1/*-
2 * Copyright (c) 2009	Simon L. Nielsen <simon@FreeBSD.org>,
3 * 			Bjoern A. Zeeb <bz@FreeBSD.org>
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/param.h>
28#include <sys/mman.h>
29#include <sys/sysctl.h>
30
31#include <atf-c.h>
32#include <errno.h>
33#include <fcntl.h>
34#include <stdarg.h>
35#include <stdbool.h>
36#include <stdio.h>
37#include <stdlib.h>
38
39static const struct {
40	void	*addr;
41	int	ok[2];	/* Depending on security.bsd.map_at_zero {0, !=0}. */
42} map_at_zero_tests[] = {
43	{ (void *)0,			{ 0, 1 } }, /* Test sysctl. */
44	{ (void *)1,			{ 0, 0 } },
45	{ (void *)(PAGE_SIZE - 1),	{ 0, 0 } },
46	{ (void *)PAGE_SIZE,		{ 1, 1 } },
47	{ (void *)-1,			{ 0, 0 } },
48	{ (void *)(-PAGE_SIZE),		{ 0, 0 } },
49	{ (void *)(-1 - PAGE_SIZE),	{ 0, 0 } },
50	{ (void *)(-1 - PAGE_SIZE - 1),	{ 0, 0 } },
51	{ (void *)(0x1000 * PAGE_SIZE),	{ 1, 1 } },
52};
53
54#define	MAP_AT_ZERO	"security.bsd.map_at_zero"
55
56#ifdef __LP64__
57#define ALLOW_WX "kern.elf64.allow_wx"
58#else
59#define ALLOW_WX "kern.elf32.allow_wx"
60#endif
61
62ATF_TC_WITHOUT_HEAD(mmap__map_at_zero);
63ATF_TC_BODY(mmap__map_at_zero, tc)
64{
65	void *p;
66	size_t len;
67	unsigned int i;
68	int map_at_zero;
69	bool allow_wx;
70	int prot_flags;
71
72	len = sizeof(map_at_zero);
73	if (sysctlbyname(MAP_AT_ZERO, &map_at_zero, &len, NULL, 0) == -1) {
74		atf_tc_skip("sysctl for %s failed: %s\n", MAP_AT_ZERO,
75		    strerror(errno));
76		return;
77	}
78
79	len = sizeof(allow_wx);
80	if (sysctlbyname(ALLOW_WX, &allow_wx, &len, NULL, 0) == -1) {
81		if (errno == ENOENT) {
82			/* Allow W+X if sysctl isn't present */
83			allow_wx = true;
84		} else {
85			atf_tc_skip("sysctl for %s failed: %s\n", ALLOW_WX,
86			    strerror(errno));
87			return;
88		}
89	}
90
91	/* Normalize to 0 or 1 for array access. */
92	map_at_zero = !!map_at_zero;
93
94	for (i = 0; i < nitems(map_at_zero_tests); i++) {
95		prot_flags = PROT_READ | PROT_WRITE;
96		if (allow_wx)
97			prot_flags |= PROT_EXEC;
98		p = mmap((void *)map_at_zero_tests[i].addr, PAGE_SIZE,
99		    prot_flags, MAP_ANON | MAP_FIXED, -1, 0);
100		if (p == MAP_FAILED) {
101			ATF_CHECK_MSG(map_at_zero_tests[i].ok[map_at_zero] == 0,
102			    "mmap(%p, ...) failed", map_at_zero_tests[i].addr);
103		} else {
104			ATF_CHECK_MSG(map_at_zero_tests[i].ok[map_at_zero] == 1,
105			    "mmap(%p, ...) succeeded: p=%p\n",
106			    map_at_zero_tests[i].addr, p);
107		}
108	}
109}
110
111static void
112checked_mmap(int prot, int flags, int fd, int error, const char *msg)
113{
114	void *p;
115	int pagesize;
116
117	ATF_REQUIRE((pagesize = getpagesize()) > 0);
118	p = mmap(NULL, pagesize, prot, flags, fd, 0);
119	if (p == MAP_FAILED) {
120		if (error == 0)
121			ATF_CHECK_MSG(0, "%s failed with errno %d", msg,
122			    errno);
123		else
124			ATF_CHECK_EQ_MSG(error, errno,
