1 /* $NetBSD: t_mmap.c,v 1.12 2017/01/16 16:31:05 christos Exp $ */ 2 3 /*- 4 * Copyright (c) 2011 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Jukka Ruohonen. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 /*- 33 * Copyright (c)2004 YAMAMOTO Takashi, 34 * All rights reserved. 35 * 36 * Redistribution and use in source and binary forms, with or without 37 * modification, are permitted provided that the following conditions 38 * are met: 39 * 1. Redistributions of source code must retain the above copyright 40 * notice, this list of conditions and the following disclaimer. 41 * 2. Redistributions in binary form must reproduce the above copyright 42 * notice, this list of conditions and the following disclaimer in the 43 * documentation and/or other materials provided with the distribution. 44 * 45 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 46 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 47 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 48 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 49 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 50 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 51 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 53 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 54 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 55 * SUCH DAMAGE. 56 */ 57 #include <sys/cdefs.h> 58 __RCSID("$NetBSD: t_mmap.c,v 1.12 2017/01/16 16:31:05 christos Exp $"); 59 60 #include <sys/param.h> 61 #include <sys/disklabel.h> 62 #include <sys/mman.h> 63 #include <sys/stat.h> 64 #include <sys/socket.h> 65 #include <sys/sysctl.h> 66 #include <sys/wait.h> 67 68 #include <atf-c.h> 69 #include <errno.h> 70 #include <fcntl.h> 71 #include <signal.h> 72 #include <stdio.h> 73 #include <stdlib.h> 74 #include <string.h> 75 #include <unistd.h> 76 #include <paths.h> 77 78 static long page = 0; 79 static char path[] = "mmap"; 80 static void map_check(void *, int); 81 static void map_sighandler(int); 82 static void testloan(void *, void *, char, int); 83 84 #define BUFSIZE (32 * 1024) /* enough size to trigger sosend_loan */ 85 86 static void 87 map_check(void *map, int flag) 88 { 89 90 if (flag != 0) { 91 ATF_REQUIRE(map == MAP_FAILED); 92 return; 93 } 94 95 ATF_REQUIRE(map != MAP_FAILED); 96 ATF_REQUIRE(munmap(map, page) == 0); 97 } 98 99 void 100 testloan(void *vp, void *vp2, char pat, int docheck) 101 { 102 char buf[BUFSIZE]; 103 char backup[BUFSIZE]; 104 ssize_t nwritten; 105 ssize_t nread; 106 int fds[2]; 107 int val; 108 109 val = BUFSIZE; 110 111 if (docheck != 0) 112 (void)memcpy(backup, vp, BUFSIZE); 113 114 if (socketpair(AF_LOCAL, SOCK_STREAM, PF_UNSPEC, fds) != 0) 115 atf_tc_fail("socketpair() failed"); 116 117 val = BUFSIZE; 118 119 if (setsockopt(fds[1], SOL_SOCKET, SO_RCVBUF, &val, sizeof(val)) != 