out-of-tree kernel {module, exploit} development tool
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

qemu-kernel_test.go 6.7KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354
  1. // Copyright 2018 Mikhail Klementev. All rights reserved.
  2. // Use of this source code is governed by a AGPLv3 license
  3. // (or later) that can be found in the LICENSE file.
  4. package qemu
  5. import (
  6. "crypto/sha512"
  7. "fmt"
  8. "io/ioutil"
  9. "math/rand"
  10. "net"
  11. "os"
  12. "strings"
  13. "testing"
  14. "time"
  15. )
  16. func init() {
  17. rand.Seed(time.Now().UnixNano())
  18. }
  19. func TestSystemNew_InvalidKernelPath(t *testing.T) {
  20. kernel := Kernel{Name: "Invalid", KernelPath: "/invalid/path"}
  21. if _, err := NewSystem(X86x64, kernel, "/bin/sh"); err == nil {
  22. t.Fatal(err)
  23. }
  24. }
  25. func TestSystemNew_InvalidQemuArch(t *testing.T) {
  26. kernel := Kernel{Name: "Valid path", KernelPath: testConfigVmlinuz}
  27. if _, err := NewSystem(unsupported, kernel, "/bin/sh"); err == nil {
  28. t.Fatal(err)
  29. }
  30. }
  31. func TestSystemNew_InvalidQemuDrivePath(t *testing.T) {
  32. kernel := Kernel{Name: "Valid path", KernelPath: testConfigVmlinuz}
  33. if _, err := NewSystem(X86x64, kernel, "/invalid/path"); err == nil {
  34. t.Fatal(err)
  35. }
  36. }
  37. func TestSystemNew(t *testing.T) {
  38. kernel := Kernel{Name: "Valid path", KernelPath: testConfigVmlinuz}
  39. if _, err := NewSystem(X86x64, kernel, "/bin/sh"); err != nil {
  40. t.Fatal(err)
  41. }
  42. }
  43. func TestSystemStart(t *testing.T) {
  44. kernel := Kernel{Name: "Test kernel", KernelPath: testConfigVmlinuz}
  45. q, err := NewSystem(X86x64, kernel, "/bin/sh")
  46. if err != nil {
  47. t.Fatal(err)
  48. }
  49. if err = q.Start(); err != nil {
  50. t.Fatal(err)
  51. }
  52. q.Stop()
  53. }
  54. func TestGetFreeAddrPort(t *testing.T) {
  55. addrPort := getFreeAddrPort()
  56. ln, err := net.Listen("tcp", addrPort)
  57. if err != nil {
  58. t.Fatal(err)
  59. }
  60. ln.Close()
  61. }
  62. func TestSystemStart_Timeout(t *testing.T) {
  63. t.Parallel()
  64. kernel := Kernel{Name: "Test kernel", KernelPath: testConfigVmlinuz}
  65. q, err := NewSystem(X86x64, kernel, "/bin/sh")
  66. if err != nil {
  67. t.Fatal(err)
  68. }
  69. q.Timeout = time.Second
  70. if err = q.Start(); err != nil {
  71. t.Fatal(err)
  72. }
  73. time.Sleep(2 * time.Second)
  74. if !q.Died {
  75. t.Fatal("qemu does not died :c")
  76. }
  77. if !q.KilledByTimeout {
  78. t.Fatal("qemu died not because of timeout O_o")
  79. }
  80. }
  81. func startTestQemu(t *testing.T, timeout time.Duration) (q *System, err error) {
  82. t.Parallel()
  83. kernel := Kernel{
  84. Name: "Test kernel",
  85. KernelPath: testConfigVmlinuz,
  86. InitrdPath: testConfigInitrd,
  87. }
  88. q, err = NewSystem(X86x64, kernel, testConfigRootfs)
  89. if err != nil {
  90. return
  91. }
  92. if timeout != 0 {
  93. q.Timeout = timeout
  94. }
  95. if err = q.Start(); err != nil {
  96. return
  97. }
  98. time.Sleep(time.Second)
  99. return
  100. }
  101. func TestSystemCommand(t *testing.T) {
  102. q, err := startTestQemu(t, 0)
  103. if err != nil {
  104. t.Fatal(err)
  105. }
  106. defer q.Stop()
  107. output, err := q.Command("root", "cat /etc/shadow")
  108. if err != nil {
  109. t.Fatal(err)
  110. }
  111. if !strings.Contains(output, "root::") {
  112. t.Fatal("Wrong output from `cat /etc/shadow` by root")
  113. }
  114. output, err = q.Command("user", "cat /etc/passwd")
  115. if err != nil {
  116. t.Fatal(err)
  117. }
  118. if !strings.Contains(output, "root:x:0:0:root:/root:/bin/bash") {
  119. t.Fatal("Wrong output from `cat /etc/passwd` by user")
  120. }
  121. _, err = q.Command("user", "cat /etc/shadow")
  122. // unsuccessful is good because user must not read /etc/shadow
  123. if err == nil {
  124. t.Fatal("User have rights for /etc/shadow. WAT?!")
