- **`mmap`/`munmap`** — anonymous mappings, shared memory backing, and file-backed (fd) mappings
- **SMEP** — Supervisor Mode Execution Prevention enabled in CR4
- **SMAP** — Supervisor Mode Access Prevention enabled in CR4 (bit 21)
-- **W^X** — user `.text` segments marked read-only after ELF load; NX on data segments
+- **W^X** — user `.text` segments mapped RW for load + relocations, then re-protected to RO+X after `elf32_reprotect_segments()`; NX on data segments; boundary pages shared between .text/.data stay writable
- **Guard pages** — 32KB user stack with unmapped guard page below (triggers SIGSEGV on overflow); kernel stacks use dedicated guard-paged region at `0xC8000000`
- **ASLR** — TSC-seeded xorshift32 PRNG randomizes user stack base by up to 1MB per `execve`
- **vDSO** — kernel-updated shared page mapped read-only into every user process at `0x007FE000`
- **PMM spinlock** for SMP safety
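Review bot: the rewritten W^X bullet admits that boundary pages shared between `.text` and `.data` stay writable, so those pages are both writable and executable and the W^X claim does not hold for them; say so explicitly (for example "W^X holds except for a page straddling .text/.data") and, if the user linker script can page-align `.data`, the exception disappears altogether. The phrase "re-protected to RO+X after `elf32_reprotect_segments()`" also reads as if something else performs the re-protection; "by `elf32_reprotect_segments()`" matches the fixes table later in this patch.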
### Testing
-- **69 host-side tests** — `test_utils.c` (28) + `test_security.c` (19) + `test_host_utils.sh` (22 cross-compiled utility tests)
+- **212 host-side tests** — `test_utils.c` (63: itoa/atoi, path_normalize, align, tar_parse_octal, mount prefix/normalize, VFS permission, ELF validation) + `test_security.c` (38: user_range_ok, bitmap, eflags, signal mask logic, chmod symbolic parsing) + `test_host_utils.sh` (111 cross-compiled utility tests)
- **120 QEMU smoke tests** — 4-CPU expect-based (file I/O, signals, memory mgmt, IPC, devices, procfs, networking, epoll, epollet, inotify, aio, nanosleep, CoW fork, readv/writev, fsync, flock, posix_spawn, TSC precision, gettimeofday, mprotect, getrlimit/setrlimit, uname, LZ4, lazy PLT, execve, clone, pivot_root, dlopen/dlsym/dlclose, execveat, futex, sigaltstack, socket API, mqueue, semaphores, chown, mount/umount2)
-- **33-check test battery** — multi-disk ATA (hda+hdb+hdd), VFS mount, ping, diskfs ops, clone, socket API, mqueue, semaphores, futex, sigaltstack, chown, mount/umount2 (`make test-battery`)
+- **152-check test battery** — 120 smoke patterns + SMP=1 boot (12) + SMP=2 boot (6) + multi-disk ATA (hda+hdb+hdd) + VFS mount + ping + diskfs ops (`make test-battery`)
+- **10 GDB scripted checks** — heap/PMM/VGA integrity, PID 1 state, scheduler bitmap, mount count, frame refcount
- **Static analysis** — cppcheck, sparse, gcc -fanalyzer
-- **GDB scripted checks** — heap/PMM/VGA integrity
- `make test-all` runs everything
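Review bot: the breakdown on the new `**152-check test battery**` line only accounts for 138 checks (120 + 12 + 6) before the four unnumbered items (multi-disk ATA, VFS mount, ping, diskfs ops); give each of those its own count so the 152 total is verifiable, as the host-test line already does (63 + 38 + 111 = 212).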
## Running
See [POSIX_ROADMAP.md](docs/POSIX_ROADMAP.md) for a detailed checklist.
-**All 31 planned POSIX tasks are complete**, plus 60 additional features (91 total). The kernel has **141 syscalls** with **124 tested** (87.9% coverage) by the 120 smoke tests. The kernel covers **~98%** of the core POSIX interfaces needed for a practical Unix-like system. All 120 smoke tests, 33 battery checks, and 69 host tests pass clean. ARM64, RISC-V 64, and MIPS32 boot on QEMU.
+**All 31 planned POSIX tasks are complete**, plus 60 additional features (91 total). The kernel has **141 syscalls** with **124 tested** (87.9% coverage) by the 120 smoke tests. The kernel covers **~98%** of the core POSIX interfaces needed for a practical Unix-like system. All 120 smoke tests, 152 battery checks, and 212 host tests pass clean. ARM64, RISC-V 64, and MIPS32 boot on QEMU.
Rump Kernel integration is in progress — prerequisites (condition variables, TSC nanosecond clock, IRQ chaining) are implemented and the `rumpuser` hypercall scaffold is in place.
| Syscalls tested by fulltest | 124 (87.9%) |
| Syscalls without test | 17 (12.1%) |
| Smoke tests | 120 |
-| Battery checks | 33 |
-| Host tests | 69 |
+| Battery checks | 152 |
+| Host tests | 212 |
**17 untested syscalls:** `shmctl`, `set_thread_area` (indirect via clone), `accept`, `connect`, `send`, `recv`, `sendto`, `recvfrom`, `fdatasync`, `getaddrinfo`, `sendmsg`, `recvmsg`, `aio_suspend`, `setsockopt`, `getsockopt`, `getpeername`, `wait4`
- `user/` — Userland programs (52 commands: `init.c`, `sh.c`, `cat.c`, `ls.c`, `echo.c`, `cp.c`, `mv.c`, `grep.c`, `sed.c`, `awk.c`, `find.c`, `which.c`, `ps.c`, `top.c`, `kill.c`, `mount.c`, etc. + `ldso.c`, `fulltest.c`, `pie_main.c`)
- `user/doom/` — DOOM port (doomgeneric engine + AdrOS platform adapter)
- `user/ulibc/` — Minimal C library (`printf`, `malloc`, `string.h`, `errno.h`, `pthread.h`, `signal.h`, `stdio.h`, `stdlib.h`, `ctype.h`, `math.h`, `sys/mman.h`, `sys/ioctl.h`, `sys/uio.h`, `time.h`, `linux/futex.h`)
-- `tests/` — Host unit tests, smoke tests, GDB scripted checks
+- `tests/` — Host unit tests (212: utils 63 + security 38 + utilities 111), smoke tests (120), battery tests (152), GDB scripted checks (10), serial input test
- `tools/` — Build tools (`mkinitrd` — produces USTAR archives with LZ4 Frame compression)
- `docs/` — Documentation (POSIX roadmap, audit report, supplementary analysis, testing plan)
- `third_party/lwip/` — lwIP TCP/IP stack (vendored)
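Review bot: the updated `tests/` entry introduces a "serial input test" that appears neither in the Testing section above nor in any `make test-*` target; either add it to the Testing list together with the target that runs it, or drop it here so the two lists agree.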
**1 additional MODERATE fixed**: `schedule()` now calls `context_switch` BEFORE `spin_unlock_irqrestore`, preventing the timer-fired race window.
**Remaining**: 4 MODERATE (open): hardcoded heap VA (1.2), x86 registers leak in interrupts.h (1.3), itoa no buffer size (2.6), itoa UB for INT_MIN (2.7), fd bounds (3.5), kfree doesn't zero (4.2).
+
+**Additional fixes (post-audit):**
+
+| Fix | Severity | Description |
+|-----|----------|-------------|
+| ELF W^X reprotect | CRITICAL | `elf32_reprotect_segments()` re-protects text segments to RO+X AFTER relocations; boundary pages shared with data segments stay writable |
+| `vfs_lookup_initrd` | HIGH | ELF loader and execve use `vfs_lookup_initrd()` (bypasses mount table) so `pivot_root` doesn't break binary lookups |
+| Heap corruption handling | HIGH | On bad magic/double-free, kernel marks process ZOMBIE and calls `schedule()` instead of infinite `hal_cpu_idle()` loop |
+| SHM UAF | HIGH | `shm_at()` rejects IPC_RMID'd segments with `-EIDRM`; `shm_get()` skips marked_rm segments |
+| Procfs UAF | CRITICAL | Dedicated `g_pid_cmdline` pool prevents `/proc/<pid>/cmdline` from overwriting status entries |
+| ext2 partial inode | HIGH | `ext2_file_write` calls `ext2_write_inode()` after each `i_blocks` increment for on-disk consistency |
+| `rq_remove_if_queued` | HIGH | Scans ALL priority queues in both active/expired runqueues (not just `p->priority`) |
+| `execve_copy_user_str` | HIGH | Upfront `user_range_ok()` check before byte-by-byte copy loop |
+| Frame refcount overflow | MODERATE | `frame_refcount[]` changed from `uint16_t` to `uint32_t` to prevent overflow |
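Review bot: two rows in the added fixes table describe mitigations that narrow an issue rather than close it and should say so. "Frame refcount overflow": widening `frame_refcount[]` to `uint32_t` raises the ceiling but does not prevent wraparound, so the row should state whether the increment path saturates or refuses the mapping at the maximum. "Heap corruption handling": continuing to `schedule()` other processes after the kernel heap has been found corrupt (bad magic/double-free) is only safe if the damage is confined to that process's allocations; unless that is the case the safer default is a panic, and the row should say which scope it relies on. Separately, the unchanged "Remaining: 4 MODERATE (open)" line above the table lists six items.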
# AdrOS — Full POSIX/Unix Compatibility Audit & Porting Analysis
**Date:** 2026-03-14 (updated after Tier 1-5 implementation)
-**Original commit:** 2deaf85 — **Current state reflects commit aa5474a (Tiers 1-5 complete)**
+**Original commit:** 2deaf85 — **Current state reflects commit 0e463dd (Tiers 1-5 complete, tests expanded)**
---
|---------|--------|-------|
| ELF32 loader | [x] | Secure with W^X + ASLR; supports `ET_EXEC` + `ET_DYN` + `PT_INTERP` |
| `/sbin/fulltest` (smoke tests) | [x] | Comprehensive test suite (120 checks: file I/O, signals, memory, IPC, devices, procfs, networking, epoll, epollet, inotify, aio, nanosleep, CoW fork, readv/writev, fsync, flock, posix_spawn, TSC precision, gettimeofday, mprotect, getrlimit/setrlimit, uname, LZ4, lazy PLT, execve, clone, pivot_root, dlopen/dlsym/dlclose, execveat, futex, sigaltstack, socket API, mqueue, semaphores, chown, mount/umount2) |
+| Host unit tests | [x] | 212 tests: `test_utils.c` (63: itoa/atoi, path_normalize, align, tar_parse_octal, mount prefix/normalize, VFS permission, ELF validation) + `test_security.c` (38: user_range_ok, bitmap, eflags, signal mask, chmod symbolic) + `test_host_utils.sh` (111 utility tests) |
+| Test battery | [x] | 152 checks: 120 smoke patterns + SMP=1 boot (12) + SMP=2 boot (6) + multi-disk ATA + VFS mount + ping + diskfs |
+| GDB scripted checks | [x] | 10 checks: heap/PMM/VGA integrity, PID 1 state, scheduler bitmap, mount count, frame refcount |
| `/bin/echo` | [x] | argv/envp test |
| `/bin/sh` | [x] | POSIX sh-compatible shell; builtins, pipes, redirects, `$PATH` search |
| `/bin/cat` | [x] | |
85. ~~MIPS32 bring-up (QEMU Malta boot + UART)~~ ✅
86. ~~SysV `/sbin/init` (inittab, runlevels, respawn)~~ ✅
87. ~~50+ userland POSIX utilities (cp, mv, sed, awk, grep, find, etc.)~~ ✅
-88. ~~Host utility test harness (68 cross-platform tests)~~ ✅
+88. ~~Host utility test harness (111 cross-platform tests)~~ ✅
89. ~~Native toolchain (GCC 13.2 + Binutils 2.42, Canadian cross for i686-adros)~~ ✅
90. ~~`mount` syscall — runtime filesystem mounting~~ ✅
91. ~~USTAR InitRD format with LZ4 Frame compression~~ ✅
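Review bot: roadmap item 88 now says "111 cross-platform tests" while the Testing sections elsewhere in this patch describe the same `test_host_utils.sh` count as "111 cross-compiled utility tests"; use one term so a reader does not take them for two different suites.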
# AdrOS — Syscall Test Coverage & POSIX Compliance Analysis
-**Date:** 2026-04-26
+**Date:** 2026-04-27
**Kernel syscalls:** 141 (defined in `include/syscall.h`)
**Fulltest smoke tests:** 120
-**Test battery checks:** 33
-**Host tests:** 69
+**Test battery checks:** 152
+**Host tests:** 212
---
| Syscalls tested by fulltest | 124 (87.9%) |
| Syscalls without test | 17 (12.1%) |
| Smoke tests | 120 |
-| Battery checks | 33 |
-| Host tests | 69 |
+| Battery checks | 152 |
+| Host tests | 212 |
| Test:syscall ratio | ~0.85:1 (not 1:1) |
| POSIX-mandated features missing | ~55+ |
| Major missing categories | Threads, TCP loopback, mkfifo/mknod, chroot, getgroups/setgroups, POSIX timers, msync, fchmod, pathconf, socketpair |
- **Static analysis** (`make check`): cppcheck + sparse + gcc -fanalyzer
- **QEMU smoke tests** (`make test`): expect-based, 120 checks (file I/O, signals, memory, IPC, devices, procfs, networking, epoll, epollet, inotify, aio, nanosleep, CLOCK_REALTIME/CLOCK_MONOTONIC, /dev/urandom, /proc/cmdline, CoW fork, readv/writev, fsync, truncate, getuid/getgid, chmod, flock, times, gettid, posix_spawn, TSC ns precision, SIGSEGV, gettimeofday, mprotect, getrlimit/setrlimit, uname, LZ4 initrd decomp, lazy PLT, execve, clone, pivot_root, dlopen/dlsym/dlclose, execveat, futex, sigaltstack, socket API, mqueue, semaphores, chown, mount/umount2), 4-CPU SMP, 120s timeout
-- **Test battery** (`make test-battery`): 33 checks across QEMU scenarios — multi-disk ATA, VFS mount, ping, diskfs, clone, socket API, mqueue, semaphores, futex, sigaltstack, chown, mount/umount2
-- **Host unit tests** (`make test-host`): 69 tests — `test_utils.c` (28) + `test_security.c` (19) + `test_host_utils.sh` (22 cross-compiled utility tests)
-- **GDB scripted checks** (`make test-gdb`): heap/PMM/VGA integrity validation
+- **Test battery** (`make test-battery`): 152 checks across QEMU scenarios — 120 smoke patterns + SMP=1 boot (12 checks) + SMP=2 boot (6 checks) + multi-disk ATA (hda+hdb+hdd) + VFS mount + ICMP ping + diskfs ops
+- **Host unit tests** (`make test-host`): 212 tests — `test_utils.c` (63: itoa/atoi, path_normalize, align, tar_parse_octal, mount prefix/normalize, VFS permission, ELF validation) + `test_security.c` (38: user_range_ok, bitmap, eflags, signal mask logic, chmod symbolic parsing) + `test_host_utils.sh` (111 cross-compiled utility tests)
+- **GDB scripted checks** (`make test-gdb`): 10 checks — heap integrity, PMM bitmap sanity, VGA mapping, PID 1 state, scheduler runqueue bitmap, mount count, frame 0 refcount
- **Full suite** (`make test-all`): runs check + test-host + test
- **Multi-arch build verification**: `make ARCH=arm`, `make ARCH=riscv`, and `make ARCH=mips` compile and boot on QEMU
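Review bot: the updated GDB line names seven checks for "10 checks", and the unchanged "**Full suite** (`make test-all`): runs check + test-host + test" line below it omits test-battery and test-gdb even though the README hunk says `make test-all` runs everything and the Makefile comment says "All of the above"; state what test-all actually runs and make the three places agree.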
- `path_normalize_inplace` (critical for security)
- `align_up`, `align_down`
- Bitmap operations
+- `tar_parse_octal` (initrd header parsing)
+- `path_is_mountpoint_prefix`, `normalize_mountpoint` (VFS mount logic)
+- `vfs_check_permission` (file permission checks)
+- `elf32_validate` (ELF header validation)
+- Signal mask logic (KILL/STOP always deliverable, sigpending = pending & blocked)
+- `parse_symbolic` (chmod symbolic mode parsing)
These can be compiled and run on the host with `gcc -m32` and a minimal test harness.
No need for Unity — a simple `assert()` + `main()` is sufficient for a kernel project.
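Review bot: the new host-test entries for `elf32_validate` and `vfs_check_permission` name the functions but not what is covered; since these are the security-relevant pure functions, list the rejection cases exercised (for the ELF validator, for example: bad magic, overlapping segments, `p_filesz` greater than `p_memsz`, entry point outside any `PT_LOAD`) so a reader can tell the negative paths are tested, not only the happy path.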
```makefile
make check # cppcheck + sparse + gcc -fanalyzer
make test # QEMU + expect automated smoke test (120 checks incl. ICMP ping, epoll, epollet, inotify, aio, CoW fork, flock, posix_spawn, gettimeofday, mprotect, uname, LZ4, lazy PLT, clone, pivot_root, dlopen/dlsym/dlclose, execveat, futex, sigaltstack, socket API, mqueue, semaphores, chown, mount/umount2)
-make test-battery # Full test battery: multi-disk ATA, VFS mount, ping, diskfs, clone, socket API, mqueue, semaphores, futex, sigaltstack, chown, mount/umount2 (33 checks)
+make test-battery # Full test battery: 120 smoke + SMP=1 (12) + SMP=2 (6) + multi-disk ATA + VFS mount + ping + diskfs (152 checks)
make test-host # Host-side unit tests for pure functions
make test-gdb # QEMU + GDB scripted checks (optional)
make test-all # All of the above
**Date:** 2026-03-14
**Prerequisite:** Tiers 1-5 complete (commit aa5474a), audit updated (commit f3a652e)
-**Current state:** ~99% POSIX, 141 syscalls, 124/141 tested (87.9%), 120 smoke tests, 33 battery checks, all ulibc headers complete
+**Current state:** ~99% POSIX, 141 syscalls, 124/141 tested (87.9%), 120 smoke tests, 152 battery checks, 212 host tests, all ulibc headers complete
---
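Review bot: the updated "Current state" line keeps "~99% POSIX" while the README hunk in this same patch says the kernel covers "~98% of the core POSIX interfaces" and the coverage table still lists "~55+" POSIX-mandated features missing; align the percentage, or qualify what each figure measures, so the documents do not disagree.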