xref: /xnu-8019.80.24/tests/shared_cache_reslide_test.c (revision a325d9c4a84054e40bbe985afedcb50ab80993ea) 
1*a325d9c4SApple OSS Distributions #include <darwintest.h>
2*a325d9c4SApple OSS Distributions 
3*a325d9c4SApple OSS Distributions #include <errno.h>
4*a325d9c4SApple OSS Distributions #include <fcntl.h>
5*a325d9c4SApple OSS Distributions #include <signal.h>
6*a325d9c4SApple OSS Distributions #include <spawn.h>
7*a325d9c4SApple OSS Distributions #include <spawn_private.h>
8*a325d9c4SApple OSS Distributions #include <stdbool.h>
9*a325d9c4SApple OSS Distributions #include <stdint.h>
10*a325d9c4SApple OSS Distributions #include <stdio.h>
11*a325d9c4SApple OSS Distributions #include <stdlib.h>
12*a325d9c4SApple OSS Distributions #include <string.h>
13*a325d9c4SApple OSS Distributions #include <sys/spawn_internal.h>
14*a325d9c4SApple OSS Distributions #include <sys/sysctl.h>
15*a325d9c4SApple OSS Distributions #include <sys/syslimits.h>
16*a325d9c4SApple OSS Distributions #include <sys/reason.h>
17*a325d9c4SApple OSS Distributions #include <sysexits.h>
18*a325d9c4SApple OSS Distributions #include <unistd.h>
19*a325d9c4SApple OSS Distributions #include <signal.h>
20*a325d9c4SApple OSS Distributions #include <libproc.h>
21*a325d9c4SApple OSS Distributions 
22*a325d9c4SApple OSS Distributions #include <mach-o/dyld.h>
23*a325d9c4SApple OSS Distributions #include <mach-o/dyld_priv.h>
24*a325d9c4SApple OSS Distributions #include <dlfcn.h>
25*a325d9c4SApple OSS Distributions 
26*a325d9c4SApple OSS Distributions #define SHARED_CACHE_HELPER "get_shared_cache_address"
27*a325d9c4SApple OSS Distributions #define DO_RUSAGE_CHECK "check_rusage_flag"
28*a325d9c4SApple OSS Distributions #define DO_DUMMY "dummy"
29*a325d9c4SApple OSS Distributions #define ADDRESS_OUTPUT_SIZE     12L
30*a325d9c4SApple OSS Distributions 
31*a325d9c4SApple OSS Distributions #ifndef _POSIX_SPAWN_RESLIDE
32*a325d9c4SApple OSS Distributions #define _POSIX_SPAWN_RESLIDE    0x0800
33*a325d9c4SApple OSS Distributions #endif
34*a325d9c4SApple OSS Distributions 
35*a325d9c4SApple OSS Distributions #ifndef OS_REASON_FLAG_SHAREDREGION_FAULT
36*a325d9c4SApple OSS Distributions #define OS_REASON_FLAG_SHAREDREGION_FAULT       0x400
37*a325d9c4SApple OSS Distributions #endif
38*a325d9c4SApple OSS Distributions 
39*a325d9c4SApple OSS Distributions T_GLOBAL_META(T_META_RUN_CONCURRENTLY(true));
40*a325d9c4SApple OSS Distributions 
41*a325d9c4SApple OSS Distributions #if (__arm64e__) && (TARGET_OS_IOS || TARGET_OS_OSX)
42*a325d9c4SApple OSS Distributions static void *
get_current_slide_address(bool reslide)43*a325d9c4SApple OSS Distributions get_current_slide_address(bool reslide)
44*a325d9c4SApple OSS Distributions {
45*a325d9c4SApple OSS Distributions 	pid_t                                           pid;
46*a325d9c4SApple OSS Distributions 	int                             pipefd[2];
47*a325d9c4SApple OSS Distributions 	posix_spawnattr_t               attr;
48*a325d9c4SApple OSS Distributions 	posix_spawn_file_actions_t      action;
49*a325d9c4SApple OSS Distributions 	uintptr_t                       addr;
50*a325d9c4SApple OSS Distributions 
51*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_SUCCESS(posix_spawnattr_init(&attr), "posix_spawnattr_init");
52*a325d9c4SApple OSS Distributions 	/* spawn the helper requesting a reslide */
53*a325d9c4SApple OSS Distributions 	if (reslide) {
