]> git.saurik.com Git - apple/xnu.git/blob - san/kasan-test.c
projects / apple / xnu.git / blob
? search:


820af1b7f17441672d3ce20bb73ce106f6c844e4
[apple/xnu.git] / san / kasan-test.c
1 /*
2 * Copyright (c) 2016 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <stdint.h>
30 #include <string.h>
31 #include <vm/vm_map.h>
32 #include <kern/assert.h>
33 #include <kern/locks.h>
34 #include <kern/kalloc.h>
35 #include <kern/simple_lock.h>
36 #include <kern/debug.h>
37 #include <mach/mach_vm.h>
38 #include <mach/vm_param.h>
39 #include <libkern/libkern.h>
40 #include <libkern/kernel_mach_header.h>
41 #include <sys/queue.h>
42 #include <kasan.h>
43 #include <kasan_internal.h>
44 #include <memintrinsics.h>
45
46 #define STATIC_ARRAY_SZ 66
47 #define STACK_ARRAY_SZ 9
48 #define BUFSZ 34
49 #define LBUFSZ 255
50
51 enum {
52 TEST_PASS,
53 TEST_FAIL_NOFAULT,
54 TEST_FAIL_BADFAULT,
55 TEST_SETUP_FAIL = 1,
56 TEST_INVALID,
57 TEST_UNKNOWN
58 };
59
60 unsigned long static_array[STATIC_ARRAY_SZ];
61
62 static jmp_buf jbuf;
63 static volatile int in_test = 0;
64
65 struct kasan_test {
66 int (* func)(struct kasan_test *);
67 void (* cleanup)(struct kasan_test *);
68 const char *name;
69 int result;
70 void *data;
71 size_t datasz;
72 };
73
74 #define TEST_BARRIER() do { __asm__ __volatile__ ("" ::: "memory"); } while(0)
75 #define TEST_START(t) do { t->result = 1; TEST_BARRIER(); } while (0)
76 #define TEST_FAULT(t) do { TEST_BARRIER(); t->result = 0; TEST_BARRIER(); } while (0)
77 #define TEST_NOFAULT(t) do { TEST_BARRIER(); t->result = 1; TEST_BARRIER(); } while (0)
78 #define TEST_DONE(t,res) do { t->result = (res); kasan_handle_test(); } while (0)
79 #define DECLARE_TEST(f,s) { .func = f, .name = s }
80 #define DECLARE_TEST3(f,c,s) { .func = f, .cleanup = c, .name = s }
81
82 static void heap_cleanup(struct kasan_test *t)
83 {
84 if (t->data) {
85 kfree(t->data, t->datasz);
86 t->data = NULL;
87 }
88 }
89
90 static int test_global_overflow(struct kasan_test __unused *t)
91 {
92 int i;
93 /* rookie error */
94 for (i = 0; i <= STATIC_ARRAY_SZ; i++) {
95 static_array[i] = i;
96 }
97 return 0;
98 }
99
100 static int test_heap_underflow(struct kasan_test __unused *t)
101 {
102 uint8_t *x = kalloc(BUFSZ);
103 if (!x) {
104 return 1;
105 }
106 t->datasz = BUFSZ;
107 t->data = x;
108 x[-1] = 0x12;
109 return 0;
110 }
111
112 static int test_heap_overflow(struct kasan_test __unused *t)
113 {
114 uint8_t *x = kalloc(BUFSZ);
115 if (!x) {
116 return 1;
117 }
118 t->datasz = BUFSZ;
119 t->data = x;
120 x[BUFSZ] = 0x11;
121 return 0;
122 }
123
124 static int test_heap_uaf(struct kasan_test __unused *t)
125 {
126 uint8_t *x = kalloc(LBUFSZ);
127 if (!x) {
128 return 1;
129 }
130 kfree(x, LBUFSZ);
131 x[0] = 0x10;
132 return 0;
133 }
134
135 static int test_heap_inval_free(struct kasan_test __unused *t)
136 {
137 int x;
138 kfree(&x, BUFSZ);
139 return 0;
140 }
141
142 static int test_heap_double_free(struct kasan_test *t)
143 {
144 TEST_START(t);
145
146 uint8_t *x = kalloc(BUFSZ);
147 if (!x) {
148 return 1;
149 }
150 kfree(x, BUFSZ);
151
152 TEST_FAULT(t);
153 kfree(x, BUFSZ);
154
155 return 0;
156 }
157
158 static int test_heap_small_free(struct kasan_test *t)
159 {
160 TEST_START(t);
161
162 uint8_t *x = kalloc(BUFSZ);
163 if (!x) {
164 return 1;
165 }
