1 /* $NetBSD: t_mmap.c,v 1.14 2020/06/26 07:50:11 jruoho Exp $ */ 2 3 /*- 4 * Copyright (c) 2011 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Jukka Ruohonen. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 /*- 33 * Copyright (c)2004 YAMAMOTO Takashi, 34 * All rights reserved. 35 * 36 * Redistribution and use in source and binary forms, with or without 37 * modification, are permitted provided that the following conditions 38 * are met: 39 * 1. Redistributions of source code must retain the above copyright 40 * notice, this list of conditions and the following disclaimer. 41 * 2. Redistributions in binary form must reproduce the above copyright 42 * notice, this list of conditions and the following disclaimer in the 43 * documentation and/or other materials provided with the distribution. 44 * 45 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 46 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 48 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 49 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 50 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 51 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 53 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 54 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 55 * SUCH DAMAGE. 56 */ 57 #include <sys/cdefs.h> 58 __RCSID("$NetBSD: t_mmap.c,v 1.14 2020/06/26 07:50:11 jruoho Exp $"); 59 60 #include <sys/param.h> 61 #include <sys/disklabel.h> 62 #include <sys/mman.h> 63 #include <sys/stat.h> 64 #include <sys/socket.h> 65 #include <sys/sysctl.h> 66 #include <sys/wait.h> 67 68 #include <atf-c.h> 69 #include <errno.h> 70 #include <fcntl.h> 71 #include <signal.h> 72 #include <stdio.h> 73 #include <stdlib.h> 74 #include <string.h> 75 #include <unistd.h> 76 #include <paths.h> 77 78 static long page = 0; 79 static char path[] = "mmap"; 80 static void map_check(void *, int); 81 static void map_sighandler(int); 82 static void testloan(void *, void *, char, int); 83 84 #define BUFSIZE (32 * 1024) /* enough size to trigger sosend_loan */ 85 86 static void 87 map_check(void *map, int flag) 88 { 89 90 if (flag != 0) { 91 ATF_REQUIRE(map == MAP_FAILED); 92 return; 93 } 94 95 ATF_REQUIRE(map != MAP_FAILED); 96 ATF_REQUIRE(munmap(map, page) == 0); 97 } 98 99 void 100 testloan(void *vp, void *vp2, char pat, int docheck) 101 { 102 char buf[BUFSIZE]; 103 char backup[BUFSIZE]; 104 ssize_t nwritten; 105 ssize_t nread; 106 int fds[2]; 107 int val; 108 109 val = BUFSIZE; 110 111 if (docheck != 0) 112 (void)memcpy(backup, vp, BUFSIZE); 113 114 if (socketpair(AF_LOCAL, SOCK_STREAM, PF_UNSPEC, fds) != 0) 115 atf_tc_fail("socketpair() failed"); 116 117 val = BUFSIZE; 118 119 if (setsockopt(fds[1], SOL_SOCKET, SO_RCVBUF, &val, sizeof(val)) != 0) 120 atf_tc_fail("setsockopt() failed, SO_RCVBUF"); 121 122 val = BUFSIZE; 