1 #include <darwintest.h>
2
3 #include <errno.h>
4 #include <fcntl.h>
5 #include <signal.h>
6 #include <spawn.h>
7 #include <spawn_private.h>
8 #include <stdbool.h>
9 #include <stdint.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <sys/spawn_internal.h>
14 #include <sys/sysctl.h>
15 #include <sys/syslimits.h>
16 #include <sys/reason.h>
17 #include <sysexits.h>
18 #include <unistd.h>
19 #include <signal.h>
20 #include <libproc.h>
21
22 #include <mach-o/dyld.h>
23 #include <mach-o/dyld_priv.h>
24 #include <dlfcn.h>
25
26 #define SHARED_CACHE_HELPER "get_shared_cache_address"
27 #define DO_RUSAGE_CHECK "check_rusage_flag"
28 #define DO_DUMMY "dummy"
29 #define ADDRESS_OUTPUT_SIZE 12L
30
31 #ifndef _POSIX_SPAWN_RESLIDE
32 #define _POSIX_SPAWN_RESLIDE 0x0800
33 #endif
34
35 #ifndef OS_REASON_FLAG_SHAREDREGION_FAULT
36 #define OS_REASON_FLAG_SHAREDREGION_FAULT 0x400
37 #endif
38
39 T_GLOBAL_META(T_META_RUN_CONCURRENTLY(true));
40
41 #if (__arm64e__) && (TARGET_OS_IOS || TARGET_OS_OSX)
42 static void *
get_current_slide_address(bool reslide)43 get_current_slide_address(bool reslide)
44 {
45 pid_t pid;
46 int pipefd[2];
47 posix_spawnattr_t attr;
48 posix_spawn_file_actions_t action;
49 uintptr_t addr;
50
51 T_ASSERT_POSIX_SUCCESS(posix_spawnattr_init(&attr), "posix_spawnattr_init");
52 /* spawn the helper requesting a reslide */
53 if (reslide) {
54 T_ASSERT_POSIX_SUCCESS(posix_spawnattr_setflags(&attr, _POSIX_SPAWN_RESLIDE), "posix_spawnattr_setflags");
55 }
56
57 T_ASSERT_POSIX_SUCCESS(pipe(pipefd), "pipe");
58 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_init(&action), "posix_spawn_fileactions_init");
59 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_addclose(&action, pipefd[0]), "posix_spawn_file_actions_addclose");
60 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_adddup2(&action, pipefd[1], 1), "posix_spawn_file_actions_addup2");
61 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_addclose(&action, pipefd[1]), "posix_spawn_file_actions_addclose");
62
63 char *argvs[3];
64 argvs[0] = SHARED_CACHE_HELPER;
65 argvs[1] = reslide ? DO_RUSAGE_CHECK : DO_DUMMY;
66 argvs[2] = NULL;
67 char *const envps[] = {NULL};
68
69 T_ASSERT_POSIX_ZERO(posix_spawn(&pid, SHARED_CACHE_HELPER, &action, &attr, argvs, envps), "helper posix_spawn");
70 T_ASSERT_POSIX_SUCCESS(close(pipefd[1]), "close child end of the pipe");
71
72 char buf[ADDRESS_OUTPUT_SIZE] = {0};
73
74 ssize_t read_bytes = 0;
75 do {
76 if (read_bytes == -1) {
77 T_LOG("reading off get_shared_cache_address got interrupted");
78 }
79 read_bytes = read(pipefd[0], buf, sizeof(buf));
80 } while (read_bytes == -1 && errno == EINTR);
81
82 T_ASSERT_EQ_LONG(ADDRESS_OUTPUT_SIZE, read_bytes, "read helper output");
83
84 int status = 0;
85 int waitpid_result = waitpid(pid, &status, 0);
86 T_ASSERT_POSIX_SUCCESS(waitpid_result, "waitpid");
87 T_ASSERT_EQ(waitpid_result, pid, "waitpid should return child we spawned");
88 T_ASSERT_EQ(WIFEXITED(status), 1, "child should have exited normally");
89 T_ASSERT_EQ(WEXITSTATUS(status), EX_OK, "child should have exited with success");
90
91 addr = strtoul(buf, NULL, 16);
92 T_ASSERT_GE_LONG(addr, 0L, "convert address to uintptr_t");
93
94 return (void *)addr;
95 }
96
97 /*
98 * build_faulting_shared_cache_address creates a pointer to an address that is
99 * within the shared_cache range but that is guaranteed to not be mapped.
