1 /*- 2 * Copyright (c) 2009 Simon L. Nielsen <simon@FreeBSD.org>, 3 * Bjoern A. Zeeb <bz@FreeBSD.org> 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD$ 27 */ 28 29 #include <sys/param.h> 30 #include <sys/mman.h> 31 #include <sys/sysctl.h> 32 33 #include <atf-c.h> 34 #include <errno.h> 35 #include <fcntl.h> 36 #include <stdarg.h> 37 #include <stdbool.h> 38 #include <stdio.h> 39 #include <stdlib.h> 40 41 static const struct { 42 void *addr; 43 int ok[2]; /* Depending on security.bsd.map_at_zero {0, !=0}. */ 44 } map_at_zero_tests[] = { 45 { (void *)0, { 0, 1 } }, /* Test sysctl. */ 46 { (void *)1, { 0, 0 } }, 47 { (void *)(PAGE_SIZE - 1), { 0, 0 } }, 48 { (void *)PAGE_SIZE, { 1, 1 } }, 49 { (void *)-1, { 0, 0 } }, 50 { (void *)(-PAGE_SIZE), { 0, 0 } }, 51 { (void *)(-1 - PAGE_SIZE), { 0, 0 } }, 52 { (void *)(-1 - PAGE_SIZE - 1), { 0, 0 } }, 53 { (void *)(0x1000 * PAGE_SIZE), { 1, 1 } }, 54 }; 55 56 #define MAP_AT_ZERO "security.bsd.map_at_zero" 57 58 #ifdef __LP64__ 59 #define ALLOW_WX "kern.elf64.allow_wx" 60 #else 61 #define ALLOW_WX "kern.elf32.allow_wx" 62 #endif 63 64 ATF_TC_WITHOUT_HEAD(mmap__map_at_zero); 65 ATF_TC_BODY(mmap__map_at_zero, tc) 66 { 67 void *p; 68 size_t len; 69 unsigned int i; 70 int map_at_zero; 71 bool allow_wx; 72 int prot_flags; 73 74 len = sizeof(map_at_zero); 75 if (sysctlbyname(MAP_AT_ZERO, &map_at_zero, &len, NULL, 0) == -1) { 76 atf_tc_skip("sysctl for %s failed: %s\n", MAP_AT_ZERO, 77 strerror(errno)); 78 return; 79 } 80 81 len = sizeof(allow_wx); 82 if (sysctlbyname(ALLOW_WX, &allow_wx, &len, NULL, 0) == -1) { 83 if (errno == ENOENT) { 84 /* Allow W+X if sysctl isn't present */ 85 allow_wx = true; 86 } else { 87 atf_tc_skip("sysctl for %s failed: %s\n", ALLOW_WX, 88 strerror(errno)); 89 return; 90 } 91 } 92 93 /* Normalize to 0 or 1 for array access. */ 94 map_at_zero = !!map_at_zero; 95 96 for (i = 0; i < nitems(map_at_zero_tests); i++) { 97 prot_flags = PROT_READ | PROT_WRITE; 98 if (allow_wx) 99 prot_flags |= PROT_EXEC; 100 p = mmap((void *)map_at_zero_tests[i].addr, PAGE_SIZE, 101 prot_flags, MAP_ANON | MAP_FIXED, -1, 0); 102 if (p == MAP_FAILED) { 103 ATF_CHECK_MSG(map_at_zero_tests[i].ok[map_at_zero] == 0, 104 "mmap(%p, ...) failed", map_at_zero_tests[i].addr); 105 } else { 106 ATF_CHECK_MSG(map_at_zero_tests[i].ok[map_at_zero] == 1, 107 "mmap(%p, ...) succeeded: p=%p\n", 108 map_at_zero_tests[i].addr, p); 109 } 110 } 111 } 112 113 static void 114 checked_mmap(int prot, int flags, int fd, int error, const char *msg) 115 { 116 void *p; 117 int pagesize; 118 119 ATF_REQUIRE((pagesize = getpagesize()) > 0); 120 p = mmap(NULL, pagesize, prot, flags, fd, 0); 121 if (p == MAP_FAILED) { 122 if (error == 0) 123 ATF_CHECK_MSG(0, "%s failed with errno %d", msg, 124 errno); 125 else 