166 t->datasz = BUFSZ;
167 t->data = x;
168
169 TEST_FAULT(t);
170 kfree(x, BUFSZ-2);
171 t->data = NULL;
172 t->datasz = 0;
173
174 return 0;
175 }
176
177 static int test_stack_overflow(struct kasan_test *t)
178 {
179 TEST_START(t);
180
181 int i;
182 volatile uint8_t a[STACK_ARRAY_SZ];
183
184 for (i = 0; i < STACK_ARRAY_SZ; i++) {
185 a[i] = i;
186 }
187
188 TEST_FAULT(t);
189 a[i] = i; /* rookie error */
190 TEST_NOFAULT(t);
191
192 TEST_BARRIER();
193
194 return !(a[0] == 0);
195 }
196
197 static int test_stack_underflow(struct kasan_test *t)
198 {
199 TEST_START(t);
200
201 long idx;
202 uint8_t a[STACK_ARRAY_SZ];
203
204 __nosan_memset(a, 0, STACK_ARRAY_SZ);
205
206 /* generate a negative index without the compiler noticing */
207 #if __x86_64__
208 __asm__ __volatile__("movq $-1, %0" : "=r"(idx) :: "memory");
209 #else
210 __asm__ __volatile__("mov %0, #-1" : "=r"(idx) :: "memory");
211 #endif
212
213 TEST_FAULT(t);
214 a[idx] = 0xbd;
215 TEST_NOFAULT(t);
216
217 TEST_BARRIER();
218 return (a[0] == 0);
219 }
220
221 static int test_memcpy(struct kasan_test *t)
222 {
223 TEST_START(t);
224 uint8_t a1[STACK_ARRAY_SZ];
225 uint8_t a2[STACK_ARRAY_SZ];
226
227 /* should work */
228 memcpy(a1, a2, STACK_ARRAY_SZ);
229
230 TEST_BARRIER();
231
232 /* should fail */
233 TEST_FAULT(t);
234 memcpy(a2, a1, STACK_ARRAY_SZ+1);
235 TEST_NOFAULT(t);
236
237 return 0;
238 }
239
240 static int test_memmove(struct kasan_test *t)
241 {
242 TEST_START(t);
243 uint8_t a1[STACK_ARRAY_SZ];
244 uint8_t a2[STACK_ARRAY_SZ];
245
246 /* should work */
247 memmove(a1, a2, STACK_ARRAY_SZ);
248
249 TEST_BARRIER();
250
251 /* should fail */
252 TEST_FAULT(t);
253 memmove(a2, a1, STACK_ARRAY_SZ+1);
254 TEST_NOFAULT(t);
255
256 return 0;
257 }
258
259 static int test_bcopy(struct kasan_test *t)
260 {
261 TEST_START(t);
262 uint8_t a1[STACK_ARRAY_SZ];
263 uint8_t a2[STACK_ARRAY_SZ];
264
265 /* should work */
266 bcopy(a1, a2, STACK_ARRAY_SZ);
267
268 TEST_BARRIER();
269
270 /* should fail */
271 TEST_FAULT(t);
272 bcopy(a2, a1, STACK_ARRAY_SZ+1);
273 TEST_NOFAULT(t);
274
275 return 0;
276 }
277
278 static int test_memset(struct kasan_test *t)
279 {
280 TEST_START(t);
281 uint8_t a1[STACK_ARRAY_SZ];
282
283 /* should work */
284 memset(a1, 'e', STACK_ARRAY_SZ);
285
286 TEST_BARRIER();
287
288 /* should fail */
289 TEST_FAULT(t);
290 memset(a1, 'f', STACK_ARRAY_SZ+1);
291 TEST_NOFAULT(t);
292
293 return 0;
294 }
295
296 static int test_memcmp(struct kasan_test *t)
297 {
298 TEST_START(t);
299 uint8_t *a1;
300 uint8_t *a2;
301
302 a1 = kalloc(STACK_ARRAY_SZ);
303 if (!a1)
304 return 1;
305 a2 = kalloc(STACK_ARRAY_SZ+1);
306 if (!a2)
307 return 1;
308
309 /* should work */
310 memcmp(a1, a2, STACK_ARRAY_SZ);
311 memcmp(a1, a2+1, STACK_ARRAY_SZ);
312
313 TEST_BARRIER();
314
315 /* should fail */
316 TEST_FAULT(t);
317 memcmp(a1, a2, STACK_ARRAY_SZ+1);
318 TEST_NOFAULT(t);
319
320 return 0;
321 }
322
323 static int test_bcmp(struct kasan_test *t)
324 {
325 TEST_START(t);
326 uint8_t *a1;
327 uint8_t *a2;
328
329 a1 = kalloc(STACK_ARRAY_SZ);
330 if (!a1)
331 return 1;
332 a2 = kalloc(STACK_ARRAY_SZ+1);
333 if (!a2)
334 return 1;
335
336 /* should work */
337 bcmp(a1, a2, STACK_ARRAY_SZ);
338 bcmp(a1, a2+1, STACK_ARRAY_SZ);
339
340 TEST_BARRIER();
341
342 /* should fail */
