1*aca3beaaSApple OSS Distributions #include <darwintest.h>
2*aca3beaaSApple OSS Distributions
3*aca3beaaSApple OSS Distributions #include <errno.h>
4*aca3beaaSApple OSS Distributions #include <fcntl.h>
5*aca3beaaSApple OSS Distributions #include <signal.h>
6*aca3beaaSApple OSS Distributions #include <spawn.h>
7*aca3beaaSApple OSS Distributions #include <spawn_private.h>
8*aca3beaaSApple OSS Distributions #include <stdbool.h>
9*aca3beaaSApple OSS Distributions #include <stdint.h>
10*aca3beaaSApple OSS Distributions #include <stdio.h>
11*aca3beaaSApple OSS Distributions #include <stdlib.h>
12*aca3beaaSApple OSS Distributions #include <string.h>
13*aca3beaaSApple OSS Distributions #include <sys/spawn_internal.h>
14*aca3beaaSApple OSS Distributions #include <sys/sysctl.h>
15*aca3beaaSApple OSS Distributions #include <sys/syslimits.h>
16*aca3beaaSApple OSS Distributions #include <sys/reason.h>
17*aca3beaaSApple OSS Distributions #include <sysexits.h>
18*aca3beaaSApple OSS Distributions #include <unistd.h>
19*aca3beaaSApple OSS Distributions #include <signal.h>
20*aca3beaaSApple OSS Distributions #include <libproc.h>
21*aca3beaaSApple OSS Distributions
22*aca3beaaSApple OSS Distributions #include <mach-o/dyld.h>
23*aca3beaaSApple OSS Distributions #include <mach-o/dyld_priv.h>
24*aca3beaaSApple OSS Distributions #include <dlfcn.h>
25*aca3beaaSApple OSS Distributions
26*aca3beaaSApple OSS Distributions #define SHARED_CACHE_HELPER "get_shared_cache_address"
27*aca3beaaSApple OSS Distributions #define DO_RUSAGE_CHECK "check_rusage_flag"
28*aca3beaaSApple OSS Distributions #define DO_DUMMY "dummy"
29*aca3beaaSApple OSS Distributions #define ADDRESS_OUTPUT_SIZE 12L
30*aca3beaaSApple OSS Distributions
31*aca3beaaSApple OSS Distributions #ifndef _POSIX_SPAWN_RESLIDE
32*aca3beaaSApple OSS Distributions #define _POSIX_SPAWN_RESLIDE 0x0800
33*aca3beaaSApple OSS Distributions #endif
34*aca3beaaSApple OSS Distributions
35*aca3beaaSApple OSS Distributions #ifndef OS_REASON_FLAG_SHAREDREGION_FAULT
36*aca3beaaSApple OSS Distributions #define OS_REASON_FLAG_SHAREDREGION_FAULT 0x400
37*aca3beaaSApple OSS Distributions #endif
38*aca3beaaSApple OSS Distributions
39*aca3beaaSApple OSS Distributions T_GLOBAL_META(
40*aca3beaaSApple OSS Distributions T_META_RADAR_COMPONENT_NAME("xnu"),
41*aca3beaaSApple OSS Distributions T_META_RADAR_COMPONENT_VERSION("VM"),
42*aca3beaaSApple OSS Distributions T_META_OWNER("eperla"),
43*aca3beaaSApple OSS Distributions T_META_RUN_CONCURRENTLY(true));
44*aca3beaaSApple OSS Distributions
45*aca3beaaSApple OSS Distributions #if (__arm64e__) && (TARGET_OS_IOS || TARGET_OS_OSX)
46*aca3beaaSApple OSS Distributions static void *
get_current_slide_address(bool reslide)47*aca3beaaSApple OSS Distributions get_current_slide_address(bool reslide)
48*aca3beaaSApple OSS Distributions {
49*aca3beaaSApple OSS Distributions pid_t pid;
50*aca3beaaSApple OSS Distributions int pipefd[2];
51*aca3beaaSApple OSS Distributions posix_spawnattr_t attr;
52*aca3beaaSApple OSS Distributions posix_spawn_file_actions_t action;
53*aca3beaaSApple OSS Distributions uintptr_t addr;
54*aca3beaaSApple OSS Distributions
55*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_SUCCESS(posix_spawnattr_init(&attr), "posix_spawnattr_init");
56*aca3beaaSApple OSS Distributions /* spawn the helper requesting a reslide */
57*aca3beaaSApple OSS Distributions if (reslide) {
58*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_SUCCESS(posix_spawnattr_setflags(&attr, _POSIX_SPAWN_RESLIDE), "posix_spawnattr_setflags");
59*aca3beaaSApple OSS Distributions }
60*aca3beaaSApple OSS Distributions
61*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_SUCCESS(pipe(pipefd), "pipe");
62*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_init(&action), "posix_spawn_fileactions_init");
63*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_addclose(&action, pipefd[0]), "posix_spawn_file_actions_addclose");
64*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_adddup2(&action, pipefd[1], 1), "posix_spawn_file_actions_addup2");
