authorRobert Morris <[email protected]>2020-08-07 16:56:00 -0400
committerFrans Kaashoek <[email protected]>2020-08-10 11:19:10 -0400
commitd8fe1773b26758c7c7b8f36724cd822555b33612 (patch)
treef8445e71efb0bfb47964bdcc0818c37011e8808c /user/usertests.c
parent76d6c57edec14071156e7780f7e8e08c200cf166 (diff)
test string system call arguments that cross over the end of the last page.
Diffstat (limited to 'user/usertests.c')
-rw-r--r--user/usertests.c53
1 files changed, 53 insertions, 0 deletions
diff --git a/user/usertests.c b/user/usertests.c
index 5c2fc02..dfe0039 100644
--- a/user/usertests.c
+++ b/user/usertests.c
@@ -22,6 +22,8 @@
char buf[BUFSZ];
char name[3];
+// what if you pass ridiculous pointers to system calls
+// that read user memory with copyin?
void
copyin(char *s)
{
@@ -64,6 +66,8 @@ copyin(char *s)
}
}
+// what if you pass ridiculous pointers to system calls
+// that write user memory with copyout?
void
copyout(char *s)
{
@@ -104,6 +108,7 @@ copyout(char *s)
}
}
+// what if you pass ridiculous string pointers to system calls?
void
copyinstr1(char *s)
{
@@ -120,6 +125,9 @@ copyinstr1(char *s)
}
}
+// what if a string system call argument is exactly the size
+// of the kernel buffer it is copied into, so that the null
+// would fall just beyond the end of the kernel buffer?
void
copyinstr2(char *s)
{
@@ -181,6 +189,50 @@ copyinstr2(char *s)
}
}
+// what if a string argument crosses over the end of last user page?
+void
+copyinstr3(char *s)
+{
+ sbrk(8192);
+ uint64 top = (uint64) sbrk(0);
+ if((top % PGSIZE) != 0){
+ sbrk(PGSIZE - (top % PGSIZE));
+ }
+ top = (uint64) sbrk(0);
+ if(top % PGSIZE){
+ printf("oops\n");
+ exit(1);
+ }
+
+ char *b = (char *) (top - 1);
+ *b = 'x';
+
+ int ret = unlink(b);
+ if(ret != -1){
+ printf("unlink(%s) returned %d, not -1\n", b, ret);
+ exit(1);
+ }
+
+ int fd = open(b, O_CREATE | O_WRONLY);
+ if(fd != -1){
+ printf("open(%s) returned %d, not -1\n", b, fd);
+ exit(1);
+ }
+
+ ret = link(b, b);
+ if(ret != -1){
+ printf("link(%s, %s) returned %d, not -1\n", b, b, ret);
+ exit(1);
+ }
+
+ char *args[] = { "xx", 0 };
+ ret = exec(b, args);
+ if(ret != -1){
+ printf("exec(%s) returned %d, not -1\n", b, fd);
+ exit(1);
+ }
+}
+
// test O_TRUNC.
void
truncate1(char *s)
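Review bot: In copyinstr3 the exec failure message passes `fd` instead of `ret`, so if the kernel ever wrongly lets exec() return something other than -1, the report shows the stale open() result; the line should be `printf("exec(%s) returned %d, not -1\n", b, ret);`. All four failure messages also format `b` with `%s`, yet `b` is deliberately the last mapped byte with no NUL terminator inside the process's memory. The user-level printf would therefore presumably read past the end of the heap and fault before the diagnostic is printed, which hides exactly the kernel bug this test exists to catch. Printing the address instead, e.g. `printf("unlink(%p) returned %d, not -1\n", b, ret);`, keeps the failure path safe and still identifies the argument.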
@@ -2470,6 +2522,7 @@ main(int argc, char *argv[])
{copyout, "copyout"},
{copyinstr1, "copyinstr1"},
{copyinstr2, "copyinstr2"},
+ {copyinstr3, "copyinstr3"},
{truncate1, "truncate1"},
{truncate2, "truncate2"},
{truncate3, "truncate3"},