343 TEST_FAULT(t);
344 bcmp(a1, a2, STACK_ARRAY_SZ+1);
345 TEST_NOFAULT(t);
346
347 return 0;
348 }
349
350 static int test_bzero(struct kasan_test *t)
351 {
352 TEST_START(t);
353 uint8_t a1[STACK_ARRAY_SZ];
354
355 /* should work */
356 bzero(a1, STACK_ARRAY_SZ);
357
358 TEST_BARRIER();
359
360 /* should fail */
361 TEST_FAULT(t);
362 bzero(a1, STACK_ARRAY_SZ+1);
363 TEST_NOFAULT(t);
364
365 return 0;
366 }
367
368 static int test_strlcpy(struct kasan_test *t)
369 {
370 TEST_START(t);
371 char a1[8];
372
373 /* should not fault */
374 strlcpy(a1, "small", 8);
375 strlcpy(a1, "looooonnnnggg", 8);
376
377 TEST_FAULT(t);
378 strlcpy(a1, "looooooooonnnnggg", 9);
379 TEST_NOFAULT(t);
380
381 return 0;
382 }
383
384 static int test_strncpy(struct kasan_test *t)
385 {
386 TEST_START(t);
387 char a1[9];
388
389 /* should not fault */
390 strncpy(a1, "small", 9);
391 strncpy(a1, "looooonnnnggg", 9);
392
393 TEST_FAULT(t);
394 strncpy(a1, "looooonnnnggg", 10);
395 TEST_NOFAULT(t);
396
397 return a1[0] != 'l';
398 }
399
400 static int test_strlcat(struct kasan_test *t)
401 {
402 TEST_START(t);
403 char a1[9] = {};
404
405 /* should not fault */
406 strlcat(a1, "abcd", 9);
407 strlcat(a1, "efgh", 9);
408 strlcat(a1, "ijkl", 9);
409 a1[0] = '\0';
410 strlcat(a1, "looooonnnnggg", 9);
411
412 a1[0] = '\0';
413 TEST_FAULT(t);
414 strlcat(a1, "looooonnnnggg", 10);
415 TEST_NOFAULT(t);
416
417 return a1[0] != 'l';
418 }
419
420 static int test_strncat(struct kasan_test *t)
421 {
422 TEST_START(t);
423 char a1[9] = {};
424
425 /* should not fault */
426 strncat(a1, "abcd", 4);
427 strncat(a1, "efgh", 4);
428
429 TEST_FAULT(t);
430 strncat(a1, "i", 1);
431 TEST_NOFAULT(t);
432
433 return a1[0] != 'a';
434 }
435
436 /* we ignore the top *two* frames in backtrace - so add an extra one */
437 static int NOINLINE test_blacklist_helper(void)
438 {
439 return kasan_is_blacklisted(TYPE_TEST);
440 }
441
442 static int NOINLINE test_blacklist(struct kasan_test *t)
443 {
444 TEST_START(t);
445 int res = (int)!test_blacklist_helper();
446 TEST_DONE(t, res);
447 return 0;
448 }
449
450 static int NOINLINE test_blacklist_str(struct kasan_test *t)
451 {
452 TEST_START(t);
453 char a1[8];
454
455 strlcpy(a1, "looooooooonnnnggg", 9);
456
457 TEST_DONE(t, 0); /* success */
458 return 0;
459 }
460
461 #if 0
462 static int test_strnlen(struct kasan_test *t)
463 {
464 TEST_START(t);
465 const char *a1 = "abcdef";
466
467 /* should not fault */
468 if (strnlen(a1, 6) != 6)
469 return 1;
470 if (strnlen(a1, 7) != 6)
471 return 1;
472
473 TEST_FAULT(t);
474 if (strnlen(a1, 8) != 6)
475 return 1;
476 TEST_NOFAULT(t);
477
478 return a1[0] != 'a';
479 }
480 #endif
481
482 int *uaf_ptr;
483 static int * NOINLINE
484 stack_uaf_helper(void)
485 {
486 int x;
487 uaf_ptr = &x;
488 return uaf_ptr;
489 }
490
491 static int test_stack_uaf(struct kasan_test __unused *t)
492 {
493 int *x = stack_uaf_helper();
494 *x = 0xb4d;
495 TEST_BARRIER();
496 return !(*x == 0xb4d);
497 }
498
499 static struct kasan_test xnu_tests[] = {
500 DECLARE_TEST(NULL, NULL),
501 DECLARE_TEST(test_global_overflow, "Global overflow"),
502 DECLARE_TEST3(test_heap_underflow, heap_cleanup, "Heap underflow"),
503 DECLARE_TEST3(test_heap_overflow, heap_cleanup, "Heap overflow"),
504 DECLARE_TEST(test_heap_uaf, "Heap use-after-free"),