54*a325d9c4SApple OSS Distributions 		T_ASSERT_POSIX_SUCCESS(posix_spawnattr_setflags(&attr, _POSIX_SPAWN_RESLIDE), "posix_spawnattr_setflags");
55*a325d9c4SApple OSS Distributions 	}
56*a325d9c4SApple OSS Distributions 
57*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_SUCCESS(pipe(pipefd), "pipe");
58*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_init(&action), "posix_spawn_fileactions_init");
59*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_addclose(&action, pipefd[0]), "posix_spawn_file_actions_addclose");
60*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_adddup2(&action, pipefd[1], 1), "posix_spawn_file_actions_addup2");
61*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_addclose(&action, pipefd[1]), "posix_spawn_file_actions_addclose");
62*a325d9c4SApple OSS Distributions 
63*a325d9c4SApple OSS Distributions 	char *argvs[3];
64*a325d9c4SApple OSS Distributions 	argvs[0] = SHARED_CACHE_HELPER;
65*a325d9c4SApple OSS Distributions 	argvs[1] = reslide ? DO_RUSAGE_CHECK : DO_DUMMY;
66*a325d9c4SApple OSS Distributions 	argvs[2] = NULL;
67*a325d9c4SApple OSS Distributions 	char *const envps[] = {NULL};
68*a325d9c4SApple OSS Distributions 
69*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_ZERO(posix_spawn(&pid, SHARED_CACHE_HELPER, &action, &attr, argvs, envps), "helper posix_spawn");
70*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_SUCCESS(close(pipefd[1]), "close child end of the pipe");
71*a325d9c4SApple OSS Distributions 
72*a325d9c4SApple OSS Distributions 	char buf[ADDRESS_OUTPUT_SIZE] = {0};
73*a325d9c4SApple OSS Distributions 
74*a325d9c4SApple OSS Distributions 	ssize_t read_bytes = 0;
75*a325d9c4SApple OSS Distributions 	do {
76*a325d9c4SApple OSS Distributions 		if (read_bytes == -1) {
77*a325d9c4SApple OSS Distributions 			T_LOG("reading off get_shared_cache_address got interrupted");
78*a325d9c4SApple OSS Distributions 		}
79*a325d9c4SApple OSS Distributions 		read_bytes = read(pipefd[0], buf, sizeof(buf));
80*a325d9c4SApple OSS Distributions 	} while (read_bytes == -1 && errno == EINTR);
81*a325d9c4SApple OSS Distributions 
82*a325d9c4SApple OSS Distributions 	T_ASSERT_EQ_LONG(ADDRESS_OUTPUT_SIZE, read_bytes, "read helper output");
83*a325d9c4SApple OSS Distributions 
84*a325d9c4SApple OSS Distributions 	int status = 0;
85*a325d9c4SApple OSS Distributions 	int waitpid_result = waitpid(pid, &status, 0);
86*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_SUCCESS(waitpid_result, "waitpid");
87*a325d9c4SApple OSS Distributions 	T_ASSERT_EQ(waitpid_result, pid, "waitpid should return child we spawned");
88*a325d9c4SApple OSS Distributions 	T_ASSERT_EQ(WIFEXITED(status), 1, "child should have exited normally");
89*a325d9c4SApple OSS Distributions 	T_ASSERT_EQ(WEXITSTATUS(status), EX_OK, "child should have exited with success");
90*a325d9c4SApple OSS Distributions 
91*a325d9c4SApple OSS Distributions 	addr = strtoul(buf, NULL, 16);
92*a325d9c4SApple OSS Distributions 	T_ASSERT_GE_LONG(addr, 0L, "convert address to uintptr_t");
93*a325d9c4SApple OSS Distributions 
94*a325d9c4SApple OSS Distributions 	return (void *)addr;
95*a325d9c4SApple OSS Distributions }
96*a325d9c4SApple OSS Distributions 
97*a325d9c4SApple OSS Distributions /*
98*a325d9c4SApple OSS Distributions  * build_faulting_shared_cache_address creates a pointer to an address that is
99*a325d9c4SApple OSS Distributions  * within the shared_cache range but that is guaranteed to not be mapped.
