1*19c3b8c2SApple OSS Distributions #include <mach/mach.h>
2*19c3b8c2SApple OSS Distributions #include <stdlib.h>
3*19c3b8c2SApple OSS Distributions #include <pthread.h>
4*19c3b8c2SApple OSS Distributions #include <unistd.h>
5*19c3b8c2SApple OSS Distributions #include <stdio.h>
6*19c3b8c2SApple OSS Distributions #include <assert.h>
7*19c3b8c2SApple OSS Distributions #include <mach/task.h>
8*19c3b8c2SApple OSS Distributions #include <mach/mk_timer.h>
9*19c3b8c2SApple OSS Distributions 
10*19c3b8c2SApple OSS Distributions /*
11*19c3b8c2SApple OSS Distributions  * DO NOT run this test file by itself.
12*19c3b8c2SApple OSS Distributions  * This test is meant to be invoked by control_port_options darwintest.
13*19c3b8c2SApple OSS Distributions  *
14*19c3b8c2SApple OSS Distributions  * If hard enforcement for pinned control port is on, pinned tests are
15*19c3b8c2SApple OSS Distributions  * expected to generate fatal EXC_GUARD.
16*19c3b8c2SApple OSS Distributions  *
17*19c3b8c2SApple OSS Distributions  * If hard enforcement for immovable control port is on, immovable tests are
18*19c3b8c2SApple OSS Distributions  * expected to generate fatal EXC_GUARD.
19*19c3b8c2SApple OSS Distributions  *
20*19c3b8c2SApple OSS Distributions  * The type of exception raised (if any) is checked on control_port_options side.
21*19c3b8c2SApple OSS Distributions  */
/* Number of entries in main()'s `tests` table; argv[1] must be in [0, MAX_TEST_NUM). */
#define MAX_TEST_NUM 21

/*
 * Local fallbacks for the mach_msg2() send options used by the cfi_* tests,
 * presumably for SDKs whose <mach/message.h> does not export them yet.  When
 * MACH64_SEND_ANY is already defined the SDK's values win.  The bit values
 * are copied from the kernel -- TODO confirm they still match <mach/message.h>.
 */
#ifndef MACH64_SEND_ANY
#define MACH64_SEND_ANY 0x0000000800000000ull
#define MACH64_SEND_MQ_CALL 0x0000000400000000ull
#endif
28*19c3b8c2SApple OSS Distributions 
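static int
attempt_send_immovable_port(mach_port_name_t port, mach_msg_type_name_t disp)
{
	/*
	 * Send a complex message that carries `port` with disposition `disp`
	 * to a receive right freshly allocated in this task.
	 *
	 * The immovable_* tests only care about what the kernel does while
	 * copying the port right in, so the raw mach_msg_send() status is
	 * returned for the caller to log.
	 *
	 * port: the name whose right is placed in the port descriptor.
	 * disp: descriptor disposition (MACH_MSG_TYPE_COPY_SEND / MOVE_SEND in
	 *       this file).
	 * Returns: the mach_msg_send() status.
	 *
	 * The receive right `server` (and the message queued on it) is not
	 * torn down here: the queued message now holds the right that was just
	 * copied or moved in, and destroying it would release that right on a
	 * different kernel path than the copyin under test, which presumably
	 * could raise a different exception than the one the parent test
	 * checks for.  This is a one-shot crasher process, so the leak is
	 * bounded.
	 */
	mach_port_t server = MACH_PORT_NULL;
	kern_return_t kr;

	kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &server);
	assert(kr == 0);

	kr = mach_port_insert_right(mach_task_self(), server, server, MACH_MSG_TYPE_MAKE_SEND);
	assert(kr == 0);

	/*
	 * Fully initialised via designated initializers so the fields that
	 * were previously left unset (msgh_id, msgh_voucher_port, descriptor
	 * padding) are zero rather than whatever was on the stack.
	 */
	struct {
		mach_msg_header_t header;
		mach_msg_body_t body;
		mach_msg_port_descriptor_t desc;
	} msg = {
		.header = {
			.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0) | MACH_MSGH_BITS_COMPLEX,
			.msgh_size = sizeof msg,
			.msgh_remote_port = server,
			.msgh_local_port = MACH_PORT_NULL, /* no reply expected */
		},
		.body = {
			.msgh_descriptor_count = 1,
		},
		.desc = {
			.name = port,
			.disposition = disp,
			.type = MACH_MSG_PORT_DESCRIPTOR,
		},
	};

	return mach_msg_send(&msg.header);
}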
59*19c3b8c2SApple OSS Distributions 
static void
pinned_test_main_thread_mod_ref(void)
{
	/*
	 * Pinned test: take the main thread's self port and drop its send
	 * count by two, i.e. try to push it to zero (presumably the name holds
	 * two send refs at this point: the one mach_thread_self() just returned
	 * plus one held elsewhere -- not verified here).  With hard pinning
	 * enforcement the file header says this should raise a fatal EXC_GUARD;
	 * otherwise the mach_port_mod_refs() status is logged for the parent.
	 */
	printf("[Crasher]: Mod refs main thread's self port to 0\n");

	mach_port_t self_port = mach_thread_self();
	kern_return_t status = mach_port_mod_refs(mach_task_self(), self_port,
	    MACH_PORT_RIGHT_SEND, -2);

	printf("[Crasher pinned_test_main_thread_mod_ref] mach_port_mod_refs returned %s \n.",
	    mach_error_string(status));
}
69*19c3b8c2SApple OSS Distributions 
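static void *
pthread_run(void *arg)
{
	/*
	 * Thread body for pinned_test_pthread_dealloc: deallocate the calling
	 * pthread's own Mach thread port and log what the kernel returned.
	 *
	 * arg: unused.  The parameter exists so the function has the
	 *      void *(*)(void *) type pthread_create() expects; the previous
	 *      (void) prototype was handed to pthread_create() through an
	 *      incompatible function-pointer type.
	 * Returns: NULL (the join in the caller ignores it).
	 */
	(void)arg;

	printf("[Crasher]: Deallocate pthread_self\n");
	mach_port_t th_self = pthread_mach_thread_np(pthread_self());
	kern_return_t kr = mach_port_deallocate(mach_task_self(), th_self);

	printf("[Crasher pinned_test_pthread_dealloc] mach_port_deallocate returned %s \n.", mach_error_string(kr));
	return NULL;
}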
80*19c3b8c2SApple OSS Distributions 
static void
pinned_test_pthread_dealloc(void)
{
	/*
	 * Pinned test: spawn a pthread whose body (pthread_run) deallocates
	 * its own Mach thread port, then wait for it to finish.  Any guard
	 * exception is raised on that child thread; failures of the pthread
	 * calls themselves abort via assert.
	 */
	printf("[Crasher]: Create a pthread and deallocate its self port\n");

	pthread_t worker;
	int rc = pthread_create(&worker, NULL, pthread_run, NULL);
	assert(rc == 0);

	rc = pthread_join(worker, NULL);
	assert(rc == 0);
}
91*19c3b8c2SApple OSS Distributions 
static void
pinned_test_task_self_dealloc(void)
{
	/*
	 * Pinned test: mach_port_deallocate() the task self port twice.
	 * The first call is required to succeed (assert); the second is the
	 * probe, whose status is logged for the parent test.  Per the file
	 * header, hard pinning enforcement is expected to turn it into a
	 * fatal EXC_GUARD instead.
	 */
	printf("[Crasher]: Deallocate mach_task_self twice\n");

	const mach_port_t self = mach_task_self();

	kern_return_t status = mach_port_deallocate(self, self);
	assert(status == 0);

	status = mach_port_deallocate(self, self);

	printf("[Crasher pinned_test_task_self_dealloc] mach_port_deallocate returned %s \n.",
	    mach_error_string(status));
}
103*19c3b8c2SApple OSS Distributions 
static void
pinned_test_task_self_mod_ref(void)
{
	/*
	 * Pinned test: drop two send refs on the task self port in a single
	 * mach_port_mod_refs() call.  Expected to be a fatal EXC_GUARD under
	 * hard pinning enforcement; otherwise the status is logged.
	 */
	printf("[Crasher]: Mod refs mach_task_self() to 0\n");

	const mach_port_t self = mach_task_self();
	kern_return_t status = mach_port_mod_refs(self, self, MACH_PORT_RIGHT_SEND, -2);

	printf("[Crasher pinned_test_task_self_mod_ref] mach_port_mod_refs returned %s \n.",
	    mach_error_string(status));
}
112*19c3b8c2SApple OSS Distributions 
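static void
pinned_test_task_threads_mod_ref(void)
{
	/*
	 * Pinned test: obtain the thread ports via task_threads() and try to
	 * drop the first one's send count to zero.  The header comment of the
	 * file says thread ports coming back from task_threads() should be
	 * pinned, so under hard enforcement the final mach_port_mod_refs() is
	 * expected to raise a fatal EXC_GUARD; otherwise its status is logged.
	 *
	 * The task_threads() result is now checked before th_list[0] is
	 * used: on failure (or an empty list) th_list is indeterminate and
	 * indexing it was undefined behaviour rather than a test of pinning.
	 * The th_list array itself (allocated by the MIG stub) and any entries
	 * beyond [0] are not released; the process is single-shot.
	 */
	printf("[Crasher]: task_threads should return pinned thread ports. Mod refs them to 0\n");

	thread_array_t th_list = NULL;
	mach_msg_type_number_t th_cnt = 0;
	kern_return_t kr;

	/* Give back the extra send ref mach_thread_self() hands out. */
	mach_port_t th_kp = mach_thread_self();
	mach_port_deallocate(mach_task_self(), th_kp);

	kr = task_threads(mach_task_self(), &th_list, &th_cnt);
	assert(kr == 0);
	assert(th_cnt > 0);

	/* Drop the ref task_threads() returned, then probe with one more. */
	mach_port_deallocate(mach_task_self(), th_list[0]);

	kr = mach_port_mod_refs(mach_task_self(), th_list[0], MACH_PORT_RIGHT_SEND, -1);

	printf("[Crasher pinned_test_task_threads_mod_ref] mach_port_mod_refs returned %s \n.", mach_error_string(kr));
}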
130*19c3b8c2SApple OSS Distributions 
static void
pinned_test_mach_port_destroy(void)
{
	/*
	 * Pinned test: mach_port_destroy() the task's own self port.
	 * No banner line is printed for this test; only the resulting
	 * status is logged for the parent to inspect.
	 */
	const mach_port_t self = mach_task_self();
	kern_return_t status = mach_port_destroy(self, self);

	printf("[Crasher pinned_test_mach_port_destroy] mach_port_destroy returned %s \n.",
	    mach_error_string(status));
}
137*19c3b8c2SApple OSS Distributions 
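static void
pinned_test_move_send_as_remote_port(void)
{
	/*
	 * Pinned test: give up one send ref on the task self port, then use
	 * MOVE_SEND of the remaining ref as the destination of a message.
	 * Move-send on a remote kobject port is allowed, but consuming the
	 * last ref should trip pinning (see
	 * IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND in the kernel).
	 * The mach_msg_send() status is logged for the parent test.
	 */
	kern_return_t kr = mach_port_deallocate(mach_task_self(), mach_task_self());
	assert(kr == 0);

	/*
	 * Header-only message, fully initialised so msgh_voucher_port (not
	 * otherwise set) is zero instead of stack garbage.
	 */
	struct {
		mach_msg_header_t header;
	} msg = {
		.header = {
			.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND, 0),
			.msgh_size = sizeof msg,
			.msgh_remote_port = mach_task_self(),
			.msgh_local_port = MACH_PORT_NULL, /* no reply expected */
			.msgh_id = 2000,
		},
	};

	kr = mach_msg_send(&msg.header);

	printf("[Crasher pinned_test_move_send_as_remote_port] mach_msg_send returned %s \n.", mach_error_string(kr));
}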
162*19c3b8c2SApple OSS Distributions 
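static void
immovable_test_move_send_as_remote_port(void)
{
	/*
	 * Immovable test: MOVE_SEND the task self port both as the remote
	 * (destination) port and as the local (reply) port of one message.
	 * A local port is not allowed to be immovable (see
	 * ipc_right_copyin_check_reply() in the kernel), so this is expected
	 * to be rejected -- fatally, under hard enforcement.  The
	 * mach_msg_send() status is logged for the parent test.
	 */
	/* Fully initialised so msgh_voucher_port is zero rather than stack garbage. */
	struct {
		mach_msg_header_t header;
	} msg = {
		.header = {
			.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND, MACH_MSG_TYPE_MOVE_SEND),
			.msgh_size = sizeof msg,
			.msgh_remote_port = mach_task_self(),
			.msgh_local_port = mach_task_self(),
			.msgh_id = 2000,
		},
	};

	kern_return_t kr = mach_msg_send(&msg.header);

	printf("[Crasher immovable_test_move_send_as_remote_port] mach_msg_send returned %s \n.", mach_error_string(kr));
}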
181*19c3b8c2SApple OSS Distributions 
static void
immovable_test_move_send_task_self(void)
{
	/*
	 * Immovable test: try to MOVE_SEND the task self port inside a port
	 * descriptor (via attempt_send_immovable_port) and log the status.
	 * Under hard immovability enforcement a fatal EXC_GUARD is expected.
	 */
	printf("[Crasher]: Move send mach_task_self_\n");

	const kern_return_t status =
	    attempt_send_immovable_port(mach_task_self(), MACH_MSG_TYPE_MOVE_SEND);

	printf("[Crasher immovable_test_move_send_task_self] attempt_send_immovable_port returned %s \n.",
	    mach_error_string(status));
}
191*19c3b8c2SApple OSS Distributions 
static void
immovable_test_copy_send_task_self(void)
{
	/*
	 * Immovable test: try to COPY_SEND the task self port inside a port
	 * descriptor (via attempt_send_immovable_port) and log the status.
	 */
	printf("[Crasher]: Copy send mach_task_self_\n");

	const kern_return_t status =
	    attempt_send_immovable_port(mach_task_self(), MACH_MSG_TYPE_COPY_SEND);

	printf("[Crasher immovable_test_copy_send_task_self] attempt_send_immovable_port returned %s \n.",
	    mach_error_string(status));
}
201*19c3b8c2SApple OSS Distributions 
static void
immovable_test_move_send_thread_self(void)
{
	/*
	 * Immovable test: try to MOVE_SEND the main thread's self port inside
	 * a port descriptor and log the status.  The ref returned by
	 * mach_thread_self() is not deallocated afterwards -- presumably
	 * because a successful move would already have consumed it.
	 */
	printf("[Crasher]: Move send main thread's self port\n");

	const kern_return_t status =
	    attempt_send_immovable_port(mach_thread_self(), MACH_MSG_TYPE_MOVE_SEND);

	printf("[Crasher immovable_test_move_send_thread_self] attempt_send_immovable_port returned %s \n.",
	    mach_error_string(status));
}
211*19c3b8c2SApple OSS Distributions 
static void
immovable_test_copy_send_thread_self(void)
{
	/*
	 * Immovable test: try to COPY_SEND the main thread's self port inside
	 * a port descriptor and log the status.  Since COPY_SEND does not
	 * consume the caller's ref, the one mach_thread_self() returned is
	 * given back at the end.
	 */
	printf("[Crasher]: Copy send main thread's self port\n");

	mach_port_t self_port = mach_thread_self();
	const kern_return_t status =
	    attempt_send_immovable_port(self_port, MACH_MSG_TYPE_COPY_SEND);

	printf("[Crasher immovable_test_copy_send_thread_self] attempt_send_immovable_port returned %s \n.",
	    mach_error_string(status));

	mach_port_deallocate(mach_task_self(), self_port);
}
224*19c3b8c2SApple OSS Distributions 
static void
immovable_test_copy_send_task_read(void)
{
	/*
	 * Immovable test: fetch the task's read port via task_get_special_port()
	 * and try to COPY_SEND it inside a port descriptor; the status is
	 * logged and the fetched ref is released afterwards.
	 */
	printf("[Crasher]: Copy send task read port\n");

	mach_port_t read_port;
	kern_return_t status = task_get_special_port(mach_task_self(), TASK_READ_PORT, &read_port);
	assert(status == 0);

	status = attempt_send_immovable_port(read_port, MACH_MSG_TYPE_COPY_SEND);
	printf("[Crasher immovable_test_copy_send_task_read] attempt_send_immovable_port returned %s \n.",
	    mach_error_string(status));

	mach_port_deallocate(mach_task_self(), read_port);
}
238*19c3b8c2SApple OSS Distributions 
static void
immovable_test_copy_send_task_inspect(void)
{
	/*
	 * Immovable test: fetch the task's inspect port and try to MOVE_SEND
	 * it inside a port descriptor, logging the status.
	 *
	 * NOTE(review): despite the "copy_send" in the name, this uses
	 * MACH_MSG_TYPE_MOVE_SEND (the banner line says "Move send" as well).
	 * The name is kept because main()'s table refers to it.  No deallocate
	 * follows, consistent with the other move-send tests in this file.
	 */
	printf("[Crasher]: Move send task inspect port\n");

	mach_port_t inspect_port;
	kern_return_t status = task_get_special_port(mach_task_self(), TASK_INSPECT_PORT, &inspect_port);
	assert(status == 0);

	status = attempt_send_immovable_port(inspect_port, MACH_MSG_TYPE_MOVE_SEND);
	printf("[Crasher immovable_test_copy_send_task_inspect] attempt_send_immovable_port returned %s \n.",
	    mach_error_string(status));
}
250*19c3b8c2SApple OSS Distributions 
static void
immovable_test_move_send_thread_inspect(void)
{
	/*
	 * Immovable test: fetch the main thread's inspect port via
	 * thread_get_special_port() and try to MOVE_SEND it inside a port
	 * descriptor, logging the status.  The thread self ref used to look it
	 * up is released at the end; the inspect port ref is not (a successful
	 * move would have consumed it).
	 */
	mach_port_t self_port = mach_thread_self();
	mach_port_t inspect_port;

	printf("[Crasher]: Move send thread inspect port\n");

	kern_return_t status = thread_get_special_port(self_port, THREAD_INSPECT_PORT, &inspect_port);
	assert(status == 0);

	status = attempt_send_immovable_port(inspect_port, MACH_MSG_TYPE_MOVE_SEND);
	printf("[Crasher immovable_test_move_send_thread_inspect] attempt_send_immovable_port returned %s \n.",
	    mach_error_string(status));

	mach_port_deallocate(mach_task_self(), self_port);
}
266*19c3b8c2SApple OSS Distributions 
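static void
immovable_test_move_send_raw_thread(void)
{
	/*
	 * Immovable test on a "raw" thread created with thread_create():
	 *
	 *  1. create a thread and simply deallocate its port -- such a port is
	 *     not pinned, so this must succeed (now asserted rather than the
	 *     status being silently overwritten);
	 *  2. create another thread and try to MOVE_SEND its port inside a
	 *     port descriptor -- the port is immovable, so this is the expected
	 *     crash point under hard enforcement;
	 *  3. if we got here, terminate the second thread.
	 *
	 * No banner line is printed for this test.  The first thread is never
	 * terminated (its only port right was dropped in step 1); presumably
	 * it stays suspended until the process exits.
	 */
	kern_return_t kr;
	mach_port_t port;

	kr = thread_create(mach_task_self(), &port);
	assert(kr == 0);
	kr = mach_port_deallocate(mach_task_self(), port); /* not pinned, should not crash */
	assert(kr == 0);

	kr = thread_create(mach_task_self(), &port);
	assert(kr == 0);
	kr = attempt_send_immovable_port(port, MACH_MSG_TYPE_MOVE_SEND); /* immovable, should crash here */
	printf("[Crasher immovable_test_move_send_raw_thread] attempt_send_immovable_port returned %s \n.", mach_error_string(kr));

	/*
	 * NOTE(review): if the move above is allowed through (soft
	 * enforcement), `port` may no longer name a valid right here and this
	 * assert would abort the process -- confirm that is the intended
	 * outcome on the control_port_options side.
	 */
	kr = thread_terminate(port);
	assert(kr == 0);
}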
285*19c3b8c2SApple OSS Distributions 
static void
immovable_test_copy_send_thread_read(void)
{
	/*
	 * Immovable test: fetch the main thread's read port via
	 * thread_get_special_port() and try to COPY_SEND it inside a port
	 * descriptor, logging the status.  Both the read port ref and the
	 * thread self ref used to look it up are released afterwards.
	 */
	mach_port_t self_port = mach_thread_self();
	mach_port_t read_port;

	printf("[Crasher]: Copy send thread read port\n");

	kern_return_t status = thread_get_special_port(self_port, THREAD_READ_PORT, &read_port);
	assert(status == 0);

	status = attempt_send_immovable_port(read_port, MACH_MSG_TYPE_COPY_SEND);
	printf("[Crasher immovable_test_copy_send_thread_read] attempt_send_immovable_port returned %s \n.",
	    mach_error_string(status));

	mach_port_deallocate(mach_task_self(), read_port);
	mach_port_deallocate(mach_task_self(), self_port);
}
302*19c3b8c2SApple OSS Distributions 
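static void
cfi_test_no_bit_set(void)
{
	/*
	 * CFI test: send to the task port through mach_msg2() with only
	 * MACH64_SEND_MSG, i.e. none of the MACH64_SEND_*_CALL options.
	 * The "crash" marker below records the expectation that the kernel
	 * rejects this fatally; if it returns instead, the code is logged.
	 */
	printf("[Crasher]: Try sending mach_msg2() without setting CFI bits\n");

	/* Zero-initialised so msgh_voucher_port (never set below) is not stack garbage. */
	mach_msg_header_t header = {0};
	kern_return_t kr;

	header.msgh_local_port = MACH_PORT_NULL; /* no reply port */
	header.msgh_remote_port = mach_task_self();
	header.msgh_id = 3409;
	header.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_COPY_SEND, 0, 0, 0);
	header.msgh_size = sizeof(header);

	kr = mach_msg2(&header, MACH64_SEND_MSG, header, header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_no_bit_set]: mach_msg2() returned %d\n", kr);
}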
322*19c3b8c2SApple OSS Distributions 
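static void
cfi_test_two_bits_set(void)
{
	/*
	 * CFI test: send to the task port through mach_msg2() with two of the
	 * mutually exclusive send-kind options set at once
	 * (MACH64_SEND_ANY | MACH64_SEND_KOBJECT_CALL).  The "crash" marker
	 * below records the expectation that the kernel rejects this fatally;
	 * if it returns instead, the code is logged.
	 */
	printf("[Crasher]: Try sending mach_msg2() but setting 2 CFI bits\n");

	/* Zero-initialised so msgh_voucher_port (never set below) is not stack garbage. */
	mach_msg_header_t header = {0};
	kern_return_t kr;

	header.msgh_local_port = MACH_PORT_NULL; /* no reply port */
	header.msgh_remote_port = mach_task_self();
	header.msgh_id = 3409;
	header.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_COPY_SEND, 0, 0, 0);
	header.msgh_size = sizeof(header);

	kr = mach_msg2(&header, MACH64_SEND_MSG | MACH64_SEND_ANY | MACH64_SEND_KOBJECT_CALL,
	    header, header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_two_bits_set]: mach_msg2() returned %d\n", kr);
}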
343*19c3b8c2SApple OSS Distributions 
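static void
cfi_test_msg_to_timer_port(void)
{
	/*
	 * CFI test against a mk_timer port:
	 *
	 *  1. create a timer and confirm via mach_port_kobject() that it is a
	 *     kobject port of type IKOT_TIMER;
	 *  2. send to it with MACH64_SEND_MQ_CALL -- must succeed (asserted);
	 *  3. send to it with MACH64_SEND_KOBJECT_CALL -- the "crash" marker
	 *     records the expectation that this is rejected fatally; if it
	 *     returns, the code is logged.
	 *
	 * The timer port is never destroyed; the process is single-shot and
	 * step 3 is expected not to return under hard enforcement.
	 */
	printf("[Crasher]: Try sending mach_msg2() to timer port\n");

	mach_port_t timer = MACH_PORT_NULL;
	/*
	 * Header plus a 2 KiB payload that is never written to; the struct
	 * only exists to make the message larger than a bare header.  Zero-
	 * initialised so the payload and msgh_id/msgh_voucher_port are
	 * deterministic instead of stack garbage.
	 */
	struct oversize_msg {
		mach_msg_header_t header;
		char data[2048];
	} msg = {0};

	kern_return_t kr;
	natural_t kotype;
	mach_vm_address_t addr;

/*
 * Kernel kobject type of a mk_timer port, duplicated here -- presumably
 * because no userspace header exports the IKOT_* values.  Must stay in
 * sync with the kernel's definition.
 */
#define IKOT_TIMER 8
	timer = mk_timer_create();
	assert(timer != MACH_PORT_NULL);

	/* Make sure it's a kobject port */
	kr = mach_port_kobject(mach_task_self(), timer, &kotype, &addr);
	assert(kr == KERN_SUCCESS);
	assert(kotype == IKOT_TIMER);

	msg.header.msgh_local_port = MACH_PORT_NULL; /* no reply port */
	msg.header.msgh_remote_port = timer;
	msg.header.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_MAKE_SEND, 0, 0, 0);
	msg.header.msgh_size = sizeof(msg);

	/* Timer port must use MACH64_SEND_MQ_CALL */
	kr = mach_msg2(&msg, MACH64_SEND_MSG | MACH64_SEND_MQ_CALL,
	    msg.header, msg.header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	assert(kr == KERN_SUCCESS);
	printf("Message sent to timer port successfully\n");

	/* Using MACH64_SEND_KOBJECT_CALL should crash */
	kr = mach_msg2(&msg, MACH64_SEND_MSG | MACH64_SEND_KOBJECT_CALL,
	    msg.header, msg.header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_timer_port]: mach_msg2() returned %d\n", kr);
}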
387*19c3b8c2SApple OSS Distributions 
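static void
cfi_test_wrong_bit_set(void)
{
	/*
	 * CFI test: send to the task port -- a kobject port -- through
	 * mach_msg2() with MACH64_SEND_MQ_CALL, the option meant for message
	 * queue destinations (compare cfi_test_msg_to_timer_port, where the
	 * same option is the correct one).  The "crash" marker below records
	 * the expectation that the kernel rejects this fatally; if it returns
	 * instead, the code is logged.
	 */
	printf("[Crasher]: Try sending mach_msg2() but setting wrong CFI bits\n");

	/* Zero-initialised so msgh_voucher_port (never set below) is not stack garbage. */
	mach_msg_header_t header = {0};
	kern_return_t kr;

	header.msgh_local_port = MACH_PORT_NULL; /* no reply port */
	header.msgh_remote_port = mach_task_self();
	header.msgh_id = 3409;
	header.msgh_bits = MACH_MSGH_BITS_SET(MACH_MSG_TYPE_COPY_SEND, 0, 0, 0);
	header.msgh_size = sizeof(header);

	/* Using MACH64_SEND_MQ_CALL but destination is a kobject port */
	kr = mach_msg2(&header, MACH64_SEND_MSG | MACH64_SEND_MQ_CALL,
	    header, header.msgh_size, 0, MACH_PORT_NULL,
	    0, MACH_MSG_PRIORITY_UNSPECIFIED);
	/* crash */
	printf("[Crasher cfi_test_wrong_bit_set]: mach_msg2() returned %d\n", kr);
}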
409*19c3b8c2SApple OSS Distributions 
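int
main(int argc, char *argv[])
{
	/*
	 * Entry point.  argv[1] selects one crasher by index into `tests`
	 * (0 .. MAX_TEST_NUM-1) and runs it; the parent darwintest
	 * (control_port_options) decides what the outcome means.  The exit
	 * codes are left exactly as before since the parent may look at them.
	 */
	void (*tests[MAX_TEST_NUM])(void) = {
		pinned_test_main_thread_mod_ref,
		pinned_test_pthread_dealloc,
		pinned_test_task_self_dealloc,
		pinned_test_task_self_mod_ref,
		pinned_test_task_threads_mod_ref,
		pinned_test_mach_port_destroy,
		pinned_test_move_send_as_remote_port,

		immovable_test_move_send_task_self,
		immovable_test_copy_send_task_self,
		immovable_test_move_send_thread_self,
		immovable_test_copy_send_thread_self,
		immovable_test_copy_send_task_read,
		immovable_test_copy_send_task_inspect,
		immovable_test_move_send_thread_inspect,
		immovable_test_copy_send_thread_read,
		immovable_test_move_send_as_remote_port,
		immovable_test_move_send_raw_thread,

		cfi_test_no_bit_set,
		cfi_test_two_bits_set,
		cfi_test_wrong_bit_set,
		cfi_test_msg_to_timer_port,
	};
	printf("[Crasher]: My Pid: %d\n", getpid());

	if (argc < 2) {
		printf("[Crasher]: Specify a test to run.");
		exit(-1);
	}

	/*
	 * strtol() instead of atoi(): atoi() maps a non-numeric argument to 0
	 * and would silently run test 0.  A value that overflows comes back as
	 * LONG_MIN/LONG_MAX and is rejected by the bounds check below, so
	 * errno need not be consulted.
	 */
	char *end = NULL;
	long test_num = strtol(argv[1], &end, 10);
	int parsed = (end != argv[1] && *end == '\0');

	/*
	 * The table is sized by MAX_TEST_NUM; the NULL check guards against a
	 * slot left unfilled if the constant and the initializer ever diverge.
	 */
	if (parsed && test_num >= 0 && test_num < MAX_TEST_NUM && tests[test_num] != NULL) {
		(*tests[test_num])();
	} else {
		printf("[Crasher]: Invalid test num. Exiting...\n");
		exit(-1);
	}

	exit(0);
}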