0) 120 atf_tc_fail("setsockopt() failed, SO_RCVBUF"); 121 122 val = BUFSIZE; 123 124 if (setsockopt(fds[0], SOL_SOCKET, SO_SNDBUF, &val, sizeof(val)) != 0) 125 atf_tc_fail("setsockopt() failed, SO_SNDBUF"); 126 127 if (fcntl(fds[0], F_SETFL, O_NONBLOCK) != 0) 128 atf_tc_fail("fcntl() failed"); 129 130 nwritten = write(fds[0], (char *)vp + page, BUFSIZE - page); 131 132 if (nwritten == -1) 133 atf_tc_fail("write() failed"); 134 135 /* Break loan. */ 136 (void)memset(vp2, pat, BUFSIZE); 137 138 nread = read(fds[1], buf + page, BUFSIZE - page); 139 140 if (nread == -1) 141 atf_tc_fail("read() failed"); 142 143 if (nread != nwritten) 144 atf_tc_fail("too short read"); 145 146 if (docheck != 0 && memcmp(backup, buf + page, nread) != 0) 147 atf_tc_fail("data mismatch"); 148 149 ATF_REQUIRE(close(fds[0]) == 0); 150 ATF_REQUIRE(close(fds[1]) == 0); 151 } 152 153 static void 154 map_sighandler(int signo) 155 { 156 _exit(signo); 157 } 158 159 ATF_TC(mmap_block); 160 ATF_TC_HEAD(mmap_block, tc) 161 { 162 atf_tc_set_md_var(tc, "descr", "Test mmap(2) with a block device"); 163 atf_tc_set_md_var(tc, "require.user", "root"); 164 } 165 166 ATF_TC_BODY(mmap_block, tc) 167 { 168 static const int mib[] = { CTL_HW, HW_DISKNAMES }; 169 static const unsigned int miblen = __arraycount(mib); 170 char *map, *dk, *drives, dev[PATH_MAX]; 171 size_t len; 172 int fd = -1; 173 174 atf_tc_skip("The test case causes a panic (PR kern/38889, kern/46592)"); 175 176 ATF_REQUIRE(sysctl(mib, miblen, NULL, &len, NULL, 0) == 0); 177 drives = malloc(len); 178 ATF_REQUIRE(drives != NULL); 179 ATF_REQUIRE(sysctl(mib, miblen, drives, &len, NULL, 0) == 0); 180 for (dk = strtok(drives, " "); dk != NULL; dk = strtok(NULL, " ")) { 181 sprintf(dev, _PATH_DEV "%s%c", dk, 'a'+RAW_PART); 182 fprintf(stderr, "trying: %s\n", dev); 183 184 if ((fd = open(dev, O_RDONLY)) >= 0) { 185 (void)fprintf(stderr, "using %s\n", dev); 186 break; 187 } 188 } 189 free(drives); 190 191 if (fd < 0) 192 atf_tc_skip("failed to find suitable block device"); 193 194 map = mmap(NULL, 4096, PROT_READ, MAP_FILE, fd, 0); 195 ATF_REQUIRE(map != MAP_FAILED); 196 197 (void)fprintf(stderr, "first byte %x\n", *map); 198 ATF_REQUIRE(close(fd) == 0); 199 (void)fprintf(stderr, "first byte %x\n", *map); 200 201 ATF_REQUIRE(munmap(map, 4096) == 0); 202 } 203 204 ATF_TC(mmap_err); 205 ATF_TC_HEAD(mmap_err, tc) 206 { 207 atf_tc_set_md_var(tc, "descr", "Test error conditions of mmap(2)"); 208 } 209 210 ATF_TC_BODY(mmap_err, tc) 211 { 212 size_t addr = SIZE_MAX; 213 void *map; 214 215 errno = 0; 216 map = mmap(NULL, 3, PROT_READ, MAP_FILE|MAP_PRIVATE, -1, 0); 217 218 ATF_REQUIRE(map == MAP_FAILED); 219 ATF_REQUIRE(errno == EBADF); 220 221 errno = 0; 222 map = mmap(&addr, page, PROT_READ, MAP_FIXED|MAP_PRIVATE, -1, 