mirror of
https://github.com/RGBCube/serenity
synced 2025-07-26 05:07:35 +00:00
Kernel: Demonstrate kill's pid/tid confusion bug
This commit is contained in:
parent
7ab90e1a13
commit
f225321184
2 changed files with 170 additions and 0 deletions
169
Userland/Tests/Kernel/kill-pidtid-confusion.cpp
Normal file
169
Userland/Tests/Kernel/kill-pidtid-confusion.cpp
Normal file
|
@ -0,0 +1,169 @@
|
|||
/*
|
||||
* Copyright (c) Ben Wiederhake <BenWiederhake.GitHub@gmx.de>
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright notice, this
|
||||
* list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
||||
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <AK/Assertions.h>
|
||||
#include <AK/LogStream.h>
|
||||
#include <LibPthread/pthread.h>
|
||||
#include <fcntl.h>
|
||||
#include <signal.h>
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
/*
|
||||
* Bug:
|
||||
* If the main thread of a process is no longer alive, it cannot receive
|
||||
* signals anymore. This can manifest as, for example, an unkillable process.
|
||||
*
|
||||
* So what needs to happen:
|
||||
* - There is process P
|
||||
* - It has more than one thread
|
||||
* - The main thread calls thread_exit(), leaving the rest of the threads alive
|
||||
* - Now the process is unkillable!
|
||||
*
|
||||
* Here's how to demonstrate the bug:
|
||||
* - Time 0: PX forks into PZ (mnemonic: Zombie)
|
||||
* - Time 1: PZ's main thread T1 creates a new thread T2
|
||||
* - Time 2: Nothing (T2 could communicate to PX both process and thread ID)
|
||||
* (most LibC functions crash currently, which is a different bug I suppose.)
|
||||
* - Time 3: T1 calls thread_exit()
|
||||
* - Time 4:
|
||||
* * PX tries to kill PZ (should work, but doesn't)
|
||||
* * PX tries to kill PZ using T2's thread ID (shouldn't work, and doesn't)
|
||||
* * PX outputs all results.
|
||||
*/
|
||||
|
||||
static constexpr useconds_t STEP_SIZE = 1100000;
|
||||
|
||||
static void fork_into(void(fn)())
|
||||
{
|
||||
const pid_t rc = fork();
|
||||
if (rc < 0) {
|
||||
perror("fork");
|
||||
exit(1);
|
||||
}
|
||||
if (rc > 0) {
|
||||
return;
|
||||
}
|
||||
fn();
|
||||
dbg() << "child finished (?)";
|
||||
exit(1);
|
||||
}
|
||||
|
||||
static void thread_into(void* (*fn)(void*))
|
||||
{
|
||||
pthread_t tid;
|
||||
const int rc = pthread_create(&tid, nullptr, fn, nullptr);
|
||||
if (rc < 0) {
|
||||
perror("pthread_create");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
static void sleep_steps(useconds_t steps)
|
||||
{
|
||||
const int rc = usleep(steps * STEP_SIZE);
|
||||
if (rc < 0) {
|
||||
perror("usleep");
|
||||
ASSERT_NOT_REACHED();
|
||||
}
|
||||
}
|
||||
|
||||
static bool try_kill(pid_t kill_id)
|
||||
{
|
||||
int rc = kill(kill_id, SIGTERM);
|
||||
perror("kill");
|
||||
printf("kill rc: %d\n", rc);
|
||||
return rc >= 0;
|
||||
}
|
||||
|
||||
static void run_pz();
|
||||
static void* run_pz_t2_wrap(void* fd_ptr);
|
||||
static void run_pz_t2();
|
||||
|
||||
int main(int, char**)
|
||||
{
|
||||
// This entire function is the entirety of process PX.
|
||||
|
||||
// Time 0: PX forks into PZ (mnemonic: Zombie)
|
||||
dbg() << "PX forks into PZ";
|
||||
fork_into(run_pz);
|
||||
sleep_steps(4);
|
||||
|
||||
// Time 4:
|
||||
dbg() << "Let's hope everything went fine!";
|
||||
pid_t guessed_pid = getpid() + 1;
|
||||
pid_t guessed_tid = guessed_pid + 1;
|
||||
printf("About to kill PID %d, TID %d.\n", guessed_pid, guessed_tid);
|
||||
if (try_kill(guessed_tid)) {
|
||||
printf("FAIL, could kill a thread\n");
|
||||
exit(1);
|
||||
}
|
||||
if (!try_kill(guessed_pid)) {
|
||||
printf("FAIL, could not kill the process\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf("PASS\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void run_pz()
|
||||
{
|
||||
// Time 0: PX forks into PZ (mnemonic: Zombie)
|
||||
sleep_steps(1);
|
||||
|
||||
// Time 1: PZ's main thread T1 creates a new thread T2
|
||||
dbg() << "PZ calls pthread_create";
|
||||
thread_into(run_pz_t2_wrap);
|
||||
sleep_steps(2);
|
||||
|
||||
// Time 3: T1 calls thread_exit()
|
||||
dbg() << "PZ(T1) calls thread_exit";
|
||||
pthread_exit(nullptr);
|
||||
ASSERT_NOT_REACHED();
|
||||
}
|
||||
|
||||
static void* run_pz_t2_wrap(void*)
|
||||
{
|
||||
run_pz_t2();
|
||||
exit(1);
|
||||
}
|
||||
|
||||
static void run_pz_t2()
|
||||
{
|
||||
// Time 1: PZ's main thread T1 creates a new thread T2
|
||||
sleep_steps(1);
|
||||
|
||||
// Time 2: Nothing
|
||||
// FIXME: For some reason, both printf() and dbg() crash.
|
||||
// This also prevents us from using a pipe to communicate to PX both process and thread ID
|
||||
// dbg() << "T2: I'm alive and well.";
|
||||
sleep_steps(18);
|
||||
|
||||
// Time 20: Cleanup
|
||||
printf("PZ(T2) dies from boredom.\n");
|
||||
exit(0);
|
||||
}
|
Loading…
Add table
Add a link
Reference in a new issue