65*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_addclose(&action, pipefd[1]), "posix_spawn_file_actions_addclose");
66*aca3beaaSApple OSS Distributions
67*aca3beaaSApple OSS Distributions char *argvs[3];
68*aca3beaaSApple OSS Distributions argvs[0] = SHARED_CACHE_HELPER;
69*aca3beaaSApple OSS Distributions argvs[1] = reslide ? DO_RUSAGE_CHECK : DO_DUMMY;
70*aca3beaaSApple OSS Distributions argvs[2] = NULL;
71*aca3beaaSApple OSS Distributions char *const envps[] = {NULL};
72*aca3beaaSApple OSS Distributions
73*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_ZERO(posix_spawn(&pid, SHARED_CACHE_HELPER, &action, &attr, argvs, envps), "helper posix_spawn");
74*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_SUCCESS(close(pipefd[1]), "close child end of the pipe");
75*aca3beaaSApple OSS Distributions
76*aca3beaaSApple OSS Distributions char buf[ADDRESS_OUTPUT_SIZE] = {0};
77*aca3beaaSApple OSS Distributions
78*aca3beaaSApple OSS Distributions ssize_t read_bytes = 0;
79*aca3beaaSApple OSS Distributions do {
80*aca3beaaSApple OSS Distributions if (read_bytes == -1) {
81*aca3beaaSApple OSS Distributions T_LOG("reading off get_shared_cache_address got interrupted");
82*aca3beaaSApple OSS Distributions }
83*aca3beaaSApple OSS Distributions read_bytes = read(pipefd[0], buf, sizeof(buf));
84*aca3beaaSApple OSS Distributions } while (read_bytes == -1 && errno == EINTR);
85*aca3beaaSApple OSS Distributions
86*aca3beaaSApple OSS Distributions T_ASSERT_EQ_LONG(ADDRESS_OUTPUT_SIZE, read_bytes, "read helper output");
87*aca3beaaSApple OSS Distributions
88*aca3beaaSApple OSS Distributions int status = 0;
89*aca3beaaSApple OSS Distributions int waitpid_result = waitpid(pid, &status, 0);
90*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_SUCCESS(waitpid_result, "waitpid");
91*aca3beaaSApple OSS Distributions T_ASSERT_EQ(waitpid_result, pid, "waitpid should return child we spawned");
92*aca3beaaSApple OSS Distributions T_ASSERT_EQ(WIFEXITED(status), 1, "child should have exited normally");
93*aca3beaaSApple OSS Distributions T_ASSERT_EQ(WEXITSTATUS(status), EX_OK, "child should have exited with success");
94*aca3beaaSApple OSS Distributions
95*aca3beaaSApple OSS Distributions addr = strtoul(buf, NULL, 16);
96*aca3beaaSApple OSS Distributions T_ASSERT_GE_LONG(addr, 0L, "convert address to uintptr_t");
97*aca3beaaSApple OSS Distributions
98*aca3beaaSApple OSS Distributions return (void *)addr;
99*aca3beaaSApple OSS Distributions }
100*aca3beaaSApple OSS Distributions
101*aca3beaaSApple OSS Distributions /*
102*aca3beaaSApple OSS Distributions * build_faulting_shared_cache_address creates a pointer to an address that is
103*aca3beaaSApple OSS Distributions * within the shared_cache range but that is guaranteed to not be mapped.
104*aca3beaaSApple OSS Distributions */
105*aca3beaaSApple OSS Distributions static char *
build_faulting_shared_cache_address(bool tbi)106*aca3beaaSApple OSS Distributions build_faulting_shared_cache_address(bool tbi)
107*aca3beaaSApple OSS Distributions {
108*aca3beaaSApple OSS Distributions uintptr_t fault_address;
109*aca3beaaSApple OSS Distributions
110*aca3beaaSApple OSS Distributions // Grab currently mapped shared cache location and size
111*aca3beaaSApple OSS Distributions size_t shared_cache_len = 0;
112*aca3beaaSApple OSS Distributions const void *shared_cache_location = _dyld_get_shared_cache_range(&shared_cache_len);
113*aca3beaaSApple OSS Distributions if (shared_cache_location == NULL || shared_cache_len == 0) {
114*aca3beaaSApple OSS Distributions return NULL;
115*aca3beaaSApple OSS Distributions }
116*aca3beaaSApple OSS Distributions
117*aca3beaaSApple OSS Distributions // Locate a mach_header in the shared cache
118*aca3beaaSApple OSS Distributions Dl_info info;
119*aca3beaaSApple OSS Distributions if (dladdr((const void *)fork, &info) == 0) {
120*aca3beaaSApple OSS Distributions return NULL;
121*aca3beaaSApple OSS Distributions }
122*aca3beaaSApple OSS Distributions
123*aca3beaaSApple OSS Distributions const struct mach_header *mh = info.dli_fbase;
124*aca3beaaSApple OSS Distributions uintptr_t slide = (uintptr_t)_dyld_get_image_slide(mh);
125*aca3beaaSApple OSS Distributions