125			    "%s failed with wrong errno %d (expected %d)", msg,
126			    errno, error);
127	} else {
128		ATF_CHECK_MSG(error == 0, "%s succeeded", msg);
129		munmap(p, pagesize);
130	}
131}
132
133ATF_TC_WITHOUT_HEAD(mmap__bad_arguments);
134ATF_TC_BODY(mmap__bad_arguments, tc)
135{
136	int devstatfd, pagesize, shmfd, zerofd;
137
138	ATF_REQUIRE((pagesize = getpagesize()) > 0);
139	ATF_REQUIRE((devstatfd = open("/dev/devstat", O_RDONLY)) >= 0);
140	ATF_REQUIRE((shmfd = shm_open(SHM_ANON, O_RDWR, 0644)) >= 0);
141	ATF_REQUIRE(ftruncate(shmfd, pagesize) == 0);
142	ATF_REQUIRE((zerofd = open("/dev/zero", O_RDONLY)) >= 0);
143
144	/* These should work. */
145	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON, -1, 0,
146	    "simple MAP_ANON");
147	checked_mmap(PROT_READ | PROT_WRITE, MAP_SHARED, shmfd, 0,
148	    "simple shm fd shared");
149	checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE, shmfd, 0,
150	    "simple shm fd private");
151	checked_mmap(PROT_READ, MAP_SHARED, zerofd, 0,
152	    "simple /dev/zero shared");
153	checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE, zerofd, 0,
154	    "simple /dev/zero private");
155	checked_mmap(PROT_READ, MAP_SHARED, devstatfd, 0,
156	    "simple /dev/devstat shared");
157
158	/* Extra PROT flags. */
159	checked_mmap(PROT_READ | PROT_WRITE | 0x100000, MAP_ANON, -1, EINVAL,
160	    "MAP_ANON with extra PROT flags");
161	checked_mmap(0xffff, MAP_SHARED, shmfd, EINVAL,
162	    "shm fd with garbage PROT");
163
164	/* Undefined flag. */
165	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_RESERVED0080, -1,
166	    EINVAL, "Undefined flag");
167
168	/* Both MAP_SHARED and MAP_PRIVATE */
169	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE |
170	    MAP_SHARED, -1, EINVAL, "MAP_ANON with both SHARED and PRIVATE");
171	checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_SHARED, shmfd,
172	    EINVAL, "shm fd with both SHARED and PRIVATE");
173
174	/* At least one of MAP_SHARED or MAP_PRIVATE without ANON */
175	checked_mmap(PROT_READ | PROT_WRITE, 0, shmfd, EINVAL,
176	    "shm fd without sharing flag");
177
178	/* MAP_ANON with either sharing flag (impacts fork). */
179	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0,
180	    "shared MAP_ANON");
181	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0,
182	    "private MAP_ANON");
183
184	/* MAP_ANON should require an fd of -1. */
185	checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, 0, EINVAL,
186	    "MAP_ANON with fd != -1");
187
188	/* Writable MAP_SHARED should fail on read-only descriptors. */
189	checked_mmap(PROT_READ | PROT_WRITE, MAP_SHARED, zerofd, EACCES,
190	    "MAP_SHARED of read-only /dev/zero");
191
192	/*
193	 * Character devices other than /dev/zero do not support private
194	 * mappings.
