/*
 * Copyright (c) 2024 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */
28*bbb1b6f9SApple OSS Distributions
29*bbb1b6f9SApple OSS Distributions #include <arm_acle.h>
30*bbb1b6f9SApple OSS Distributions #include <darwintest.h>
31*bbb1b6f9SApple OSS Distributions #include <mach-o/dyld.h>
32*bbb1b6f9SApple OSS Distributions #include <mach/mach.h>
33*bbb1b6f9SApple OSS Distributions #include <spawn_private.h>
34*bbb1b6f9SApple OSS Distributions #include <stdlib.h>
35*bbb1b6f9SApple OSS Distributions #include <sys/spawn_internal.h>
36*bbb1b6f9SApple OSS Distributions
37*bbb1b6f9SApple OSS Distributions #include "arm_mte_utilities.h"
38*bbb1b6f9SApple OSS Distributions #include "test_utils.h"
39*bbb1b6f9SApple OSS Distributions
/*
 * File-wide darwintest metadata for the MTE tag-check-bypass tests.
 *
 * The tests are not run concurrently and leak checking is switched off.
 * Crashes of processes whose name matches ".*knob.*" are ignored.
 * NOTE(review): presumably that pattern is meant to match this test binary,
 * whose helpers deliberately perform an out-of-bounds access -- confirm
 * against the built test name.
 */
T_GLOBAL_META(
	T_META_NAMESPACE("xnu.arm.mte"),
	T_META_RADAR_COMPONENT_NAME("Darwin Testing"),
	T_META_RADAR_COMPONENT_VERSION("all"),
	T_META_OWNER("n_sabo"),
	T_META_RUN_CONCURRENTLY(false),
	T_META_IGNORECRASHES(".*knob.*"),
	T_META_CHECK_LEAKS(false));
46*bbb1b6f9SApple OSS Distributions
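/*
 * Run one pass of the tag-check-bypass scenario in the calling process and
 * return to the caller.
 *
 * The pass allocates two MTE granules, retags the first granule with a random
 * non-zero tag, and then stores through the retagged pointer into the second
 * granule, which still carries tag zero. That store is a tag mismatch: the
 * helper only expects to survive it because it is spawned with
 * POSIX_SPAWN_SECFLAG_EXPLICIT_CHECK_BYPASS.
 *
 * NOTE(review): this file shows no negative control (the same access without
 * the bypass flag being expected to fault) -- confirm one exists elsewhere.
 */
static void
tag_violate_once(void)
{
	static const size_t ALLOC_SIZE = MTE_GRANULE_SIZE * 2;

	vm_address_t address = 0;
	kern_return_t kr = vm_allocate(mach_task_self(), &address, ALLOC_SIZE, VM_FLAGS_ANYWHERE | VM_FLAGS_MTE);
	T_ASSERT_MACH_SUCCESS(kr, "allocate tagged memory");
	char *untagged_ptr = (char *) address;

	/* Freshly allocated tagged memory is expected to carry allocation tag 0. */
	char *orig_tagged_ptr = __arm_mte_get_tag(untagged_ptr);
	unsigned int orig_tag = extract_mte_tag(orig_tagged_ptr);
	T_ASSERT_EQ_UINT(orig_tag, 0U, "originally assigned tag is zero");

	/* Exclude tag 0 so that every random tag differs from the original one. */
	uint64_t mask = __arm_mte_exclude_tag(orig_tagged_ptr, 0);
	T_ASSERT_EQ_LLONG(mask, (1LL << 0), "zero tag is excluded");

	/* Draw many random tags to gain confidence that the exclusion mask is honoured. */
	char *random_tagged_ptr = NULL;
	for (unsigned int i = 0; i < NUM_MTE_TAGS * 4; i++) {
		random_tagged_ptr = __arm_mte_create_random_tag(untagged_ptr, mask);
		T_QUIET; T_ASSERT_NE_PTR(orig_tagged_ptr, random_tagged_ptr,
		    "random tag was not taken from excluded tag set");

		ptrdiff_t diff = __arm_mte_ptrdiff(untagged_ptr, random_tagged_ptr);
		T_QUIET; T_ASSERT_EQ_ULONG(diff, (ptrdiff_t)0, "untagged %p and tagged %p have identical address bits",
		    untagged_ptr, random_tagged_ptr);
	}

	/* Commit the last random tag to the first granule and read it back. */
	__arm_mte_set_tag(random_tagged_ptr);

	char *read_back = __arm_mte_get_tag(untagged_ptr);
	T_ASSERT_EQ_PTR(read_back, random_tagged_ptr, "tag was committed to memory correctly");

	/* In-bounds accesses through the matching tag must work. */
	random_tagged_ptr[0] = 't';
	random_tagged_ptr[1] = 'e';
	random_tagged_ptr[2] = 's';
	random_tagged_ptr[3] = 't';
	T_EXPECT_EQ_STR(random_tagged_ptr, "test", "read/write from tagged memory");

	/*
	 * Load the second granule's allocation tag from memory. Deriving the
	 * pointer from orig_tagged_ptr instead would only re-check that pointer's
	 * own tag bits, which were already asserted to be zero above, and would
	 * not prove that the store below is a real tag mismatch.
	 * NOTE(review): assumes extract_mte_tag() returns the tag bits of the
	 * pointer value it is given -- confirm in arm_mte_utilities.h.
	 */
	char *next_granule_ptr = __arm_mte_get_tag(untagged_ptr + MTE_GRANULE_SIZE);
	unsigned int next_granule_tag = extract_mte_tag(next_granule_ptr);
	T_QUIET; T_ASSERT_EQ_UINT(next_granule_tag, 0U,
	    "next MTE granule still has its originally assigned tag");

	/* Pointer tag is non-zero, the target granule's tag is zero. */
	T_LOG("attempting out-of-bounds access to tagged memory");
	random_tagged_ptr[MTE_GRANULE_SIZE] = '!';
	T_LOG("bypass: survived OOB access");

	/* We should not just have survived, but also re-issued the instruction */
	T_ASSERT_EQ_CHAR(random_tagged_ptr[MTE_GRANULE_SIZE], '!', "faulting instruction wasn't re-issued correctly");

	/* Restore the original tags on both granules before releasing the memory. */
	__arm_mte_set_tag(orig_tagged_ptr);
	__arm_mte_set_tag(orig_tagged_ptr + MTE_GRANULE_SIZE);
	vm_deallocate(mach_task_self(), address, ALLOC_SIZE);
}

/*
 * Run one pass of the tag-check-bypass scenario and terminate the calling
 * process with status 0. This never returns, so nothing placed after a call
 * to it is executed.
 */
static void
tag_violate_template(void)
{
	tag_violate_once();
	exit(0);
}

T_HELPER_DECL(mte_tag_violate, "helper to trigger an MTE violation")
{
	tag_violate_template();
}

T_HELPER_DECL(mte_tag_violate_with_fork, "helper to trigger an MTE violation from a forked process")
{
	/*
	 * Use the non-exiting pass here: tag_violate_template() ends in exit(0),
	 * so calling it first would terminate this helper before the fork below
	 * and the inheritance check would never run.
	 */
	tag_violate_once();
	T_LOG("Knob enforced on main process\n");
	/*
	 * Now fork a child and verify the knob was inherited.
	 * NOTE(review): assert_normal_exit() comes from test_utils.h; presumably
	 * it runs the block in a forked child and asserts a clean exit -- confirm.
	 */
	assert_normal_exit(^{
		tag_violate_template();
	}, "forked a child");
	T_LOG("Knob enforced on forked process\n");
}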
119*bbb1b6f9SApple OSS Distributions
/*
 * Re-execute the running test binary as the darwintest helper `helper_name`
 * ("-n <helper_name>") with the given posix_spawn security flags.
 *
 * flags, expect_mte and should_kill_child are forwarded unchanged to
 * posix_spawn_with_flags_and_assert_successful_exit(), which is declared
 * outside this file.
 */
static void
default_tag_check_bypass_template(
	posix_spawn_secflag_options flags,
	bool expect_mte,
	bool should_kill_child,
	char *helper_name
	)
{
	char self_path[PATH_MAX];
	uint32_t self_path_len = sizeof(self_path);

	/* Resolve our own executable so that the child runs the same binary. */
	T_ASSERT_POSIX_ZERO(_NSGetExecutablePath(self_path, &self_path_len), "_NSGetExecutablePath");

	char *child_argv[] = { self_path, "-n", helper_name, NULL };
	posix_spawn_with_flags_and_assert_successful_exit(child_argv, flags, expect_mte, should_kill_child);
}
134*bbb1b6f9SApple OSS Distributions
/*
 * Spawn the mte_tag_violate helper with MTE explicitly enabled and the
 * tag-check bypass requested; the helper's out-of-bounds store must not
 * terminate the child.
 */
T_DECL(test_posix_spawn_explicit_check_bypass_knob,
    "Test MTE tag check bypass works with posix_spawnattr and flag POSIX_SPAWN_SECFLAG_EXPLICIT_CHECK_BYPASS",
    T_META_ENABLED(TARGET_CPU_ARM64),
    T_META_REQUIRES_SYSCTL_EQ("hw.optional.arm.FEAT_MTE4", 1),
    XNU_T_META_SOC_SPECIFIC)
{
	const posix_spawn_secflag_options spawn_flags =
	    POSIX_SPAWN_SECFLAG_EXPLICIT_ENABLE | POSIX_SPAWN_SECFLAG_EXPLICIT_CHECK_BYPASS;

	default_tag_check_bypass_template(spawn_flags, /* expect_mte */ true,
	    /* should_kill_child */ false, "mte_tag_violate");
}
143*bbb1b6f9SApple OSS Distributions
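/*
 * Spawn the mte_tag_violate helper with the never-check-enable flag combined
 * with the tag-check bypass; the helper's out-of-bounds store must not
 * terminate the child.
 *
 * The description's adjacent string literals are concatenated by the
 * compiler, so the first fragment needs a trailing space after '&'.
 */
T_DECL(test_explicit_never_check_enable_with_bypass_knobs,
    "Test that combining POSIX_SPAWN_SECFLAG_EXPLICIT_NEVER_CHECK_ENABLE & "
    "POSIX_SPAWN_SECFLAG_EXPLICIT_CHECK_BYPASS results in relaxed enforcement "
    "on out of bounds memory access",
    T_META_ENABLED(TARGET_CPU_ARM64),
    T_META_REQUIRES_SYSCTL_EQ("hw.optional.arm.FEAT_MTE4", 1),
    XNU_T_META_SOC_SPECIFIC)
{
	default_tag_check_bypass_template(POSIX_SPAWN_SECFLAG_EXPLICIT_NEVER_CHECK_ENABLE | POSIX_SPAWN_SECFLAG_EXPLICIT_CHECK_BYPASS, true, false, "mte_tag_violate");
}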
154*bbb1b6f9SApple OSS Distributions
/*
 * Spawn the mte_tag_violate_with_fork helper with only the tag-check bypass
 * flag set, to check that the bypass also applies to a process forked from
 * the spawned helper.
 */
T_DECL(test_posix_spawn_secflag_explict_check_bypass_knob_inherited_on_fork,
    "Test that POSIX_SPAWN_SECFLAG_EXPLICIT_CHECK_BYPASS is inherited on fork",
    T_META_ENABLED(TARGET_CPU_ARM64),
    T_META_REQUIRES_SYSCTL_EQ("hw.optional.arm.FEAT_MTE4", 1),
    XNU_T_META_SOC_SPECIFIC)
{
	const posix_spawn_secflag_options spawn_flags = POSIX_SPAWN_SECFLAG_EXPLICIT_CHECK_BYPASS;

	default_tag_check_bypass_template(spawn_flags, /* expect_mte */ true,
	    /* should_kill_child */ false, "mte_tag_violate_with_fork");
}