#include <mach/mach.h>
#include <mach/mk_timer.h>
#include <mach/task.h>
#include <assert.h>
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "cs_helpers.h"

/*
 * DO NOT run this test file by itself.
 * This crasher is meant to be spawned by the control_port_options darwintest,
 * with argv[1] selecting a single entry of the test table in main().
 *
 * If hard enforcement for pinned control ports is on, the pinned_* tests are
 * expected to die with a fatal EXC_GUARD.
 *
 * If hard enforcement for immovable control ports is on, the immovable_* tests
 * are expected to die with a fatal EXC_GUARD.
 *
 * The cfi_* tests send with mach_msg2() using a missing, doubled or mismatched
 * CFI option bit; each one is expected to crash at the call marked "crash".
 *
 * The type of exception raised (if any) is checked on the control_port_options side.
 */
/* Number of entries in the tests[] table in main(); argv[1] must lie in [0, MAX_TEST_NUM). */
#define MAX_TEST_NUM 21

/*
 * Fallback definitions of the mach_msg2() option bits used by the cfi_* tests,
 * presumably for SDK headers that do not define them yet. The values must agree
 * with <mach/message.h>; MACH64_SEND_MSG and MACH64_SEND_KOBJECT_CALL are still
 * taken from the header and have no fallback here.
 */
#ifndef MACH64_SEND_ANY
#define MACH64_SEND_ANY 0x0000000800000000ull
#define MACH64_SEND_MQ_CALL 0x0000000400000000ull
#endif

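/*
 * Build a one-descriptor complex message carrying `port` with disposition
 * `disp` and send it to a freshly allocated receive right owned by this task.
 *
 * Callers pass a control port (task/thread self, read or inspect port) and a
 * MOVE_SEND or COPY_SEND disposition. Whether the copyin is refused, succeeds,
 * or raises a fatal EXC_GUARD is decided by the kernel's immovability policy,
 * so the mach_msg_send() result is handed back unchanged for the caller to print.
 *
 * The receive right (and any message queued on it) is deliberately not torn
 * down: every caller either crashes inside this call or exits right after
 * reporting the result.
 *
 * Fix: the message is now zero-initialized, so fields that are not set
 * explicitly (msgh_id, msgh_voucher_port, descriptor padding) are no longer
 * uninitialized stack bytes handed to the kernel.
 *
 * Returns the kern_return_t from mach_msg_send().
 */
static int
attempt_send_immovable_port(mach_port_name_t port, mach_msg_type_name_t disp)
{
	mach_port_t server = MACH_PORT_NULL;
	kern_return_t kr;

	kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &server);
	assert(kr == KERN_SUCCESS);

	/* Give ourselves a send right so the message has a valid destination. */
	kr = mach_port_insert_right(mach_task_self(), server, server, MACH_MSG_TYPE_MAKE_SEND);
	assert(kr == KERN_SUCCESS);

	struct {
		mach_msg_header_t header;
		mach_msg_body_t body;
		mach_msg_port_descriptor_t desc;
	} msg = {
		.header = {
			.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0) | MACH_MSGH_BITS_COMPLEX,
			.msgh_size = sizeof(msg),
			.msgh_remote_port = server,
			.msgh_local_port = MACH_PORT_NULL,
		},
		.body = {
			.msgh_descriptor_count = 1,
		},
		.desc = {
			.name = port,
			.disposition = disp,
			.type = MACH_MSG_PORT_DESCRIPTOR,
		},
	};

	return mach_msg_send(&msg.header);
}
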
/*
 * Pinned-port probe: drop the main thread's self port to zero send refs.
 *
 * mach_thread_self() hands back a send right for the calling thread; the
 * mod_refs of -2 then tries to release that ref plus one more, i.e. to take
 * the name to zero as the banner says. Under hard pinning enforcement this is
 * expected to raise a fatal EXC_GUARD; otherwise the kernel's result is printed.
 */
static void
pinned_test_main_thread_mod_ref(void)
{
	printf("[Crasher]: Mod refs main thread's self port to 0\n");

	mach_port_t self_port = mach_thread_self();
	kern_return_t result = mach_port_mod_refs(mach_task_self(), self_port,
	    MACH_PORT_RIGHT_SEND, -2);

	printf("[Crasher pinned_test_main_thread_mod_ref] mach_port_mod_refs returned %s \n.",
	    mach_error_string(result));
}

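/*
 * Thread body for pinned_test_pthread_dealloc(): deallocate the calling
 * pthread's own Mach thread port, which the test expects to be pinned.
 *
 * The pthread_create() argument is unused; it is now named and voided so the
 * definition is valid C11 (an unnamed parameter in a function definition is
 * only accepted as a C23 feature / compiler extension).
 *
 * Always returns NULL.
 */
static void *_Nullable
pthread_run(void *_Nullable arg)
{
	(void)arg;

	printf("[Crasher]: Deallocate pthread_self\n");
	mach_port_t th_self = pthread_mach_thread_np(pthread_self());
	kern_return_t kr = mach_port_deallocate(mach_task_self(), th_self);

	printf("[Crasher pinned_test_pthread_dealloc] mach_port_deallocate returned %s \n.", mach_error_string(kr));
	return NULL;
}
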
/*
 * Pinned-port probe on a secondary thread: spawn a pthread whose body
 * (pthread_run) deallocates its own Mach thread port, then wait for it.
 * pthread_create()/pthread_join() failures abort via assert().
 */
static void
pinned_test_pthread_dealloc(void)
{
	pthread_t worker;

	printf("[Crasher]: Create a pthread and deallocate its self port\n");

	int rc = pthread_create(&worker, NULL, pthread_run, NULL);
	assert(rc == 0);

	rc = pthread_join(worker, NULL);
	assert(rc == 0);
}

/*
 * Pinned-port probe: deallocate mach_task_self() twice. The first drop is
 * expected to succeed (asserted); the second is the one that should take the
 * task port's send refs to zero and trip the pin under hard enforcement.
 */
static void
pinned_test_task_self_dealloc(void)
{
	printf("[Crasher]: Deallocate mach_task_self twice\n");

	mach_port_t self = mach_task_self();
	kern_return_t result;

	result = mach_port_deallocate(self, self);
	assert(result == KERN_SUCCESS);

	result = mach_port_deallocate(self, self);

	printf("[Crasher pinned_test_task_self_dealloc] mach_port_deallocate returned %s \n.", mach_error_string(result));
}

/*
 * Pinned-port probe: a single mod_refs(-2) on mach_task_self(), intended to
 * take the task port's send refs straight to zero. Expected to raise a fatal
 * EXC_GUARD under hard pinning enforcement; otherwise the result is printed.
 */
static void
pinned_test_task_self_mod_ref(void)
{
	printf("[Crasher]: Mod refs mach_task_self() to 0\n");

	mach_port_t task = mach_task_self();
	kern_return_t result = mach_port_mod_refs(task, task, MACH_PORT_RIGHT_SEND, -2);

	printf("[Crasher pinned_test_task_self_mod_ref] mach_port_mod_refs returned %s \n.", mach_error_string(result));
}

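/*
 * Pinned-port probe via task_threads(): the thread ports it returns are
 * expected to be pinned, so dropping the first one to zero send refs should
 * trap under hard enforcement.
 *
 * Sequence: a mach_thread_self() / deallocate pair first, then task_threads()
 * yields one send right per thread; th_list[0] is deallocated once, and the
 * following mod_refs(-1) is the step expected to hit the pin. Only th_list[0]
 * is touched; any other entries are left as task_threads() returned them.
 *
 * Fixes: task_threads()' result is now checked before th_list[0] is indexed
 * (previously a failure meant reading through an uninitialized pointer), and
 * the out-of-line thread array is released when control returns.
 */
static void
pinned_test_task_threads_mod_ref(void)
{
	printf("[Crasher]: task_threads should return pinned thread ports. Mod refs them to 0\n");
	thread_array_t th_list = NULL;
	mach_msg_type_number_t th_cnt = 0;
	kern_return_t kr;

	mach_port_t th_kp = mach_thread_self();
	mach_port_deallocate(mach_task_self(), th_kp);

	kr = task_threads(mach_task_self(), &th_list, &th_cnt);
	assert(kr == KERN_SUCCESS);
	assert(th_cnt > 0);

	/* First drop is expected to go quietly; the mod_refs below is the probe. */
	mach_port_deallocate(mach_task_self(), th_list[0]);

	kr = mach_port_mod_refs(mach_task_self(), th_list[0], MACH_PORT_RIGHT_SEND, -1);

	printf("[Crasher pinned_test_task_threads_mod_ref] mach_port_mod_refs returned %s \n.", mach_error_string(kr));

	/* task_threads() vm_allocated the array in our address space; give it back. */
	(void)vm_deallocate(mach_task_self(), (vm_address_t)th_list, th_cnt * sizeof(th_list[0]));
}
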
/*
 * Pinned-port probe: mach_port_destroy() on the task's own port, which tears
 * down every right held under that name in one call. Unlike the sibling
 * pinned tests this one prints no banner before acting; only the result is
 * reported.
 */
static void
pinned_test_mach_port_destroy(void)
{
	mach_port_t task = mach_task_self();
	kern_return_t result = mach_port_destroy(task, task);

	printf("[Crasher pinned_test_mach_port_destroy] mach_port_destroy returned %s \n.", mach_error_string(result));
}

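/*
 * Pinned-port probe through the message header: after dropping one send ref
 * on mach_task_self(), send a message whose destination is the task port with
 * a MOVE_SEND disposition, which would consume what should be the last ref.
 *
 * A moved send right on a remote kobject port is allowed by the copyin path
 * (see IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND in the kernel), so it is
 * the pin on the last reference that is expected to trip here.
 *
 * Fix: the header is fully initialized (msgh_voucher_port included) instead
 * of leaving unset fields as stack garbage.
 */
static void
pinned_test_move_send_as_remote_port(void)
{
	kern_return_t kr = mach_port_deallocate(mach_task_self(), mach_task_self());
	assert(kr == KERN_SUCCESS);

	struct {
		mach_msg_header_t header;
	} msg = {
		.header = {
			.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND, 0),
			.msgh_size = sizeof(msg),
			.msgh_remote_port = mach_task_self(),
			.msgh_local_port = MACH_PORT_NULL,
			.msgh_id = 2000,
		},
	};

	kr = mach_msg_send(&msg.header);

	printf("[Crasher pinned_test_move_send_as_remote_port] mach_msg_send returned %s \n.", mach_error_string(kr));
}
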
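/*
 * Immovable-port probe through the header's reply slot: both msgh_remote_port
 * and msgh_local_port are mach_task_self(), each with a MOVE_SEND disposition.
 * The reply (local) port of a message may not be an immovable right (see
 * ipc_right_copyin_check_reply() in the kernel), so this send is expected to
 * be refused or, under hard enforcement, to raise a fatal EXC_GUARD.
 *
 * Fix: the header is fully initialized rather than leaving msgh_voucher_port
 * as stack garbage.
 */
static void
immovable_test_move_send_as_remote_port(void)
{
	struct {
		mach_msg_header_t header;
	} msg = {
		.header = {
			.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND, MACH_MSG_TYPE_MOVE_SEND),
			.msgh_size = sizeof(msg),
			.msgh_remote_port = mach_task_self(),
			.msgh_local_port = mach_task_self(),
			.msgh_id = 2000,
		},
	};

	kern_return_t kr = mach_msg_send(&msg.header);

	printf("[Crasher immovable_test_move_send_as_remote_port] mach_msg_send returned %s \n.", mach_error_string(kr));
}
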
/*
 * Immovable-port probe: ship mach_task_self() in a port descriptor with a
 * MOVE_SEND disposition via attempt_send_immovable_port() and report the
 * kernel's verdict.
 */
static void
immovable_test_move_send_task_self(void)
{
	printf("[Crasher]: Move send mach_task_self_\n");

	kern_return_t result = attempt_send_immovable_port(mach_task_self(), MACH_MSG_TYPE_MOVE_SEND);

	printf("[Crasher immovable_test_move_send_task_self] attempt_send_immovable_port returned %s \n.", mach_error_string(result));
}

/*
 * Immovable-port probe: ship mach_task_self() in a port descriptor with a
 * COPY_SEND disposition via attempt_send_immovable_port() and report the
 * kernel's verdict.
 */
static void
immovable_test_copy_send_task_self(void)
{
	printf("[Crasher]: Copy send mach_task_self_\n");

	kern_return_t result = attempt_send_immovable_port(mach_task_self(), MACH_MSG_TYPE_COPY_SEND);

	printf("[Crasher immovable_test_copy_send_task_self] attempt_send_immovable_port returned %s \n.", mach_error_string(result));
}

/*
 * Immovable-port probe: ship the main thread's self port (a fresh send right
 * from mach_thread_self()) in a port descriptor with a MOVE_SEND disposition.
 * The right is not released afterwards: a successful move consumes it, and
 * the process exits or crashes either way.
 */
static void
immovable_test_move_send_thread_self(void)
{
	printf("[Crasher]: Move send main thread's self port\n");

	mach_port_t self_port = mach_thread_self();
	kern_return_t result = attempt_send_immovable_port(self_port, MACH_MSG_TYPE_MOVE_SEND);

	printf("[Crasher immovable_test_move_send_thread_self] attempt_send_immovable_port returned %s \n.", mach_error_string(result));
}

/*
 * Immovable-port probe: ship the main thread's self port in a port descriptor
 * with a COPY_SEND disposition. COPY_SEND leaves our right in place, so the
 * extra ref obtained from mach_thread_self() is released before returning.
 */
static void
immovable_test_copy_send_thread_self(void)
{
	printf("[Crasher]: Copy send main thread's self port\n");

	mach_port_t self_port = mach_thread_self();
	kern_return_t result = attempt_send_immovable_port(self_port, MACH_MSG_TYPE_COPY_SEND);
	printf("[Crasher immovable_test_copy_send_thread_self] attempt_send_immovable_port returned %s \n.", mach_error_string(result));

	mach_port_deallocate(mach_task_self(), self_port);
}

/*
 * Immovable-port probe on the task read port: fetch it with
 * task_get_special_port(TASK_READ_PORT), ship it with a COPY_SEND
 * disposition and report the result. The ref obtained from
 * task_get_special_port() is released afterwards (COPY_SEND does not
 * consume it).
 */
static void
immovable_test_copy_send_task_read(void)
{
	mach_port_t read_port = MACH_PORT_NULL;
	kern_return_t result;

	printf("[Crasher]: Copy send task read port\n");

	result = task_get_special_port(mach_task_self(), TASK_READ_PORT, &read_port);
	assert(result == KERN_SUCCESS);

	result = attempt_send_immovable_port(read_port, MACH_MSG_TYPE_COPY_SEND);
	printf("[Crasher immovable_test_copy_send_task_read] attempt_send_immovable_port returned %s \n.", mach_error_string(result));

	mach_port_deallocate(mach_task_self(), read_port);
}

/*
 * Immovable-port probe on the task inspect port: fetch it with
 * task_get_special_port(TASK_INSPECT_PORT) and ship it with a MOVE_SEND
 * disposition.
 *
 * NOTE(review): despite the "copy_send" in the function name, this test (and
 * its banner) uses MOVE_SEND; the name is kept because main() refers to it.
 * The right is not released afterwards: a successful move consumes it.
 */
static void
immovable_test_copy_send_task_inspect(void)
{
	mach_port_t inspect_port = MACH_PORT_NULL;
	kern_return_t result;

	printf("[Crasher]: Move send task inspect port\n");

	result = task_get_special_port(mach_task_self(), TASK_INSPECT_PORT, &inspect_port);
	assert(result == KERN_SUCCESS);

	result = attempt_send_immovable_port(inspect_port, MACH_MSG_TYPE_MOVE_SEND);
	printf("[Crasher immovable_test_copy_send_task_inspect] attempt_send_immovable_port returned %s \n.", mach_error_string(result));
}

/*
 * Immovable-port probe on the main thread's inspect port: fetch it with
 * thread_get_special_port(THREAD_INSPECT_PORT) and ship it with a MOVE_SEND
 * disposition. The thread self right used to look it up is released at the
 * end; the inspect right itself is not (a successful move consumes it).
 */
static void
immovable_test_move_send_thread_inspect(void)
{
	mach_port_t inspect_port = MACH_PORT_NULL;
	mach_port_t self_port = mach_thread_self();
	kern_return_t result;

	printf("[Crasher]: Move send thread inspect port\n");

	result = thread_get_special_port(self_port, THREAD_INSPECT_PORT, &inspect_port);
	assert(result == KERN_SUCCESS);

	result = attempt_send_immovable_port(inspect_port, MACH_MSG_TYPE_MOVE_SEND);
	printf("[Crasher immovable_test_move_send_thread_inspect] attempt_send_immovable_port returned %s \n.", mach_error_string(result));

	mach_port_deallocate(mach_task_self(), self_port);
}

/*
 * Immovable-port probe on raw threads made with thread_create() (not pthreads).
 *
 * Two threads are created. The first only demonstrates that a raw thread's
 * port is not pinned: its single send right is dropped to zero and this is
 * not expected to trap (the result is not asserted, so a soft refusal is
 * simply ignored). The second is the payload of a MOVE_SEND descriptor, which
 * is the call annotated as the expected crash point. If control returns, the
 * second thread is terminated; the assert on that relies on the name still
 * being valid, i.e. on the move having been refused.
 *
 * thread_create() hands back suspended threads; neither is resumed, and the
 * first one is never terminated (once its right is gone this task has no name
 * left to reach it).
 */
static void
immovable_test_move_send_raw_thread(void)
{
	mach_port_t raw_thread = MACH_PORT_NULL;
	kern_return_t result;

	/* Not pinned: dropping the only right should not crash. */
	result = thread_create(mach_task_self(), &raw_thread);
	assert(result == KERN_SUCCESS);
	(void)mach_port_deallocate(mach_task_self(), raw_thread);

	/* Immovable: the MOVE_SEND below is where the crash is expected. */
	result = thread_create(mach_task_self(), &raw_thread);
	assert(result == KERN_SUCCESS);
	result = attempt_send_immovable_port(raw_thread, MACH_MSG_TYPE_MOVE_SEND);
	printf("[Crasher immovable_test_move_send_raw_thread] attempt_send_immovable_port returned %s \n.", mach_error_string(result));

	result = thread_terminate(raw_thread);
	assert(result == KERN_SUCCESS);
}

/*
 * Immovable-port probe on the main thread's read port: fetch it with
 * thread_get_special_port(THREAD_READ_PORT), ship it with a COPY_SEND
 * disposition, then release both the read right and the thread self right
 * used to look it up (COPY_SEND consumes neither).
 */
static void
immovable_test_copy_send_thread_read(void)
{
	mach_port_t read_port = MACH_PORT_NULL;
	mach_port_t self_port = mach_thread_self();
	kern_return_t result;

	printf("[Crasher]: Copy send thread read port\n");

	result = thread_get_special_port(self_port, THREAD_READ_PORT, &read_port);
	assert(result == KERN_SUCCESS);

	result = attempt_send_immovable_port(read_port, MACH_MSG_TYPE_COPY_SEND);
	printf("[Crasher immovable_test_copy_send_thread_read] attempt_send_immovable_port returned %s \n.", mach_error_string(result));

	mach_port_deallocate(mach_task_self(), read_port);
	mach_port_deallocate(mach_task_self(), self_port);
}

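/*
 * mach_msg2() CFI probe: send a header-only message to the task port (a
 * kobject port) with MACH64_SEND_MSG but none of the CFI call-type bits
 * (MACH64_SEND_KOBJECT_CALL / MACH64_SEND_MQ_CALL / MACH64_SEND_ANY) set.
 * The call is expected to crash; if it returns, the raw code is printed.
 *
 * Fix: the header is fully initialized (msgh_voucher_port included) instead
 * of being sent with uninitialized stack bytes.
 */
static void
cfi_test_no_bit_set(void)
{
	printf("[Crasher]: Try sending mach_msg2() without setting CFI bits\n");

	mach_msg_header_t header = {
		.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_COPY_SEND, 0, 0, 0),
		.msgh_size = sizeof(header),
		.msgh_remote_port = mach_task_self(),
		.msgh_local_port = MACH_PORT_NULL,
		.msgh_id = 3409,
	};
	kern_return_t kr;

	kr = mach_msg2(&header, MACH64_SEND_MSG, header, header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_no_bit_set]: mach_msg2() returned %d\n", kr);
}
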
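/*
 * mach_msg2() CFI probe: send a header-only message to the task port with two
 * CFI call-type bits set at once (MACH64_SEND_ANY | MACH64_SEND_KOBJECT_CALL).
 * The call is expected to crash; if it returns, the raw code is printed.
 *
 * Fix: the header is fully initialized (msgh_voucher_port included) instead
 * of being sent with uninitialized stack bytes.
 */
static void
cfi_test_two_bits_set(void)
{
	printf("[Crasher]: Try sending mach_msg2() but setting 2 CFI bits\n");

	mach_msg_header_t header = {
		.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_COPY_SEND, 0, 0, 0),
		.msgh_size = sizeof(header),
		.msgh_remote_port = mach_task_self(),
		.msgh_local_port = MACH_PORT_NULL,
		.msgh_id = 3409,
	};
	kern_return_t kr;

	kr = mach_msg2(&header, MACH64_SEND_MSG | MACH64_SEND_ANY | MACH64_SEND_KOBJECT_CALL,
	    header, header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_two_bits_set]: mach_msg2() returned %d\n", kr);
}
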
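/*
 * mach_msg2() CFI probe against a mk_timer port.
 *
 * A timer port is created, confirmed to be a kobject of type IKOT_TIMER via
 * mach_port_kobject(), and then used as the destination of an oversized
 * (header + 2048 data bytes) message twice: first with MACH64_SEND_MQ_CALL,
 * which must succeed (asserted), then with MACH64_SEND_KOBJECT_CALL, which is
 * expected to crash. If the second call returns, the raw code is printed.
 *
 * Fix: the message is zero-initialized, so the 2048-byte payload and the
 * unset header fields (msgh_id, msgh_voucher_port) are no longer uninitialized
 * stack contents handed to the kernel.
 */
static void
cfi_test_msg_to_timer_port(void)
{
	printf("[Crasher]: Try sending mach_msg2() to timer port\n");

	mach_port_t timer = MACH_PORT_NULL;
	struct oversize_msg {
		mach_msg_header_t header;
		char data[2048];
	} msg = { 0 };

	kern_return_t kr;
	natural_t kotype;
	mach_vm_address_t addr;

#define IKOT_TIMER 8
	timer = mk_timer_create();
	assert(timer != MACH_PORT_NULL);

	/* Make sure it's a kobject port */
	kr = mach_port_kobject(mach_task_self(), timer, &kotype, &addr);
	assert(kr == KERN_SUCCESS);
	assert(kotype == IKOT_TIMER);

	msg.header.msgh_local_port = MACH_PORT_NULL;
	msg.header.msgh_remote_port = timer;
	msg.header.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_MAKE_SEND, 0, 0, 0);
	msg.header.msgh_size = sizeof(msg);

	/* Timer port must use MACH64_SEND_MQ_CALL */
	kr = mach_msg2(&msg, MACH64_SEND_MSG | MACH64_SEND_MQ_CALL,
	    msg.header, msg.header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	assert(kr == KERN_SUCCESS);
	printf("Message sent to timer port successfully\n");

	/* Using MACH64_SEND_KOBJECT_CALL should crash */
	kr = mach_msg2(&msg, MACH64_SEND_MSG | MACH64_SEND_KOBJECT_CALL,
	    msg.header, msg.header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_timer_port]: mach_msg2() returned %d\n", kr);
}
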
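/*
 * mach_msg2() CFI probe: send a header-only message to the task port (a
 * kobject port) with MACH64_SEND_MQ_CALL, the bit meant for message-queue
 * destinations, instead of MACH64_SEND_KOBJECT_CALL. The call is expected to
 * crash; if it returns, the raw code is printed.
 *
 * Fix: the header is fully initialized (msgh_voucher_port included) instead
 * of being sent with uninitialized stack bytes.
 */
static void
cfi_test_wrong_bit_set(void)
{
	printf("[Crasher]: Try sending mach_msg2() but setting wrong CFI bits\n");

	mach_msg_header_t header = {
		.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_COPY_SEND, 0, 0, 0),
		.msgh_size = sizeof(header),
		.msgh_remote_port = mach_task_self(),
		.msgh_local_port = MACH_PORT_NULL,
		.msgh_id = 3409,
	};
	kern_return_t kr;

	/* Using MACH64_SEND_MQ_CALL but destination is a kobject port */
	kr = mach_msg2(&header, MACH64_SEND_MSG | MACH64_SEND_MQ_CALL,
	    header, header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_wrong_bit_set]: mach_msg2() returned %d\n", kr);
}
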
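/*
 * Entry point. argv[1] selects one entry of the tests[] table below, which is
 * run exactly once; the process either crashes inside it (the expected outcome
 * under hard enforcement) or exits 0 afterwards.
 *
 * When argv[0] is exactly "imm_pinned_control_port_crasher_3P_hardened", the
 * crasher first clears its platform-binary status via remove_platform_binary()
 * from cs_helpers.h so the test runs under third-party (non-platform) policy;
 * if that cannot be done the test is skipped with exit status 0 rather than
 * reported as a failure.
 *
 * Fixes: the test number is parsed with strtol() and rejected on trailing junk
 * or overflow (atoi() silently mapped "abc" or "3x" onto a test index), the
 * rejection message shows the argument as given, and the table size is checked
 * against MAX_TEST_NUM at compile time so a missing entry can no longer leave a
 * NULL function pointer in range.
 */
int
main(int argc, char *argv[])
{
	static void (*const tests[])(void) = {
		/* pinned control port tests */
		pinned_test_main_thread_mod_ref,
		pinned_test_pthread_dealloc,
		pinned_test_task_self_dealloc,
		pinned_test_task_self_mod_ref,
		pinned_test_task_threads_mod_ref,
		pinned_test_mach_port_destroy,
		pinned_test_move_send_as_remote_port,

		/* immovable control port tests */
		immovable_test_move_send_task_self,
		immovable_test_copy_send_task_self,
		immovable_test_move_send_thread_self,
		immovable_test_copy_send_thread_self,
		immovable_test_copy_send_task_read,
		immovable_test_copy_send_task_inspect,
		immovable_test_move_send_thread_inspect,
		immovable_test_copy_send_thread_read,
		immovable_test_move_send_as_remote_port,
		immovable_test_move_send_raw_thread,

		/* mach_msg2() CFI bit tests */
		cfi_test_no_bit_set,
		cfi_test_two_bits_set,
		cfi_test_wrong_bit_set,
		cfi_test_msg_to_timer_port,
	};
	_Static_assert(sizeof(tests) / sizeof(tests[0]) == MAX_TEST_NUM,
	    "tests[] and MAX_TEST_NUM are out of sync");

	printf("[Crasher]: My Pid: %d\n", getpid());

	if (argc < 2) {
		printf("[Crasher]: Specify a test to run.");
		exit(-1);
	}

	/*
	 * Exact match on argv[0]: the harness is expected to spawn the hardened
	 * variant under this bare name. A path-qualified argv[0] does not match
	 * and runs the test with platform-binary status intact.
	 */
	bool third_party_hardened = !strcmp(argv[0], "imm_pinned_control_port_crasher_3P_hardened");
	if (third_party_hardened) {
		/* Ensure that we can set this crasher as a non-platform binary */
		if (remove_platform_binary() != 0) {
			/*
			 * CS_OPS_CLEARPLATFORM always fails on release builds, and it can
			 * also fail depending on global/MAC policies of the BATS container
			 * (ref: csops_internal). Skip instead of failing the test.
			 */
			printf("Failed to remove platform binary, skipping test\n");
			exit(0);
		}
	}

	/* Parse argv[1] strictly: a bare decimal number inside the table's range. */
	errno = 0;
	char *end = NULL;
	long test_num = strtol(argv[1], &end, 10);
	if (end == argv[1] || *end != '\0' || errno == ERANGE ||
	    test_num < 0 || test_num >= MAX_TEST_NUM) {
		printf("[Crasher]: Invalid test num: %s. Exiting...\n", argv[1]);
		exit(-1);
	}

	printf("[Crasher]: Running test num %d\n", (int)test_num);
	tests[test_num]();

	exit(0);
}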