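/*-
 * Copyright (c) 2009 Simon L. Nielsen <simon@FreeBSD.org>,
 * Bjoern A. Zeeb <bz@FreeBSD.org>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * ATF regression tests for mmap(2): placement of fixed mappings near
 * address zero and the top of the address space, rejection of malformed
 * prot/flags/fd combinations, /dev/zero mapping semantics, write-only
 * mappings, and enforcement of PROT_MAX() by mprotect(2).
 */

#include <sys/param.h>
#include <sys/mman.h>
#include <sys/sysctl.h>

#include <atf-c.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>	/* uint32_t */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>	/* memcmp(), strerror() */
#include <unistd.h>	/* close(), ftruncate(), getpagesize() */

/* Sysctl read by mmap__map_at_zero to learn whether address 0 is mappable. */
#define	MAP_AT_ZERO	"security.bsd.map_at_zero"

/*
 * Sysctl read to decide whether PROT_EXEC may be requested together with
 * PROT_WRITE; the name depends on the word size of the test binary.
 */
#ifdef __LP64__
#define	ALLOW_WX	"kern.elf64.allow_wx"
#else
#define	ALLOW_WX	"kern.elf32.allow_wx"
#endif

/*
 * Check which fixed addresses mmap(2) accepts.
 *
 * Mapping page zero is the security-relevant case: when user space cannot
 * place memory at address 0, a kernel NULL-pointer dereference cannot land
 * in data the process controls.  The table therefore expects address 0 to
 * be mappable only when security.bsd.map_at_zero is non-zero, and expects
 * every other entry to behave the same for both settings.
 *
 * The test is skipped when either sysctl cannot be read, except that a
 * missing allow_wx sysctl (ENOENT) is treated as "W+X allowed".
 */
ATF_TC_WITHOUT_HEAD(mmap__map_at_zero);
ATF_TC_BODY(mmap__map_at_zero, tc)
{
	void *p;
	size_t len;
	unsigned int i;
	int map_at_zero;
	bool allow_wx;
	int prot_flags;
	size_t pgsz = getpagesize();

	/*
	 * Negative values are converted to size_t, so they denote addresses
	 * just below the top of the address space.
	 */
	const struct {
		void	*addr;
		int	ok[2];	/* Depending on security.bsd.map_at_zero {0, !=0}. */
	} map_at_zero_tests[] = {
		{ (void *)0,			{ 0, 1 } }, /* Test sysctl. */
		{ (void *)1,			{ 0, 0 } },
		{ (void *)(pgsz - 1),		{ 0, 0 } },
		{ (void *)pgsz,			{ 1, 1 } },
		{ (void *)-1,			{ 0, 0 } },
		{ (void *)(-pgsz),		{ 0, 0 } },
		{ (void *)(-1 - pgsz),		{ 0, 0 } },
		{ (void *)(-1 - pgsz - 1),	{ 0, 0 } },
		{ (void *)(0x1000 * pgsz),	{ 1, 1 } },
	};

	len = sizeof(map_at_zero);
	if (sysctlbyname(MAP_AT_ZERO, &map_at_zero, &len, NULL, 0) == -1) {
		atf_tc_skip("sysctl for %s failed: %s\n", MAP_AT_ZERO,
		    strerror(errno));
		return;
	}

	len = sizeof(allow_wx);
	if (sysctlbyname(ALLOW_WX, &allow_wx, &len, NULL, 0) == -1) {
		if (errno == ENOENT) {
			/* Allow W+X if sysctl isn't present */
			allow_wx = true;
		} else {
			atf_tc_skip("sysctl for %s failed: %s\n", ALLOW_WX,
			    strerror(errno));
			return;
		}
	}

	/* Normalize to 0 or 1 for array access. */
	map_at_zero = !!map_at_zero;

	for (i = 0; i < nitems(map_at_zero_tests); i++) {
		/*
		 * Only ask for an executable mapping when W+X is permitted,
		 * so a W^X policy does not make every entry fail.
		 */
		prot_flags = PROT_READ | PROT_WRITE;
		if (allow_wx)
			prot_flags |= PROT_EXEC;
		/*
		 * The length is the same runtime page size the table was
		 * built from, rather than the compile-time PAGE_SIZE, so the
		 * two cannot disagree.  Successful mappings are not unmapped;
		 * they are released when the test process exits.
		 */
		p = mmap((void *)map_at_zero_tests[i].addr, pgsz,
		    prot_flags, MAP_ANON | MAP_FIXED, -1, 0);
		if (p == MAP_FAILED) {
			ATF_CHECK_MSG(map_at_zero_tests[i].ok[map_at_zero] == 0,
			    "mmap(%p, ...) failed", map_at_zero_tests[i].addr);
		} else {
			ATF_CHECK_MSG(map_at_zero_tests[i].ok[map_at_zero] == 1,
			    "mmap(%p, ...) succeeded: p=%p\n",
			    map_at_zero_tests[i].addr, p);
		}
	}
}

/*
 * Map one page at a kernel-chosen address and check the outcome.
 *
 * prot, flags and fd are passed to mmap(2) unchanged.  error is the errno
 * the call must fail with, or 0 when the call must succeed.  msg names the
 * case in failure reports.  A mapping that was created is unmapped again.
 */
static void
checked_mmap(int prot, int flags, int fd, int error, const char *msg)
{
	void *p;
	int pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);
	p = mmap(NULL, pagesize, prot, flags, fd, 0);
	if (p == MAP_FAILED) {
		if (error == 0)
			ATF_CHECK_MSG(0, "%s failed with errno %d", msg,
			    errno);
		else
			ATF_CHECK_EQ_MSG(error, errno,
			    "%s failed with wrong errno %d (expected %d)", msg,
			    errno, error);
	} else {
		ATF_CHECK_MSG(error == 0, "%s succeeded", msg);
		munmap(p, pagesize);
	}
}

/*
 * Argument validation: well-formed requests must succeed and malformed
 * prot/flags/fd combinations must be rejected with the documented errno
 * instead of being silently accepted.
 */
ATF_TC_WITHOUT_HEAD(mmap__bad_arguments);
ATF_TC_BODY(mmap__bad_arguments, tc)
{
	int devstatfd, pagesize, shmfd, zerofd;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);
	ATF_REQUIRE((devstatfd = open("/dev/devstat", O_RDONLY)) >= 0);
	ATF_REQUIRE((shmfd = shm_open(SHM_ANON, O_RDWR, 0644)) >= 0);
	ATF_REQUIRE(ftruncate(shmfd, pagesize) == 0);
	ATF_REQUIRE((zerofd = open("/dev/zero", O_RDONLY)) >= 0);

	/* These should work. */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON, -1, 0,
	    "simple MAP_ANON");
	checked_mmap(PROT_READ | PROT_WRITE, MAP_SHARED, shmfd, 0,
	    "simple shm fd shared");
	checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE, shmfd, 0,
	    "simple shm fd private");
	checked_mmap(PROT_READ, MAP_SHARED, zerofd, 0,
	    "simple /dev/zero shared");
	checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE, zerofd, 0,
	    "simple /dev/zero private");
	checked_mmap(PROT_READ, MAP_SHARED, devstatfd, 0,
	    "simple /dev/devstat shared");

	/* Extra PROT flags. */
	checked_mmap(PROT_READ | PROT_WRITE | 0x100000, MAP_ANON, -1, EINVAL,
	    "MAP_ANON with extra PROT flags");
	checked_mmap(0xffff, MAP_SHARED, shmfd, EINVAL,
	    "shm fd with garbage PROT");

	/* Undefined flag. */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_RESERVED0080, -1,
	    EINVAL, "Undefined flag");

	/* Both MAP_SHARED and MAP_PRIVATE */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE |
	    MAP_SHARED, -1, EINVAL, "MAP_ANON with both SHARED and PRIVATE");
	checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_SHARED, shmfd,
	    EINVAL, "shm fd with both SHARED and PRIVATE");

	/* At least one of MAP_SHARED or MAP_PRIVATE without ANON */
	checked_mmap(PROT_READ | PROT_WRITE, 0, shmfd, EINVAL,
	    "shm fd without sharing flag");

	/* MAP_ANON with either sharing flag (impacts fork). */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0,
	    "shared MAP_ANON");
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0,
	    "private MAP_ANON");

	/* MAP_ANON should require an fd of -1. */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, 0, EINVAL,
	    "MAP_ANON with fd != -1");

	/*
	 * Writable MAP_SHARED should fail on read-only descriptors: a shared
	 * writable mapping would otherwise bypass the descriptor's open mode.
	 */
	checked_mmap(PROT_READ | PROT_WRITE, MAP_SHARED, zerofd, EACCES,
	    "MAP_SHARED of read-only /dev/zero");

	/*
	 * Character devices other than /dev/zero do not support private
	 * mappings.
	 */
	checked_mmap(PROT_READ, MAP_PRIVATE, devstatfd, EINVAL,
	    "MAP_PRIVATE of /dev/devstat");

	close(devstatfd);
	close(shmfd);
	close(zerofd);
}

/*
 * Private mappings of /dev/zero start zero-filled and are independent of
 * each other: a store through one mapping must not be visible through
 * another, and a mapping created afterwards must again read as zero.
 */
ATF_TC_WITHOUT_HEAD(mmap__dev_zero_private);
ATF_TC_BODY(mmap__dev_zero_private, tc)
{
	char *p1, *p2, *p3;
	int fd, i, pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);
	/* A read-only descriptor suffices for a writable private mapping. */
	ATF_REQUIRE((fd = open("/dev/zero", O_RDONLY)) >= 0);

	p1 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	ATF_REQUIRE(p1 != MAP_FAILED);

	p2 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	ATF_REQUIRE(p2 != MAP_FAILED);

	for (i = 0; i < pagesize; i++)
		ATF_REQUIRE_EQ_MSG(0, p1[i], "byte at p1[%d] is %x", i, p1[i]);

	ATF_REQUIRE(memcmp(p1, p2, pagesize) == 0);

	p1[0] = 1;

	ATF_REQUIRE(p2[0] == 0);

	p2[0] = 2;

	ATF_REQUIRE(p1[0] == 1);

	/* A mapping made after the stores must not observe them. */
	p3 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	ATF_REQUIRE(p3 != MAP_FAILED);

	ATF_REQUIRE(p3[0] == 0);

	munmap(p1, pagesize);
	munmap(p2, pagesize);
	munmap(p3, pagesize);
	close(fd);
}

/*
 * Same checks as mmap__dev_zero_private, but with MAP_SHARED on a
 * read-write descriptor: each mmap() of /dev/zero is still required to
 * yield its own zero-filled memory, so stores through one mapping must not
 * show up in the others.
 */
ATF_TC_WITHOUT_HEAD(mmap__dev_zero_shared);
ATF_TC_BODY(mmap__dev_zero_shared, tc)
{
	char *p1, *p2, *p3;
	int fd, i, pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);
	ATF_REQUIRE((fd = open("/dev/zero", O_RDWR)) >= 0);

	p1 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	ATF_REQUIRE(p1 != MAP_FAILED);

	p2 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	ATF_REQUIRE(p2 != MAP_FAILED);

	for (i = 0; i < pagesize; i++)
		ATF_REQUIRE_EQ_MSG(0, p1[i], "byte at p1[%d] is %x", i, p1[i]);

	ATF_REQUIRE(memcmp(p1, p2, pagesize) == 0);

	p1[0] = 1;

	ATF_REQUIRE(p2[0] == 0);

	p2[0] = 2;

	ATF_REQUIRE(p1[0] == 1);

	/* A mapping made after the stores must not observe them. */
	p3 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd,
	    0);
	ATF_REQUIRE(p3 != MAP_FAILED);

	ATF_REQUIRE(p3[0] == 0);

	munmap(p1, pagesize);
	munmap(p2, pagesize);
	munmap(p3, pagesize);
	close(fd);
}

/*
 * A mapping requested with PROT_WRITE alone must accept a store.  The
 * volatile access keeps the compiler from eliding the write.
 */
ATF_TC_WITHOUT_HEAD(mmap__write_only);
ATF_TC_BODY(mmap__write_only, tc)
{
	void *p;
	int pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);
	p = mmap(NULL, pagesize, PROT_WRITE, MAP_ANON, -1, 0);
	ATF_REQUIRE(p != MAP_FAILED);

	*(volatile uint32_t *)p = 0x12345678;

	munmap(p, pagesize);
}

/*
 * PROT_MAX(PROT_READ) caps the protections an anonymous mapping may later
 * be given: every mprotect(2) request that adds write or execute access
 * must fail with EACCES.
 */
ATF_TC_WITHOUT_HEAD(mmap__maxprot_basic);
ATF_TC_BODY(mmap__maxprot_basic, tc)
{
	void *p;
	int error, pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);

	p = mmap(NULL, pagesize, PROT_READ | PROT_MAX(PROT_READ),
	    MAP_ANON, -1, 0);
	ATF_REQUIRE(p != MAP_FAILED);

	error = mprotect(p, pagesize, PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_EXEC);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);

	ATF_REQUIRE(munmap(p, pagesize) == 0);
}

/*
 * Make sure that PROT_MAX applies as expected to mappings of shm objects.
 * The descriptor is opened O_RDWR, so the refusals checked here come from
 * the PROT_MAX cap and not from the descriptor's access mode.
 */
ATF_TC_WITHOUT_HEAD(mmap__maxprot_shm);
ATF_TC_BODY(mmap__maxprot_shm, tc)
{
	void *p;
	int error, fd, pagesize;

	ATF_REQUIRE((pagesize = getpagesize()) > 0);

	fd = shm_open(SHM_ANON, O_RDWR, 0644);
	ATF_REQUIRE(fd >= 0);

	error = ftruncate(fd, pagesize);
	ATF_REQUIRE(error == 0);

	p = mmap(NULL, pagesize, PROT_READ | PROT_MAX(PROT_READ),
	    MAP_PRIVATE, fd, 0);
	ATF_REQUIRE(p != MAP_FAILED);

	error = mprotect(p, pagesize, PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_EXEC);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);

	ATF_REQUIRE(munmap(p, pagesize) == 0);

	/* Again, this time with a shared mapping. */
	p = mmap(NULL, pagesize, PROT_READ | PROT_MAX(PROT_READ),
	    MAP_SHARED, fd, 0);
	ATF_REQUIRE(p != MAP_FAILED);

	error = mprotect(p, pagesize, PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_WRITE);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);
	error = mprotect(p, pagesize, PROT_READ | PROT_EXEC);
	ATF_REQUIRE_ERRNO(EACCES, error == -1);

	ATF_REQUIRE(munmap(p, pagesize) == 0);

	ATF_REQUIRE(close(fd) == 0);
}

/* Register every test case of this file with the ATF test program. */
ATF_TP_ADD_TCS(tp)
{
	ATF_TP_ADD_TC(tp, mmap__map_at_zero);
	ATF_TP_ADD_TC(tp, mmap__bad_arguments);
	ATF_TP_ADD_TC(tp, mmap__dev_zero_private);
	ATF_TP_ADD_TC(tp, mmap__dev_zero_shared);
	ATF_TP_ADD_TC(tp, mmap__write_only);
	ATF_TP_ADD_TC(tp, mmap__maxprot_basic);
	ATF_TP_ADD_TC(tp, mmap__maxprot_shm);

	return (atf_no_error());
}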