1 /* $NetBSD: t_mprotect.c,v 1.3 2011/07/20 22:53:44 jym Exp $ */
2
3 /*-
4 * Copyright (c) 2011 The NetBSD Foundation, Inc.
5 * All rights reserved.
6 *
7 * This code is derived from software contributed to The NetBSD Foundation
8 * by Jukka Ruohonen.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 */
31 #include <sys/cdefs.h>
32 __RCSID("$NetBSD: t_mprotect.c,v 1.3 2011/07/20 22:53:44 jym Exp $");
33
34 #include <sys/param.h>
35 #include <sys/mman.h>
36 #include <sys/sysctl.h>
37 #include <sys/wait.h>
38
39 #include <errno.h>
40 #include <fcntl.h>
41 #include <stdlib.h>
42 #include <string.h>
43 #include <unistd.h>
44
45 #include <atf-c.h>
46
47 #include "../common/exec_prot.h"
48
49 static long page = 0;
50 static int pax_global = -1;
51 static int pax_enabled = -1;
52 static char path[] = "mmap";
53
54 static void sighandler(int);
55 static bool paxinit(void);
56 static bool paxset(int, int);
57
58 static void
sighandler(int signo)59 sighandler(int signo)
60 {
61 _exit(signo);
62 }
63
64 static bool
paxinit(void)65 paxinit(void)
66 {
67 size_t len = sizeof(int);
68 int rv;
69
70 rv = sysctlbyname("security.pax.mprotect.global",
71 &pax_global, &len, NULL, 0);
72
73 if (rv != 0)
74 return false;
75
76 rv = sysctlbyname("security.pax.mprotect.enabled",
77 &pax_enabled, &len, NULL, 0);
78
79 if (rv != 0)
80 return false;
81
82 return paxset(1, 1);
83 }
84
85 static bool
paxset(int global,int enabled)86 paxset(int global, int enabled)
87 {
88 size_t len = sizeof(int);
89 int rv;
90
91 rv = sysctlbyname("security.pax.mprotect.global",
92 NULL, NULL, &global, len);
93
94 if (rv != 0)
95 return false;
96
97 rv = sysctlbyname("security.pax.mprotect.enabled",
98 NULL, NULL, &enabled, len);
99
100 if (rv != 0)
101 return false;
102
103 return true;
104 }
105
106
107 ATF_TC_WITH_CLEANUP(mprotect_access);
ATF_TC_HEAD(mprotect_access,tc)108 ATF_TC_HEAD(mprotect_access, tc)
109 {
110 atf_tc_set_md_var(tc, "descr", "Test for EACCES from mprotect(2)");
111 }
112
ATF_TC_BODY(mprotect_access,tc)113 ATF_TC_BODY(mprotect_access, tc)
114 {
115 int prot[2] = { PROT_NONE, PROT_READ };
116 void *map;
117 size_t i;
118 int fd;
119
120 fd = open(path, O_RDONLY | O_CREAT);
121 ATF_REQUIRE(fd >= 0);
122
123 /*
124 * The call should fail with EACCES if we try to mark
125 * a PROT_NONE or PROT_READ file/section as PROT_WRITE.
126 */
127 for (i = 0; i < __arraycount(prot); i++) {
128
129 map = mmap(NULL, page, prot[i], MAP_SHARED, fd, 0);
130
131 if (map == MAP_FAILED)
132 continue;
133
134 errno = 0;
135
136 ATF_REQUIRE(mprotect(map, page, PROT_WRITE) != 0);
137 ATF_REQUIRE(errno == EACCES);
138 ATF_REQUIRE(munmap(map, page) == 0);
139 }
140
141 ATF_REQUIRE(close(fd) == 0);
142 }
143
ATF_TC_CLEANUP(mprotect_access,tc)144 ATF_TC_CLEANUP(mprotect_access, tc)
145 {
146 (void)unlink(path);
147 }
148
149 ATF_TC(mprotect_err);
ATF_TC_HEAD(mprotect_err,tc)150 ATF_TC_HEAD(mprotect_err, tc)
151 {
152 atf_tc_set_md_var(tc, "descr", "Test error conditions of mprotect(2)");
153 }
154
ATF_TC_BODY(mprotect_err,tc)155 ATF_TC_BODY(mprotect_err, tc)
156 {
157 errno = 0;
158
159 ATF_REQUIRE(mprotect((char *)-1, 1, PROT_READ) != 0);
160 ATF_REQUIRE(errno == EINVAL);
161 }
162
163 ATF_TC(mprotect_exec);
ATF_TC_HEAD(mprotect_exec,tc)164 ATF_TC_HEAD(mprotect_exec, tc)
165 {
166 atf_tc_set_md_var(tc, "descr",
167 "Test mprotect(2) executable space protections");
168 }
169
170 /*
171 * Trivial function -- should fit into a page
172 */
ATF_TC_BODY(mprotect_exec,tc)173 ATF_TC_BODY(mprotect_exec, tc)
174 {
175 pid_t pid;
176 void *map;
177 int sta, xp_support;
178
179 xp_support = exec_prot_support();
180
181 switch (xp_support) {
182 case NOTIMPL:
183 atf_tc_skip(
184 "Execute protection callback check not implemented");
185 break;
186 case NO_XP:
187 atf_tc_skip(
188 "Host does not support executable space protection");
189 break;
190 case PARTIAL_XP: case PERPAGE_XP: default:
191 break;
192 }
193
194 /*
195 * Map a page read/write and copy a trivial assembly function inside.
196 * We will then change the mapping rights:
197 * - first by setting the execution right, and check that we can
198 * call the code found in the allocated page.