100*a325d9c4SApple OSS Distributions  */
101*a325d9c4SApple OSS Distributions static char *
build_faulting_shared_cache_address(bool tbi)102*a325d9c4SApple OSS Distributions build_faulting_shared_cache_address(bool tbi)
103*a325d9c4SApple OSS Distributions {
104*a325d9c4SApple OSS Distributions 	uintptr_t fault_address;
105*a325d9c4SApple OSS Distributions 
106*a325d9c4SApple OSS Distributions 	// Grab currently mapped shared cache location and size
107*a325d9c4SApple OSS Distributions 	size_t shared_cache_len = 0;
108*a325d9c4SApple OSS Distributions 	const void *shared_cache_location = _dyld_get_shared_cache_range(&shared_cache_len);
109*a325d9c4SApple OSS Distributions 	if (shared_cache_location == NULL || shared_cache_len == 0) {
110*a325d9c4SApple OSS Distributions 		return NULL;
111*a325d9c4SApple OSS Distributions 	}
112*a325d9c4SApple OSS Distributions 
113*a325d9c4SApple OSS Distributions 	// Locate a mach_header in the shared cache
114*a325d9c4SApple OSS Distributions 	Dl_info info;
115*a325d9c4SApple OSS Distributions 	if (dladdr((const void *)fork, &info) == 0) {
116*a325d9c4SApple OSS Distributions 		return NULL;
117*a325d9c4SApple OSS Distributions 	}
118*a325d9c4SApple OSS Distributions 
119*a325d9c4SApple OSS Distributions 	const struct mach_header *mh = info.dli_fbase;
120*a325d9c4SApple OSS Distributions 	uintptr_t slide = (uintptr_t)_dyld_get_image_slide(mh);
121*a325d9c4SApple OSS Distributions 
122*a325d9c4SApple OSS Distributions 	if (slide == 0) {
123*a325d9c4SApple OSS Distributions 		fault_address = (uintptr_t)shared_cache_location + shared_cache_len + PAGE_SIZE;
124*a325d9c4SApple OSS Distributions 	} else {
125*a325d9c4SApple OSS Distributions 		fault_address = (uintptr_t)shared_cache_location - PAGE_SIZE;
126*a325d9c4SApple OSS Distributions 	}
127*a325d9c4SApple OSS Distributions 
128*a325d9c4SApple OSS Distributions 	if (tbi) {
129*a325d9c4SApple OSS Distributions 		fault_address |= 0x2000000000000000;
130*a325d9c4SApple OSS Distributions 	}
131*a325d9c4SApple OSS Distributions 
132*a325d9c4SApple OSS Distributions 	return (char *)fault_address;
133*a325d9c4SApple OSS Distributions }
134*a325d9c4SApple OSS Distributions 
135*a325d9c4SApple OSS Distributions static void
induce_crash(volatile char * ptr)136*a325d9c4SApple OSS Distributions induce_crash(volatile char *ptr)
137*a325d9c4SApple OSS Distributions {
138*a325d9c4SApple OSS Distributions 	pid_t child = fork();
139*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_SUCCESS(child, "fork");
140*a325d9c4SApple OSS Distributions 
141*a325d9c4SApple OSS Distributions 	if (child == 0) {
142*a325d9c4SApple OSS Distributions 		ptr[1];
143*a325d9c4SApple OSS Distributions 	} else {
144*a325d9c4SApple OSS Distributions 		sleep(1);
145*a325d9c4SApple OSS Distributions 		struct proc_exitreasonbasicinfo exit_reason = {0};
146*a325d9c4SApple OSS Distributions 		T_ASSERT_POSIX_SUCCESS(proc_pidinfo(child, PROC_PIDEXITREASONBASICINFO, 1, &exit_reason, sizeof(exit_reason)), "basic exit reason");
147*a325d9c4SApple OSS Distributions 
148*a325d9c4SApple OSS Distributions 		int status = 0;
149*a325d9c4SApple OSS Distributions 		int waitpid_result;
150*a325d9c4SApple OSS Distributions 		do {
151*a325d9c4SApple OSS Distributions 			waitpid_result = waitpid(child, &status, 0);
152*a325d9c4SApple OSS Distributions 		} while (waitpid_result < 0 && errno == EINTR);
153*a325d9c4SApple OSS Distributions 		T_QUIET; T_ASSERT_POSIX_SUCCESS(waitpid_result, "waitpid");
