Alic3r3L1cwhk authored
- mm frame-UAF audit: route remaining multi-byte-struct user derefs through page-safe read_user_struct/write_user_struct (pty Termios w/r, futex FutexWaitv, aio Iocb, mqueue MqAttr). try_translated_ref(mut)::<T> returns a single-frame pointer; deref of a struct straddling a page overflows into the physically-adjacent frame (read garbage / write-corrupt a freed-or-pagetable frame -> addr=0x8 family / latent UAF). Page-safe path copies per-page.
- runner: grant 30s LA per-case timeout to fcntl14/fcntl14_64 (block-2 mandatory locking is alarm/blocking-wait bound, not TCG-bound) -> glibc-la 45->96 each, +102 TPASS, cases now complete (rc=0) instead of rc=137.
- scripts: static runner/disk guards (test_ltp_runner_skip, workdir).

Verified SMP=1: RV basic/busybox55/libctest174, LA basic/busybox55 (0 panic); glibc-la LTP 53 cases 0 panic, fcntl14/64=96; iozone+netperf glibc-rv clean. runner budget caps unchanged (1...
fffff13b
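
The failure mode described in the commit message (a single-frame pointer read across a page boundary) next to a per-page copy, as an added toy model in Rust. It is not the project's code: `Space`, `read_single_frame`, `read_page_safe` and the frame layout are hypothetical names and constructed data.

```rust
const PAGE: usize = 4096;

/// Toy address space: `table[vpn]` is the physical frame backing virtual page `vpn`.
struct Space { phys: Vec<u8>, table: Vec<Option<usize>> }

impl Space {
    /// Translate one virtual address; the result is only valid inside that page.
    fn translate(&self, va: usize) -> Option<usize> {
        let frame = (*self.table.get(va / PAGE)?)?;
        Some(frame * PAGE + va % PAGE)
    }

    /// Unsafe pattern: translate once, then read `len` physically contiguous bytes.
    fn read_single_frame(&self, va: usize, len: usize) -> Option<Vec<u8>> {
        let pa = self.translate(va)?;
        self.phys.get(pa..pa + len).map(|s| s.to_vec())
    }

    /// Page-safe pattern: re-translate at every page boundary and copy per page.
    fn read_page_safe(&self, va: usize, len: usize) -> Option<Vec<u8>> {
        let mut out = Vec::with_capacity(len);
        let mut cur = va;
        while out.len() < len {
            let pa = self.translate(cur)?; // fails cleanly if a page is unmapped
            let chunk = (PAGE - cur % PAGE).min(len - out.len());
            out.extend_from_slice(&self.phys[pa..pa + chunk]);
            cur += chunk;
        }
        Some(out)
    }
}

/// Constructed layout: virtual pages 0,1 -> frames 2,0; frame 3 belongs to someone else.
fn demo_space() -> Space {
    let mut phys = vec![0u8; 4 * PAGE];
    phys[2 * PAGE..3 * PAGE].fill(0xAA); // user page 0
    phys[..PAGE].fill(0xBB);             // user page 1
    phys[3 * PAGE..].fill(0xEE);         // unrelated frame physically after frame 2
    Space { phys, table: vec![Some(2), Some(0)] }
}

fn main() {
    let s = demo_space();
    let va = PAGE - 4; // 8-byte struct straddling the page boundary
    println!("single-frame: {:02x?}", s.read_single_frame(va, 8).unwrap());
    println!("page-safe:    {:02x?}", s.read_page_safe(va, 8).unwrap());
}
```

The single-frame read returns four bytes of the unrelated frame; the per-page read returns the bytes of the second user page, and returns `None` when the next page is unmapped.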