199 * - second by removing the execution right. This should generate
200 * a SIGSEGV on architectures that can enforce --x permissions.
201 */
202
203 map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);
204 ATF_REQUIRE(map != MAP_FAILED);
205
206 memcpy(map, (void *)return_one,
207 (uintptr_t)return_one_end - (uintptr_t)return_one);
208
209 /* give r-x rights then call code in page */
210 ATF_REQUIRE(mprotect(map, page, PROT_EXEC|PROT_READ) == 0);
211 ATF_REQUIRE(((int (*)(void))map)() == 1);
212
213 /* remove --x right */
214 ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0);
215
216 pid = fork();
217 ATF_REQUIRE(pid >= 0);
218
219 if (pid == 0) {
220 ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR);
221 ATF_CHECK(((int (*)(void))map)() == 1);
222 _exit(0);
223 }
224
225 (void)wait(&sta);
226
227 ATF_REQUIRE(munmap(map, page) == 0);
228
229 ATF_REQUIRE(WIFEXITED(sta) != 0);
230
231 switch (xp_support) {
232 case PARTIAL_XP:
233 /* Partial protection might fail; skip the test when it does */
234 if (WEXITSTATUS(sta) != SIGSEGV) {
235 atf_tc_skip("Host only supports "
236 "partial executable space protection");
237 }
238 break;
239 case PERPAGE_XP: default:
240 /* Per-page --x protection should not fail */
241 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV);
242 break;
243 }
244 }
245
246 ATF_TC(mprotect_pax);
ATF_TC_HEAD(mprotect_pax,tc)247 ATF_TC_HEAD(mprotect_pax, tc)
248 {
249 atf_tc_set_md_var(tc, "descr", "PaX restrictions and mprotect(2)");
250 atf_tc_set_md_var(tc, "require.user", "root");
251 }
252
ATF_TC_BODY(mprotect_pax,tc)253 ATF_TC_BODY(mprotect_pax, tc)
254 {
255 const int prot[4] = { PROT_NONE, PROT_READ, PROT_WRITE };
256 const char *str = NULL;
257 void *map;
258 size_t i;
259 int rv;
260
261 if (paxinit() != true)
262 return;
263
264 /*
265 * As noted in the original PaX documentation [1],
266 * the following restrictions should apply:
267 *
268 * (1) creating executable anonymous mappings
269 *
270 * (2) creating executable/writable file mappings
271 *
272 * (3) making a non-executable mapping executable
273 *
274 * (4) making an executable/read-only file mapping
275 * writable except for performing relocations
276 * on an ET_DYN ELF file (non-PIC shared library)
277 *
278 * The following will test only the case (3).
279 *
280 * [1] http://pax.grsecurity.net/docs/mprotect.txt
281 *
282 * (Sun Apr 3 11:06:53 EEST 2011.)
283 */
284 for (i = 0; i < __arraycount(prot); i++) {
285
286 map = mmap(NULL, page, prot[i], MAP_ANON, -1, 0);
287
288 if (map == MAP_FAILED)
289 continue;
290
291 rv = mprotect(map, 1, prot[i] | PROT_EXEC);
292
293 (void)munmap(map, page);
294
295 if (rv == 0) {
296 str = "non-executable mapping made executable";
297 goto out;
298 }
299 }
300
301 out:
302 if (pax_global != -1 && pax_enabled != -1)
303 (void)paxset(pax_global, pax_enabled);
304
305 if (str != NULL)
306 atf_tc_fail("%s", str);
307 }
308
309 ATF_TC(mprotect_write);
ATF_TC_HEAD(mprotect_write,tc)310 ATF_TC_HEAD(mprotect_write, tc)
311 {
312 atf_tc_set_md_var(tc, "descr", "Test mprotect(2) write protections");
313 }
314
ATF_TC_BODY(mprotect_write,tc)315 ATF_TC_BODY(mprotect_write, tc)
316 {
317 pid_t pid;
318 void *map;
319 int sta;
320
321 /*
322 * Map a page read/write, change the protection
323 * to read-only with mprotect(2), and try to write
324 * to the page. This should generate a SIGSEGV.
325 */
326 map = mmap(NULL, page, PROT_WRITE|PROT_READ, MAP_ANON, -1, 0);
327 ATF_REQUIRE(map != MAP_FAILED);
328
329 ATF_REQUIRE(strlcpy(map, "XXX", 3) == 3);
330 ATF_REQUIRE(mprotect(map, page, PROT_READ) == 0);
331
332 pid = fork();
333 ATF_REQUIRE(pid >= 0);
334
335 if (pid == 0) {
336 ATF_REQUIRE(signal(SIGSEGV, sighandler) != SIG_ERR);
337 ATF_REQUIRE(strlcpy(map, "XXX", 3) == 0);
338 }
339
340 (void)wait(&sta);
341
342 ATF_REQUIRE(WIFEXITED(sta) != 0);
343 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV);
344 ATF_REQUIRE(munmap(map, page) == 0);
345 }
346
ATF_TP_ADD_TCS(tp)347 ATF_TP_ADD_TCS(tp)
348 {
349 page = sysconf(_SC_PAGESIZE);
350 ATF_REQUIRE(page >= 0);
351
352 ATF_TP_ADD_TC(tp, mprotect_access);
353 ATF_TP_ADD_TC(tp, mprotect_err);
354 ATF_TP_ADD_TC(tp, mprotect_exec);
355 ATF_TP_ADD_TC(tp, mprotect_pax);
356 ATF_TP_ADD_TC(tp, mprotect_write);
357
358 return atf_no_error();
359 }
360