154*a325d9c4SApple OSS Distributions 		T_ASSERT_EQ(waitpid_result, child, "waitpid should return forked child");
155*a325d9c4SApple OSS Distributions 		T_ASSERT_EQ(exit_reason.beri_namespace, OS_REASON_SIGNAL, "child should have exited with a signal");
156*a325d9c4SApple OSS Distributions 
157*a325d9c4SApple OSS Distributions 		if (ptr) {
158*a325d9c4SApple OSS Distributions 			T_ASSERT_EQ_ULLONG(exit_reason.beri_code, (unsigned long long)SIGSEGV, "child should have received SIGSEGV");
159*a325d9c4SApple OSS Distributions 			T_ASSERT_NE((int)(exit_reason.beri_flags & OS_REASON_FLAG_SHAREDREGION_FAULT), 0, "should detect shared cache fault");
160*a325d9c4SApple OSS Distributions 		} else {
161*a325d9c4SApple OSS Distributions 			T_ASSERT_EQ((int)(exit_reason.beri_flags & OS_REASON_FLAG_SHAREDREGION_FAULT), 0, "should not detect shared cache fault");
162*a325d9c4SApple OSS Distributions 		}
163*a325d9c4SApple OSS Distributions 	}
164*a325d9c4SApple OSS Distributions }
165*a325d9c4SApple OSS Distributions 
166*a325d9c4SApple OSS Distributions static int saved_status;
167*a325d9c4SApple OSS Distributions static void
cleanup_sysctl(void)168*a325d9c4SApple OSS Distributions cleanup_sysctl(void)
169*a325d9c4SApple OSS Distributions {
170*a325d9c4SApple OSS Distributions 	int ret;
171*a325d9c4SApple OSS Distributions 
172*a325d9c4SApple OSS Distributions 	if (saved_status == 0) {
173*a325d9c4SApple OSS Distributions 		ret = sysctlbyname("vm.vm_shared_region_reslide_aslr", NULL, NULL, &saved_status, sizeof(saved_status));
174*a325d9c4SApple OSS Distributions 		T_QUIET; T_EXPECT_POSIX_SUCCESS(ret, "set shared region resliding back off");
175*a325d9c4SApple OSS Distributions 	}
176*a325d9c4SApple OSS Distributions }
177*a325d9c4SApple OSS Distributions #endif  /* arm64e && (TARGET_OS_IOS || TARGET_OS_OSX) */
178*a325d9c4SApple OSS Distributions 
179*a325d9c4SApple OSS Distributions T_DECL(reslide_sharedcache, "crash induced reslide of the shared cache",
180*a325d9c4SApple OSS Distributions     T_META_CHECK_LEAKS(false), T_META_IGNORECRASHES(".*shared_cache_reslide_test.*"),
181*a325d9c4SApple OSS Distributions     T_META_ASROOT(true))
182*a325d9c4SApple OSS Distributions {
183*a325d9c4SApple OSS Distributions #if (__arm64e__) && (TARGET_OS_IOS || TARGET_OS_OSX)
184*a325d9c4SApple OSS Distributions 	void *system_address;
185*a325d9c4SApple OSS Distributions 	void *reslide_address;
186*a325d9c4SApple OSS Distributions 	void *confirm_address;
187*a325d9c4SApple OSS Distributions 	char *ptr;
188*a325d9c4SApple OSS Distributions 	int  on = 1;
189*a325d9c4SApple OSS Distributions 	size_t size;
190*a325d9c4SApple OSS Distributions 
191*a325d9c4SApple OSS Distributions 	/* Force resliding on */
192*a325d9c4SApple OSS Distributions 	T_ASSERT_POSIX_SUCCESS(sysctlbyname("vm.vm_shared_region_reslide_aslr", &saved_status, &size, &on, sizeof(on)), "force enable reslide");
193*a325d9c4SApple OSS Distributions 	T_ATEND(cleanup_sysctl);
194*a325d9c4SApple OSS Distributions 
195*a325d9c4SApple OSS Distributions 	system_address = get_current_slide_address(false);
196*a325d9c4SApple OSS Distributions 	confirm_address = get_current_slide_address(false);
197*a325d9c4SApple OSS Distributions 	T_ASSERT_EQ_PTR(system_address, confirm_address, "system and current addresses should not diverge %p %p", system_address, confirm_address);
198*a325d9c4SApple OSS Distributions 
199*a325d9c4SApple OSS Distributions 	reslide_address = get_current_slide_address(true);
200*a325d9c4SApple OSS Distributions 	confirm_address = get_current_slide_address(true);
