1 /* $NetBSD: t_mprotect.c,v 1.3 2011/07/20 22:53:44 jym Exp $ */
2
3 /*-
4 * Copyright (c) 2011 The NetBSD Foundation, Inc.
5 * All rights reserved.
6 *
7 * This code is derived from software contributed to The NetBSD Foundation
8 * by Jukka Ruohonen.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 */
31 #include <sys/cdefs.h>
32 __RCSID("$NetBSD: t_mprotect.c,v 1.3 2011/07/20 22:53:44 jym Exp $");
33
34 #include <sys/param.h>
35 #include <sys/mman.h>
36 #include <sys/sysctl.h>
37 #include <sys/wait.h>
38
39 #include <errno.h>
40 #include <fcntl.h>
41 #include <stdlib.h>
42 #include <string.h>
43 #include <unistd.h>
44
45 #include <atf-c.h>
46
47 #ifdef __NetBSD__
48 #include "../common/exec_prot.h"
49 #endif
50
51 static long page = 0;
52 static int pax_global = -1;
53 static int pax_enabled = -1;
54 static char path[] = "mmap";
55
56 static void sighandler(int);
57 static bool paxinit(void);
58 static bool paxset(int, int);
59
60 static void
sighandler(int signo)61 sighandler(int signo)
62 {
63 _exit(signo);
64 }
65
66 static bool
paxinit(void)67 paxinit(void)
68 {
69 size_t len = sizeof(int);
70 int rv;
71
72 rv = sysctlbyname("security.pax.mprotect.global",
73 &pax_global, &len, NULL, 0);
74
75 if (rv != 0)
76 return false;
77
78 rv = sysctlbyname("security.pax.mprotect.enabled",
79 &pax_enabled, &len, NULL, 0);
80
81 if (rv != 0)
82 return false;
83
84 return paxset(1, 1);
85 }
86
87 static bool
paxset(int global,int enabled)88 paxset(int global, int enabled)
89 {
90 size_t len = sizeof(int);
91 int rv;
92
93 rv = sysctlbyname("security.pax.mprotect.global",
94 NULL, NULL, &global, len);
95
96 if (rv != 0)
97 return false;
98
99 rv = sysctlbyname("security.pax.mprotect.enabled",
100 NULL, NULL, &enabled, len);
101
102 if (rv != 0)
103 return false;
104
105 return true;
106 }
107
108
109 ATF_TC_WITH_CLEANUP(mprotect_access);
ATF_TC_HEAD(mprotect_access,tc)110 ATF_TC_HEAD(mprotect_access, tc)
111 {
112 atf_tc_set_md_var(tc, "descr", "Test for EACCES from mprotect(2)");
113 }
114
ATF_TC_BODY(mprotect_access,tc)115 ATF_TC_BODY(mprotect_access, tc)
116 {
117 int prot[2] = { PROT_NONE, PROT_READ };
118 void *map;
119 size_t i;
120 int fd;
121
122 fd = open(path, O_RDONLY | O_CREAT);
123 ATF_REQUIRE(fd >= 0);
124
125 /*
126 * The call should fail with EACCES if we try to mark
127 * a PROT_NONE or PROT_READ file/section as PROT_WRITE.
128 */
129 for (i = 0; i < __arraycount(prot); i++) {
130
131 map = mmap(NULL, page, prot[i], MAP_SHARED, fd, 0);
132
133 if (map == MAP_FAILED)
134 continue;
135
136 errno = 0;
137
138 ATF_REQUIRE(mprotect(map, page, PROT_WRITE) != 0);
139 ATF_REQUIRE(errno == EACCES);
140 ATF_REQUIRE(munmap(map, page) == 0);
141 }
142
143 ATF_REQUIRE(close(fd) == 0);
144 }
145
ATF_TC_CLEANUP(mprotect_access,tc)146 ATF_TC_CLEANUP(mprotect_access, tc)
147 {
148 (void)unlink(path);
149 }
150
151 ATF_TC(mprotect_err);
ATF_TC_HEAD(mprotect_err,tc)152 ATF_TC_HEAD(mprotect_err, tc)
153 {
154 atf_tc_set_md_var(tc, "descr", "Test error conditions of mprotect(2)");
155 }
156
ATF_TC_BODY(mprotect_err,tc)157 ATF_TC_BODY(mprotect_err, tc)
158 {
159 errno = 0;
160
161 ATF_REQUIRE(mprotect((char *)-1, 1, PROT_READ) != 0);
162 ATF_REQUIRE(errno == EINVAL);
163 }
164
165 #ifdef __NetBSD__
166 ATF_TC(mprotect_exec);
ATF_TC_HEAD(mprotect_exec,tc)167 ATF_TC_HEAD(mprotect_exec, tc)
168 {
169 atf_tc_set_md_var(tc, "descr",
170 "Test mprotect(2) executable space protections");
171 }
172
173 /*
174 * Trivial function -- should fit into a page
175 */
ATF_TC_BODY(mprotect_exec,tc)176 ATF_TC_BODY(mprotect_exec, tc)
177 {
178 pid_t pid;
179 void *map;
180 int sta, xp_support;
181
182 xp_support = exec_prot_support();
183
184 switch (xp_support) {
185 case NOTIMPL:
186 atf_tc_skip(
187 "Execute protection callback check not implemented");
188 break;
189 case NO_XP:
190 atf_tc_skip(
191 "Host does not support executable space protection");
192 break;
193 case PARTIAL_XP: case PERPAGE_XP: default:
194 break;
195 }
196
197 /*
198 * Map a page read/write and copy a trivial assembly function inside.
