |
| 	tmp_uc = malloc(sizeof(ucontext_t));
 | |
| 
 | |
| 	/* Main signal handler */
 | |
| 	trap_sa.sa_flags = SA_SIGINFO;
 | |
| 	trap_sa.sa_sigaction = trap_signal_handler;
 | |
| 
 | |
| 	/* SIGSEGV signal handler */
 | |
| 	seg_sa.sa_flags = SA_SIGINFO;
 | |
| 	seg_sa.sa_sigaction = seg_signal_handler;
 | |
| 
 | |
| 	/* The signal handler will enable MSR_TS */
 | |
| 	sigaction(SIGUSR1, &trap_sa, NULL);
 | |
| 
 | |
| 	/* If it does not crash, it will segfault, avoid it to retest */
 | |
| 	sigaction(SIGSEGV, &seg_sa, NULL);
 | |
| 
 | |
| 	while (i < count_max) {
 | |
| 		t = fork();
 | |
| 
 | |
| 		if (t == 0) {
 | |
| 			/* Once seed per process */
 | |
| 			srand(time(NULL) + getpid());
 | |
| 			if (args & ARG_MESS_WITH_TM_AT) {
 | |
| 				if (one_in_chance(2))
 | |
| 					mess_with_tm();
 | |
| 			}
 | |
| 			raise(SIGUSR1);
 | |
| 			exit(0);
 | |
| 		} else {
 | |
| 			waitpid(t, &ret, 0);
 | |
| 		}
 | |
| 		if (!(args & ARG_FOREVER))
 | |
| 			i++;
 | |
| 	}
 | |
| 
 | |
| 	/* If not freed already, free now */
 | |
| 	if (tmp_uc) {
 | |
| 		free(tmp_uc);
 | |
| 		tmp_uc = NULL;
 | |
| 	}
 | |
| 
 | |
| 	return NULL;
 | |
| }
 | |
| 
 | |
| static int signal_fuzzer(void)
 | |
| {
 | |
| 	int t, rc;
 | |
| 	pthread_t *threads;
 | |
| 
 | |
| 	threads = malloc(nthread * sizeof(pthread_t));
 | |
| 
 | |
| 	for (t = 0; t < nthread; t++) {
 | |
| 		rc = pthread_create(&threads[t], NULL, sigfuz_test,
 | |
| 				    (void *)&t);
 | |
| 		if (rc)
 | |
| 			perror("Thread creation error\n");
 | |
| 	}
 | |
| 
 | |
| 	for (t = 0; t < nthread; t++) {
 | |
| 		rc = pthread_join(threads[t], NULL);
 | |
| 		if (rc)
 | |
| 			perror("Thread join error\n");
 | |
| 	}
 | |
| 
 | |
| 	free(threads);
 | |
| 
 | |
| 	return EXIT_SUCCESS;
 | |
| }
 | |
| 
 | |
| static void show_help(char *name)
 | |
| {
 | |
| 	printf("%s: Sigfuzzer for powerpc\n", name);
 | |
| 	printf("Usage:\n");
 | |
| 	printf("\t-b\t Mess with TM before raising a SIGUSR1 signal\n");
 | |
| 	printf("\t-a\t Mess with TM after raising a SIGUSR1 signal\n");
 | |
| 	printf("\t-m\t Mess with MSR[TS] bits at mcontext\n");
 | |
| 	printf("\t-x\t Mess with everything above\n");
 | |
| 	printf("\t-f\t Run forever (Press ^C to Quit)\n");
 | |
| 	printf("\t-i\t Amount of interactions.	(Default = %d)\n", COUNT_MAX);
 | |
| 	printf("\t-t\t Amount of threads.	(Default = %d)\n", THREADS);
 | |
| 	exit(-1);
 | |
| }
 | |
| 
 | |
| int main(int argc, char **argv)
 | |
| {
 | |
| 	int opt;
 | |
| 
 | |
| 	while ((opt = getopt(argc, argv, "bamxt:fi:h")) != -1) {
 | |
| 		if (opt == 'b') {
 | |
| 			printf("Mess with TM before signal\n");
 | |
| 			args |= ARG_MESS_WITH_TM_BEFORE;
 | |
| 		} else if (opt == 'a') {
 | |
| 			printf("Mess with TM at signal handler\n");
 | |
| 			args |= ARG_MESS_WITH_TM_AT;
 | |
| 		} else if (opt == 'm') {
 | |
| 			printf("Mess with MSR[TS] bits in mcontext\n");
 | |
| 			args |= ARG_MESS_WITH_MSR_AT;
 | |
| 		} else if (opt == 'x') {
 | |
| 			printf("Running with all options enabled\n");
 | |
| 			args |= ARG_COMPLETE;
 | |
| 		} else if (opt == 't') {
 | |
| 			nthread = atoi(optarg);
 | |
| 			printf("Threads = %d\n", nthread);
 | |
| 		} else if (opt == 'f') {
 | |
| 			args |= ARG_FOREVER;
 | |
| 			printf("Press ^C to stop\n");
 | |
| 			test_harness_set_timeout(-1);
 | |
| 		} else if (opt == 'i') {
 | |
| 			count_max = atoi(optarg);
 | |
| 			printf("Running for %d interactions\n", count_max);
 | |
| 		} else if (opt == 'h') {
 | |
| 			show_help(argv[0]);
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	/* Default test suite */
 | |
| 	if (!args)
 | |
| 		args = ARG_COMPLETE;
 | |
| 
 | |
| 	test_harness(signal_fuzzer, "signal_fuzzer");
 | |
| }
 |