1 /* $NetBSD: t_mprotect.c,v 1.4 2016/05/28 14:34:49 christos Exp $ */ 2 3 /*- 4 * Copyright (c) 2011 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Jukka Ruohonen. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 #include <sys/cdefs.h> 32 __RCSID("$NetBSD: t_mprotect.c,v 1.4 2016/05/28 14:34:49 christos Exp $"); 33 34 #include <sys/param.h> 35 #include <sys/mman.h> 36 #include <sys/sysctl.h> 37 #include <sys/wait.h> 38 39 #include <errno.h> 40 #include <fcntl.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <unistd.h> 44 45 #include <atf-c.h> 46 47 #ifdef __NetBSD__ 48 #include "../common/exec_prot.h" 49 #endif 50 51 static long page = 0; 52 static int pax_global = -1; 53 static int pax_enabled = -1; 54 static char path[] = "mmap"; 55 56 static void sighandler(int); 57 static bool paxinit(void); 58 static bool paxset(int, int); 59 60 static void 61 sighandler(int signo) 62 { 63 _exit(signo); 64 } 65 66 static bool 67 paxinit(void) 68 { 69 size_t len = sizeof(int); 70 int rv; 71 72 rv = sysctlbyname("security.pax.mprotect.global", 73 &pax_global, &len, NULL, 0); 74 75 if (rv != 0) 76 return false; 77 78 rv = sysctlbyname("security.pax.mprotect.enabled", 79 &pax_enabled, &len, NULL, 0); 80 81 return rv == 0; 82 } 83 84 static bool 85 paxset(int global, int enabled) 86 { 87 size_t len = sizeof(int); 88 int rv; 89 90 rv = sysctlbyname("security.pax.mprotect.global", 91 NULL, NULL, &global, len); 92 93 if (rv != 0) 94 return false; 95 96 rv = sysctlbyname("security.pax.mprotect.enabled", 97 NULL, NULL, &enabled, len); 98 99 if (rv != 0) 100 return false; 101 102 return true; 103 } 104 105 106 ATF_TC_WITH_CLEANUP(mprotect_access); 107 ATF_TC_HEAD(mprotect_access, tc) 108 { 109 atf_tc_set_md_var(tc, "descr", "Test for EACCES from mprotect(2)"); 110 } 111 112 ATF_TC_BODY(mprotect_access, tc) 113 { 114 int prot[2] = { PROT_NONE, PROT_READ }; 115 void *map; 116 size_t i; 117 int fd; 118 119 fd = open(path, O_RDONLY | O_CREAT); 120 ATF_REQUIRE(fd >= 0); 121 122 /* 123 * The call should fail with EACCES if we try to mark 124 * a PROT_NONE or PROT_READ file/section as PROT_WRITE. 125 */ 126 for (i = 0; i < __arraycount(prot); i++) { 127 128 map = mmap(NULL, page, prot[i], MAP_SHARED, fd, 0); 129 130 if (map == MAP_FAILED) 131 continue; 132 133 errno = 0; 134 135 ATF_REQUIRE(mprotect(map, page, PROT_WRITE) != 0); 136 ATF_REQUIRE(errno == EACCES); 137 ATF_REQUIRE(munmap(map, page) == 0); 138 } 139 140 ATF_REQUIRE(close(fd) == 0); 141 } 142 143 ATF_TC_CLEANUP(mprotect_access, tc) 144 { 145 (void)unlink(path); 146 } 147 148 ATF_TC(mprotect_err); 149 ATF_TC_HEAD(mprotect_err, tc) 150 { 151 atf_tc_set_md_var(tc, "descr", "Test error conditions of mprotect(2)"); 152 } 153 154 ATF_TC_BODY(mprotect_err, tc) 155 { 156 errno = 0; 157 158 ATF_REQUIRE(mprotect((char *)-1, 1, PROT_READ) != 0); 159 ATF_REQUIRE(errno == EINVAL); 160 } 161 162 #ifdef __NetBSD__ 163 ATF_TC(mprotect_exec); 164 ATF_TC_HEAD(mprotect_exec, tc) 165 { 166 atf_tc_set_md_var(tc, "descr", 167 "Test mprotect(2) executable space protections"); 168 } 169 170 /* 171 * Trivial function -- should fit into a page 172 */ 173 ATF_TC_BODY(mprotect_exec, tc) 174 { 175 pid_t pid; 176 void *map; 177 int sta, xp_support; 178 179 xp_support = exec_prot_support(); 180 181 switch (xp_support) { 182 case NOTIMPL: 183 atf_tc_skip( 184 "Execute protection callback check not implemented"); 185 break; 186 case NO_XP: 187 atf_tc_skip( 188 "Host does not support executable space protection"); 189 break; 190 case PARTIAL_XP: case PERPAGE_XP: default: 191 break; 192 } 193 194 if (!paxinit()) 195 return; 196 if (pax_enabled == 1 && pax_global == 1) 197 atf_tc_skip("PaX MPROTECT restrictions enabled"); 198 199 200 /* 201 * Map a page read/write and copy a trivial assembly function inside. 202 * We will then change the mapping rights: 203 * - first by setting the execution right, and check that we can 204 * call the code found in the allocated page. 205 * - second by removing the execution right. This should generate 206 * a SIGSEGV on architectures that can enforce --x permissions. 