xref: /freebsd/contrib/netbsd-tests/lib/libc/sys/t_mprotect.c (revision 5dae51da3da0cc94d17bd67b308fad304ebec7e0)
1 /* $NetBSD: t_mprotect.c,v 1.4 2016/05/28 14:34:49 christos Exp $ */
2 
3 /*-
4  * Copyright (c) 2011 The NetBSD Foundation, Inc.
5  * All rights reserved.
6  *
7  * This code is derived from software contributed to The NetBSD Foundation
8  * by Jukka Ruohonen.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  */
31 #include <sys/cdefs.h>
32 __RCSID("$NetBSD: t_mprotect.c,v 1.4 2016/05/28 14:34:49 christos Exp $");
33 
34 #include <sys/param.h>
35 #include <sys/mman.h>
36 #include <sys/sysctl.h>
37 #include <sys/wait.h>
38 
39 #include <errno.h>
40 #include <fcntl.h>
41 #include <stdlib.h>
42 #include <string.h>
43 #include <unistd.h>
44 
45 #include <atf-c.h>
46 
47 #ifdef __NetBSD__
48 #include "../common/exec_prot.h"
49 #endif
50 
51 static long	page = 0;
52 static int	pax_global = -1;
53 static int	pax_enabled = -1;
54 static char	path[] = "mmap";
55 
56 static void	sighandler(int);
57 static bool	paxinit(void);
58 static bool	paxset(int, int);
59 
60 static void
61 sighandler(int signo)
62 {
63 	_exit(signo);
64 }
65 
66 static bool
67 paxinit(void)
68 {
69 	size_t len = sizeof(int);
70 	int rv;
71 
72 	rv = sysctlbyname("security.pax.mprotect.global",
73 	    &pax_global, &len, NULL, 0);
74 
75 	if (rv != 0)
76 		return false;
77 
78 	rv = sysctlbyname("security.pax.mprotect.enabled",
79 	    &pax_enabled, &len, NULL, 0);
80 
81 	return rv == 0;
82 }
83 
84 static bool
85 paxset(int global, int enabled)
86 {
87 	size_t len = sizeof(int);
88 	int rv;
89 
90 	rv = sysctlbyname("security.pax.mprotect.global",
91 	    NULL, NULL, &global, len);
92 
93 	if (rv != 0)
94 		return false;
95 
96 	rv = sysctlbyname("security.pax.mprotect.enabled",
97 	    NULL, NULL, &enabled, len);
98 
99 	if (rv != 0)
100 		return false;
101 
102 	return true;
103 }
104 
105 
106 ATF_TC_WITH_CLEANUP(mprotect_access);
107 ATF_TC_HEAD(mprotect_access, tc)
108 {
109 	atf_tc_set_md_var(tc, "descr", "Test for EACCES from mprotect(2)");
110 }
111 
112 ATF_TC_BODY(mprotect_access, tc)
113 {
114 	int prot[2] = { PROT_NONE, PROT_READ };
115 	void *map;
116 	size_t i;
117 	int fd;
118 
119 	fd = open(path, O_RDONLY | O_CREAT);
120 	ATF_REQUIRE(fd >= 0);
121 
122 	/*
123 	 * The call should fail with EACCES if we try to mark
124 	 * a PROT_NONE or PROT_READ file/section as PROT_WRITE.
125 	 */
126 	for (i = 0; i < __arraycount(prot); i++) {
127 
128 		map = mmap(NULL, page, prot[i], MAP_SHARED, fd, 0);
129 
130 		if (map == MAP_FAILED)
131 			continue;
132 
133 		errno = 0;
134 
135 		ATF_REQUIRE(mprotect(map, page, PROT_WRITE) != 0);
136 		ATF_REQUIRE(errno == EACCES);
137 		ATF_REQUIRE(munmap(map, page) == 0);
138 	}
139 
140 	ATF_REQUIRE(close(fd) == 0);
141 }
142 
143 ATF_TC_CLEANUP(mprotect_access, tc)
144 {
145 	(void)unlink(path);
146 }
147 
148 ATF_TC(mprotect_err);
149 ATF_TC_HEAD(mprotect_err, tc)
150 {
151 	atf_tc_set_md_var(tc, "descr", "Test error conditions of mprotect(2)");
152 }
153 
154 ATF_TC_BODY(mprotect_err, tc)
155 {
156 	errno = 0;
157 
158 	ATF_REQUIRE(mprotect((char *)-1, 1, PROT_READ) != 0);
159 	ATF_REQUIRE(errno == EINVAL);
160 }
161 
162 #ifdef __NetBSD__
163 ATF_TC(mprotect_exec);
164 ATF_TC_HEAD(mprotect_exec, tc)
165 {
166 	atf_tc_set_md_var(tc, "descr",
167 	    "Test mprotect(2) executable space protections");
168 }
169 
170 /*
171  * Trivial function -- should fit into a page
172  */
173 ATF_TC_BODY(mprotect_exec, tc)
174 {
175 	pid_t pid;
176 	void *map;
177 	int sta, xp_support;
178 
179 	xp_support = exec_prot_support();
180 
181 	switch (xp_support) {
182 	case NOTIMPL:
183 		atf_tc_skip(
184 		    "Execute protection callback check not implemented");
185 		break;
186 	case NO_XP:
187 		atf_tc_skip(
188 		    "Host does not support executable space protection");
189 		break;
190 	case PARTIAL_XP: case PERPAGE_XP: default:
191 		break;
192 	}
193 
194 	if (!paxinit())
195 		return;
196 	if (pax_enabled == 1 && pax_global == 1)
197 		atf_tc_skip("PaX MPROTECT restrictions enabled");
198 
199 
200 	/*
201 	 * Map a page read/write and copy a trivial assembly function inside.
