commit c40c5adec21aa02ba21fdf530aeff81b3523cb63
parent d5dea2202cfee1ea5e9653163a0a4f077b0a2eab
Author: Micah Elizabeth Scott <beth@torproject.org>
Date: Tue, 23 May 2023 19:18:50 -0700
test_sandbox: equix crypto test case for issue 40794
This is an additional test case for test_sandbox that runs a small
subset of test_crypto_equix() inside the syscall sandbox, where
mprotect() is filtered.
It's reasonable for the sandbox to disallow JIT. We could revise this
policy if we want, but it seems a good default for now. The problem
in issue 40794 is that both equix and hashx need improvements in their
API to handle failures after allocation time, and this failure occurs
while the hash function is being compiled.
With this commit only, the segfault from issue 40794 is reproduced.
Subsequent commits will fix the segfault and revise the API.
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
Diffstat:
1 file changed, 61 insertions(+), 0 deletions(-)
diff --git a/src/test/test_sandbox.c b/src/test/test_sandbox.c
@@ -12,6 +12,8 @@
#include "orconfig.h"
#include "lib/sandbox/sandbox.h"
+#include "lib/crypt_ops/crypto_rand.h"
+#include "ext/equix/include/equix.h"
#ifdef USE_LIBSECCOMP
@@ -292,6 +294,63 @@ test_sandbox_stat_filename(void *arg)
(void)0;
}
+/** This is a simplified subset of test_crypto_equix(), running one solve
+ * and one verify from inside the sandbox. The sandbox restricts mprotect, and
+ * hashx will experience a failure at runtime which this test case exercises.
+ * The result of the solve and verify should both still be correct, since we
+ * expect it to cleanly fall back on an interpreted implementation which has
+ * no operating system dependencies. */
+static void
+test_sandbox_crypto_equix(void *arg)
+{
+ (void)arg;
+
+ const char *challenge_literal = "abce";
+ const size_t challenge_len = strlen(challenge_literal);
+ const size_t num_sols = 4;
+ static const equix_solution sols_expected[EQUIX_MAX_SOLS] = {
+ {{ 0x4fca, 0x72eb, 0x101f, 0xafab, 0x1add, 0x2d71, 0x75a3, 0xc978 }},
+ {{ 0x17f1, 0x7aa6, 0x23e3, 0xab00, 0x7e2f, 0x917e, 0x16da, 0xda9e }},
+ {{ 0x70ee, 0x7757, 0x8a54, 0xbd2b, 0x90e4, 0xe31e, 0x2085, 0xe47e }},
+ {{ 0x62c5, 0x86d1, 0x5752, 0xe1f0, 0x12da, 0x8f33, 0x7336, 0xf161 }},
+ };
+
+ equix_solution sols_actual[EQUIX_MAX_SOLS] = { 0 };
+ equix_ctx *solve_ctx = NULL, *verify_ctx = NULL;
+
+ /* TODO: A subsequent change will modify these flags to use an auto fallback
+ * that will be built into our fork of equix. (This implements a
+ * performant and low-complexity way to share the generated program
+ * state during fallback instead of re-generating it.)
+ */
+ solve_ctx = equix_alloc(EQUIX_CTX_SOLVE | EQUIX_CTX_COMPILE);
+ tt_ptr_op(solve_ctx, OP_NE, NULL);
+ tt_ptr_op(solve_ctx, OP_NE, EQUIX_NOTSUPP);
+
+ int retval = equix_solve(solve_ctx, challenge_literal,
+ challenge_len, sols_actual);
+ tt_int_op(retval, OP_EQ, num_sols);
+ tt_mem_op(sols_actual, OP_EQ, sols_expected,
+ num_sols * sizeof(equix_solution));
+
+ verify_ctx = equix_alloc(EQUIX_CTX_VERIFY | EQUIX_CTX_COMPILE);
+ tt_ptr_op(verify_ctx, OP_NE, NULL);
+ tt_ptr_op(verify_ctx, OP_NE, EQUIX_NOTSUPP);
+
+ /* Test one of the solutions randomly */
+ equix_result result;
+ const unsigned sol_i = crypto_rand_int(num_sols);
+ equix_solution *sol = &sols_actual[sol_i];
+
+ result = equix_verify(verify_ctx, challenge_literal,
+ challenge_len, sol);
+ tt_int_op(EQUIX_OK, OP_EQ, result);
+
+ done:
+ equix_free(solve_ctx);
+ equix_free(verify_ctx);
+}
+
#define SANDBOX_TEST_SKIPPED(name) \
{ #name, test_sandbox_ ## name, TT_SKIP, NULL, NULL }
@@ -343,6 +402,8 @@ struct testcase_t sandbox_tests[] = {
#else
SANDBOX_TEST_SKIPPED(stat_filename),
#endif
+
+ SANDBOX_TEST_IN_SANDBOX(crypto_equix),
END_OF_TESTCASES
};