207 */ 208 209 map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0); 210 ATF_REQUIRE(map != MAP_FAILED); 211 212 memcpy(map, (void *)return_one, 213 (uintptr_t)return_one_end - (uintptr_t)return_one); 214 215 /* give r-x rights then call code in page */ 216 ATF_REQUIRE(mprotect(map, page, PROT_EXEC|PROT_READ) == 0); 217 ATF_REQUIRE(((int (*)(void))map)() == 1); 218 219 /* remove --x right */ 220 ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0); 221 222 pid = fork(); 223 ATF_REQUIRE(pid >= 0); 224 225 if (pid == 0) { 226 ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR); 227 ATF_CHECK(((int (*)(void))map)() == 1); 228 _exit(0); 229 } 230 231 (void)wait(&sta); 232 233 ATF_REQUIRE(munmap(map, page) == 0); 234 235 ATF_REQUIRE(WIFEXITED(sta) != 0); 236 237 switch (xp_support) { 238 case PARTIAL_XP: 239 /* Partial protection might fail; skip the test when it does */ 240 if (WEXITSTATUS(sta) != SIGSEGV) { 241 atf_tc_skip("Host only supports " 242 "partial executable space protection"); 243 } 244 break; 245 case PERPAGE_XP: default: 246 /* Per-page --x protection should not fail */ 247 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV); 248 break; 249 } 250 } 251 #endif 252 253 ATF_TC(mprotect_pax); 254 ATF_TC_HEAD(mprotect_pax, tc) 255 { 256 atf_tc_set_md_var(tc, "descr", "PaX restrictions and mprotect(2)"); 257 atf_tc_set_md_var(tc, "require.user", "root"); 258 } 259 260 ATF_TC_BODY(mprotect_pax, tc) 261 { 262 const int prot[4] = { PROT_NONE, PROT_READ, PROT_WRITE }; 263 const char *str = NULL; 264 void *map; 265 size_t i; 266 int rv; 267 268 if (!paxinit() || !paxset(1, 1)) 269 return; 270 271 /* 272 * As noted in the original PaX documentation [1], 273 * the following restrictions should apply: 274 * 275 * (1) creating executable anonymous mappings 276 * 277 * (2) creating executable/writable file mappings 278 * 279 * (3) making a non-executable mapping executable 280 * 281 * (4) making an executable/read-only file mapping 282 * writable except for performing relocations 283 * on an ET_DYN ELF file (non-PIC shared library) 284 * 285 * The following will test only the case (3). 286 * 287 * [1] http://pax.grsecurity.net/docs/mprotect.txt 288 * 289 * (Sun Apr 3 11:06:53 EEST 2011.) 290 */ 291 for (i = 0; i < __arraycount(prot); i++) { 292 293 map = mmap(NULL, page, prot[i], MAP_ANON, -1, 0); 294 295 if (map == MAP_FAILED) 296 continue; 297 298 rv = mprotect(map, 1, prot[i] | PROT_EXEC); 299 300 (void)munmap(map, page); 301 302 if (rv == 0) { 303 str = "non-executable mapping made executable"; 304 goto out; 305 } 306 } 307 308 out: 309 if (pax_global != -1 && pax_enabled != -1) 310 (void)paxset(pax_global, pax_enabled); 311 312 if (str != NULL) 313 atf_tc_fail("%s", str); 314 } 315 316 ATF_TC(mprotect_write); 317 ATF_TC_HEAD(mprotect_write, tc) 318 { 319 atf_tc_set_md_var(tc, "descr", "Test mprotect(2) write protections"); 320 } 321 322 ATF_TC_BODY(mprotect_write, tc) 323 { 324 pid_t pid; 325 void *map; 326 int sta; 327 328 /* 329 * Map a page read/write, change the protection 330 * to read-only with mprotect(2), and try to write 331 * to the page. This should generate a SIGSEGV. 332 */ 333 map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0); 334 ATF_REQUIRE(map != MAP_FAILED); 335 336 ATF_REQUIRE(strlcpy(map, "XXX", 3) == 3); 337 ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0); 338 339 pid = fork(); 340 ATF_REQUIRE(pid >= 0); 341 342 if (pid == 0) { 343 ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR); 344 ATF_REQUIRE(strlcpy(map, "XXX", 3) == 0); 345 } 346 347 (void)wait(&sta); 348 349 ATF_REQUIRE(WIFEXITED(sta) != 0); 350 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV); 351 ATF_REQUIRE(munmap(map, page) == 0); 352 } 353 354 ATF_TP_ADD_TCS(tp) 355 { 356 page = sysconf(_SC_PAGESIZE); 357 ATF_REQUIRE(page >= 0); 358 359 ATF_TP_ADD_TC(tp, mprotect_access); 360 ATF_TP_ADD_TC(tp, mprotect_err); 361 #ifdef __NetBSD__ 362 ATF_TP_ADD_TC(tp, mprotect_exec); 363 #endif 364 ATF_TP_ADD_TC(tp, mprotect_pax); 365 ATF_TP_ADD_TC(tp, mprotect_write); 366 367 return atf_no_error(); 368 } 369