0); 223 224 ATF_REQUIRE(map == MAP_FAILED); 225 ATF_REQUIRE(errno == EINVAL); 226 227 errno = 0; 228 map = mmap(NULL, page, PROT_READ, MAP_ANON|MAP_PRIVATE, INT_MAX, 0); 229 230 ATF_REQUIRE(map == MAP_FAILED); 231 ATF_REQUIRE(errno == EINVAL); 232 } 233 234 ATF_TC_WITH_CLEANUP(mmap_loan); 235 ATF_TC_HEAD(mmap_loan, tc) 236 { 237 atf_tc_set_md_var(tc, "descr", "Test uvm page loanout with mmap(2)"); 238 } 239 240 ATF_TC_BODY(mmap_loan, tc) 241 { 242 char buf[BUFSIZE]; 243 char *vp, *vp2; 244 int fd; 245 246 fd = open(path, O_RDWR | O_CREAT, 0600); 247 ATF_REQUIRE(fd >= 0); 248 249 (void)memset(buf, 'x', sizeof(buf)); 250 (void)write(fd, buf, sizeof(buf)); 251 252 vp = mmap(NULL, BUFSIZE, PROT_READ | PROT_WRITE, 253 MAP_FILE | MAP_PRIVATE, fd, 0); 254 255 ATF_REQUIRE(vp != MAP_FAILED); 256 257 vp2 = vp; 258 259 testloan(vp, vp2, 'A', 0); 260 testloan(vp, vp2, 'B', 1); 261 262 ATF_REQUIRE(munmap(vp, BUFSIZE) == 0); 263 264 vp = mmap(NULL, BUFSIZE, PROT_READ | PROT_WRITE, 265 MAP_FILE | MAP_SHARED, fd, 0); 266 267 vp2 = mmap(NULL, BUFSIZE, PROT_READ | PROT_WRITE, 268 MAP_FILE | MAP_SHARED, fd, 0); 269 270 ATF_REQUIRE(vp != MAP_FAILED); 271 ATF_REQUIRE(vp2 != MAP_FAILED); 272 273 testloan(vp, vp2, 'E', 1); 274 275 ATF_REQUIRE(munmap(vp, BUFSIZE) == 0); 276 ATF_REQUIRE(munmap(vp2, BUFSIZE) == 0); 277 } 278 279 ATF_TC_CLEANUP(mmap_loan, tc) 280 { 281 (void)unlink(path); 282 } 283 284 ATF_TC_WITH_CLEANUP(mmap_prot_1); 285 ATF_TC_HEAD(mmap_prot_1, tc) 286 { 287 atf_tc_set_md_var(tc, "descr", "Test mmap(2) protections, #1"); 288 } 289 290 ATF_TC_BODY(mmap_prot_1, tc) 291 { 292 void *map; 293 int fd; 294 295 /* 296 * Open a file write-only and try to 297 * map it read-only. This should fail. 298 */ 299 fd = open(path, O_WRONLY | O_CREAT, 0700); 300 301 if (fd < 0) 302 return; 303 304 ATF_REQUIRE(write(fd, "XXX", 3) == 3); 305 306 map = mmap(NULL, 3, PROT_READ, MAP_FILE|MAP_PRIVATE, fd, 0); 307 map_check(map, 1); 308 309 map = mmap(NULL, 3, PROT_WRITE, MAP_FILE|MAP_PRIVATE, fd, 0); 310 map_check(map, 0); 311 312 ATF_REQUIRE(close(fd) == 0); 313 } 314 315 ATF_TC_CLEANUP(mmap_prot_1, tc) 316 { 317 (void)unlink(path); 318 } 319 320 ATF_TC(mmap_prot_2); 321 ATF_TC_HEAD(mmap_prot_2, tc) 322 { 323 atf_tc_set_md_var(tc, "descr", "Test mmap(2) protections, #2"); 324 } 325 326 ATF_TC_BODY(mmap_prot_2, tc) 327 { 328 char buf[2]; 329 void *map; 330 pid_t pid; 331 int sta; 332 333 /* 334 * Make a PROT_NONE mapping and try to access it. 335 * If we catch a SIGSEGV, all works as expected. 