1 /*-
2 * Copyright (c) 2009 Simon L. Nielsen <simon@FreeBSD.org>,
3 * Bjoern A. Zeeb <bz@FreeBSD.org>
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27 #include <sys/param.h>
28 #include <sys/mman.h>
29 #include <sys/sysctl.h>
30
31 #include <atf-c.h>
32 #include <errno.h>
33 #include <fcntl.h>
34 #include <stdarg.h>
35 #include <stdbool.h>
36 #include <stdio.h>
37 #include <stdlib.h>
38
/*
 * Name of the sysctl read by the mmap__map_at_zero test.  The test's
 * expectation table is indexed by whether this value is zero or non-zero.
 */
#define MAP_AT_ZERO "security.bsd.map_at_zero"

/*
 * Name of the sysctl consulted before a test asks for PROT_EXEC together
 * with PROT_WRITE.  __LP64__ selects the elf64 node, otherwise elf32.
 */
#ifdef __LP64__
#define ALLOW_WX "kern.elf64.allow_wx"
#else
#define ALLOW_WX "kern.elf32.allow_wx"
#endif
46
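/*
 * Check which fixed addresses mmap(2) accepts at the bottom and the top of
 * the address space.  A mapping at address 0 must succeed only when the
 * security.bsd.map_at_zero sysctl is non-zero; every other entry in the
 * table has the same expected outcome for both sysctl settings.
 *
 * The test is skipped when either sysctl cannot be read, except that a
 * missing allow_wx node (ENOENT) is treated as "W+X allowed".
 */
ATF_TC_WITHOUT_HEAD(mmap__map_at_zero);
ATF_TC_BODY(mmap__map_at_zero, tc)
{
	void *p;
	size_t len;
	unsigned int i;
	int map_at_zero;
	bool allow_wx;
	int prot_flags;
	size_t pgsz = getpagesize();

	/*
	 * ok[0] is the expected result with the sysctl set to 0, ok[1] with
	 * it set to a non-zero value: 1 means mmap() must succeed, 0 means it
	 * must fail.
	 */
	const struct {
		void	*addr;
		int	ok[2];	/* Depending on security.bsd.map_at_zero {0, !=0}. */
	} map_at_zero_tests[] = {
		{ (void *)0,		   { 0, 1 } }, /* Test sysctl. */
		{ (void *)1,		   { 0, 0 } },
		{ (void *)(pgsz - 1),	   { 0, 0 } },
		{ (void *)pgsz,		   { 1, 1 } },
		{ (void *)-1,		   { 0, 0 } },
		{ (void *)(-pgsz),	   { 0, 0 } },
		{ (void *)(-1 - pgsz),	   { 0, 0 } },
		{ (void *)(-1 - pgsz - 1), { 0, 0 } },
		{ (void *)(0x1000 * pgsz), { 1, 1 } },
	};

	len = sizeof(map_at_zero);
	if (sysctlbyname(MAP_AT_ZERO, &map_at_zero, &len, NULL, 0) == -1) {
		atf_tc_skip("sysctl for %s failed: %s\n", MAP_AT_ZERO,
		    strerror(errno));
		return;
	}

	len = sizeof(allow_wx);
	if (sysctlbyname(ALLOW_WX, &allow_wx, &len, NULL, 0) == -1) {
		if (errno == ENOENT) {
			/* Allow W+X if sysctl isn't present */
			allow_wx = true;
		} else {
			atf_tc_skip("sysctl for %s failed: %s\n", ALLOW_WX,
			    strerror(errno));
			return;
		}
	}

	/* Normalize to 0 or 1 for array access. */
	map_at_zero = !!map_at_zero;

	for (i = 0; i < nitems(map_at_zero_tests); i++) {
		/* Ask for a writable+executable page only where W+X is allowed. */
		prot_flags = PROT_READ | PROT_WRITE;
		if (allow_wx)
			prot_flags |= PROT_EXEC;
		/*
		 * The length is the runtime page size, the same value the
		 * table addresses are derived from, rather than the
		 * compile-time PAGE_SIZE.
		 */
		p = mmap((void *)map_at_zero_tests[i].addr, pgsz,
		    prot_flags, MAP_ANON | MAP_FIXED, -1, 0);
		if (p == MAP_FAILED) {
			ATF_CHECK_MSG(map_at_zero_tests[i].ok[map_at_zero] == 0,
			    "mmap(%p, ...) failed", map_at_zero_tests[i].addr);
		} else {
			ATF_CHECK_MSG(map_at_zero_tests[i].ok[map_at_zero] == 1,
			    "mmap(%p, ...) succeeded: p=%p\n",
			    map_at_zero_tests[i].addr, p);
			/*
			 * Release the page again so that a mapping (in
			 * particular one at address 0) does not stay in place
			 * for the remaining iterations.
			 */
			munmap(p, pgsz);
		}
	}
}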
111
/*
 * Map one page with the given protection, flags and descriptor and compare
 * the outcome with 'error': 0 means the call has to succeed, any other
 * value is the errno it has to fail with.  'msg' labels the case in the
 * failure report.  A mapping that was created is removed before returning.
 */
static void
checked_mmap(int prot, int flags, int fd, int error, const char *msg)
{
	int pagesize;
	void *addr;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);
	addr = mmap(NULL, pagesize, prot, flags, fd, 0);

	if (addr != MAP_FAILED) {
		/* The call went through, which is right only if no error was expected. */
		ATF_CHECK_MSG(error == 0, "%s succeeded", msg);
		munmap(addr, pagesize);
		return;
	}

	if (error != 0) {
		/* A failure was expected; it has to be the right one. */
		ATF_CHECK_EQ_MSG(error, errno,
		    "%s failed with wrong errno %d (expected %d)", msg,
		    errno, error);
	} else {
		/* No failure was expected at all. */
		ATF_CHECK_MSG(0, "%s failed with errno %d", msg, errno);
	}
}
133
/*
 * Run mmap(2) through checked_mmap() with valid and invalid combinations of
 * protection bits, flags and descriptors, and check that each one either
 * succeeds or fails with the expected errno.
 *
 * Three descriptors are used: /dev/devstat and /dev/zero, both opened
 * read-only, and an anonymous shm object sized to one page.
 */
ATF_TC_WITHOUT_HEAD(mmap__bad_arguments);
ATF_TC_BODY(mmap__bad_arguments, tc)
{
	int devstatfd, pagesize, shmfd, zerofd;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);
	ATF_REQUIRE((devstatfd = open("/dev/devstat", O_RDONLY)) >= 0);
	ATF_REQUIRE((shmfd = shm_open(SHM_ANON, O_RDWR, 0644)) >= 0);
	/* Give the shm object one page so that it can be mapped. */
	ATF_REQUIRE(ftruncate(shmfd, pagesize) == 0);
	ATF_REQUIRE((zerofd = open("/dev/zero", O_RDONLY)) >= 0);

	/* These should work. */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON, -1, 0,
	    "simple MAP_ANON");
	checked_mmap(PROT_READ | PROT_WRITE, MAP_SHARED, shmfd, 0,
	    "simple shm fd shared");
	checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE, shmfd, 0,
	    "simple shm fd private");
	checked_mmap(PROT_READ, MAP_SHARED, zerofd, 0,
	    "simple /dev/zero shared");
	checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE, zerofd, 0,
	    "simple /dev/zero private");
	checked_mmap(PROT_READ, MAP_SHARED, devstatfd, 0,
	    "simple /dev/devstat shared");

	/* Extra PROT flags. */
	checked_mmap(PROT_READ | PROT_WRITE | 0x100000, MAP_ANON, -1, EINVAL,
	    "MAP_ANON with extra PROT flags");
	checked_mmap(0xffff, MAP_SHARED, shmfd, EINVAL,
	    "shm fd with garbage PROT");

	/* Undefined flag. */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_RESERVED0080, -1,
	    EINVAL, "Undefined flag");

	/* Both MAP_SHARED and MAP_PRIVATE */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE |
	    MAP_SHARED, -1, EINVAL, "MAP_ANON with both SHARED and PRIVATE");
	checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_SHARED, shmfd,
	    EINVAL, "shm fd with both SHARED and PRIVATE");

	/* At least one of MAP_SHARED or MAP_PRIVATE without ANON */
	checked_mmap(PROT_READ | PROT_WRITE, 0, shmfd, EINVAL,
	    "shm fd without sharing flag");

	/* MAP_ANON with either sharing flag (impacts fork). */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0,
	    "shared MAP_ANON");
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0,
	    "private MAP_ANON");

	/* MAP_ANON should require an fd of -1. */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, 0, EINVAL,
	    "MAP_ANON with fd != -1");

	/*
	 * Writable MAP_SHARED should fail on read-only descriptors: a shared
	 * mapping must not grant write access that the descriptor (opened
	 * O_RDONLY above) does not have.
	 */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_SHARED, zerofd, EACCES,
	    "MAP_SHARED of read-only /dev/zero");

	/*
	 * Character devices other than /dev/zero do not support private
	 * mappings.
	 */
	checked_mmap(PROT_READ, MAP_PRIVATE, devstatfd, EINVAL,
	    "MAP_PRIVATE of /dev/devstat");

	close(devstatfd);
	close(shmfd);
	close(zerofd);
}
204
/*
 * Private mappings of /dev/zero: every byte reads as zero, a write through
 * one mapping is not visible through another, and a mapping created after
 * those writes still reads as zero.  The descriptor is opened read-only;
 * the writable MAP_PRIVATE mappings are nevertheless required to succeed.
 */
ATF_TC_WITHOUT_HEAD(mmap__dev_zero_private);
ATF_TC_BODY(mmap__dev_zero_private, tc)
{
	char *p1, *p2, *p3;
	int fd, i, pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);
	ATF_REQUIRE((fd = open("/dev/zero", O_RDONLY)) >= 0);

	p1 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	ATF_REQUIRE(p1 != MAP_FAILED);

	p2 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	ATF_REQUIRE(p2 != MAP_FAILED);

	/* A fresh mapping must be zero-filled over the whole page. */
	for (i = 0; i < pagesize; i++)
		ATF_REQUIRE_EQ_MSG(0, p1[i], "byte at p1[%d] is %x", i, p1[i]);

	ATF_REQUIRE(memcmp(p1, p2, pagesize) == 0);

	/* A store through p1 must not show up in p2 ... */
	p1[0] = 1;

	ATF_REQUIRE(p2[0] == 0);

	/* ... and a store through p2 must not overwrite what p1 holds. */
	p2[0] = 2;

	ATF_REQUIRE(p1[0] == 1);

	/* A mapping created after both stores must not see either of them. */
	p3 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	ATF_REQUIRE(p3 != MAP_FAILED);

	ATF_REQUIRE(p3[0] == 0);

	munmap(p1, pagesize);
	munmap(p2, pagesize);
	munmap(p3, pagesize);
	close(fd);
}
243
/*
 * Shared mappings of /dev/zero, opened read-write.  The assertions require
 * the same isolation as for private mappings: each mapping starts out
 * zero-filled, and a write through one mapping is not visible through
 * another mapping of the same descriptor, including one created afterwards.
 */
ATF_TC_WITHOUT_HEAD(mmap__dev_zero_shared);
ATF_TC_BODY(mmap__dev_zero_shared, tc)
{
	char *p1, *p2, *p3;
	int fd, i, pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);
	ATF_REQUIRE((fd = open("/dev/zero", O_RDWR)) >= 0);

	p1 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	ATF_REQUIRE(p1 != MAP_FAILED);

	p2 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	ATF_REQUIRE(p2 != MAP_FAILED);

	/* A fresh mapping must be zero-filled over the whole page. */
	for (i = 0; i < pagesize; i++)
		ATF_REQUIRE_EQ_MSG(0, p1[i], "byte at p1[%d] is %x", i, p1[i]);

	ATF_REQUIRE(memcmp(p1, p2, pagesize) == 0);

	/* Even with MAP_SHARED, a store through p1 must not show up in p2 ... */
	p1[0] = 1;

	ATF_REQUIRE(p2[0] == 0);

	/* ... and a store through p2 must not overwrite what p1 holds. */
	p2[0] = 2;

	ATF_REQUIRE(p1[0] == 1);

	/* A mapping created after both stores must not see either of them. */
	p3 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd,
	    0);
	ATF_REQUIRE(p3 != MAP_FAILED);

	ATF_REQUIRE(p3[0] == 0);

	munmap(p1, pagesize);
	munmap(p2, pagesize);
	munmap(p3, pagesize);
	close(fd);
}
283
/*
 * Create an anonymous mapping with PROT_WRITE only and store to it.  There
 * is no assertion after the store; the test passes when the store completes
 * without the process being killed.
 */
ATF_TC_WITHOUT_HEAD(mmap__write_only);
ATF_TC_BODY(mmap__write_only, tc)
{
	void *p;
	int pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);
	p = mmap(NULL, pagesize, PROT_WRITE, MAP_ANON, -1, 0);
	ATF_REQUIRE(p != MAP_FAILED);

	/* NOTE(review): volatile presumably keeps the compiler from dropping the store. */
	*(volatile uint32_t *)p = 0x12345678;

	munmap(p, pagesize);
}
298
/*
 * Map an anonymous page readable with PROT_MAX(PROT_READ) and check that
 * the protection cannot be raised afterwards: each mprotect(2) call that
 * asks for write or execute access has to fail with EACCES.
 */
ATF_TC_WITHOUT_HEAD(mmap__maxprot_basic);
ATF_TC_BODY(mmap__maxprot_basic, tc)
{
	void *p;
	int error, pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);

	p = mmap(NULL, pagesize, PROT_READ | PROT_MAX(PROT_READ),
	    MAP_ANON, -1, 0);
	ATF_REQUIRE(p != MAP_FAILED);

	/* Write-only, read-write and read-execute are all above the cap. */
	error = mprotect(p, pagesize, PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_EXEC);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);

	ATF_REQUIRE(munmap(p, pagesize) == 0);
}
320
/*
 * Make sure that PROT_MAX applies as expected to mappings of shm objects.
 *
 * The shm descriptor is opened O_RDWR, so the descriptor itself would allow
 * a writable mapping; the test checks that PROT_MAX(PROT_READ) still makes
 * every mprotect(2) request for write or execute access fail with EACCES,
 * first on a private and then on a shared mapping.
 */
ATF_TC_WITHOUT_HEAD(mmap__maxprot_shm);
ATF_TC_BODY(mmap__maxprot_shm, tc)
{
	void *p;
	int error, fd, pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);

	fd = shm_open(SHM_ANON, O_RDWR, 0644);
	ATF_REQUIRE(fd >= 0);

	/* Size the object to one page so that it can be mapped. */
	error = ftruncate(fd, pagesize);
	ATF_REQUIRE(error == 0);

	p = mmap(NULL, pagesize, PROT_READ | PROT_MAX(PROT_READ),
	    MAP_PRIVATE, fd, 0);
	ATF_REQUIRE(p != MAP_FAILED);

	error = mprotect(p, pagesize, PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_EXEC);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);

	ATF_REQUIRE(munmap(p, pagesize) == 0);

	/* Again, this time with a shared mapping. */
	p = mmap(NULL, pagesize, PROT_READ | PROT_MAX(PROT_READ),
	    MAP_SHARED, fd, 0);
	ATF_REQUIRE(p != MAP_FAILED);

	error = mprotect(p, pagesize, PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_EXEC);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);

	ATF_REQUIRE(munmap(p, pagesize) == 0);

	ATF_REQUIRE(close(fd) == 0);
}
365
/*
 * Test program entry point for ATF: add every test case defined in this
 * file to the test program 'tp' and report that registration succeeded.
 */
ATF_TP_ADD_TCS(tp)
{
	ATF_TP_ADD_TC(tp, mmap__map_at_zero);
	ATF_TP_ADD_TC(tp, mmap__bad_arguments);
	ATF_TP_ADD_TC(tp, mmap__dev_zero_private);
	ATF_TP_ADD_TC(tp, mmap__dev_zero_shared);
	ATF_TP_ADD_TC(tp, mmap__write_only);
	ATF_TP_ADD_TC(tp, mmap__maxprot_basic);
	ATF_TP_ADD_TC(tp, mmap__maxprot_shm);

	return (atf_no_error());
}
378