  125. }
  126. }
  127. func TestSystemCopyFile(t *testing.T) {
  128. q, err := startTestQemu(t, 0)
  129. if err != nil {
  130. t.Fatal(err)
  131. }
  132. defer q.Stop()
  133. localPath := "/bin/sh"
  134. content, err := ioutil.ReadFile(localPath)
  135. if err != nil {
  136. return
  137. }
  138. shaLocal := fmt.Sprintf("%x", sha512.Sum512(content))
  139. err = q.CopyFile("user", localPath, "/tmp/test")
  140. if err != nil {
  141. t.Fatal(err)
  142. }
  143. shaRemote, err := q.Command("user", "sha512sum /tmp/test")
  144. if err != nil {
  145. t.Fatal(err)
  146. }
  147. shaRemote = strings.Split(shaRemote, " ")[0]
  148. if shaLocal != shaRemote {
  149. t.Fatal(fmt.Sprintf("Broken file (%s instead of %s)",
  150. shaRemote, shaLocal))
  151. }
  152. }
  153. func TestSystemCopyAndRun(t *testing.T) {
  154. q, err := startTestQemu(t, 0)
  155. if err != nil {
  156. t.Fatal(err)
  157. }
  158. defer q.Stop()
  159. randStr := fmt.Sprintf("%d", rand.Int())
  160. content := []byte("#!/bin/sh\n echo -n " + randStr + "\n")
  161. tmpfile, err := ioutil.TempFile("", "executable")
  162. if err != nil {
  163. t.Fatal(err)
  164. }
  165. defer os.Remove(tmpfile.Name())
  166. if _, err := tmpfile.Write(content); err != nil {
  167. t.Fatal(err)
  168. }
  169. if err := tmpfile.Close(); err != nil {
  170. t.Fatal(err)
  171. }
  172. output, err := q.CopyAndRun("user", tmpfile.Name())
  173. if err != nil {
  174. t.Fatal(err)
  175. }
  176. if output != randStr {
  177. t.Fatal("Wrong output from copyied executable (" +
  178. output + "," + randStr + ")")
  179. }
  180. }
  181. func TestSystemCopyAndInsmod(t *testing.T) {
  182. q, err := startTestQemu(t, 0)
  183. if err != nil {
  184. t.Fatal(err)
  185. }
  186. defer q.Stop()
  187. lsmodBefore, err := q.Command("root", "lsmod | wc -l")
  188. if err != nil {
  189. t.Fatal(err)
  190. }
  191. _, err = q.CopyAndInsmod(testConfigSampleKo)
  192. if err != nil {
  193. t.Fatal(err)
  194. }
  195. lsmodAfter, err := q.Command("root", "lsmod | wc -l")
  196. if err != nil {
  197. t.Fatal(err)
  198. }
  199. if lsmodBefore == lsmodAfter {
  200. t.Fatal("insmod returns ok but there is no new kernel modules")
  201. }
  202. }
  203. func TestSystemKernelPanic(t *testing.T) {
  204. q, err := startTestQemu(t, 5*time.Minute)
  205. if err != nil {
  206. t.Fatal(err)
  207. }
  208. defer q.Stop()
  209. // Enable sysrq
  210. _, err = q.Command("root", "echo 1 > /proc/sys/kernel/sysrq")
  211. if err != nil {
  212. t.Fatal(err)
  213. }
  214. // Trigger kernel panic
  215. err = q.AsyncCommand("root", "sleep 1s && echo c > /proc/sysrq-trigger")
  216. if err != nil {
  217. t.Fatal(err)
  218. }
  219. // Wait for panic watcher timeout
  220. time.Sleep(5 * time.Second)
  221. if q.KilledByTimeout {
  222. t.Fatal("qemu is killed by timeout, not because of panic")
  223. }
  224. if !q.Died {
  225. t.Fatal("qemu is not killed after kernel panic")
  226. }
  227. if !q.KernelPanic {
  228. t.Fatal("qemu is died but there's no information about panic")
  229. }
  230. }
  231. func TestSystemRun(t *testing.T) {
  232. q, err := startTestQemu(t, 0)
  233. if err != nil {
  234. t.Fatal(err)
  235. }
  236. defer q.Stop()
  237. for {
  238. _, err := q.Command("root", "echo")
  239. if err == nil {
  240. break
  241. }
  242. }
  243. start := time.Now()
  244. err = q.AsyncCommand("root", "sleep 1m")
  245. if err != nil {
  246. t.Fatal(err)
  247. }
  248. if time.Since(start) > 10*time.Second {
  249. t.Fatalf("q.AsyncCommand does not async (waited %s)",
  250. time.Since(start))
  251. }
  252. }
  253. func openedPort(port int) bool {
  254. conn, err := net.Dial("tcp", fmt.Sprintf(":%d", port))
  255. if err != nil {
  256. return false
  257. }
  258. conn.Close()
  259. return true
  260. }
  261. func TestSystemDebug(t *testing.T) {
  262. t.Parallel()
  263. kernel := Kernel{
  264. KernelPath: testConfigVmlinuz,
  265. InitrdPath: testConfigInitrd,
  266. }
  267. q, err := NewSystem(X86x64, kernel, testConfigRootfs)
  268. if err != nil {
  269. return
  270. }
  271. time.Sleep(time.Second)
  272. port := 45256
  273. q.Debug(fmt.Sprintf("tcp::%d", port))
  274. if openedPort(port) {
  275. t.Fatal("Port opened before qemu starts")
  276. }
  277. if err = q.Start(); err != nil {
  278. return
  279. }
  280. defer q.Stop()
  281. time.Sleep(time.Second)
  282. if !openedPort(port) {
  283. t.Fatal("Qemu debug port does not opened")
  284. }
  285. q.Stop()
  286. if openedPort(port) {
  287. t.Fatal("Qemu listens after die")
  288. }
  289. }