126 ATF_CHECK_EQ_MSG(error, errno, 127 "%s failed with wrong errno %d (expected %d)", msg, 128 errno, error); 129 } else { 130 ATF_CHECK_MSG(error == 0, "%s succeeded", msg); 131 munmap(p, pagesize); 132 } 133 } 134 135 ATF_TC_WITHOUT_HEAD(mmap__bad_arguments); 136 ATF_TC_BODY(mmap__bad_arguments, tc) 137 { 138 int devstatfd, pagesize, shmfd, zerofd; 139 140 ATF_REQUIRE((pagesize = getpagesize()) > 0); 141 ATF_REQUIRE((devstatfd = open("/dev/devstat", O_RDONLY)) >= 0); 142 ATF_REQUIRE((shmfd = shm_open(SHM_ANON, O_RDWR, 0644)) >= 0); 143 ATF_REQUIRE(ftruncate(shmfd, pagesize) == 0); 144 ATF_REQUIRE((zerofd = open("/dev/zero", O_RDONLY)) >= 0); 145 146 /* These should work. */ 147 checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON, -1, 0, 148 "simple MAP_ANON"); 149 checked_mmap(PROT_READ | PROT_WRITE, MAP_SHARED, shmfd, 0, 150 "simple shm fd shared"); 151 checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE, shmfd, 0, 152 "simple shm fd private"); 153 checked_mmap(PROT_READ, MAP_SHARED, zerofd, 0, 154 "simple /dev/zero shared"); 155 checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE, zerofd, 0, 156 "simple /dev/zero private"); 157 checked_mmap(PROT_READ, MAP_SHARED, devstatfd, 0, 158 "simple /dev/devstat shared"); 159 160 /* Extra PROT flags. */ 161 checked_mmap(PROT_READ | PROT_WRITE | 0x100000, MAP_ANON, -1, EINVAL, 162 "MAP_ANON with extra PROT flags"); 163 checked_mmap(0xffff, MAP_SHARED, shmfd, EINVAL, 164 "shm fd with garbage PROT"); 165 166 /* Undefined flag. */ 167 checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_RESERVED0080, -1, 168 EINVAL, "Undefined flag"); 169 170 /* Both MAP_SHARED and MAP_PRIVATE */ 171 checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | 172 MAP_SHARED, -1, EINVAL, "MAP_ANON with both SHARED and PRIVATE"); 173 checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_SHARED, shmfd, 174 EINVAL, "shm fd with both SHARED and PRIVATE"); 175 176 /* At least one of MAP_SHARED or MAP_PRIVATE without ANON */ 177 checked_mmap(PROT_READ | PROT_WRITE, 0, shmfd, EINVAL, 178 "shm fd without sharing flag"); 179 180 /* MAP_ANON with either sharing flag (impacts fork). */ 181 checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0, 182 "shared MAP_ANON"); 183 checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0, 184 "private MAP_ANON"); 185 186 /* MAP_ANON should require an fd of -1. */ 187 checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, 0, EINVAL, 188 "MAP_ANON with fd != -1"); 189 190 /* Writable MAP_SHARED should fail on read-only descriptors. */ 191 checked_mmap(PROT_READ | PROT_WRITE, MAP_SHARED, zerofd, EACCES, 192 "MAP_SHARED of read-only /dev/zero"); 193 194 /* 195 * Character devices other than /dev/zero do not support private 196 * mappings. 