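#!/bin/sh

# Test scenario from:
# Bug 272585 - calling mprotect in an mmap-ed stack can affect non-target pages
# Test scenario by: John F. Carr <jfc mit edu>
#
# The embedded C program maps an anonymous stack-style region, makes a single
# page inside it PROT_NONE, and then reads the byte just below that page.
# The script exits with the program's status, so a fault on that read
# (a non-target page having lost its permissions) shows up as a non-zero exit.

. ../default.cfg
set -u
prog=$(basename "$0" .sh)

# Build and run in a private directory instead of fixed names under /tmp.
# A predictable /tmp/$prog.c or /tmp/$prog can be pre-created by another local
# user (for example as a symlink) before this script writes to or executes it;
# mktemp -d creates a fresh directory that only the invoking user can access.
workdir=$(mktemp -d "/tmp/$prog.XXXXXX") || exit 1

# The delimiter is quoted so the shell copies the C source verbatim and never
# performs parameter or command expansion on it.
cat > "$workdir/$prog.c" <<'EOF'
/* Test program from:
   Bug 272585 - calling mprotect in an mmap-ed stack can affect non-target pages
 */
#include <err.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sysexits.h>
#include <unistd.h>

/* Fall back to 0 (no effect on the flag word) where a flag is not defined. */
#ifndef MAP_GROWSDOWN
#define MAP_GROWSDOWN 0
#endif
#ifndef MAP_STACK
#define MAP_STACK 0
#endif

int main(void)
{
	long pagesize;
	char *addr, *guard;
	size_t alloc_size;

	pagesize = sysconf(_SC_PAGESIZE);
	if (pagesize < 0)
		err(EX_OSERR, "getPAGESIZE");

	/* 2 MiB plus one page. */
	alloc_size = 0x200000 + pagesize;

	addr = mmap(0, alloc_size, PROT_READ|PROT_WRITE,
		    MAP_GROWSDOWN|MAP_STACK|MAP_PRIVATE|MAP_ANONYMOUS,
		    -1, 0);
	if (addr == MAP_FAILED) {
		err(EX_OSERR, "mmap");
	}

	/* Only 0x20 causes a failure. */
	guard = addr + alloc_size - 0x20 * pagesize;

	/* Revoke access to exactly one page, 0x20 pages below the top. */
	if (mprotect(guard, pagesize, PROT_NONE)) {
		err(EX_OSERR, "mprotect");
	}

	/* Flush before the probe so the addresses are reported even if it faults. */
	printf("mapped %p..%p, guard at %p\n", addr, addr + alloc_size, guard);
	fflush(stdout);

	/*
	 * Read the last byte of the page below the protected one.  That page
	 * was not passed to mprotect(), so the read is expected to succeed.
	 * The volatile cast keeps the otherwise unused load from being dropped.
	 */
	((volatile char *)guard)[-1];

	return 0;
}
EOF

# mycc is not defined in this file; presumably ../default.cfg provides it.
# A build failure exits 0, i.e. the test is reported as not failed.
# NOTE(review): looks like an intentional "skip if it cannot be built" - confirm.
mycc -o "$workdir/$prog" -Wall -Wextra -O0 "$workdir/$prog.c" || {
	rm -rf "$workdir"
	exit 0
}

# Run from inside the private directory (in a subshell, so the caller's working
# directory is untouched); a $prog.core written to the current directory is
# then removed together with it.
(cd "$workdir" && "./$prog"); s=$?

rm -rf "$workdir"
exit $s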