]> git.saurik.com Git - apple/xnu.git/blob - tests/shared_cache_reslide_test.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-7195.101.1.tar.gz
[apple/xnu.git] / tests / shared_cache_reslide_test.c
1 #define PRIVATE
2 #include <darwintest.h>
3
4 #include <errno.h>
5 #include <fcntl.h>
6 #include <signal.h>
7 #include <spawn.h>
8 #include <spawn_private.h>
9 #include <stdbool.h>
10 #include <stdint.h>
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 #include <sys/spawn_internal.h>
15 #include <sys/sysctl.h>
16 #include <sys/syslimits.h>
17 #include <sys/reason.h>
18 #include <sysexits.h>
19 #include <unistd.h>
20 #include <signal.h>
21 #include <libproc.h>
22 #undef PRIVATE
23
24 #include <mach-o/dyld.h>
25 #include <mach-o/dyld_priv.h>
26 #include <dlfcn.h>
27
28 #define SHARED_CACHE_HELPER "get_shared_cache_address"
29 #define DO_RUSAGE_CHECK "check_rusage_flag"
30 #define DO_DUMMY "dummy"
31 #define ADDRESS_OUTPUT_SIZE 12L
32
33 #ifndef _POSIX_SPAWN_RESLIDE
34 #define _POSIX_SPAWN_RESLIDE 0x0800
35 #endif
36
37 #ifndef OS_REASON_FLAG_SHAREDREGION_FAULT
38 #define OS_REASON_FLAG_SHAREDREGION_FAULT 0x400
39 #endif
40
41 T_GLOBAL_META(T_META_RUN_CONCURRENTLY(true));
42
43 #if (__arm64e__ && TARGET_OS_IPHONE)
44 static void *
45 get_current_slide_address(bool reslide)
46 {
47 pid_t pid;
48 int pipefd[2];
49 posix_spawnattr_t attr;
50 posix_spawn_file_actions_t action;
51 uintptr_t addr;
52
53 T_ASSERT_POSIX_SUCCESS(posix_spawnattr_init(&attr), "posix_spawnattr_init");
54 /* spawn the helper requesting a reslide */
55 if (reslide) {
56 T_ASSERT_POSIX_SUCCESS(posix_spawnattr_setflags(&attr, _POSIX_SPAWN_RESLIDE), "posix_spawnattr_setflags");
57 }
58
59 T_ASSERT_POSIX_SUCCESS(pipe(pipefd), "pipe");
60 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_init(&action), "posix_spawn_fileactions_init");
61 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_addclose(&action, pipefd[0]), "posix_spawn_file_actions_addclose");
62 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_adddup2(&action, pipefd[1], 1), "posix_spawn_file_actions_addup2");
63 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_addclose(&action, pipefd[1]), "posix_spawn_file_actions_addclose");
64
65 char *argvs[3];
66 argvs[0] = SHARED_CACHE_HELPER;
67 argvs[1] = reslide ? DO_RUSAGE_CHECK : DO_DUMMY;
68 argvs[2] = NULL;
69 char *const envps[] = {NULL};
70
71 T_ASSERT_POSIX_ZERO(posix_spawn(&pid, SHARED_CACHE_HELPER, &action, &attr, argvs, envps), "helper posix_spawn");
72 T_ASSERT_POSIX_SUCCESS(close(pipefd[1]), "close child end of the pipe");
73
74 char buf[ADDRESS_OUTPUT_SIZE] = {0};
75
76 ssize_t read_bytes = 0;
77 do {
78 if (read_bytes == -1) {
79 T_LOG("reading off get_shared_cache_address got interrupted");
80 }
81 read_bytes = read(pipefd[0], buf, sizeof(buf));
82 } while (read_bytes == -1 && errno == EINTR);
83
84 T_ASSERT_EQ_LONG(ADDRESS_OUTPUT_SIZE, read_bytes, "read helper output");
85
86 int status = 0;
87 int waitpid_result = waitpid(pid, &status, 0);
88 T_ASSERT_POSIX_SUCCESS(waitpid_result, "waitpid");
89 T_ASSERT_EQ(waitpid_result, pid, "waitpid should return child we spawned");
90 T_ASSERT_EQ(WIFEXITED(status), 1, "child should have exited normally");
91 T_ASSERT_EQ(WEXITSTATUS(status), EX_OK, "child should have exited with success");
92
93 addr = strtoul(buf, NULL, 16);
94 T_ASSERT_GE_LONG(addr, 0L, "convert address to uintptr_t");
95
96 return (void *)addr;
97 }
98
99 /*
100 * build_faulting_shared_cache_address creates a pointer to an address that is
101 * within the shared_cache range but that is guaranteed to not be mapped.
