1*699cd480SApple OSS Distributions #include <mach/mach.h>
2*699cd480SApple OSS Distributions #include <stdlib.h>
3*699cd480SApple OSS Distributions #include <pthread.h>
4*699cd480SApple OSS Distributions #include <unistd.h>
5*699cd480SApple OSS Distributions #include <stdio.h>
6*699cd480SApple OSS Distributions #include <assert.h>
7*699cd480SApple OSS Distributions #include <mach/task.h>
8*699cd480SApple OSS Distributions #include <mach/mk_timer.h>
9*699cd480SApple OSS Distributions
/*
 * DO NOT run this test file by itself.
 * This test is meant to be invoked by the control_port_options darwintest.
 *
 * If hard enforcement for pinned control ports is on, the pinned tests are
 * expected to generate a fatal EXC_GUARD.
 *
 * If hard enforcement for immovable control ports is on, the immovable tests
 * are expected to generate a fatal EXC_GUARD.
 *
 * The type of exception raised (if any) is checked on the control_port_options side.
 */
22*699cd480SApple OSS Distributions #define MAX_TEST_NUM 21
23*699cd480SApple OSS Distributions
24*699cd480SApple OSS Distributions #ifndef MACH64_SEND_ANY
25*699cd480SApple OSS Distributions #define MACH64_SEND_ANY 0x0000000800000000ull
26*699cd480SApple OSS Distributions #define MACH64_SEND_MQ_CALL 0x0000000400000000ull
27*699cd480SApple OSS Distributions #endif
28*699cd480SApple OSS Distributions
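/*
 * Try to transfer `port` with disposition `disp` inside a complex message
 * addressed to a freshly allocated local receive right.
 *
 * Returns the mach_msg_send() result.  When hard enforcement for immovable
 * ports is on the process is expected to die with EXC_GUARD inside the send,
 * so the return value is only ever seen with enforcement off.
 *
 * The receive right `server` (and any message queued on it) is deliberately
 * not torn down: this is a crasher helper and the caller exits right after.
 */
static int
attempt_send_immovable_port(mach_port_name_t port, mach_msg_type_name_t disp)
{
	mach_port_t server = MACH_PORT_NULL;
	kern_return_t kr;

	kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &server);
	assert(kr == KERN_SUCCESS);

	kr = mach_port_insert_right(mach_task_self(), server, server, MACH_MSG_TYPE_MAKE_SEND);
	assert(kr == KERN_SUCCESS);

	/*
	 * Designated initializer so msgh_id, msgh_voucher_port and the
	 * descriptor padding are zero instead of stack garbage handed to
	 * the kernel.
	 */
	struct {
		mach_msg_header_t header;
		mach_msg_body_t body;
		mach_msg_port_descriptor_t desc;
	} msg = {
		.header = {
			.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0) | MACH_MSGH_BITS_COMPLEX,
			.msgh_size = sizeof msg,
			.msgh_remote_port = server,
			.msgh_local_port = MACH_PORT_NULL,
		},
		.body = {
			.msgh_descriptor_count = 1,
		},
		.desc = {
			.name = port,
			.disposition = disp,
			.type = MACH_MSG_PORT_DESCRIPTOR,
		},
	};

	return mach_msg_send(&msg.header);
}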
59*699cd480SApple OSS Distributions
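/*
 * Pinned test: drop two send refs on the main thread's self port in one
 * mach_port_mod_refs() call.  One ref is the one mach_thread_self() just
 * returned; the -2 presumably also removes the thread's own ref so the
 * count reaches 0, which a pinned port must refuse (EXC_GUARD when hard
 * enforcement is on).
 */
static void
pinned_test_main_thread_mod_ref(void)
{
	printf("[Crasher]: Mod refs main thread's self port to 0\n");
	mach_port_t thread_self = mach_thread_self();
	kern_return_t kr = mach_port_mod_refs(mach_task_self(), thread_self, MACH_PORT_RIGHT_SEND, -2);

	/* Only reached when enforcement is off; the result is for the log. */
	printf("[Crasher pinned_test_main_thread_mod_ref] mach_port_mod_refs returned %s.\n", mach_error_string(kr));
}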
69*699cd480SApple OSS Distributions
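/*
 * Worker body for pinned_test_pthread_dealloc(): deallocate the calling
 * pthread's own Mach thread port once.  The port name comes from
 * pthread_mach_thread_np(), which hands back the thread's cached name without
 * adding a ref, so this drops what should be the last send right on a pinned
 * port.
 *
 * `arg` is unused; it exists only to satisfy the pthread start routine type.
 * Always returns NULL.
 */
static void* _Nullable
pthread_run(void *_Nullable arg)
{
	(void)arg;

	printf("[Crasher]: Deallocate pthread_self\n");
	mach_port_t th_self = pthread_mach_thread_np(pthread_self());
	kern_return_t kr = mach_port_deallocate(mach_task_self(), th_self);

	/* Only reached when enforcement is off. */
	printf("[Crasher pinned_test_pthread_dealloc] mach_port_deallocate returned %s.\n", mach_error_string(kr));
	return NULL;
}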
80*699cd480SApple OSS Distributions
/*
 * Pinned test: spawn a pthread whose body (pthread_run) deallocates its own
 * thread port, then wait for it.  With hard enforcement on, the child thread
 * raises the fatal EXC_GUARD; otherwise we simply join it and return.
 */
static void
pinned_test_pthread_dealloc(void)
{
	pthread_t worker;
	int rc;

	printf("[Crasher]: Create a pthread and deallocate its self port\n");

	rc = pthread_create(&worker, NULL, pthread_run, NULL);
	assert(rc == 0);

	rc = pthread_join(worker, NULL);
	assert(rc == 0);
}
91*699cd480SApple OSS Distributions
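/*
 * Pinned test: deallocate the task self port twice.  The first call is
 * expected to succeed (asserted); the second one drops what should be the
 * last send right on a pinned port and is expected to raise EXC_GUARD
 * under hard enforcement.
 */
static void
pinned_test_task_self_dealloc(void)
{
	printf("[Crasher]: Deallocate mach_task_self twice\n");
	mach_port_t task_self = mach_task_self();

	kern_return_t kr = mach_port_deallocate(task_self, task_self);
	assert(kr == KERN_SUCCESS);

	/* Second deallocate is the one that should trip pinning. */
	kr = mach_port_deallocate(task_self, task_self);

	printf("[Crasher pinned_test_task_self_dealloc] mach_port_deallocate returned %s.\n", mach_error_string(kr));
}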
103*699cd480SApple OSS Distributions
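/*
 * Pinned test: remove two send refs from the task self port in a single
 * mach_port_mod_refs() call, taking it to 0.  Expected to raise EXC_GUARD
 * under hard enforcement; the printf is only reached otherwise.
 */
static void
pinned_test_task_self_mod_ref(void)
{
	printf("[Crasher]: Mod refs mach_task_self() to 0\n");
	kern_return_t kr = mach_port_mod_refs(mach_task_self(), mach_task_self(), MACH_PORT_RIGHT_SEND, -2);

	printf("[Crasher pinned_test_task_self_mod_ref] mach_port_mod_refs returned %s.\n", mach_error_string(kr));
}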
112*699cd480SApple OSS Distributions
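/*
 * Pinned test: obtain the task's thread ports through task_threads(), which
 * should hand back pinned ports, and drive the first one's send refs to 0
 * (one mach_port_deallocate() for the ref task_threads() gave us, then
 * mod_refs -1 for the last one).  Expected to raise EXC_GUARD at the
 * mod_refs under hard enforcement.
 *
 * The mach_thread_self()/mach_port_deallocate() pair up front nets out to
 * zero and is kept so the main thread port's ref count starts at its
 * baseline before the task_threads() ref is added.
 */
static void
pinned_test_task_threads_mod_ref(void)
{
	printf("[Crasher]: task_threads should return pinned thread ports. Mod refs them to 0\n");
	thread_array_t th_list = NULL;
	mach_msg_type_number_t th_cnt = 0;
	kern_return_t kr;

	mach_port_t th_kp = mach_thread_self();
	(void)mach_port_deallocate(mach_task_self(), th_kp);

	kr = task_threads(mach_task_self(), &th_list, &th_cnt);
	/* th_list is indeterminate on failure; indexing it would be UB. */
	assert(kr == KERN_SUCCESS);
	assert(th_cnt > 0);

	/* Drop the ref task_threads() returned, then try to drop the last one. */
	(void)mach_port_deallocate(mach_task_self(), th_list[0]);

	kr = mach_port_mod_refs(mach_task_self(), th_list[0], MACH_PORT_RIGHT_SEND, -1);

	printf("[Crasher pinned_test_task_threads_mod_ref] mach_port_mod_refs returned %s.\n", mach_error_string(kr));

	/*
	 * Only reached when enforcement is off: release the remaining thread
	 * rights and the out-of-line array task_threads() allocated in our
	 * address space.
	 */
	for (mach_msg_type_number_t i = 1; i < th_cnt; i++) {
		(void)mach_port_deallocate(mach_task_self(), th_list[i]);
	}
	(void)vm_deallocate(mach_task_self(), (vm_address_t)th_list,
	    th_cnt * sizeof(th_list[0]));
}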
130*699cd480SApple OSS Distributions
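/*
 * Pinned test: mach_port_destroy() the task self port, which removes every
 * right the task holds on it.  Expected to raise EXC_GUARD under hard
 * enforcement; the result is logged otherwise.
 */
static void
pinned_test_mach_port_destroy(void)
{
	printf("[Crasher]: Destroy mach_task_self()\n");
	kern_return_t kr = mach_port_destroy(mach_task_self(), mach_task_self());

	printf("[Crasher pinned_test_mach_port_destroy] mach_port_destroy returned %s.\n", mach_error_string(kr));
}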
137*699cd480SApple OSS Distributions
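/*
 * Pinned test: after dropping one ref on the task self port, send a message
 * whose destination is the task port with MOVE_SEND disposition.  Moving
 * the remote right is allowed on a kobject port, but here it would consume
 * the last ref of a pinned port, which should raise EXC_GUARD under hard
 * enforcement.  See IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND.
 */
static void
pinned_test_move_send_as_remote_port(void)
{
	printf("[Crasher]: Move send mach_task_self() as the remote port\n");

	kern_return_t kr = mach_port_deallocate(mach_task_self(), mach_task_self());
	assert(kr == KERN_SUCCESS);

	/* Zero-initialized so msgh_voucher_port does not carry stack garbage. */
	struct {
		mach_msg_header_t header;
	} msg = {
		.header = {
			.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND, 0),
			.msgh_size = sizeof msg,
			.msgh_remote_port = mach_task_self(),
			.msgh_local_port = MACH_PORT_NULL,
			.msgh_id = 2000,
		},
	};

	kr = mach_msg_send(&msg.header);

	printf("[Crasher pinned_test_move_send_as_remote_port] mach_msg_send returned %s.\n", mach_error_string(kr));
}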
162*699cd480SApple OSS Distributions
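/*
 * Immovable test: send a message with the task self port as both the remote
 * and the local (reply) port, MOVE_SEND on both.  The local port of a
 * message cannot be an immovable port (see ipc_right_copyin_check_reply()),
 * so this should raise EXC_GUARD under hard enforcement.
 */
static void
immovable_test_move_send_as_remote_port(void)
{
	printf("[Crasher]: Move send mach_task_self() as remote and local port\n");

	/* Zero-initialized so msgh_voucher_port does not carry stack garbage. */
	struct {
		mach_msg_header_t header;
	} msg = {
		.header = {
			.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND, MACH_MSG_TYPE_MOVE_SEND),
			.msgh_size = sizeof msg,
			.msgh_remote_port = mach_task_self(),
			.msgh_local_port = mach_task_self(),
			.msgh_id = 2000,
		},
	};

	kern_return_t kr = mach_msg_send(&msg.header);

	printf("[Crasher immovable_test_move_send_as_remote_port] mach_msg_send returned %s.\n", mach_error_string(kr));
}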
181*699cd480SApple OSS Distributions
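/*
 * Immovable test: try to move the task self send right inside a port
 * descriptor.  Expected to raise EXC_GUARD under hard enforcement.
 */
static void
immovable_test_move_send_task_self(void)
{
	printf("[Crasher]: Move send mach_task_self_\n");
	kern_return_t kr = attempt_send_immovable_port(mach_task_self(), MACH_MSG_TYPE_MOVE_SEND);

	printf("[Crasher immovable_test_move_send_task_self] attempt_send_immovable_port returned %s.\n", mach_error_string(kr));
}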
191*699cd480SApple OSS Distributions
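/*
 * Immovable test: try to copy the task self send right inside a port
 * descriptor.  Expected to raise EXC_GUARD under hard enforcement.
 */
static void
immovable_test_copy_send_task_self(void)
{
	printf("[Crasher]: Copy send mach_task_self_\n");
	kern_return_t kr = attempt_send_immovable_port(mach_task_self(), MACH_MSG_TYPE_COPY_SEND);

	printf("[Crasher immovable_test_copy_send_task_self] attempt_send_immovable_port returned %s.\n", mach_error_string(kr));
}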
201*699cd480SApple OSS Distributions
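/*
 * Immovable test: try to move the main thread's self right inside a port
 * descriptor.  Expected to raise EXC_GUARD under hard enforcement.
 *
 * The ref returned by mach_thread_self() is consumed by the move when the
 * send succeeds; if the send fails without crashing, that ref is not
 * released here (acceptable for a crasher that exits right after).
 */
static void
immovable_test_move_send_thread_self(void)
{
	printf("[Crasher]: Move send main thread's self port\n");
	kern_return_t kr = attempt_send_immovable_port(mach_thread_self(), MACH_MSG_TYPE_MOVE_SEND);

	printf("[Crasher immovable_test_move_send_thread_self] attempt_send_immovable_port returned %s.\n", mach_error_string(kr));
}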
211*699cd480SApple OSS Distributions
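/*
 * Immovable test: try to copy the main thread's self right inside a port
 * descriptor.  Expected to raise EXC_GUARD under hard enforcement.  A copy
 * leaves our own ref in place, so it is released afterwards.
 */
static void
immovable_test_copy_send_thread_self(void)
{
	printf("[Crasher]: Copy send main thread's self port\n");
	mach_port_t port = mach_thread_self();

	kern_return_t kr = attempt_send_immovable_port(port, MACH_MSG_TYPE_COPY_SEND);
	printf("[Crasher immovable_test_copy_send_thread_self] attempt_send_immovable_port returned %s.\n", mach_error_string(kr));

	/* Only reached when enforcement is off: drop the mach_thread_self() ref. */
	(void)mach_port_deallocate(mach_task_self(), port);
}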
224*699cd480SApple OSS Distributions
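/*
 * Immovable test: fetch the task read port via task_get_special_port() and
 * try to copy it inside a port descriptor.  Expected to raise EXC_GUARD
 * under hard enforcement.  The copied-from ref is released afterwards.
 */
static void
immovable_test_copy_send_task_read(void)
{
	mach_port_t port = MACH_PORT_NULL;
	kern_return_t kr;

	printf("[Crasher]: Copy send task read port\n");
	kr = task_get_special_port(mach_task_self(), TASK_READ_PORT, &port);
	assert(kr == KERN_SUCCESS);

	kr = attempt_send_immovable_port(port, MACH_MSG_TYPE_COPY_SEND);
	printf("[Crasher immovable_test_copy_send_task_read] attempt_send_immovable_port returned %s.\n", mach_error_string(kr));

	/* Only reached when enforcement is off. */
	(void)mach_port_deallocate(mach_task_self(), port);
}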
238*699cd480SApple OSS Distributions
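/*
 * Immovable test: fetch the task inspect port via task_get_special_port()
 * and try to MOVE it inside a port descriptor.  Expected to raise EXC_GUARD
 * under hard enforcement.
 *
 * NOTE(review): despite the "copy_send" in the function name, this test uses
 * MACH_MSG_TYPE_MOVE_SEND (the intro message says so as well).  The name is
 * kept because main()'s dispatch table refers to it.  On a successful move
 * the ref is consumed; on a non-crashing failure it is not released here.
 */
static void
immovable_test_copy_send_task_inspect(void)
{
	mach_port_t port = MACH_PORT_NULL;
	kern_return_t kr;

	printf("[Crasher]: Move send task inspect port\n");
	kr = task_get_special_port(mach_task_self(), TASK_INSPECT_PORT, &port);
	assert(kr == KERN_SUCCESS);

	kr = attempt_send_immovable_port(port, MACH_MSG_TYPE_MOVE_SEND);
	printf("[Crasher immovable_test_copy_send_task_inspect] attempt_send_immovable_port returned %s.\n", mach_error_string(kr));
}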
250*699cd480SApple OSS Distributions
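/*
 * Immovable test: fetch the main thread's inspect port and try to move it
 * inside a port descriptor.  Expected to raise EXC_GUARD under hard
 * enforcement.  The mach_thread_self() ref used to look the port up is
 * released afterwards; the inspect right itself is consumed by the move.
 */
static void
immovable_test_move_send_thread_inspect(void)
{
	mach_port_t port = MACH_PORT_NULL;
	mach_port_t th_port = mach_thread_self();
	kern_return_t kr;

	printf("[Crasher]: Move send thread inspect port\n");
	kr = thread_get_special_port(th_port, THREAD_INSPECT_PORT, &port);
	assert(kr == KERN_SUCCESS);

	kr = attempt_send_immovable_port(port, MACH_MSG_TYPE_MOVE_SEND);
	printf("[Crasher immovable_test_move_send_thread_inspect] attempt_send_immovable_port returned %s.\n", mach_error_string(kr));

	/* Only reached when enforcement is off. */
	(void)mach_port_deallocate(mach_task_self(), th_port);
}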
266*699cd480SApple OSS Distributions
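/*
 * Immovable test on a raw (thread_create()d, non-pthread) thread port:
 *   1. create a thread and deallocate its port once -- such a port is not
 *      pinned, so this must not crash;
 *   2. create another thread and try to move its port inside a descriptor --
 *      the port is immovable, so this should raise EXC_GUARD under hard
 *      enforcement.
 * The second thread is terminated only when no crash occurred.
 *
 * NOTE(review): the first thread is left behind (its port name is gone, so
 * it cannot be terminated here); acceptable because the process exits
 * immediately after the test.
 */
static void
immovable_test_move_send_raw_thread(void)
{
	mach_port_t port = MACH_PORT_NULL;
	kern_return_t kr;

	printf("[Crasher]: Move send a raw thread_create() port\n");

	kr = thread_create(mach_task_self(), &port);
	assert(kr == KERN_SUCCESS);
	(void)mach_port_deallocate(mach_task_self(), port); /* not pinned, should not crash */

	kr = thread_create(mach_task_self(), &port);
	assert(kr == KERN_SUCCESS);
	kr = attempt_send_immovable_port(port, MACH_MSG_TYPE_MOVE_SEND); /* immovable, should crash here */
	printf("[Crasher immovable_test_move_send_raw_thread] attempt_send_immovable_port returned %s.\n", mach_error_string(kr));

	kr = thread_terminate(port);
	assert(kr == KERN_SUCCESS);
}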
285*699cd480SApple OSS Distributions
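/*
 * Immovable test: fetch the main thread's read port and try to copy it
 * inside a port descriptor.  Expected to raise EXC_GUARD under hard
 * enforcement.  Both the read right and the mach_thread_self() ref are
 * released afterwards (a copy leaves them in place).
 */
static void
immovable_test_copy_send_thread_read(void)
{
	mach_port_t port = MACH_PORT_NULL;
	mach_port_t th_port = mach_thread_self();
	kern_return_t kr;

	printf("[Crasher]: Copy send thread read port\n");
	kr = thread_get_special_port(th_port, THREAD_READ_PORT, &port);
	assert(kr == KERN_SUCCESS);

	kr = attempt_send_immovable_port(port, MACH_MSG_TYPE_COPY_SEND);
	printf("[Crasher immovable_test_copy_send_thread_read] attempt_send_immovable_port returned %s.\n", mach_error_string(kr));

	/* Only reached when enforcement is off. */
	(void)mach_port_deallocate(mach_task_self(), port);
	(void)mach_port_deallocate(mach_task_self(), th_port);
}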
302*699cd480SApple OSS Distributions
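/*
 * CFI test: call mach_msg2() on the task port with only MACH64_SEND_MSG set,
 * i.e. none of the CFI call-type bits (MQ_CALL / KOBJECT_CALL / ANY).  This
 * is expected to crash; the trailing printf is only reached when the check
 * is not enforced.
 */
static void
cfi_test_no_bit_set(void)
{
	printf("[Crasher]: Try sending mach_msg2() without setting CFI bits\n");

	/*
	 * Designated initializer: mach_msg2() takes the header by value as
	 * well, so leave no indeterminate bytes (msgh_voucher_port) in it.
	 */
	mach_msg_header_t header = {
		.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_COPY_SEND, 0, 0, 0),
		.msgh_size = sizeof(header),
		.msgh_remote_port = mach_task_self(),
		.msgh_local_port = MACH_PORT_NULL,
		.msgh_id = 3409,
	};
	kern_return_t kr;

	kr = mach_msg2(&header, MACH64_SEND_MSG, header, header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_no_bit_set]: mach_msg2() returned %d\n", kr);
}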
322*699cd480SApple OSS Distributions
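/*
 * CFI test: call mach_msg2() on the task port with two CFI call-type bits
 * set at once (MACH64_SEND_ANY | MACH64_SEND_KOBJECT_CALL).  Exactly one is
 * allowed, so this is expected to crash; the trailing printf is only reached
 * when the check is not enforced.
 */
static void
cfi_test_two_bits_set(void)
{
	printf("[Crasher]: Try sending mach_msg2() but setting 2 CFI bits\n");

	/* Designated initializer so no indeterminate bytes reach the kernel. */
	mach_msg_header_t header = {
		.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_COPY_SEND, 0, 0, 0),
		.msgh_size = sizeof(header),
		.msgh_remote_port = mach_task_self(),
		.msgh_local_port = MACH_PORT_NULL,
		.msgh_id = 3409,
	};
	kern_return_t kr;

	kr = mach_msg2(&header, MACH64_SEND_MSG | MACH64_SEND_ANY | MACH64_SEND_KOBJECT_CALL,
	    header, header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_two_bits_set]: mach_msg2() returned %d\n", kr);
}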
343*699cd480SApple OSS Distributions
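/*
 * CFI test against an mk_timer port (a kobject port of type IKOT_TIMER):
 *   1. a send with MACH64_SEND_MQ_CALL must succeed (asserted), because the
 *      timer port is the one kobject that is driven through a message queue;
 *   2. the same send with MACH64_SEND_KOBJECT_CALL is expected to crash.
 * The trailing printf and the timer teardown are only reached when the check
 * is not enforced.
 */
static void
cfi_test_msg_to_timer_port(void)
{
	printf("[Crasher]: Try sending mach_msg2() to timer port\n");

	mach_port_t timer = MACH_PORT_NULL;
	kern_return_t kr;
	natural_t kotype = 0;
	mach_vm_address_t addr = 0;

#define IKOT_TIMER 8
	timer = mk_timer_create();
	assert(timer != MACH_PORT_NULL);

	/* Make sure it's a kobject port of the expected type. */
	kr = mach_port_kobject(mach_task_self(), timer, &kotype, &addr);
	assert(kr == KERN_SUCCESS);
	assert(kotype == IKOT_TIMER);

	/*
	 * Oversized body, zero-initialized: the original left 2 KiB of stack
	 * contents in `data` and an indeterminate msgh_id, all of which were
	 * handed to the kernel.
	 */
	struct oversize_msg {
		mach_msg_header_t header;
		char data[2048];
	} msg = {
		.header = {
			.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_MAKE_SEND, 0, 0, 0),
			.msgh_size = sizeof(struct oversize_msg),
			.msgh_remote_port = timer,
			.msgh_local_port = MACH_PORT_NULL,
		},
	};

	/* Timer port must use MACH64_SEND_MQ_CALL */
	kr = mach_msg2(&msg, MACH64_SEND_MSG | MACH64_SEND_MQ_CALL,
	    msg.header, msg.header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	assert(kr == KERN_SUCCESS);
	printf("Message sent to timer port successfully\n");

	/* Using MACH64_SEND_KOBJECT_CALL should crash */
	kr = mach_msg2(&msg, MACH64_SEND_MSG | MACH64_SEND_KOBJECT_CALL,
	    msg.header, msg.header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_msg_to_timer_port]: mach_msg2() returned %d\n", kr);

	/* Only reached when the check is not enforced. */
	(void)mk_timer_destroy(timer);
}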
387*699cd480SApple OSS Distributions
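/*
 * CFI test: call mach_msg2() on the task port (a kobject port) with
 * MACH64_SEND_MQ_CALL, the bit reserved for message-queue destinations.
 * The mismatch is expected to crash; the trailing printf is only reached
 * when the check is not enforced.
 */
static void
cfi_test_wrong_bit_set(void)
{
	printf("[Crasher]: Try sending mach_msg2() but setting wrong CFI bits\n");

	/* Designated initializer so no indeterminate bytes reach the kernel. */
	mach_msg_header_t header = {
		.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_COPY_SEND, 0, 0, 0),
		.msgh_size = sizeof(header),
		.msgh_remote_port = mach_task_self(),
		.msgh_local_port = MACH_PORT_NULL,
		.msgh_id = 3409,
	};
	kern_return_t kr;

	/* Using MACH64_SEND_MQ_CALL but destination is a kobject port */
	kr = mach_msg2(&header, MACH64_SEND_MSG | MACH64_SEND_MQ_CALL,
	    header, header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_wrong_bit_set]: mach_msg2() returned %d\n", kr);
}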
409*699cd480SApple OSS Distributions
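/*
 * Entry point.  argv[1] selects one test by index into the dispatch table
 * below; the table order is the contract with the control_port_options
 * darwintest and must not be reordered (slots 0-6 pinned, 7-16 immovable,
 * 17-20 CFI).  Exits 0 when the selected test returns, i.e. when the
 * kernel did not raise a fatal exception.
 */
int
main(int argc, char *argv[])
{
	void (*tests[MAX_TEST_NUM])(void) = {
		pinned_test_main_thread_mod_ref,
		pinned_test_pthread_dealloc,
		pinned_test_task_self_dealloc,
		pinned_test_task_self_mod_ref,
		pinned_test_task_threads_mod_ref,
		pinned_test_mach_port_destroy,
		pinned_test_move_send_as_remote_port,

		immovable_test_move_send_task_self,
		immovable_test_copy_send_task_self,
		immovable_test_move_send_thread_self,
		immovable_test_copy_send_thread_self,
		immovable_test_copy_send_task_read,
		immovable_test_copy_send_task_inspect,
		immovable_test_move_send_thread_inspect,
		immovable_test_copy_send_thread_read,
		immovable_test_move_send_as_remote_port,
		immovable_test_move_send_raw_thread,

		cfi_test_no_bit_set,
		cfi_test_two_bits_set,
		cfi_test_wrong_bit_set,
		cfi_test_msg_to_timer_port,
	};
	printf("[Crasher]: My Pid: %d\n", getpid());

	if (argc < 2) {
		printf("[Crasher]: Specify a test to run.\n");
		exit(-1);
	}

	/*
	 * strtol instead of atoi: a non-numeric or partially numeric argument
	 * is rejected rather than silently running test 0.  An out-of-range
	 * value (including strtol's LONG_MIN/LONG_MAX on overflow) fails the
	 * bounds check below.
	 */
	char *end = NULL;
	long test_num = strtol(argv[1], &end, 10);

	if (end == argv[1] || *end != '\0' || test_num < 0 || test_num >= MAX_TEST_NUM) {
		printf("[Crasher]: Invalid test num. Exiting...\n");
		exit(-1);
	}

	(*tests[test_num])();

	exit(0);
}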