1 // RUN: %clangxx_cfi_dso -DSHARED_LIB %s -fPIC -shared -o %t1-so.so
2 // RUN: %clangxx_cfi_dso %s -o %t1
3 // RUN: %expect_crash %t1 2>&1 | FileCheck --check-prefix=CFI %s
4 // RUN: %expect_crash %t1 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s
5 // RUN: %expect_crash %t1 dlclose 2>&1 | FileCheck --check-prefix=CFI %s
6 
7 // RUN: %clangxx_cfi_dso -DB32 -DSHARED_LIB %s -fPIC -shared -o %t2-so.so
8 // RUN: %clangxx_cfi_dso -DB32 %s -o %t2
9 // RUN: %expect_crash %t2 2>&1 | FileCheck --check-prefix=CFI %s
10 // RUN: %expect_crash %t2 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s
11 // RUN: %expect_crash %t2 dlclose 2>&1 | FileCheck --check-prefix=CFI %s
12 
13 // RUN: %clangxx_cfi_dso -DB64 -DSHARED_LIB %s -fPIC -shared -o %t3-so.so
14 // RUN: %clangxx_cfi_dso -DB64 %s -o %t3
15 // RUN: %expect_crash %t3 2>&1 | FileCheck --check-prefix=CFI %s
16 // RUN: %expect_crash %t3 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s
17 // RUN: %expect_crash %t3 dlclose 2>&1 | FileCheck --check-prefix=CFI %s
18 
19 // RUN: %clangxx_cfi_dso -DBM -DSHARED_LIB %s -fPIC -shared -o %t4-so.so
20 // RUN: %clangxx_cfi_dso -DBM %s -o %t4
21 // RUN: %expect_crash %t4 2>&1 | FileCheck --check-prefix=CFI %s
22 // RUN: %expect_crash %t4 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s
23 // RUN: %expect_crash %t4 dlclose 2>&1 | FileCheck --check-prefix=CFI %s
24 
25 // RUN: %clangxx -g -DBM -DSHARED_LIB -DNOCFI %s -fPIC -shared -o %t5-so.so
26 // RUN: %clangxx -g -DBM -DNOCFI %s -ldl -o %t5
27 // RUN: %t5 2>&1 | FileCheck --check-prefix=NCFI %s
28 // RUN: %t5 cast 2>&1 | FileCheck --check-prefix=NCFI %s
29 // RUN: %t5 dlclose 2>&1 | FileCheck --check-prefix=NCFI %s
30 
31 // Test that calls to uninstrumented library are unchecked.
32 // RUN: %clangxx -DBM -DSHARED_LIB %s -fPIC -shared -o %t6-so.so
33 // RUN: %clangxx_cfi_dso -DBM %s -o %t6
34 // RUN: %t6 2>&1 | FileCheck --check-prefix=NCFI %s
35 // RUN: %t6 cast 2>&1 | FileCheck --check-prefix=NCFI %s
36 
37 // Call-after-dlclose is checked on the caller side.
38 // RUN: %expect_crash %t6 dlclose 2>&1 | FileCheck --check-prefix=CFI %s
39 
40 // Tests calls into dlopen-ed library.
41 // REQUIRES: cxxabi
42 
43 #include <assert.h>
44 #include <dlfcn.h>
45 #include <stdio.h>
46 #include <stdint.h>
47 #include <string.h>
48 #include <sys/mman.h>
49 
50 #include <string>
51 
// Polymorphic type known to the main executable. The library side never
// creates an A; main() deliberately treats a B (created by the library) as
// an A to exercise CFI's cast and virtual-call checks.
struct A {
  virtual void f();
};
55 
// Page granularity used for do_nothing()'s alignment and for the code
// snapshot below. LoongArch uses 16 KiB pages; every other target this test
// runs on is assumed to use 4 KiB pages.
#ifdef __loongarch__
#  define PAGESIZE 16384
#else
#  define PAGESIZE 4096
#endif
62 
63 #ifdef SHARED_LIB
64 
65 #include "../../utils.h"
// Polymorphic type that exists only inside the shared library (SHARED_LIB).
// It is unrelated to A; instances reach main() only through create_B().
struct B {
  virtual void f();
};
// Empty on purpose; only the vtable slot matters for the virtual-call test
// that main() performs through an A*.
void B::f() {}
70 
// Library-side factory: builds a B and hands it back type-erased, so the
// executable can only reach it through a cast or a pointer-bits copy.
// create_derivers<B>() comes from utils.h and is presumably there to make
// B's type information part of the library's CFI metadata — see utils.h.
// The object is intentionally never freed (test process exits right after).
extern "C" void *create_B() {
  create_derivers<B>();
  B *obj = new B();
  return static_cast<void *>(obj);
}
75 
// Target of the "dlclose" mode. Page-aligned so that save_code() in the
// executable, which rounds its pointer down to kCodeAlign (== PAGESIZE),
// snapshots the bytes starting exactly at this function.
extern "C" __attribute__((aligned(PAGESIZE))) void do_nothing() {}
77 
78 #else
79 
// A's only virtual, defined on the executable side. The object main() calls
// through is always a B, so this body is not expected to run in any mode.
void A::f() {}
81 
// Code-page snapshot used by the "dlclose" mode (save_code/restore_code).
// kCodeAlign matches the alignment do_nothing() is given in the library, so
// rounding a pointer down to it lands on the start of that function.
// kCodeSize is how many bytes from that boundary are saved and later written
// back: 4 KiB regardless of PAGESIZE, presumably enough to cover the empty
// do_nothing() body.
static const int kCodeAlign = PAGESIZE;
static const int kCodeSize = 4096;
static char saved_code[kCodeSize];   // copy of the bytes at real_start
static char *real_start;             // aligned start of the saved region
86 
// Round p down to the enclosing kCodeAlign boundary and snapshot kCodeSize
// bytes from there into saved_code. restore_code() later writes the same
// bytes back to the same address (kept in real_start).
static void save_code(char *p) {
  const uintptr_t mask = ~(uintptr_t)(kCodeAlign - 1);
  real_start = (char *)((uintptr_t)p & mask);
  memcpy(saved_code, real_start, kCodeSize);
}
91 
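// Re-create the page that held the dlclose()d library's code: map an
// anonymous RWX region at exactly the old address (MAP_FIXED) and copy the
// saved bytes back. This deliberately violates W^X — it imitates an attacker
// placing executable bytes where a library used to be, so that the call in
// main() has a real target and CFI (not a segfault) is what must stop it.
static void restore_code() {
  // fd is -1: MAP_ANONYMOUS mappings must not name a file, and some systems
  // reject any other value. offset is 0 for the same reason.
  char *code =
      (char *)mmap(real_start, kCodeSize, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
  // MAP_FAILED is never equal to real_start, so this also covers failure.
  assert(code == real_start);
  memcpy(code, saved_code, kCodeSize);
  // The bytes are executed right after this; flush the instruction cache on
  // targets where it is not coherent with data writes.
  __builtin___clear_cache(code, code + kCodeSize);
}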
100 
// Entry point. The mode is chosen by the first argument (see the RUN lines):
//   (none)    virtual call through an A* whose bits were copied from a B*
//   "cast"    cast of a void* that really points to a B to A*
//   "dlclose" call into the page of a library that has been dlclose()d
// Progress markers "=0=", "=1=", "=2=" are printed to stderr; the FileCheck
// lines below say which markers each build configuration must (not) reach.
int main(int argc, char *argv[]) {
  const bool test_cast = argc > 1 && strcmp(argv[1], "cast") == 0;
  const bool test_dlclose = argc > 1 && strcmp(argv[1], "dlclose") == 0;

  // The library is built next to this binary as "<argv[0]>-so.so"
  // (see the RUN lines at the top of the file).
  std::string name = std::string(argv[0]) + "-so.so";
  void *handle = dlopen(name.c_str(), RTLD_NOW);
  assert(handle);
  void *(*create_B)() = (void *(*)())dlsym(handle, "create_B");
  assert(create_B);

  // p points to a B (a type only the library knows), never to an A.
  void *p = create_B();
  A *a;

  // CFI: =0=
  // CFI-CAST: =0=
  // NCFI: =0=
  fprintf(stderr, "=0=\n");

  if (test_cast) {
    // Test cast. BOOM.
    // With CFI the void* -> A* cast is itself checked: the object's dynamic
    // type (B) is unrelated to A, so the CFI-CAST run aborts here and must
    // not print "=1=". Without CFI the cast is silent.
    a = (A*)p;
  } else {
    // Invisible to CFI. Test virtual call later.
    // Copying the pointer bits with memcpy involves no cast expression, so
    // no cast check can fire; the mismatch is only caught at a->f() below.
    memcpy(&a, &p, sizeof(a));
  }

  // CFI: =1=
  // CFI-CAST-NOT: =1=
  // NCFI: =1=
  fprintf(stderr, "=1=\n");

  if (test_dlclose) {
    // Imitate an attacker sneaking in an executable page where a dlclose()d
    // library was loaded. This needs to pass w/o CFI, so for the testing
    // purpose, we just copy the bytes of a "void f() {}" function back and
    // forth.
    void (*do_nothing)() = (void (*)())dlsym(handle, "do_nothing");
    assert(do_nothing);
    // Snapshot the page holding do_nothing() while the library is mapped.
    save_code((char *)do_nothing);

    int res = dlclose(handle);
    assert(res == 0);

    // Put the same bytes back at the same address, now in an anonymous
    // mapping that no loaded DSO owns.
    restore_code();

    // The pointer still looks valid, but its target no longer belongs to
    // any library. Cross-DSO CFI checks this on the caller side (so even an
    // uninstrumented library, %t6, is caught) and aborts before "=2=";
    // without CFI (NCFI) the call simply returns.
    do_nothing(); // UB here
  } else {
    // Virtual call on a B through an A*. With CFI the vtable check rejects
    // it and the process aborts before "=2="; without CFI (NCFI) the call
    // goes through B's vtable and "=2=" is printed.
    a->f(); // UB here
  }

  // CFI-NOT: =2=
  // CFI-CAST-NOT: =2=
  // NCFI: =2=
  fprintf(stderr, "=2=\n");
}
156 #endif
157