201*a325d9c4SApple OSS Distributions 	T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide addresses should diverge %p %p", system_address, reslide_address);
202*a325d9c4SApple OSS Distributions 	T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide (no crash) shouldn't diverge %p %p", reslide_address, confirm_address);
203*a325d9c4SApple OSS Distributions 
204*a325d9c4SApple OSS Distributions 	/* Crash into the shared cache area */
205*a325d9c4SApple OSS Distributions 	ptr = build_faulting_shared_cache_address(false);
206*a325d9c4SApple OSS Distributions 	T_ASSERT_NOTNULL(ptr, "faulting on %p in the shared region", (void *)ptr);
207*a325d9c4SApple OSS Distributions 	induce_crash(ptr);
208*a325d9c4SApple OSS Distributions 	reslide_address = get_current_slide_address(true);
209*a325d9c4SApple OSS Distributions 	T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash) %p %p", system_address, reslide_address);
210*a325d9c4SApple OSS Distributions 	T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash) %p %p", confirm_address, reslide_address);
211*a325d9c4SApple OSS Distributions 
212*a325d9c4SApple OSS Distributions 	confirm_address = get_current_slide_address(true);
213*a325d9c4SApple OSS Distributions 	T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide shouldn't diverge (no crash) %p %p", reslide_address, confirm_address);
214*a325d9c4SApple OSS Distributions 
215*a325d9c4SApple OSS Distributions 	/* Crash somewhere else */
216*a325d9c4SApple OSS Distributions 	ptr = NULL;
217*a325d9c4SApple OSS Distributions 	induce_crash(ptr);
218*a325d9c4SApple OSS Distributions 	confirm_address = get_current_slide_address(true);
219*a325d9c4SApple OSS Distributions 	T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide after a non-tracked crash shouldn't diverge %p %p", reslide_address, confirm_address);
220*a325d9c4SApple OSS Distributions 
221*a325d9c4SApple OSS Distributions 	/* Ensure we still get the system address */
222*a325d9c4SApple OSS Distributions 	confirm_address = get_current_slide_address(false);
223*a325d9c4SApple OSS Distributions 	T_ASSERT_EQ_PTR(system_address, confirm_address, "system address and new process without resliding shouldn't diverge %p %p", system_address, confirm_address);
224*a325d9c4SApple OSS Distributions 
225*a325d9c4SApple OSS Distributions 	/* Ensure we detect a crash into the shared area with a TBI tagged address */
226*a325d9c4SApple OSS Distributions 	ptr = build_faulting_shared_cache_address(true);
227*a325d9c4SApple OSS Distributions 	T_ASSERT_NOTNULL(ptr, "faulting on %p in the shared region", (void *)ptr);
228*a325d9c4SApple OSS Distributions 	confirm_address = get_current_slide_address(true);
229*a325d9c4SApple OSS Distributions 	induce_crash(ptr);
230*a325d9c4SApple OSS Distributions 	reslide_address = get_current_slide_address(true);
231*a325d9c4SApple OSS Distributions 	T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash, TBI test) %p %p", system_address, reslide_address);
232*a325d9c4SApple OSS Distributions 	T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash, TBI test) %p %p", confirm_address, reslide_address);
233*a325d9c4SApple OSS Distributions #else   /* __arm64e__ && (TARGET_OS_IOS || TARGET_OS_OSX) */
234*a325d9c4SApple OSS Distributions 	T_SKIP("shared cache reslide is currently only supported on arm64e iPhones and Apple Silicon Macs");
235*a325d9c4SApple OSS Distributions #endif /* __arm64e__ && (TARGET_OS_IOS || TARGET_OS_OSX) */
236*a325d9c4SApple OSS Distributions }
237