crashes: add arm_map_hw_event_oops test

CHANGES

@@ -1,3 +1,6 @@
+8 August 2013
++ Add some recent exploits on ARM found in the fuzzer
+
 5 July 2013
 + Add sysfs test
 

crashes/Makefile

@@ -11,7 +11,7 @@ all:	pe_inherit_memleak pe_task_schedule_panic \
 	oflo_sw_cpu_clock_crash sw_event_config_overflow \
 	nmi_soft_lockup \
 	tracepoint_fork \
-	arm_validate_event_oops
+	arm_validate_event_oops arm_map_hw_event_oops
 
 ####
 
@@ -28,6 +28,14 @@ arm_validate_event_oops.o:	arm_validate_event_oops.c
 
 ####
 
+arm_map_hw_event_oops:	arm_map_hw_event_oops.o
+	$(CC) $(LFLAGS) -o arm_map_hw_event_oops arm_map_hw_event_oops.o
+
+arm_map_hw_event_oops.o:	arm_map_hw_event_oops.c
+	$(CC) $(CFLAGS) -c arm_map_hw_event_oops.c
+
+####
+
 pe_inherit_memleak:	pe_inherit_memleak.o ../lib/perf_helpers.o
 	$(CC) $(LFLAGS) -o pe_inherit_memleak pe_inherit_memleak.o ../lib/perf_helpers.o $(LFLAGS_PTHREAD)
 
@@ -108,6 +116,7 @@ clean:
 	rm -f *~ *.o pe_inherit_memleak pe_task_schedule_panic \
 		perf_mmap_close_bug offcore_response_mask \
 		oflo_sw_cpu_clock_crash sw_event_config_overflow \
-		nmi_soft_lockup tracepoint_fork
+		nmi_soft_lockup tracepoint_fork \
+		arm_validate_event_oops arm_map_hw_event_oops
 
 

crashes/arm_map_hw_event_oops.c

@@ -0,0 +1,83 @@
+/* arm_map_hw_event_oops.c */
+/* This causes an oops on my Pandaboard running Linux 3.11-rc4 */
+/* The problem is the value of ->config is very large and it   */
+/*   overruns the hw_event array in armpmu_map_hw_event in     */
+/*   arch/arm/kernel/perf_event.c                              */
+/* Hopefully this will be fixed in Linux 3.11                  */
+/* by Vince Weaver <vincent.weaver _at_ maine.edu */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <signal.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/ioctl.h>
+#include <sys/prctl.h>
+#include <linux/hw_breakpoint.h>
+#include <linux/perf_event.h>
+
+int fd[1024];
+struct perf_event_attr pe[1024];
+char *mmap_result[1024];
+
+int forked_pid;
+
+int perf_event_open(struct perf_event_attr *hw_event_uptr,
+	pid_t pid, int cpu, int group_fd, unsigned long flags) {
+
+	return syscall(__NR_perf_event_open,hw_event_uptr, pid, cpu,
+		group_fd, flags);
+}
+
+int main(int argc, char **argv) {
+
+	printf("This test causes an oops on an ARM pandabord on 3.11-rc4\n");
+
+	memset(&pe[0],0,sizeof(struct perf_event_attr));
+	pe[0].type=PERF_TYPE_HARDWARE;
+	pe[0].config=0x2cc61006;
+	pe[0].sample_type=0; /* 0 */
+	pe[0].read_format=PERF_FORMAT_TOTAL_TIME_ENABLED|PERF_FORMAT_TOTAL_TIME_RUNNING|PERF_FORMAT_GROUP; /* b */
+	pe[0].disabled=1;
+	pe[0].exclusive=1;
+	pe[0].exclude_idle=1;
+	pe[0].comm=1;
+	pe[0].inherit_stat=1;
+	pe[0].enable_on_exec=1;
+	pe[0].precise_ip=0; /* arbitrary skid */
+	pe[0].mmap_data=1;
+	pe[0].sample_id_all=1;
+	pe[0].exclude_host=1;
+	pe[0].exclude_guest=1;
+	pe[0].wakeup_events=2147483647;
+	pe[0].bp_type=HW_BREAKPOINT_EMPTY;
+	pe[0].branch_sample_type=2147483648ULL;
+
+	fd[0]=perf_event_open(&pe[0],0,0,-1,PERF_FLAG_FD_NO_GROUP /*1*/ );
+
+/* 2 */
+
+	memset(&pe[1],0,sizeof(struct perf_event_attr));
+	pe[1].type=PERF_TYPE_RAW;
+	pe[1].size=80;
+	pe[1].config=0xb6c8ad99;
+	pe[1].sample_type=0; /* 0 */
+	pe[1].read_format=PERF_FORMAT_TOTAL_TIME_ENABLED|PERF_FORMAT_ID|0x80000010ULL; /* 80000015 */
+	pe[1].inherit=1;
+	pe[1].exclude_user=1;
+	pe[1].exclude_hv=1;
+	pe[1].mmap=1;
+	pe[1].inherit_stat=1;
+	pe[1].task=1;
+	pe[1].precise_ip=3; /* must have zero skid */
+	pe[1].sample_id_all=1;
+	pe[1].exclude_guest=1;
+	pe[1].wakeup_events=0;
+	pe[1].bp_type=HW_BREAKPOINT_EMPTY;
+
+	fd[1]=perf_event_open(&pe[1],0,0,-1,PERF_FLAG_FD_NO_GROUP /*1*/ );
+
+	/* Replayed 2 syscalls */
+	return 0;
+}

run_crash_tests.sh

@@ -14,6 +14,7 @@ echo "time to change your mind..."
 echo
 sleep 5
 
+./crashes/arm_map_hw_event_oops
 ./crashes/arm_validate_event_oops
 ./crashes/pe_task_schedule_panic
 ./crashes/pe_inherit_memleak