195	 */
196	checked_mmap(PROT_READ, MAP_PRIVATE, devstatfd, EINVAL,
197	    "MAP_PRIVATE of /dev/devstat");
198
199	close(devstatfd);
200	close(shmfd);
201	close(zerofd);
202}
203
204ATF_TC_WITHOUT_HEAD(mmap__dev_zero_private);
205ATF_TC_BODY(mmap__dev_zero_private, tc)
206{
207	char *p1, *p2, *p3;
208	int fd, i, pagesize;
209
210	ATF_REQUIRE((pagesize = getpagesize()) > 0);
211	ATF_REQUIRE((fd = open("/dev/zero", O_RDONLY)) >= 0);
212
213	p1 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
214	ATF_REQUIRE(p1 != MAP_FAILED);
215
216	p2 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
217	ATF_REQUIRE(p2 != MAP_FAILED);
218
219	for (i = 0; i < pagesize; i++)
220		ATF_REQUIRE_EQ_MSG(0, p1[i], "byte at p1[%d] is %x", i, p1[i]);
221
222	ATF_REQUIRE(memcmp(p1, p2, pagesize) == 0);
223
224	p1[0] = 1;
225
226	ATF_REQUIRE(p2[0] == 0);
227
228	p2[0] = 2;
229
230	ATF_REQUIRE(p1[0] == 1);
231
232	p3 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
233	ATF_REQUIRE(p3 != MAP_FAILED);
234
235	ATF_REQUIRE(p3[0] == 0);
236
237	munmap(p1, pagesize);
238	munmap(p2, pagesize);
239	munmap(p3, pagesize);
240	close(fd);
241}
242
243ATF_TC_WITHOUT_HEAD(mmap__dev_zero_shared);
244ATF_TC_BODY(mmap__dev_zero_shared, tc)
245{
246	char *p1, *p2, *p3;
247	int fd, i, pagesize;
248
249	ATF_REQUIRE((pagesize = getpagesize()) > 0);
250	ATF_REQUIRE((fd = open("/dev/zero", O_RDWR)) >= 0);
251
252	p1 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
253	ATF_REQUIRE(p1 != MAP_FAILED);
254
255	p2 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
256	ATF_REQUIRE(p2 != MAP_FAILED);
257
258	for (i = 0; i < pagesize; i++)
259		ATF_REQUIRE_EQ_MSG(0, p1[i], "byte at p1[%d] is %x", i, p1[i]);
260
261	ATF_REQUIRE(memcmp(p1, p2, pagesize) == 0);
262
263	p1[0] = 1;
264
265	ATF_REQUIRE(p2[0] == 0);
266
267	p2[0] = 2;
268
269	ATF_REQUIRE(p1[0] == 1);
270
271	p3 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd,
272	    0);
273	ATF_REQUIRE(p3 != MAP_FAILED);
274
275	ATF_REQUIRE(p3[0] == 0);
276
277	munmap(p1, pagesize);
278	munmap(p2, pagesize);
279	munmap(p3, pagesize);
280	close(fd);
281}
282
283ATF_TC_WITHOUT_HEAD(mmap__write_only);
284ATF_TC_BODY(mmap__write_only, tc)
285{
286	void *p;
287	int pagesize;
288
289	ATF_REQUIRE((pagesize = getpagesize()) > 0);
290	p = mmap(NULL, pagesize, PROT_WRITE, MAP_ANON, -1, 0);
291	ATF_REQUIRE(p != MAP_FAILED);
292
293	*(volatile uint32_t *)p = 0x12345678;
294
295	munmap(p, pagesize);
296}
297
298ATF_TP_ADD_TCS(tp)
299{
300
301	ATF_TP_ADD_TC(tp, mmap__map_at_zero);
302	ATF_TP_ADD_TC(tp, mmap__bad_arguments);
303	ATF_TP_ADD_TC(tp, mmap__dev_zero_private);
304	ATF_TP_ADD_TC(tp, mmap__dev_zero_shared);
305	ATF_TP_ADD_TC(tp, mmap__write_only);
306
307	return (atf_no_error());
308}
309