100 */
101 static char *
build_faulting_shared_cache_address(bool tbi)102 build_faulting_shared_cache_address(bool tbi)
103 {
104 uintptr_t fault_address;
105
106 // Grab currently mapped shared cache location and size
107 size_t shared_cache_len = 0;
108 const void *shared_cache_location = _dyld_get_shared_cache_range(&shared_cache_len);
109 if (shared_cache_location == NULL || shared_cache_len == 0) {
110 return NULL;
111 }
112
113 // Locate a mach_header in the shared cache
114 Dl_info info;
115 if (dladdr((const void *)fork, &info) == 0) {
116 return NULL;
117 }
118
119 const struct mach_header *mh = info.dli_fbase;
120 uintptr_t slide = (uintptr_t)_dyld_get_image_slide(mh);
121
122 if (slide == 0) {
123 fault_address = (uintptr_t)shared_cache_location + shared_cache_len + PAGE_SIZE;
124 } else {
125 fault_address = (uintptr_t)shared_cache_location - PAGE_SIZE;
126 }
127
128 if (tbi) {
129 fault_address |= 0x2000000000000000;
130 }
131
132 return (char *)fault_address;
133 }
134
135 static void
induce_crash(volatile char * ptr)136 induce_crash(volatile char *ptr)
137 {
138 pid_t child = fork();
139 T_ASSERT_POSIX_SUCCESS(child, "fork");
140
141 if (child == 0) {
142 ptr[1];
143 } else {
144 sleep(1);
145 struct proc_exitreasonbasicinfo exit_reason = {0};
146 T_ASSERT_POSIX_SUCCESS(proc_pidinfo(child, PROC_PIDEXITREASONBASICINFO, 1, &exit_reason, sizeof(exit_reason)), "basic exit reason");
147
148 int status = 0;
149 int waitpid_result;
150 do {
151 waitpid_result = waitpid(child, &status, 0);
152 } while (waitpid_result < 0 && errno == EINTR);
153 T_QUIET; T_ASSERT_POSIX_SUCCESS(waitpid_result, "waitpid");
154 T_ASSERT_EQ(waitpid_result, child, "waitpid should return forked child");
155 T_ASSERT_EQ(exit_reason.beri_namespace, OS_REASON_SIGNAL, "child should have exited with a signal");
156
157 if (ptr) {
158 T_ASSERT_EQ_ULLONG(exit_reason.beri_code, (unsigned long long)SIGSEGV, "child should have received SIGSEGV");
159 T_ASSERT_NE((int)(exit_reason.beri_flags & OS_REASON_FLAG_SHAREDREGION_FAULT), 0, "should detect shared cache fault");
160 } else {
161 T_ASSERT_EQ((int)(exit_reason.beri_flags & OS_REASON_FLAG_SHAREDREGION_FAULT), 0, "should not detect shared cache fault");
162 }
163 }
164 }
165
166 static int saved_status;
167 static void
cleanup_sysctl(void)168 cleanup_sysctl(void)
169 {
170 int ret;
171
172 if (saved_status == 0) {
173 ret = sysctlbyname("vm.vm_shared_region_reslide_aslr", NULL, NULL, &saved_status, sizeof(saved_status));
174 T_QUIET; T_EXPECT_POSIX_SUCCESS(ret, "set shared region resliding back off");
175 }
176 }
177 #endif /* arm64e && (TARGET_OS_IOS || TARGET_OS_OSX) */
178
179 T_DECL(reslide_sharedcache, "crash induced reslide of the shared cache",
180 T_META_CHECK_LEAKS(false), T_META_IGNORECRASHES(".*shared_cache_reslide_test.*"),
181 T_META_ASROOT(true))
182 {
183 #if (__arm64e__) && (TARGET_OS_IOS || TARGET_OS_OSX)
184 void *system_address;
185 void *reslide_address;
186 void *confirm_address;
187 char *ptr;
188 int on = 1;
189 size_t size;
190
191 /* Force resliding on */
192 T_ASSERT_POSIX_SUCCESS(sysctlbyname("vm.vm_shared_region_reslide_aslr", &saved_status, &size, &on, sizeof(on)), "force enable reslide");
193 T_ATEND(cleanup_sysctl);
194
195 system_address = get_current_slide_address(false);
196 confirm_address = get_current_slide_address(false);
197 T_ASSERT_EQ_PTR(system_address, confirm_address, "system and current addresses should not diverge %p %p", system_address, confirm_address);
198
199 reslide_address = get_current_slide_address(true);
200 confirm_address = get_current_slide_address(true);
201 T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide addresses should diverge %p %p", system_address, reslide_address);
202 T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide (no crash) shouldn't diverge %p %p", reslide_address, confirm_address);
203
204 /* Crash into the shared cache area */
205 ptr = build_faulting_shared_cache_address(false);
206 T_ASSERT_NOTNULL(ptr, "faulting on %p in the shared region", (void *)ptr);
207 induce_crash(ptr);
208 reslide_address = get_current_slide_address(true);
209 T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash) %p %p", system_address, reslide_address);
210 T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash) %p %p", confirm_address, reslide_address);
211
212 confirm_address = get_current_slide_address(true);
213 T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide shouldn't diverge (no crash) %p %p", reslide_address, confirm_address);
214
215 /* Crash somewhere else */
216 ptr = NULL;
217 induce_crash(ptr);
218 confirm_address = get_current_slide_address(true);
219 T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide after a non-tracked crash shouldn't diverge %p %p", reslide_address, confirm_address);
220
221 /* Ensure we still get the system address */
222 confirm_address = get_current_slide_address(false);
223 T_ASSERT_EQ_PTR(system_address, confirm_address, "system address and new process without resliding shouldn't diverge %p %p", system_address, confirm_address);
224
225 /* Ensure we detect a crash into the shared area with a TBI tagged address */
226 ptr = build_faulting_shared_cache_address(true);
227 T_ASSERT_NOTNULL(ptr, "faulting on %p in the shared region", (void *)ptr);
228 confirm_address = get_current_slide_address(true);
229 induce_crash(ptr);
230 reslide_address = get_current_slide_address(true);
231 T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash, TBI test) %p %p", system_address, reslide_address);
232 T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash, TBI test) %p %p", confirm_address, reslide_address);
233 #else /* __arm64e__ && (TARGET_OS_IOS || TARGET_OS_OSX) */
234 T_SKIP("shared cache reslide is currently only supported on arm64e iPhones and Apple Silicon Macs");
235 #endif /* __arm64e__ && (TARGET_OS_IOS || TARGET_OS_OSX) */
236 }
237