199 * We will then change the mapping rights:
200 * - first by setting the execution right, and check that we can
201 * call the code found in the allocated page.
202 * - second by removing the execution right. This should generate
203 * a SIGSEGV on architectures that can enforce --x permissions.
204 */
205
206 map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);
207 ATF_REQUIRE(map != MAP_FAILED);
208
209 memcpy(map, (void *)return_one,
210 (uintptr_t)return_one_end - (uintptr_t)return_one);
211
212 /* give r-x rights then call code in page */
213 ATF_REQUIRE(mprotect(map, page, PROT_EXEC|PROT_READ) == 0);
214 ATF_REQUIRE(((int (*)(void))map)() == 1);
215
216 /* remove --x right */
217 ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0);
218
219 pid = fork();
220 ATF_REQUIRE(pid >= 0);
221
222 if (pid == 0) {
223 ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR);
224 ATF_CHECK(((int (*)(void))map)() == 1);
225 _exit(0);
226 }
227
228 (void)wait(&sta);
229
230 ATF_REQUIRE(munmap(map, page) == 0);
231
232 ATF_REQUIRE(WIFEXITED(sta) != 0);
233
234 switch (xp_support) {
235 case PARTIAL_XP:
236 /* Partial protection might fail; skip the test when it does */
237 if (WEXITSTATUS(sta) != SIGSEGV) {
238 atf_tc_skip("Host only supports "
239 "partial executable space protection");
240 }
241 break;
242 case PERPAGE_XP: default:
243 /* Per-page --x protection should not fail */
244 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV);
245 break;
246 }
247 }
248 #endif
249
250 ATF_TC(mprotect_pax);
ATF_TC_HEAD(mprotect_pax,tc)251 ATF_TC_HEAD(mprotect_pax, tc)
252 {
253 atf_tc_set_md_var(tc, "descr", "PaX restrictions and mprotect(2)");
254 atf_tc_set_md_var(tc, "require.user", "root");
255 }
256
ATF_TC_BODY(mprotect_pax,tc)257 ATF_TC_BODY(mprotect_pax, tc)
258 {
259 const int prot[4] = { PROT_NONE, PROT_READ, PROT_WRITE };
260 const char *str = NULL;
261 void *map;
262 size_t i;
263 int rv;
264
265 if (paxinit() != true)
266 return;
267
268 /*
269 * As noted in the original PaX documentation [1],
270 * the following restrictions should apply:
271 *
272 * (1) creating executable anonymous mappings
273 *
274 * (2) creating executable/writable file mappings
275 *
276 * (3) making a non-executable mapping executable
277 *
278 * (4) making an executable/read-only file mapping
279 * writable except for performing relocations
280 * on an ET_DYN ELF file (non-PIC shared library)
281 *
282 * The following will test only the case (3).
283 *
284 * [1] http://pax.grsecurity.net/docs/mprotect.txt
285 *
286 * (Sun Apr 3 11:06:53 EEST 2011.)
287 */
288 for (i = 0; i < __arraycount(prot); i++) {
289
290 map = mmap(NULL, page, prot[i], MAP_ANON, -1, 0);
291
292 if (map == MAP_FAILED)
293 continue;
294
295 rv = mprotect(map, 1, prot[i] | PROT_EXEC);
296
297 (void)munmap(map, page);
298
299 if (rv == 0) {
300 str = "non-executable mapping made executable";
301 goto out;
302 }
303 }
304
305 out:
306 if (pax_global != -1 && pax_enabled != -1)
307 (void)paxset(pax_global, pax_enabled);
308
309 if (str != NULL)
310 atf_tc_fail("%s", str);
311 }
312
313 ATF_TC(mprotect_write);
ATF_TC_HEAD(mprotect_write,tc)314 ATF_TC_HEAD(mprotect_write, tc)
315 {
316 atf_tc_set_md_var(tc, "descr", "Test mprotect(2) write protections");
317 }
318
ATF_TC_BODY(mprotect_write,tc)319 ATF_TC_BODY(mprotect_write, tc)
320 {
321 pid_t pid;
322 void *map;
323 int sta;
324
325 /*
326 * Map a page read/write, change the protection
327 * to read-only with mprotect(2), and try to write
328 * to the page. This should generate a SIGSEGV.
329 */
330 map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);
331 ATF_REQUIRE(map != MAP_FAILED);
332
333 ATF_REQUIRE(strlcpy(map, "XXX", 3) == 3);
334 ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0);
335
336 pid = fork();
337 ATF_REQUIRE(pid >= 0);
338
339 if (pid == 0) {
340 ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR);
341 ATF_REQUIRE(strlcpy(map, "XXX", 3) == 0);
342 }
343
344 (void)wait(&sta);
345
346 ATF_REQUIRE(WIFEXITED(sta) != 0);
347 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV);
348 ATF_REQUIRE(munmap(map, page) == 0);
349 }
350
ATF_TP_ADD_TCS(tp)351 ATF_TP_ADD_TCS(tp)
352 {
353 page = sysconf(_SC_PAGESIZE);
354 ATF_REQUIRE(page >= 0);
355
356 ATF_TP_ADD_TC(tp, mprotect_access);
357 ATF_TP_ADD_TC(tp, mprotect_err);
358 #ifdef __NetBSD__
359 ATF_TP_ADD_TC(tp, mprotect_exec);
360 #endif
361 ATF_TP_ADD_TC(tp, mprotect_pax);
362 ATF_TP_ADD_TC(tp, mprotect_write);
363
364 return atf_no_error();
365 }
366