123 124 if (setsockopt(fds[0], SOL_SOCKET, SO_SNDBUF, &val, sizeof(val)) != 0) 125 atf_tc_fail("setsockopt() failed, SO_SNDBUF"); 126 127 if (fcntl(fds[0], F_SETFL, O_NONBLOCK) != 0) 128 atf_tc_fail("fcntl() failed"); 129 130 nwritten = write(fds[0], (char *)vp + page, BUFSIZE - page); 131 132 if (nwritten == -1) 133 atf_tc_fail("write() failed"); 134 135 /* Break loan. */ 136 (void)memset(vp2, pat, BUFSIZE); 137 138 nread = read(fds[1], buf + page, BUFSIZE - page); 139 140 if (nread == -1) 141 atf_tc_fail("read() failed"); 142 143 if (nread != nwritten) 144 atf_tc_fail("too short read"); 145 146 if (docheck != 0 && memcmp(backup, buf + page, nread) != 0) 147 atf_tc_fail("data mismatch"); 148 149 ATF_REQUIRE(close(fds[0]) == 0); 150 ATF_REQUIRE(close(fds[1]) == 0); 151 } 152 153 static void 154 map_sighandler(int signo) 155 { 156 _exit(signo); 157 } 158 159 ATF_TC(mmap_block); 160 ATF_TC_HEAD(mmap_block, tc) 161 { 162 atf_tc_set_md_var(tc, "descr", "Test mmap(2) with a block device"); 163 atf_tc_set_md_var(tc, "require.user", "root"); 164 } 165 166 ATF_TC_BODY(mmap_block, tc) 167 { 168 static const int mib[] = { CTL_HW, HW_DISKNAMES }; 169 static const unsigned int miblen = __arraycount(mib); 170 char *map, *dk, *drives, dev[PATH_MAX]; 171 size_t len; 172 int fd = -1; 173 174 atf_tc_skip("The test case causes a panic " \ 175 "(PR kern/38889, PR kern/46592)"); 176 177 ATF_REQUIRE(sysctl(mib, miblen, NULL, &len, NULL, 0) == 0); 178 drives = malloc(len); 179 ATF_REQUIRE(drives != NULL); 180 ATF_REQUIRE(sysctl(mib, miblen, drives, &len, NULL, 0) == 0); 181 for (dk = strtok(drives, " "); dk != NULL; dk = strtok(NULL, " ")) { 182 if (strncmp(dk, "dk", 2) == 0) 183 snprintf(dev, sizeof(dev), _PATH_DEV "%s", dk); 184 else 185 snprintf(dev, sizeof(dev), _PATH_DEV "%s%c", dk, 186 'a' + RAW_PART); 187 fprintf(stderr, "trying: %s\n", dev); 188 189 if ((fd = open(dev, O_RDONLY)) >= 0) { 190 (void)fprintf(stderr, "using %s\n", dev); 191 break; 192 } else 193 (void)fprintf(stderr, "%s: %s\n", dev, strerror(errno)); 194 } 195 free(drives); 196 197 if (fd < 0) 198 atf_tc_skip("failed to find suitable block device"); 199 200 map = mmap(NULL, 4096, PROT_READ, MAP_FILE, fd, 0); 201 ATF_REQUIRE_MSG(map != MAP_FAILED, "mmap: %s", strerror(errno)); 202 203 (void)fprintf(stderr, "first byte %x\n", *map); 204 ATF_REQUIRE(close(fd) == 0); 205 (void)fprintf(stderr, "first byte %x\n", *map); 206 207 ATF_REQUIRE(munmap(map, 4096) == 0); 208 } 209 210 ATF_TC(mmap_err); 211 ATF_TC_HEAD(mmap_err, tc) 212 { 213 atf_tc_set_md_var(tc, "descr", "Test error conditions of mmap(2)"); 214 } 215 216 ATF_TC_BODY(mmap_err, tc) 217 { 218 size_t addr = SIZE_MAX; 219 void *map; 220 221 errno = 0; 222 map = mmap(NULL, 3, PROT_READ, MAP_FILE|MAP_PRIVATE, -1, 0); 223 224 ATF_REQUIRE(map == MAP_FAILED); 225 ATF_REQUIRE(errno == EBADF); 226 227 errno = 0; 228 map = mmap(&addr, page, PROT_READ, MAP_FIXED|MAP_PRIVATE, -1, 0); 229 230 ATF_REQUIRE(map == MAP_FAILED); 231 ATF_REQUIRE(errno == EINVAL); 232 233 errno = 0; 234 map = mmap(NULL, page, PROT_READ, MAP_ANON|MAP_PRIVATE, INT_MAX, 0); 235 236 ATF_REQUIRE(map == MAP_FAILED); 237 ATF_REQUIRE(errno == EINVAL); 238 } 239 240 ATF_TC_WITH_CLEANUP(mmap_loan); 241 ATF_TC_HEAD(mmap_loan, tc) 242 { 243 atf_tc_set_md_var(tc, "descr", "Test uvm page loanout with mmap(2)"); 244 } 245 246 ATF_TC_BODY(mmap_loan, tc) 247 { 248 char buf[BUFSIZE]; 249 char *vp, *vp2; 250 int fd; 251 252 fd = open(path, O_RDWR | O_CREAT, 0600); 253 ATF_REQUIRE(fd >= 0); 254 255 (void)memset(buf, 'x', sizeof(buf)); 256 (void)write(fd, buf, sizeof(buf)); 257 258 vp = mmap(NULL, BUFSIZE, PROT_READ | PROT_WRITE, 259 MAP_FILE | MAP_PRIVATE, fd, 0); 260 261 ATF_REQUIRE(vp != MAP_FAILED); 262 263 vp2 = vp; 264 265 testloan(vp, vp2, 'A', 0); 266 testloan(vp, vp2, 'B', 1); 267 268 ATF_REQUIRE(munmap(vp, BUFSIZE) == 0); 269 270 vp = mmap(NULL, BUFSIZE, PROT_READ | PROT_WRITE, 271 MAP_FILE | MAP_SHARED, fd, 0); 272 273 vp2 = mmap(NULL, BUFSIZE, PROT_READ | PROT_WRITE, 274 MAP_FILE | MAP_SHARED, fd, 0); 275 276 ATF_REQUIRE(vp != MAP_FAILED); 277 ATF_REQUIRE(vp2 != MAP_FAILED); 278 279 testloan(vp, vp2, 'E', 1); 280 281 ATF_REQUIRE(munmap(vp, BUFSIZE) == 0); 282 ATF_REQUIRE(munmap(vp2, BUFSIZE) == 0); 283 } 284 285 ATF_TC_CLEANUP(mmap_loan, tc) 286 { 287 (void)unlink(path); 288 } 289 290 ATF_TC_WITH_CLEANUP(mmap_prot_1); 291 ATF_TC_HEAD(mmap_prot_1, tc) 292 { 293 atf_tc_set_md_var(tc, "descr", "Test mmap(2) protections, #1"); 294 } 295 296 ATF_TC_BODY(mmap_prot_1, tc) 297 { 298 void *map; 299 int fd; 300 301 /* 302 * Open a file write-only and try to 303 * map it read-only. This should fail. 304 */ 305 fd = open(path, O_WRONLY | O_CREAT, 0700); 306 307 if (fd < 0) 308 return; 309 310 ATF_REQUIRE(write(fd, "XXX", 3) == 3); 311 312 map = mmap(NULL, 3, PROT_READ, MAP_FILE|MAP_PRIVATE, fd, 0); 313 map_check(map, 1); 314 315 map = mmap(NULL, 3, PROT_WRITE, MAP_FILE|MAP_PRIVATE, fd, 0); 316 map_check(map, 0); 317 318 ATF_REQUIRE(close(fd) == 0); 319 } 320 321 ATF_TC_CLEANUP(mmap_prot_1, tc) 322 { 323 (void)unlink(path); 324 } 325 326 ATF_TC(mmap_prot_2); 327 ATF_TC_HEAD(mmap_prot_2, tc) 328 { 329 atf_tc_set_md_var(tc, "descr", "Test mmap(2) protections, #2"); 330 } 331 332 ATF_TC_BODY(mmap_prot_2, tc) 333 { 334 char buf[2]; 335 void *map; 336 pid_t pid; 337 int sta; 338 339 /* 340 * Make a PROT_NONE mapping and try to access it. 341 * If we catch a SIGSEGV, all works as expected. 