test_sandbox: equix crypto test case for issue 40794

This is an additional test case for test_sandbox that runs a small subset of test_crypto_equix() inside the syscall sandbox, where mprotect() is filtered. It's reasonable for the sandbox to disallow JIT. We could revise this policy if we want, but it seems a good default for now. The problem in issue 40794 is that both equix and hashx need improvements in their API to handle failures after allocation time, and this failure occurs while the hash function is being compiled. With this commit only, the segfault from issue 40794 is reproduced. Subsequent commits will fix the segfault and revise the API. Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2024-11-10 05:03:43 +01:00 · 2023-05-23 19:18:50 -07:00 · 2023-05-23 19:18:50 -07:00 · c40c5adec2
commit c40c5adec2
parent d5dea2202c
1 changed files with 61 additions and 0 deletions
--- a/src/test/test_sandbox.c
+++ b/src/test/test_sandbox.c
@ -12,6 +12,8 @@
 #include "orconfig.h"

 #include "lib/sandbox/sandbox.h"
+#include "lib/crypt_ops/crypto_rand.h"
+#include "ext/equix/include/equix.h"

 #ifdef USE_LIBSECCOMP

@ -292,6 +294,63 @@ test_sandbox_stat_filename(void *arg)
  (void)0;
 }

+/** This is a simplified subset of test_crypto_equix(), running one solve
+ * and one verify from inside the sandbox. The sandbox restricts mprotect, and
+ * hashx will experience a failure at runtime which this test case exercises.
+ * The result of the solve and verify should both still be correct, since we
+ * expect it to cleanly fall back on an interpreted implementation which has
+ * no operating system dependencies. */
+static void
+test_sandbox_crypto_equix(void *arg)
+{
+  (void)arg;
+
+  const char *challenge_literal = "abce";
+  const size_t challenge_len = strlen(challenge_literal);
+  const size_t num_sols = 4;
+  static const equix_solution sols_expected[EQUIX_MAX_SOLS] = {
+    {{ 0x4fca, 0x72eb, 0x101f, 0xafab, 0x1add, 0x2d71, 0x75a3, 0xc978 }},
+    {{ 0x17f1, 0x7aa6, 0x23e3, 0xab00, 0x7e2f, 0x917e, 0x16da, 0xda9e }},
+    {{ 0x70ee, 0x7757, 0x8a54, 0xbd2b, 0x90e4, 0xe31e, 0x2085, 0xe47e }},
+    {{ 0x62c5, 0x86d1, 0x5752, 0xe1f0, 0x12da, 0x8f33, 0x7336, 0xf161 }},
+  };
+
+  equix_solution sols_actual[EQUIX_MAX_SOLS] = { 0 };
+  equix_ctx *solve_ctx = NULL, *verify_ctx = NULL;
+
+  /* TODO: A subsequent change will modify these flags to use an auto fallback
+   *       that will be built into our fork of equix. (This implements a
+   *       performant and low-complexity way to share the generated program
+   *       state during fallback instead of re-generating it.)
+   */
+  solve_ctx = equix_alloc(EQUIX_CTX_SOLVE | EQUIX_CTX_COMPILE);
+  tt_ptr_op(solve_ctx, OP_NE, NULL);
+  tt_ptr_op(solve_ctx, OP_NE, EQUIX_NOTSUPP);
+
+  int retval = equix_solve(solve_ctx, challenge_literal,
+                           challenge_len, sols_actual);
+  tt_int_op(retval, OP_EQ, num_sols);
+  tt_mem_op(sols_actual, OP_EQ, sols_expected,
+            num_sols * sizeof(equix_solution));
+
+  verify_ctx = equix_alloc(EQUIX_CTX_VERIFY | EQUIX_CTX_COMPILE);
+  tt_ptr_op(verify_ctx, OP_NE, NULL);
+  tt_ptr_op(verify_ctx, OP_NE, EQUIX_NOTSUPP);
+
+  /* Test one of the solutions randomly */
+  equix_result result;
+  const unsigned sol_i = crypto_rand_int(num_sols);
+  equix_solution *sol = &sols_actual[sol_i];
+
+  result = equix_verify(verify_ctx, challenge_literal,
+                        challenge_len, sol);
+  tt_int_op(EQUIX_OK, OP_EQ, result);
+
+ done:
+  equix_free(solve_ctx);
+  equix_free(verify_ctx);
+}
+
 #define SANDBOX_TEST_SKIPPED(name) \
  { #name, test_sandbox_ ## name, TT_SKIP, NULL, NULL }

@ -343,6 +402,8 @@ struct testcase_t sandbox_tests[] = {
 #else
  SANDBOX_TEST_SKIPPED(stat_filename),
 #endif
+
+  SANDBOX_TEST_IN_SANDBOX(crypto_equix),
  END_OF_TESTCASES
 };