197 */ 198 checked_mmap(PROT_READ, MAP_PRIVATE, devstatfd, EINVAL, 199 "MAP_PRIVATE of /dev/devstat"); 200 201 close(devstatfd); 202 close(shmfd); 203 close(zerofd); 204 } 205 206 ATF_TC_WITHOUT_HEAD(mmap__dev_zero_private); 207 ATF_TC_BODY(mmap__dev_zero_private, tc) 208 { 209 char *p1, *p2, *p3; 210 int fd, i, pagesize; 211 212 ATF_REQUIRE((pagesize = getpagesize()) > 0); 213 ATF_REQUIRE((fd = open("/dev/zero", O_RDONLY)) >= 0); 214 215 p1 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); 216 ATF_REQUIRE(p1 != MAP_FAILED); 217 218 p2 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); 219 ATF_REQUIRE(p2 != MAP_FAILED); 220 221 for (i = 0; i < pagesize; i++) 222 ATF_REQUIRE_EQ_MSG(0, p1[i], "byte at p1[%d] is %x", i, p1[i]); 223 224 ATF_REQUIRE(memcmp(p1, p2, pagesize) == 0); 225 226 p1[0] = 1; 227 228 ATF_REQUIRE(p2[0] == 0); 229 230 p2[0] = 2; 231 232 ATF_REQUIRE(p1[0] == 1); 233 234 p3 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); 235 ATF_REQUIRE(p3 != MAP_FAILED); 236 237 ATF_REQUIRE(p3[0] == 0); 238 239 munmap(p1, pagesize); 240 munmap(p2, pagesize); 241 munmap(p3, pagesize); 242 close(fd); 243 } 244 245 ATF_TC_WITHOUT_HEAD(mmap__dev_zero_shared); 246 ATF_TC_BODY(mmap__dev_zero_shared, tc) 247 { 248 char *p1, *p2, *p3; 249 int fd, i, pagesize; 250 251 ATF_REQUIRE((pagesize = getpagesize()) > 0); 252 ATF_REQUIRE((fd = open("/dev/zero", O_RDWR)) >= 0); 253 254 p1 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); 255 ATF_REQUIRE(p1 != MAP_FAILED); 256 257 p2 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); 258 ATF_REQUIRE(p2 != MAP_FAILED); 259 260 for (i = 0; i < pagesize; i++) 261 ATF_REQUIRE_EQ_MSG(0, p1[i], "byte at p1[%d] is %x", i, p1[i]); 262 263 ATF_REQUIRE(memcmp(p1, p2, pagesize) == 0); 264 265 p1[0] = 1; 266 267 ATF_REQUIRE(p2[0] == 0); 268 269 p2[0] = 2; 270 271 ATF_REQUIRE(p1[0] == 1); 272 273 p3 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 274 0); 275 ATF_REQUIRE(p3 != MAP_FAILED); 276 277 ATF_REQUIRE(p3[0] == 0); 278 279 munmap(p1, pagesize); 280 munmap(p2, pagesize); 281 munmap(p3, pagesize); 282 close(fd); 283 } 284 285 ATF_TC_WITHOUT_HEAD(mmap__write_only); 286 ATF_TC_BODY(mmap__write_only, tc) 287 { 288 void *p; 289 int pagesize; 290 291 ATF_REQUIRE((pagesize = getpagesize()) > 0); 292 p = mmap(NULL, pagesize, PROT_WRITE, MAP_ANON, -1, 0); 293 ATF_REQUIRE(p != MAP_FAILED); 294 295 *(volatile uint32_t *)p = 0x12345678; 296 297 munmap(p, pagesize); 298 } 299 300 ATF_TP_ADD_TCS(tp) 301 { 302 303 ATF_TP_ADD_TC(tp, mmap__map_at_zero); 304 ATF_TP_ADD_TC(tp, mmap__bad_arguments); 305 ATF_TP_ADD_TC(tp, mmap__dev_zero_private); 306 ATF_TP_ADD_TC(tp, mmap__dev_zero_shared); 307 ATF_TP_ADD_TC(tp, mmap__write_only); 308 309 return (atf_no_error()); 310 } 311