1 /*
2  * Copyright (c) 2014 Fujitsu Ltd.
3  * Author: Xing Gu <gux.fnst@cn.fujitsu.com>
4  *
5  * This program is free software; you can redistribute it and/or modify it
6  * under the terms of version 2 of the GNU General Public License as
7  * published by the Free Software Foundation.
8  *
9  * This program is distributed in the hope that it would be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
12  *
13  * You should have received a copy of the GNU General Public License along
14  * with this program; if not, write the Free Software Foundation, Inc.,
15  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
16  */
/*
 * Description:
 *   Verify that,
 *   1) mprotect() successfully sets a region of memory to no access when
 *      'prot' is PROT_NONE; an attempt to access the contents of the
 *      region then raises SIGSEGV.
 *   2) mprotect() successfully makes a region of memory executable when
 *      'prot' is PROT_EXEC.
 */
26 
27 #include "config.h"
28 #include <signal.h>
29 #include <setjmp.h>
30 #include <sys/types.h>
31 #include <sys/stat.h>
32 #include <fcntl.h>
33 #include <unistd.h>
34 #include <errno.h>
35 #include <string.h>
36 #include <sys/mman.h>
37 #include <stdlib.h>
38 
39 #include "test.h"
40 #include "safe_macros.h"
41 
/* Signal handler and harness hooks. */
static void sighandler(int sig);
static void setup(void);
static void cleanup(void);

/* Test cases; main() runs them in table order. */
static void testfunc_protnone(void);
static void testfunc_protexec(void);

static void (*testfunc[])(void) = { testfunc_protnone, testfunc_protexec };

char *TCID = "mprotect04";
int TST_TOTAL = ARRAY_SIZE(testfunc);

/*
 * Number of the signal recorded by sighandler(); each test case resets it
 * to 0 before its probe, so 0 afterwards means no signal was caught.
 */
static volatile int sig_caught;
/* Jump buffer armed with sigsetjmp() right before each probed access. */
static sigjmp_buf env;
/* Page size, set once in setup() from getpagesize(). */
static unsigned int page_sz;
/* Type used to call the copied function. */
typedef void (*func_ptr_t)(void);
60 
/*
 * Entry point: parse the harness options, run setup(), then call every
 * entry of testfunc[] once per TEST_LOOPING() iteration, and finish with
 * cleanup() and tst_exit().
 */
int main(int ac, char **av)
{
	int iter;
	int tc;

	tst_parse_opts(ac, av, NULL, NULL);

	setup();

	iter = 0;
	while (TEST_LOOPING(iter)) {
		/* Restart the per-iteration test-case counter. */
		tst_count = 0;

		for (tc = 0; tc < TST_TOTAL; tc++)
			testfunc[tc]();

		iter++;
	}

	cleanup();
	tst_exit();
}
80 
/*
 * Signal handler registered through tst_sig() in setup().
 *
 * Records the signal number in sig_caught and resumes execution at the most
 * recent sigsetjmp(env, 1), which then returns 1.
 *
 * NOTE(review): env is armed only by the sigsetjmp() calls inside the two
 * test functions. A signal delivered at any other time (before the first
 * sigsetjmp(), or after the function that armed env has returned) would
 * jump through an unset or stale buffer, which is undefined behaviour.
 * Which signals tst_sig() routes here is not visible in this file - confirm.
 */
static void sighandler(int sig)
{
	sig_caught = sig;
	siglongjmp(env, 1);
}
86 
/*
 * One-time initialisation: cache the page size, call tst_tmpdir()
 * (presumably creates and enters the temporary directory that cleanup()
 * removes - confirm against the harness), and register sighandler() and
 * cleanup() with tst_sig().
 */
static void setup(void)
{
	page_sz = getpagesize();

	tst_tmpdir();
	tst_sig(NOFORK, sighandler, cleanup);

	TEST_PAUSE;
}
95 
/*
 * Test case 1: a page switched to PROT_NONE must fault on access.
 *
 * Maps one anonymous read/write page, drops all access with mprotect(),
 * then stores one byte into it under sigsetjmp(). The expected outcome is
 * that sighandler() records SIGSEGV; a store that completes without a
 * signal means the protection was not enforced and is reported as TFAIL.
 */
static void testfunc_protnone(void)
{
	char *region;
	int caught;

	sig_caught = 0;

	region = SAFE_MMAP(cleanup, 0, page_sz, PROT_READ | PROT_WRITE,
			   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

	/* Revoke every access right on the page. */
	TEST(mprotect(region, page_sz, PROT_NONE));

	if (TEST_RETURN == -1) {
		tst_resm(TFAIL | TTERRNO, "mprotect failed");
		goto unmap;
	}

	/* Direct return arms env; the store is skipped after siglongjmp(). */
	if (sigsetjmp(env, 1) == 0)
		region[0] = 1;

	caught = sig_caught;
	if (caught == SIGSEGV) {
		tst_resm(TPASS, "test PROT_NONE for mprotect success");
	} else if (caught == 0) {
		tst_resm(TFAIL, "test PROT_NONE for mprotect failed");
	} else {
		tst_brkm(TBROK, cleanup,
			 "received an unexpected signal: %d",
			 sig_caught);
	}

unmap:
	SAFE_MUNMAP(cleanup, region, page_sz);
}
130 
131 #ifdef __ia64__
132 
/*
 * Hand-assembled ia64 instruction bundle (two nops and a return). These
 * bytes are what get_func() copies into the test mapping.
 */
static char exec_func[] __attribute__ ((aligned (64))) = {
	0x11, 0x00, 0x00, 0x00, 0x01, 0x00, /* nop.m 0x0             */
	0x00, 0x00, 0x00, 0x02, 0x00, 0x80, /* nop.i 0x0             */
	0x08, 0x00, 0x84, 0x00,             /* br.ret.sptk.many b0;; */
};

/* Descriptor that get_func() fills in and returns for the copied code. */
struct func_desc {
	uint64_t func_addr;	/* address of the copied code */
	uint64_t glob_pointer;	/* get_func() sets this to 0 */
};
143 
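/*
 * ia64 variant: copy the exec_func instruction bundle to the start of 'mem'
 * and return a pointer to a static descriptor that refers to the copy.
 *
 * The signature matches the non-ia64 get_func() because testfunc_protexec()
 * calls get_func(p, &func_page_offset) on every architecture and then reads
 * func_page_offset; with the former one-parameter definition that call did
 * not match the definition and the offset was never set.
 *
 * mem:              writable buffer of at least sizeof(exec_func) bytes
 * func_page_offset: receives 0, since the copy starts at the beginning of
 *                   'mem'
 *
 * The returned descriptor is a single static object, so each call
 * overwrites the result of the previous one.
 */
static __attribute__((noinline)) void *get_func(void *mem,
						uintptr_t *func_page_offset)
{
	static struct func_desc fdesc;

	memcpy(mem, exec_func, sizeof(exec_func));

	*func_page_offset = 0;

	fdesc.func_addr = (uint64_t)mem;
	fdesc.glob_pointer = 0;

	return &fdesc;
}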
155 
156 #else
157 
/*
 * Deliberately empty function. get_func() copies the page holding its code
 * into the test mapping, and testfunc_protexec() calls the copy there.
 */
static void exec_func(void)
{
}
162 
/*
 * Report whether one byte at 'p' can be read, without risking a fault in
 * this process: the byte is handed to write(2) as the source buffer, so an
 * unreadable address shows up as an EFAULT error return instead of a signal.
 *
 * Returns 1 if the write succeeded, 0 if it failed with EFAULT. Any other
 * write error breaks the test with TBROK.
 *
 * The probe file "page_present" is opened by relative path, i.e. in the
 * current working directory.
 */
static int page_present(void *p)
{
	int probe_fd = SAFE_OPEN(cleanup, "page_present", O_WRONLY|O_CREAT, 0644);

	TEST(write(probe_fd, p, 1));
	SAFE_CLOSE(cleanup, probe_fd);

	if (TEST_RETURN < 0) {
		if (TEST_ERRNO != EFAULT)
			tst_brkm(TBROK | TTERRNO, cleanup, "page_present write");
		return 0;
	}

	return 1;
}
179 
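/*
 * Flush the instruction cache for the 'len' bytes starting at 'start', so
 * that code just written there as data is what gets fetched when it is
 * executed.
 *
 * Without __builtin___clear_cache() the test cannot make that guarantee and
 * ends with TCONF.
 */
static void clear_cache(void *start, int len)
{
#if HAVE_BUILTIN_CLEAR_CACHE == 1
	/* Arithmetic on void * is a GNU extension; step in bytes via char *. */
	char *begin = start;

	__builtin___clear_cache(begin, begin + len);
#else
	tst_brkm(TCONF, cleanup,
		"compiler doesn't have __builtin___clear_cache()");
#endif
}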
189 
/*
 * Decide by ABI version, not by endianness, whether function pointers refer
 * to function descriptors: 64-bit PowerPC uses them unless _CALL_ELF is
 * defined and at least 2, and ppc64le can technically be built either way.
 */
#if defined(__powerpc64__) && (!defined(_CALL_ELF) || _CALL_ELF < 2)
#define USE_FUNCTION_DESCRIPTORS
#endif

#ifdef USE_FUNCTION_DESCRIPTORS
/* Function descriptor as read by get_func() and built by the caller. */
typedef struct {
	uintptr_t entry;	/* code address; get_func() copies its page */
	uintptr_t toc;
	uintptr_t env;
} func_descr_t;
#endif
205 
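/*
 * Copy the page that holds exec_func's code into 'mem' and return the
 * address of the copy of exec_func inside 'mem'.
 *
 * Exactly one page (getpagesize() bytes) is copied, so 'mem' must be at
 * least that large. The following page is NOT copied; instead the offset of
 * exec_func within its page is stored in *func_page_offset so the caller
 * can reject a function that sits too close to the end of the page.
 *
 * If the source page is not readable, its protection is changed to
 * PROT_READ | PROT_EXEC so it can be copied; that change is not undone
 * afterwards.
 *
 * Returns NULL, after reporting TFAIL, when that mprotect() call fails.
 */
static void *get_func(void *mem, uintptr_t *func_page_offset)
{
	/* Named differently from the file-scope page_sz to avoid shadowing. */
	const uintptr_t pg_size = getpagesize();
	const uintptr_t pg_mask = ~(pg_size - 1);
	uintptr_t entry;
	void *page_to_copy;

#ifdef USE_FUNCTION_DESCRIPTORS
	/* &exec_func is the descriptor; the code lives at its 'entry'. */
	entry = ((func_descr_t *)&exec_func)->entry;
#else
	entry = (uintptr_t)&exec_func;
#endif
	*func_page_offset = entry & (pg_size - 1);
	page_to_copy = (void *)(entry & pg_mask);

	tst_resm(TINFO, "exec_func: %p, page_to_copy: %p",
		&exec_func, page_to_copy);

	/* If the page is not accessible, we might be running on a platform
	 * that supports execute-only page access permissions, in which case
	 * we have to explicitly change access protections to allow the memory
	 * to be read. */
	if (!page_present(page_to_copy)) {
		TEST(mprotect(page_to_copy, pg_size, PROT_READ | PROT_EXEC));
		if (TEST_RETURN == -1) {
			tst_resm(TFAIL | TTERRNO,
				 "mprotect(PROT_READ|PROT_EXEC) failed");
			return NULL;
		}
		/* If the memory is still not accessible, then something must be
		 * wrong. */
		if (!page_present(page_to_copy))
			tst_brkm(TBROK, cleanup, "page_to_copy not present\n");
	}
	memcpy(mem, page_to_copy, pg_size);

	/* The copy was written as data; flush before it is executed. */
	clear_cache(mem, pg_size);

	/* Pointer to where the copy of exec_func resides (byte arithmetic). */
	return (char *)mem + *func_page_offset;
}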
253 
254 #endif
255 
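/*
 * Test case 2: a page switched to PROT_EXEC must be executable.
 *
 * Maps one anonymous read/write page, has get_func() copy exec_func's code
 * into it, then replaces the protection with PROT_EXEC alone and calls the
 * copy under sigsetjmp(). The mapping is therefore never writable and
 * executable at the same time. A clean return is TPASS; SIGSEGV is TFAIL.
 *
 * NOTE(review): a policy that forbids making previously written anonymous
 * memory executable would presumably make the mprotect(PROT_EXEC) call fail
 * and be reported here as TFAIL - check the system policy before treating
 * that as an mprotect() defect.
 */
static void testfunc_protexec(void)
{
	func_ptr_t func;
	uintptr_t func_page_offset = 0;
	void *code;
	void *p;
#ifdef USE_FUNCTION_DESCRIPTORS
	/* Zeroed so toc and env are not read uninitialised by the call. */
	func_descr_t opd = { 0 };
#endif

	sig_caught = 0;

	p = SAFE_MMAP(cleanup, 0, page_sz, PROT_READ | PROT_WRITE,
		 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

	/*
	 * Check get_func()'s own return value. With function descriptors the
	 * callable pointer is &opd, which is never NULL, so testing 'func'
	 * would let a failed get_func() go on to call through a descriptor
	 * whose entry is 0.
	 */
	code = get_func(p, &func_page_offset);
	if (!code)
		goto out;

#ifdef USE_FUNCTION_DESCRIPTORS
	opd.entry = (uintptr_t)code;
	func = (func_ptr_t)&opd;
#else
	func = (func_ptr_t)code;
#endif

	/* Only one page was copied; the function must fit inside it. */
	if (func_page_offset + 64 > page_sz) {
		SAFE_MUNMAP(cleanup, p, page_sz);
		tst_brkm(TCONF, cleanup, "func too close to page boundary, "
			"maybe your compiler ignores -falign-functions?");
	}

	/* Change the protection to PROT_EXEC. */
	TEST(mprotect(p, page_sz, PROT_EXEC));

	if (TEST_RETURN == -1) {
		tst_resm(TFAIL | TTERRNO, "mprotect failed");
	} else {
		/* Direct return arms env; the call is skipped after siglongjmp(). */
		if (sigsetjmp(env, 1) == 0)
			(*func)();

		switch (sig_caught) {
		case SIGSEGV:
			tst_resm(TFAIL, "test PROT_EXEC for mprotect failed");
			break;
		case 0:
			tst_resm(TPASS, "test PROT_EXEC for mprotect success");
			break;
		default:
			tst_brkm(TBROK, cleanup,
			         "received an unexpected signal: %d",
			         sig_caught);
		}
	}

out:
	SAFE_MUNMAP(cleanup, p, page_sz);
}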
310 
/*
 * Teardown hook: called at the end of main() and passed to tst_sig(),
 * tst_brkm() and the SAFE_* macros for their failure paths. Calls
 * tst_rmdir(), the counterpart of the tst_tmpdir() call in setup().
 */
static void cleanup(void)
{
	tst_rmdir();
}
315