505 DECLARE_TEST(test_heap_inval_free, "Heap invalid free"),
506 DECLARE_TEST(test_heap_double_free,"Heap double free"),
507 DECLARE_TEST3(test_heap_small_free, heap_cleanup, "Heap small free"),
508 DECLARE_TEST(test_stack_overflow, "Stack overflow"),
509 DECLARE_TEST(test_stack_underflow, "Stack underflow"),
510 DECLARE_TEST(test_stack_uaf, "Stack use-after-return"),
511 DECLARE_TEST(test_memcpy, "memcpy"),
512 DECLARE_TEST(test_memmove, "memmmove"),
513 DECLARE_TEST(test_bcopy, "bcopy"),
514 DECLARE_TEST(test_memset, "memset"),
515 DECLARE_TEST(test_memcmp, "memcmp"),
516 DECLARE_TEST(test_bcmp, "bcmp"),
517 DECLARE_TEST(test_bzero, "bzero"),
518 DECLARE_TEST(test_strlcpy, "strlcpy"),
519 DECLARE_TEST(test_strlcat, "strlcat"),
520 DECLARE_TEST(test_strncpy, "strncpy"),
521 DECLARE_TEST(test_strncat, "strncat"),
522 DECLARE_TEST(test_blacklist, "blacklist"),
523 DECLARE_TEST(test_blacklist_str, "blacklist_str"),
524 // DECLARE_TEST(test_strnlen, "strnlen"),
525 };
526 static int num_xnutests = sizeof(xnu_tests)/sizeof(xnu_tests[0]);
527
528 static int
529 kasan_run_test(struct kasan_test *test_list, int testno, int fail)
530 {
531 int status = TEST_UNKNOWN;
532 struct kasan_test *t = &test_list[testno];
533
534 if (testno < 0 || testno >= num_xnutests || !t->func) {
535 printf("KASan: test.%02d INVALID\n", testno);
536 return TEST_INVALID;
537 }
538
539 // printf("KASan: test.%02d RUNNING (%s)\n", testno, t->name);
540
541 if (!fail) {
542 in_test = 1;
543 }
544
545 if (_setjmp(jbuf) == 0) {
546 t->result = 0;
547 int ret = t->func(t);
548 if (ret) {
549 printf("KASan: test.%02d SETUP FAIL (%s)\n", testno, t->name);
550 status = ret;
551 } else {
552 /* did not fault when it should have */
553 printf("KASan: test.%02d FAIL (%s)\n", testno, t->name);
554 status = TEST_FAIL_NOFAULT;
555 }
556 } else {
557 /* Triggering a KASan violation will return here by longjmp, bypassing
558 * stack unpoisoning, so do it here explicitly. We just hope that
559 * fakestack free will happen later... */
560 kasan_unpoison_curstack();
561
562 if (t->result) {
563 /* faulted, but at the wrong place */
564 printf("KASan: test.%02d FAIL %d (%s)\n", testno, t->result, t->name);
565 status = TEST_FAIL_BADFAULT;
566 } else {
567 printf("KASan: test.%02d PASS (%s)\n", testno, t->name);
568 status = TEST_PASS;
569 }
570 }
571 in_test = 0;
572 if (t->cleanup) {
573 t->cleanup(t);
574 }
575
576 return status;
577 }
578
579 void
580 kasan_test(int testno, int fail)
581 {
582 int i = 1;
583 int pass = 0, total = 0;
584 int ret;
585
586 if (testno == -1) {
587 /* shorthand for all tests */
588 testno = (1U << (num_xnutests-1)) - 1;
589 }
590
591 while (testno) {
592 if (testno & 0x1) {
593 ret = kasan_run_test(xnu_tests, i, fail);
594 if (ret == TEST_PASS) {
595 pass++;
596 }
597 if (ret != TEST_INVALID) {
598 total++;
599 }
600 }
601
602 i++;
603 testno >>= 1;
604 }
605 printf("KASan: TEST SUMMARY %d/%d passed\n", pass, total);
606 }
607
608 void
609 kasan_handle_test(void)
610 {
611 if (in_test) {
612 _longjmp(jbuf, 1);
613 /* NOTREACHED */
614 }
615 }
616
617 void
618 __kasan_runtests(struct kasan_test *kext_tests, int numtests)
619 {
620 int i;
621 for (i = 0; i < numtests; i++) {
622 kasan_run_test(kext_tests, i, 0);
623 }
624 }
mirror of XNU