336 */ 337 map = mmap(NULL, page, PROT_NONE, MAP_ANON|MAP_PRIVATE, -1, 0); 338 ATF_REQUIRE(map != MAP_FAILED); 339 340 pid = fork(); 341 ATF_REQUIRE(pid >= 0); 342 343 if (pid == 0) { 344 ATF_REQUIRE(signal(SIGSEGV, map_sighandler) != SIG_ERR); 345 ATF_REQUIRE(strlcpy(buf, map, sizeof(buf)) != 0); 346 } 347 348 (void)wait(&sta); 349 350 ATF_REQUIRE(WIFEXITED(sta) != 0); 351 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV); 352 ATF_REQUIRE(munmap(map, page) == 0); 353 } 354 355 ATF_TC_WITH_CLEANUP(mmap_prot_3); 356 ATF_TC_HEAD(mmap_prot_3, tc) 357 { 358 atf_tc_set_md_var(tc, "descr", "Test mmap(2) protections, #3"); 359 } 360 361 ATF_TC_BODY(mmap_prot_3, tc) 362 { 363 char buf[2]; 364 int fd, sta; 365 void *map; 366 pid_t pid; 367 368 /* 369 * Open a file, change the permissions 370 * to read-only, and try to map it as 371 * PROT_NONE. This should succeed, but 372 * the access should generate SIGSEGV. 373 */ 374 fd = open(path, O_RDWR | O_CREAT, 0700); 375 376 if (fd < 0) 377 return; 378 379 ATF_REQUIRE(write(fd, "XXX", 3) == 3); 380 ATF_REQUIRE(close(fd) == 0); 381 ATF_REQUIRE(chmod(path, 0444) == 0); 382 383 fd = open(path, O_RDONLY); 384 ATF_REQUIRE(fd != -1); 385 386 map = mmap(NULL, 3, PROT_NONE, MAP_FILE | MAP_SHARED, fd, 0); 387 ATF_REQUIRE(map != MAP_FAILED); 388 389 pid = fork(); 390 391 ATF_REQUIRE(pid >= 0); 392 393 if (pid == 0) { 394 ATF_REQUIRE(signal(SIGSEGV, map_sighandler) != SIG_ERR); 395 ATF_REQUIRE(strlcpy(buf, map, sizeof(buf)) != 0); 396 } 397 398 (void)wait(&sta); 399 400 ATF_REQUIRE(WIFEXITED(sta) != 0); 401 ATF_REQUIRE(WEXITSTATUS(sta) == SIGSEGV); 402 ATF_REQUIRE(munmap(map, 3) == 0); 403 } 404 405 ATF_TC_CLEANUP(mmap_prot_3, tc) 406 { 407 (void)unlink(path); 408 } 409 410 ATF_TC_WITH_CLEANUP(mmap_truncate); 411 ATF_TC_HEAD(mmap_truncate, tc) 412 { 413 atf_tc_set_md_var(tc, "descr", "Test mmap(2) and ftruncate(2)"); 414 } 415 416 ATF_TC_BODY(mmap_truncate, tc) 417 { 418 char *map; 419 long i; 420 int fd; 421 422 fd = open(path, O_RDWR | O_CREAT, 0700); 423 424 if (fd < 0) 425 return; 426 427 /* 428 * See that ftruncate(2) works 429 * while the file is mapped. 430 */ 431 ATF_REQUIRE(ftruncate(fd, page) == 0); 432 433 map = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_FILE|MAP_PRIVATE, 434 fd, 0); 435 ATF_REQUIRE(map != MAP_FAILED); 436 437 for (i = 0; i < page; i++) 438 map[i] = 'x'; 439 440 ATF_REQUIRE(ftruncate(fd, 0) == 0); 441 ATF_REQUIRE(ftruncate(fd, page / 8) == 0); 442 ATF_REQUIRE(ftruncate(fd, page / 4) == 0); 443 ATF_REQUIRE(ftruncate(fd, page / 2) == 0); 444 ATF_REQUIRE(ftruncate(fd, page / 12) == 0); 445 ATF_REQUIRE(ftruncate(fd, page / 64) == 0); 446 447 (void)munmap(map, page); 448 ATF_REQUIRE(close(fd) == 0); 449 } 450 451 ATF_TC_CLEANUP(mmap_truncate, tc) 452 { 453 (void)unlink(path); 454 } 455 456 ATF_TC_WITH_CLEANUP(mmap_truncate_signal); 457 ATF_TC_HEAD(mmap_truncate_signal, tc) 458 { 459 atf_tc_set_md_var(tc, "descr", 460 "Test mmap(2) ftruncate(2) causing signal"); 461 } 462 463 ATF_TC_BODY(mmap_truncate_signal, tc) 464 { 465 char *map; 466 long i; 467 int fd, sta; 