xref: /freebsd/tests/sys/kern/kern_copyin.c (revision 5c2bc3db201a4fe8d7911cf816bea104d5dc2138)
13b624bd6SKonstantin Belousov /*-
26eeccaa9SKonstantin Belousov  * Copyright (c) 2015, 2020 The FreeBSD Foundation
33b624bd6SKonstantin Belousov  *
43b624bd6SKonstantin Belousov  * This software was developed by Konstantin Belousov <kib@FreeBSD.org>
53b624bd6SKonstantin Belousov  * under sponsorship from the FreeBSD Foundation.
63b624bd6SKonstantin Belousov  *
73b624bd6SKonstantin Belousov  * Redistribution and use in source and binary forms, with or without
83b624bd6SKonstantin Belousov  * modification, are permitted provided that the following conditions
93b624bd6SKonstantin Belousov  * are met:
103b624bd6SKonstantin Belousov  * 1. Redistributions of source code must retain the above copyright
113b624bd6SKonstantin Belousov  *    notice, this list of conditions and the following disclaimer.
123b624bd6SKonstantin Belousov  * 2. Redistributions in binary form must reproduce the above copyright
133b624bd6SKonstantin Belousov  *    notice, this list of conditions and the following disclaimer in the
143b624bd6SKonstantin Belousov  *    documentation and/or other materials provided with the distribution.
153b624bd6SKonstantin Belousov  *
163b624bd6SKonstantin Belousov  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
173b624bd6SKonstantin Belousov  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
183b624bd6SKonstantin Belousov  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
193b624bd6SKonstantin Belousov  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
203b624bd6SKonstantin Belousov  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
213b624bd6SKonstantin Belousov  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
223b624bd6SKonstantin Belousov  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
233b624bd6SKonstantin Belousov  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
243b624bd6SKonstantin Belousov  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
253b624bd6SKonstantin Belousov  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
263b624bd6SKonstantin Belousov  * SUCH DAMAGE.
273b624bd6SKonstantin Belousov  */
283b624bd6SKonstantin Belousov 
293b624bd6SKonstantin Belousov #include <sys/param.h>
306eeccaa9SKonstantin Belousov #include <sys/exec.h>
316eeccaa9SKonstantin Belousov #include <sys/sysctl.h>
326393594bSMark Johnston #include <sys/user.h>
33*939f0b63SKornel Dulęba #include <sys/mman.h>
346393594bSMark Johnston 
353b624bd6SKonstantin Belousov #include <errno.h>
368babb558SMitchell Horne #include <fcntl.h>
373b624bd6SKonstantin Belousov #include <limits.h>
383b624bd6SKonstantin Belousov #include <stdio.h>
393b624bd6SKonstantin Belousov #include <stdlib.h>
403b624bd6SKonstantin Belousov #include <unistd.h>
413b624bd6SKonstantin Belousov #include <atf-c.h>
423b624bd6SKonstantin Belousov #include <vm/vm.h>
433b624bd6SKonstantin Belousov #include <vm/pmap.h>
443b624bd6SKonstantin Belousov #include <machine/vmparam.h>
453b624bd6SKonstantin Belousov 
/* Descriptor of the scratch file that the checkers pass to the kernel. */
static int scratch_file;

/*
 * Present the user range [uaddr, uaddr + len) to the kernel as the source
 * buffer of a write(2) on the scratch file.
 *
 * Returns 0 when write(2) does not fail, otherwise the errno it left behind.
 * A short write is not distinguished from a complete one.
 */
static int
copyin_checker(uintptr_t uaddr, size_t len)
{
	if (write(scratch_file, (const void *)uaddr, len) == -1)
		return (errno);
	return (0);
}
563b624bd6SKonstantin Belousov 
#if __SIZEOF_POINTER__ == 8
/*
 * Second probe, only built for 8-byte pointers: hand uaddr to
 * fcntl(F_GETLK) as its argument pointer.  This is a slightly more direct
 * route to copyin(), but the caller cannot choose how many bytes are read.
 *
 * Returns 0 when fcntl(2) does not fail, otherwise the errno it set.
 */
static int
copyin_checker2(uintptr_t uaddr)
{
	if (fcntl(scratch_file, F_GETLK, (const void *)uaddr) == -1)
		return (errno);
	return (0);
}
#endif
718babb558SMitchell Horne 
/*
 * Query the VM layout of the calling process with the
 * CTL_KERN / KERN_PROC / KERN_PROC_VM_LAYOUT / <pid> sysctl MIB and store it
 * in *kvm.
 *
 * Returns the sysctl(3) result unchanged.
 * NOTE(review): the length written back by sysctl(3) is not compared with
 * sizeof(*kvm), so a shorter reply would go unnoticed by callers.
 */
static int
get_vm_layout(struct kinfo_vm_layout *kvm)
{
	int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_VM_LAYOUT, getpid() };
	size_t len = sizeof(*kvm);

	return (sysctl(mib, nitems(mib), kvm, &len, NULL, 0));
}
866eeccaa9SKonstantin Belousov 
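/* Largest unsigned long; base for addresses the test expects to be rejected. */
#define	FMAX	ULONG_MAX
#if __SIZEOF_POINTER__ == 8
/* PR 257193: an address with the most significant bit set. */
#define	ADDR_SIGNED	0x800000c000000000
#endif

/*
 * Boundary test for the kernel's validation of user-supplied source ranges.
 *
 * The upper limit of the user address space (maxuser) is taken from the
 * process VM layout.  Each check hands a (address, length) pair to the
 * kernel and expects either success or EFAULT:
 *   - zero-length requests succeed whatever the address is;
 *   - ranges that end at or below maxuser succeed;
 *   - ranges that start at, or extend past, maxuser fail with EFAULT;
 *   - addresses derived from FMAX and ADDR_SIGNED fail with EFAULT.
 */
ATF_TC_WITHOUT_HEAD(kern_copyin);
ATF_TC_BODY(kern_copyin, tc)
{
	char template[] = "copyin.XXXXXX";
	struct kinfo_vm_layout kvm;
	uintptr_t maxuser;
	long page_size;
	void *addr;
	int error;

	/* MAP_FAILED doubles as "no extra page was mapped" for the cleanup. */
	addr = MAP_FAILED;

	error = get_vm_layout(&kvm);
	ATF_REQUIRE(error == 0);

	/* sysconf(3) reports failure as -1. */
	page_size = sysconf(_SC_PAGESIZE);
	ATF_REQUIRE(page_size != (long)-1);

	maxuser = kvm.kvm_max_user_addr;
	scratch_file = mkstemp(template);
	ATF_REQUIRE(scratch_file != -1);
	/* Drop the name right away; only the open descriptor is used. */
	unlink(template);

	/*
	 * Since the shared page address can be randomized we need to make
	 * sure that something is mapped at the top of the user address space.
	 * Otherwise reading bytes from maxuser-X will fail rendering this test
	 * useless.
	 *
	 * NOTE(review): MAP_FIXED replaces whatever is already mapped in the
	 * requested range; the only guard here is that the shared page does
	 * not reach maxuser.
	 */
	if (kvm.kvm_shp_addr + kvm.kvm_shp_size < maxuser) {
		addr = mmap((void *)(maxuser - page_size), page_size, PROT_READ,
		    MAP_ANON | MAP_FIXED, -1, 0);
		ATF_REQUIRE(addr != MAP_FAILED);
	}

	/* A zero-length request at address 0 is accepted. */
	ATF_CHECK(copyin_checker(0, 0) == 0);

	/* Ranges ending just below or exactly at maxuser are accepted ... */
	ATF_CHECK(copyin_checker(maxuser - 10, 9) == 0);
	ATF_CHECK(copyin_checker(maxuser - 10, 10) == 0);
	/* ... one byte further crosses the limit and must be refused. */
	ATF_CHECK(copyin_checker(maxuser - 10, 11) == EFAULT);
	ATF_CHECK(copyin_checker(maxuser - 1, 1) == 0);

	/* At and above maxuser only zero-length requests are accepted. */
	ATF_CHECK(copyin_checker(maxuser, 0) == 0);
	ATF_CHECK(copyin_checker(maxuser, 1) == EFAULT);
	ATF_CHECK(copyin_checker(maxuser, 2) == EFAULT);
	ATF_CHECK(copyin_checker(maxuser + 1, 0) == 0);
	ATF_CHECK(copyin_checker(maxuser + 1, 2) == EFAULT);

	/*
	 * Ranges next to the end of the address type; with length 11 the
	 * end address FMAX - 10 + 11 no longer fits in an unsigned long.
	 */
	ATF_CHECK(copyin_checker(FMAX - 10, 9) == EFAULT);
	ATF_CHECK(copyin_checker(FMAX - 10, 10) == EFAULT);
	ATF_CHECK(copyin_checker(FMAX - 10, 11) == EFAULT);
#if __SIZEOF_POINTER__ == 8
	/* PR 257193: both probes must refuse the high-bit-set address. */
	ATF_CHECK(copyin_checker(ADDR_SIGNED, 1) == EFAULT);
	ATF_CHECK(copyin_checker2(ADDR_SIGNED) == EFAULT);
#endif

	/*
	 * Unmap with the length that was mapped: the mapping was created with
	 * the run-time page_size, not the compile-time PAGE_SIZE constant.
	 */
	if (addr != MAP_FAILED)
		munmap(addr, page_size);
}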
1493b624bd6SKonstantin Belousov 
/* Test program entry: register kern_copyin as the only test case. */
ATF_TP_ADD_TCS(tp)
{
	ATF_TP_ADD_TC(tp, kern_copyin);

	return (atf_no_error());
}