342 */ 343 map = mmap(NULL, page, PROT_NONE, MAP_ANON|MAP_PRIVATE, -1, 0); 344 ATF_REQUIRE(map != MAP_FAILED); 345 346 pid = fork(); 347 ATF_REQUIRE(pid >= 0); 348 349 if (pid == 0) { 350 ATF_REQUIRE(signal(SIGSEGV, map_sighandler) != SIG_ERR); 351 ATF_REQUIRE(strlcpy(buf, map, sizeof(buf)) != 0); 352 } 353 354 (void)wait(&sta); 355 356 ATF_REQUIRE(WIFEXITED(sta) != 0); 357 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV); 358 ATF_REQUIRE(munmap(map, page) == 0); 359 } 360 361 ATF_TC_WITH_CLEANUP(mmap_prot_3); 362 ATF_TC_HEAD(mmap_prot_3, tc) 363 { 364 atf_tc_set_md_var(tc, "descr", "Test mmap(2) protections, #3"); 365 } 366 367 ATF_TC_BODY(mmap_prot_3, tc) 368 { 369 char buf[2]; 370 int fd, sta; 371 void *map; 372 pid_t pid; 373 374 /* 375 * Open a file, change the permissions 376 * to read-only, and try to map it as 377 * PROT_NONE. This should succeed, but 378 * the access should generate SIGSEGV. 379 */ 380 fd = open(path, O_RDWR | O_CREAT, 0700); 381 382 if (fd < 0) 383 return; 384 385 ATF_REQUIRE(write(fd, "XXX", 3) == 3); 386 ATF_REQUIRE(close(fd) == 0); 387 ATF_REQUIRE(chmod(path, 0444) == 0); 388 389 fd = open(path, O_RDONLY); 390 ATF_REQUIRE(fd != -1); 391 392 map = mmap(NULL, 3, PROT_NONE, MAP_FILE | MAP_SHARED, fd, 0); 393 ATF_REQUIRE(map != MAP_FAILED); 394 395 pid = fork(); 396 397 ATF_REQUIRE(pid >= 0); 398 399 if (pid == 0) { 400 ATF_REQUIRE(signal(SIGSEGV, map_sighandler) != SIG_ERR); 401 ATF_REQUIRE(strlcpy(buf, map, sizeof(buf)) != 0); 402 } 403 404 (void)wait(&sta); 405 406 ATF_REQUIRE(WIFEXITED(sta) != 0); 407 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV); 408 ATF_REQUIRE(munmap(map, 3) == 0); 409 } 410 411 ATF_TC_CLEANUP(mmap_prot_3, tc) 412 { 413 (void)unlink(path); 414 } 415 416 ATF_TC_WITH_CLEANUP(mmap_truncate); 417 ATF_TC_HEAD(mmap_truncate, tc) 418 { 419 atf_tc_set_md_var(tc, "descr", "Test mmap(2) and ftruncate(2)"); 420 } 421 422 ATF_TC_BODY(mmap_truncate, tc) 423 { 424 char *map; 425 long i; 426 int fd; 427 428 fd = open(path, O_RDWR | O_CREAT, 0700); 429 430 if (fd < 0) 431 return; 432 433 /* 434 * See that ftruncate(2) works 435 * while the file is mapped. 436 */ 437 ATF_REQUIRE(ftruncate(fd, page) == 0); 438 439 map = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_FILE|MAP_PRIVATE, 440 fd, 0); 441 ATF_REQUIRE(map != MAP_FAILED); 442 443 for (i = 0; i < page; i++) 444 map[i] = 'x'; 445 446 ATF_REQUIRE(ftruncate(fd, 0) == 0); 447 ATF_REQUIRE(ftruncate(fd, page / 8) == 0); 448 ATF_REQUIRE(ftruncate(fd, page / 4) == 0); 449 ATF_REQUIRE(ftruncate(fd, page / 2) == 0); 450 ATF_REQUIRE(ftruncate(fd, page / 12) == 0); 451 ATF_REQUIRE(ftruncate(fd, page / 64) == 0); 452 453 (void)munmap(map, page); 454 ATF_REQUIRE(close(fd) == 0); 455 } 456 457 ATF_TC_CLEANUP(mmap_truncate, tc) 458 { 459 (void)unlink(path); 460 } 461 462 ATF_TC_WITH_CLEANUP(mmap_truncate_signal); 463 ATF_TC_HEAD(mmap_truncate_signal, tc) 464 { 465 atf_tc_set_md_var(tc, "descr", 466 "Test mmap(2) ftruncate(2) causing signal"); 467 } 468 469 ATF_TC_BODY(mmap_truncate_signal, tc) 470 { 471 char *map; 472 long i; 473 int fd, sta; 474 pid_t pid; 475 476 fd = open(path, O_RDWR | O_CREAT, 0700); 477 478 if (fd < 0) 479 return; 480 481 ATF_REQUIRE(write(fd, "foo\n", 5) == 5); 482 483 map = mmap(NULL, page, PROT_READ, MAP_FILE|MAP_PRIVATE, fd, 0); 484 ATF_REQUIRE(map != MAP_FAILED); 485 486 sta = 0; 487 for (i = 0; i < 5; i++) 488 sta += map[i]; 489 ATF_REQUIRE(sta == 334); 490 491 ATF_REQUIRE(ftruncate(fd, 0) == 0); 492 pid = fork(); 493 ATF_REQUIRE(pid >= 0); 494 495 if (pid == 0) { 496 ATF_REQUIRE(signal(SIGBUS, map_sighandler) != SIG_ERR); 497 ATF_REQUIRE(signal(SIGSEGV, map_sighandler) != SIG_ERR); 498 sta = 0; 499 for (i = 0; i < page; i++) 500 sta += map[i]; 501 /* child never will get this far, but the compiler will 502 not know, so better use the values calculated to 503 prevent the access to be optimized out */ 504 ATF_REQUIRE(i == 0); 505 ATF_REQUIRE(sta == 0); 506 (void)munmap(map, page); 507 (void)close(fd); 508 return; 509 } 510 511 (void)wait(&sta); 512 513 ATF_REQUIRE(WIFEXITED(sta) != 0); 514 if (WEXITSTATUS(sta) == SIGSEGV) 515 atf_tc_fail("child process got SIGSEGV instead of SIGBUS"); 516 ATF_REQUIRE(WEXITSTATUS(sta) == SIGBUS); 517 ATF_REQUIRE(munmap(map, page) == 0); 518 ATF_REQUIRE(close(fd) == 0); 519 } 520 521 ATF_TC_CLEANUP(mmap_truncate_signal, tc) 522 { 523 (void)unlink(path); 524 } 525 526 ATF_TC(mmap_va0); 527 ATF_TC_HEAD(mmap_va0, tc) 528 { 529 atf_tc_set_md_var(tc, "descr", "Test mmap(2) and vm.user_va0_disable"); 530 } 531 532 ATF_TC_BODY(mmap_va0, tc) 533 { 534 int flags = MAP_ANON | MAP_FIXED | MAP_PRIVATE; 535 size_t len = sizeof(int); 536 void *map; 537 int val; 538 539 /* 540 * Make an anonymous fixed mapping at zero address. If the address 541 * is restricted as noted in security(7), the syscall should fail. 542 */ 543 if (sysctlbyname("vm.user_va0_disable", &val, &len, NULL, 0) != 0) 544 atf_tc_fail("failed to read vm.user_va0_disable"); 545 546 map = mmap(NULL, page, PROT_EXEC, flags, -1, 0); 547 map_check(map, val); 548 549 map = mmap(NULL, page, PROT_READ, flags, -1, 0); 550 map_check(map, val); 551 552 map = mmap(NULL, page, PROT_WRITE, flags, -1, 0); 553 map_check(map, val); 554 555 map = mmap(NULL, page, PROT_READ|PROT_WRITE, flags, -1, 0); 556 map_check(map, val); 557 558 map = mmap(NULL, page, PROT_EXEC|PROT_READ|PROT_WRITE, flags, -1, 0); 559 map_check(map, val); 560 } 561 562 ATF_TP_ADD_TCS(tp) 563 { 564 page = sysconf(_SC_PAGESIZE); 565 ATF_REQUIRE(page >= 0); 566 567 ATF_TP_ADD_TC(tp, mmap_block); 568 ATF_TP_ADD_TC(tp, mmap_err); 569 ATF_TP_ADD_TC(tp, mmap_loan); 570 ATF_TP_ADD_TC(tp, mmap_prot_1); 571 ATF_TP_ADD_TC(tp, mmap_prot_2); 572 ATF_TP_ADD_TC(tp, mmap_prot_3); 573 ATF_TP_ADD_TC(tp, mmap_truncate); 574 ATF_TP_ADD_TC(tp, mmap_truncate_signal); 575 ATF_TP_ADD_TC(tp, mmap_va0); 576 577 return atf_no_error(); 578 } 579