468 pid_t pid; 469 470 fd = open(path, O_RDWR | O_CREAT, 0700); 471 472 if (fd < 0) 473 return; 474 475 ATF_REQUIRE(write(fd, "foo\n", 5) == 5); 476 477 map = mmap(NULL, page, PROT_READ, MAP_FILE|MAP_PRIVATE, fd, 0); 478 ATF_REQUIRE(map != MAP_FAILED); 479 480 sta = 0; 481 for (i = 0; i < 5; i++) 482 sta += map[i]; 483 ATF_REQUIRE(sta == 334); 484 485 ATF_REQUIRE(ftruncate(fd, 0) == 0); 486 pid = fork(); 487 ATF_REQUIRE(pid >= 0); 488 489 if (pid == 0) { 490 ATF_REQUIRE(signal(SIGBUS, map_sighandler) != SIG_ERR); 491 ATF_REQUIRE(signal(SIGSEGV, map_sighandler) != SIG_ERR); 492 sta = 0; 493 for (i = 0; i < page; i++) 494 sta += map[i]; 495 /* child never will get this far, but the compiler will 496 not know, so better use the values calculated to 497 prevent the access to be optimized out */ 498 ATF_REQUIRE(i == 0); 499 ATF_REQUIRE(sta == 0); 500 (void)munmap(map, page); 501 (void)close(fd); 502 return; 503 } 504 505 (void)wait(&sta); 506 507 ATF_REQUIRE(WIFEXITED(sta) != 0); 508 if (WEXITSTATUS(sta) == SIGSEGV) 509 atf_tc_fail("child process got SIGSEGV instead of SIGBUS"); 510 ATF_REQUIRE(WEXITSTATUS(sta) == SIGBUS); 511 ATF_REQUIRE(munmap(map, page) == 0); 512 ATF_REQUIRE(close(fd) == 0); 513 } 514 515 ATF_TC_CLEANUP(mmap_truncate_signal, tc) 516 { 517 (void)unlink(path); 518 } 519 520 ATF_TC(mmap_va0); 521 ATF_TC_HEAD(mmap_va0, tc) 522 { 523 atf_tc_set_md_var(tc, "descr", "Test mmap(2) and vm.user_va0_disable"); 524 } 525 526 ATF_TC_BODY(mmap_va0, tc) 527 { 528 int flags = MAP_ANON | MAP_FIXED | MAP_PRIVATE; 529 size_t len = sizeof(int); 530 void *map; 531 int val; 532 533 /* 534 * Make an anonymous fixed mapping at zero address. If the address 535 * is restricted as noted in security(7), the syscall should fail. 536 */ 537 if (sysctlbyname("vm.user_va0_disable", &val, &len, NULL, 0) != 0) 538 atf_tc_fail("failed to read vm.user_va0_disable"); 539 540 map = mmap(NULL, page, PROT_EXEC, flags, -1, 0); 541 map_check(map, val); 542 543 map = mmap(NULL, page, PROT_READ, flags, -1, 0); 544 map_check(map, val); 545 546 map = mmap(NULL, page, PROT_WRITE, flags, -1, 0); 547 map_check(map, val); 548 549 map = mmap(NULL, page, PROT_READ|PROT_WRITE, flags, -1, 0); 550 map_check(map, val); 551 552 map = mmap(NULL, page, PROT_EXEC|PROT_READ|PROT_WRITE, flags, -1, 0); 553 map_check(map, val); 554 } 555 556 ATF_TP_ADD_TCS(tp) 557 { 558 page = sysconf(_SC_PAGESIZE); 559 ATF_REQUIRE(page >= 0); 560 561 ATF_TP_ADD_TC(tp, mmap_block); 562 ATF_TP_ADD_TC(tp, mmap_err); 563 ATF_TP_ADD_TC(tp, mmap_loan); 564 ATF_TP_ADD_TC(tp, mmap_prot_1); 565 ATF_TP_ADD_TC(tp, mmap_prot_2); 566 ATF_TP_ADD_TC(tp, mmap_prot_3); 567 ATF_TP_ADD_TC(tp, mmap_truncate); 568 ATF_TP_ADD_TC(tp, mmap_truncate_signal); 569 ATF_TP_ADD_TC(tp, mmap_va0); 570 571 return atf_no_error(); 572 } 573