202 	 * We will then change the mapping rights:
203 	 * - first by setting the execution right, and check that we can
204 	 *   call the code found in the allocated page.
205 	 * - second by removing the execution right. This should generate
206 	 *   a SIGSEGV on architectures that can enforce --x permissions.
207 	 */
208 
209 	map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);
210 	ATF_REQUIRE(map != MAP_FAILED);
211 
212 	memcpy(map, (void *)return_one,
213 	    (uintptr_t)return_one_end - (uintptr_t)return_one);
214 
215 	/* give r-x rights then call code in page */
216 	ATF_REQUIRE(mprotect(map, page, PROT_EXEC|PROT_READ) == 0);
217 	ATF_REQUIRE(((int (*)(void))map)() == 1);
218 
219 	/* remove --x right */
220 	ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0);
221 
222 	pid = fork();
223 	ATF_REQUIRE(pid >= 0);
224 
225 	if (pid == 0) {
226 		ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR);
227 		ATF_CHECK(((int (*)(void))map)() == 1);
228 		_exit(0);
229 	}
230 
231 	(void)wait(&sta);
232 
233 	ATF_REQUIRE(munmap(map, page) == 0);
234 
235 	ATF_REQUIRE(WIFEXITED(sta) != 0);
236 
237 	switch (xp_support) {
238 	case PARTIAL_XP:
239 		/* Partial protection might fail; skip the test when it does */
240 		if (WEXITSTATUS(sta) != SIGSEGV) {
241 			atf_tc_skip("Host only supports "
242 			    "partial executable space protection");
243 		}
244 		break;
245 	case PERPAGE_XP: default:
246 		/* Per-page --x protection should not fail */
247 		ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV);
248 		break;
249 	}
250 }
251 #endif
252 
253 ATF_TC(mprotect_pax);
254 ATF_TC_HEAD(mprotect_pax, tc)
255 {
256 	atf_tc_set_md_var(tc, "descr", "PaX restrictions and mprotect(2)");
257 	atf_tc_set_md_var(tc, "require.user", "root");
258 }
259 
260 ATF_TC_BODY(mprotect_pax, tc)
261 {
262 	const int prot[4] = { PROT_NONE, PROT_READ, PROT_WRITE };
263 	const char *str = NULL;
264 	void *map;
265 	size_t i;
266 	int rv;
267 
268 	if (!paxinit() || !paxset(1, 1))
269 		return;
270 
271 	/*
272 	 * As noted in the original PaX documentation [1],
273 	 * the following restrictions should apply:
274 	 *
275 	 *   (1) creating executable anonymous mappings
276 	 *
277 	 *   (2) creating executable/writable file mappings
278 	 *
279 	 *   (3) making a non-executable mapping executable
280 	 *
281 	 *   (4) making an executable/read-only file mapping
282 	 *       writable except for performing relocations
283 	 *       on an ET_DYN ELF file (non-PIC shared library)
284 	 *
285 	 *  The following will test only the case (3).
286 	 *
287 	 * [1] http://pax.grsecurity.net/docs/mprotect.txt
288 	 *
289 	 *     (Sun Apr 3 11:06:53 EEST 2011.)
290 	 */
291 	for (i = 0; i < __arraycount(prot); i++) {
292 
293 		map = mmap(NULL, page, prot[i], MAP_ANON, -1, 0);
294 
295 		if (map == MAP_FAILED)
296 			continue;
297 
298 		rv = mprotect(map, 1, prot[i] | PROT_EXEC);
299 
300 		(void)munmap(map, page);
301 
302 		if (rv == 0) {
303 			str = "non-executable mapping made executable";
304 			goto out;
305 		}
306 	}
307 
308 out:
309 	if (pax_global != -1 && pax_enabled != -1)
310 		(void)paxset(pax_global, pax_enabled);
311 
312 	if (str != NULL)
313 		atf_tc_fail("%s", str);
314 }
315 
316 ATF_TC(mprotect_write);
317 ATF_TC_HEAD(mprotect_write, tc)
318 {
319 	atf_tc_set_md_var(tc, "descr", "Test mprotect(2) write protections");
320 }
321 
322 ATF_TC_BODY(mprotect_write, tc)
323 {
324 	pid_t pid;
325 	void *map;
326 	int sta;
327 
328 	/*
329 	 * Map a page read/write, change the protection
330 	 * to read-only with mprotect(2), and try to write
331 	 * to the page. This should generate a SIGSEGV.
332 	 */
333 	map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);
334 	ATF_REQUIRE(map != MAP_FAILED);
335 
336 	ATF_REQUIRE(strlcpy(map, "XXX", 3) == 3);
337 	ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0);
338 
339 	pid = fork();
340 	ATF_REQUIRE(pid >= 0);
341 
342 	if (pid == 0) {
343 		ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR);
344 		ATF_REQUIRE(strlcpy(map, "XXX", 3) == 0);
345 	}
346 
347 	(void)wait(&sta);
348 
349 	ATF_REQUIRE(WIFEXITED(sta) != 0);
350 	ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV);
351 	ATF_REQUIRE(munmap(map, page) == 0);
352 }
353 
354 ATF_TP_ADD_TCS(tp)
355 {
356 	page = sysconf(_SC_PAGESIZE);
357 	ATF_REQUIRE(page >= 0);
358 
359 	ATF_TP_ADD_TC(tp, mprotect_access);
360 	ATF_TP_ADD_TC(tp, mprotect_err);
361 #ifdef __NetBSD__
362 	ATF_TP_ADD_TC(tp, mprotect_exec);
363 #endif
364 	ATF_TP_ADD_TC(tp, mprotect_pax);
365 	ATF_TP_ADD_TC(tp, mprotect_write);
366 
367 	return atf_no_error();
368 }
369