102 */
103 static char *
104 build_faulting_shared_cache_address(bool tbi)
105 {
106 uintptr_t fault_address;
107
108 // Grab currently mapped shared cache location and size
109 size_t shared_cache_len = 0;
110 const void *shared_cache_location = _dyld_get_shared_cache_range(&shared_cache_len);
111 if (shared_cache_location == NULL || shared_cache_len == 0) {
112 return NULL;
113 }
114
115 // Locate a mach_header in the shared cache
116 Dl_info info;
117 if (dladdr((const void *)fork, &info) == 0) {
118 return NULL;
119 }
120
121 const struct mach_header *mh = info.dli_fbase;
122 uintptr_t slide = (uintptr_t)_dyld_get_image_slide(mh);
123
124 if (slide == 0) {
125 fault_address = (uintptr_t)shared_cache_location + shared_cache_len + PAGE_SIZE;
126 } else {
127 fault_address = (uintptr_t)shared_cache_location - PAGE_SIZE;
128 }
129
130 if (tbi) {
131 fault_address |= 0x2000000000000000;
132 }
133
134 return (char *)fault_address;
135 }
136
137 static void
138 induce_crash(volatile char *ptr)
139 {
140 pid_t child = fork();
141 T_ASSERT_POSIX_SUCCESS(child, "fork");
142
143 if (child == 0) {
144 ptr[1];
145 } else {
146 sleep(1);
147 struct proc_exitreasonbasicinfo exit_reason = {0};
148 T_ASSERT_POSIX_SUCCESS(proc_pidinfo(child, PROC_PIDEXITREASONBASICINFO, 1, &exit_reason, sizeof(exit_reason)), "basic exit reason");
149
150 int status = 0;
151 int waitpid_result;
152 do {
153 waitpid_result = waitpid(child, &status, 0);
154 } while (waitpid_result < 0 && errno == EINTR);
155 T_QUIET; T_ASSERT_POSIX_SUCCESS(waitpid_result, "waitpid");
156 T_ASSERT_EQ(waitpid_result, child, "waitpid should return forked child");
157 T_ASSERT_EQ(exit_reason.beri_namespace, OS_REASON_SIGNAL, "child should have exited with a signal");
158
159 if (ptr) {
160 T_ASSERT_EQ_ULLONG(exit_reason.beri_code, (unsigned long long)SIGSEGV, "child should have received SIGSEGV");
161 T_ASSERT_NE((int)(exit_reason.beri_flags & OS_REASON_FLAG_SHAREDREGION_FAULT), 0, "should detect shared cache fault");
162 } else {
163 T_ASSERT_EQ((int)(exit_reason.beri_flags & OS_REASON_FLAG_SHAREDREGION_FAULT), 0, "should not detect shared cache fault");
164 }
165 }
166 }
167
168 static int saved_status;
169 static void
170 cleanup_sysctl(void)
171 {
172 int ret;
173
174 if (saved_status == 0) {
175 ret = sysctlbyname("vm.vm_shared_region_reslide_aslr", NULL, NULL, &saved_status, sizeof(saved_status));
176 T_QUIET; T_EXPECT_POSIX_SUCCESS(ret, "set shared region resliding back off");
177 }
178 }
179 #endif /* __arm64e && TARGET_OS_IPHONE */
180
181 T_DECL(reslide_sharedcache, "crash induced reslide of the shared cache",
182 T_META_CHECK_LEAKS(false), T_META_IGNORECRASHES(".*shared_cache_reslide_test.*"),
183 T_META_ASROOT(true))
184 {
185 #if (__arm64e__ && TARGET_OS_IOS)
186 void *system_address;
187 void *reslide_address;
188 void *confirm_address;
189 char *ptr;
190 int on = 1;
191 size_t size;
192
193 /* Force resliding on */
194 T_ASSERT_POSIX_SUCCESS(sysctlbyname("vm.vm_shared_region_reslide_aslr", &saved_status, &size, &on, sizeof(on)), "force enable reslide");
195 T_ATEND(cleanup_sysctl);
196
197 system_address = get_current_slide_address(false);
198 confirm_address = get_current_slide_address(false);
199 T_ASSERT_EQ_PTR(system_address, confirm_address, "system and current addresses should not diverge %p %p", system_address, confirm_address);
200
201 reslide_address = get_current_slide_address(true);
202 confirm_address = get_current_slide_address(true);
203 T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide addresses should diverge %p %p", system_address, reslide_address);
204 T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide (no crash) shouldn't diverge %p %p", reslide_address, confirm_address);
205
206 /* Crash into the shared cache area */
207 ptr = build_faulting_shared_cache_address(false);
208 T_ASSERT_NOTNULL(ptr, "faulting on %p in the shared region", (void *)ptr);
209 induce_crash(ptr);
210 reslide_address = get_current_slide_address(true);
211 T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash) %p %p", system_address, reslide_address);
212 T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash) %p %p", confirm_address, reslide_address);
213
214 confirm_address = get_current_slide_address(true);
215 T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide shouldn't diverge (no crash) %p %p", reslide_address, confirm_address);
216
217 /* Crash somewhere else */
218 ptr = NULL;
219 induce_crash(ptr);
220 confirm_address = get_current_slide_address(true);
221 T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide after a non-tracked crash shouldn't diverge %p %p", reslide_address, confirm_address);
222
223 /* Ensure we still get the system address */
224 confirm_address = get_current_slide_address(false);
225 T_ASSERT_EQ_PTR(system_address, confirm_address, "system address and new process without resliding shouldn't diverge %p %p", system_address, confirm_address);
226
227 /* Ensure we detect a crash into the shared area with a TBI tagged address */
228 ptr = build_faulting_shared_cache_address(true);
229 T_ASSERT_NOTNULL(ptr, "faulting on %p in the shared region", (void *)ptr);
230 confirm_address = get_current_slide_address(true);
231 induce_crash(ptr);
232 reslide_address = get_current_slide_address(true);
233 T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash, TBI test) %p %p", system_address, reslide_address);
234 T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash, TBI test) %p %p", confirm_address, reslide_address);
235 #else /* __arm64e__ && TARGET_OS_IPHONE */
236 T_SKIP("shared cache reslide is currently only supported on arm64e iPhones");
237 #endif /* __arm64e__ && TARGET_OS_IPHONE */
238 }
mirror of XNU