126*aca3beaaSApple OSS Distributions if (slide == 0) {
127*aca3beaaSApple OSS Distributions fault_address = (uintptr_t)shared_cache_location + shared_cache_len + PAGE_SIZE;
128*aca3beaaSApple OSS Distributions } else {
129*aca3beaaSApple OSS Distributions fault_address = (uintptr_t)shared_cache_location - PAGE_SIZE;
130*aca3beaaSApple OSS Distributions }
131*aca3beaaSApple OSS Distributions
132*aca3beaaSApple OSS Distributions if (tbi) {
133*aca3beaaSApple OSS Distributions fault_address |= 0x2000000000000000;
134*aca3beaaSApple OSS Distributions }
135*aca3beaaSApple OSS Distributions
136*aca3beaaSApple OSS Distributions return (char *)fault_address;
137*aca3beaaSApple OSS Distributions }
138*aca3beaaSApple OSS Distributions
139*aca3beaaSApple OSS Distributions static void
induce_crash(volatile char * ptr)140*aca3beaaSApple OSS Distributions induce_crash(volatile char *ptr)
141*aca3beaaSApple OSS Distributions {
142*aca3beaaSApple OSS Distributions pid_t child = fork();
143*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_SUCCESS(child, "fork");
144*aca3beaaSApple OSS Distributions
145*aca3beaaSApple OSS Distributions if (child == 0) {
146*aca3beaaSApple OSS Distributions ptr[1];
147*aca3beaaSApple OSS Distributions } else {
148*aca3beaaSApple OSS Distributions sleep(1);
149*aca3beaaSApple OSS Distributions struct proc_exitreasonbasicinfo exit_reason = {0};
150*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_SUCCESS(proc_pidinfo(child, PROC_PIDEXITREASONBASICINFO, 1, &exit_reason, sizeof(exit_reason)), "basic exit reason");
151*aca3beaaSApple OSS Distributions
152*aca3beaaSApple OSS Distributions int status = 0;
153*aca3beaaSApple OSS Distributions int waitpid_result;
154*aca3beaaSApple OSS Distributions do {
155*aca3beaaSApple OSS Distributions waitpid_result = waitpid(child, &status, 0);
156*aca3beaaSApple OSS Distributions } while (waitpid_result < 0 && errno == EINTR);
157*aca3beaaSApple OSS Distributions T_QUIET; T_ASSERT_POSIX_SUCCESS(waitpid_result, "waitpid");
158*aca3beaaSApple OSS Distributions T_ASSERT_EQ(waitpid_result, child, "waitpid should return forked child");
159*aca3beaaSApple OSS Distributions T_ASSERT_EQ(exit_reason.beri_namespace, OS_REASON_SIGNAL, "child should have exited with a signal");
160*aca3beaaSApple OSS Distributions
161*aca3beaaSApple OSS Distributions if (ptr) {
162*aca3beaaSApple OSS Distributions T_ASSERT_EQ_ULLONG(exit_reason.beri_code, (unsigned long long)SIGSEGV, "child should have received SIGSEGV");
163*aca3beaaSApple OSS Distributions T_ASSERT_NE((int)(exit_reason.beri_flags & OS_REASON_FLAG_SHAREDREGION_FAULT), 0, "should detect shared cache fault");
164*aca3beaaSApple OSS Distributions } else {
165*aca3beaaSApple OSS Distributions T_ASSERT_EQ((int)(exit_reason.beri_flags & OS_REASON_FLAG_SHAREDREGION_FAULT), 0, "should not detect shared cache fault");
166*aca3beaaSApple OSS Distributions }
167*aca3beaaSApple OSS Distributions }
168*aca3beaaSApple OSS Distributions }
169*aca3beaaSApple OSS Distributions
170*aca3beaaSApple OSS Distributions static int saved_status;
171*aca3beaaSApple OSS Distributions static void
cleanup_sysctl(void)172*aca3beaaSApple OSS Distributions cleanup_sysctl(void)
173*aca3beaaSApple OSS Distributions {
174*aca3beaaSApple OSS Distributions int ret;
175*aca3beaaSApple OSS Distributions
176*aca3beaaSApple OSS Distributions if (saved_status == 0) {
177*aca3beaaSApple OSS Distributions ret = sysctlbyname("vm.vm_shared_region_reslide_aslr", NULL, NULL, &saved_status, sizeof(saved_status));
178*aca3beaaSApple OSS Distributions T_QUIET; T_EXPECT_POSIX_SUCCESS(ret, "set shared region resliding back off");
179*aca3beaaSApple OSS Distributions }
180*aca3beaaSApple OSS Distributions }
181*aca3beaaSApple OSS Distributions #endif /* arm64e && (TARGET_OS_IOS || TARGET_OS_OSX) */
182*aca3beaaSApple OSS Distributions
183*aca3beaaSApple OSS Distributions T_DECL(reslide_sharedcache, "crash induced reslide of the shared cache",
184*aca3beaaSApple OSS Distributions T_META_CHECK_LEAKS(false), T_META_IGNORECRASHES(".*shared_cache_reslide_test.*"),
185*aca3beaaSApple OSS Distributions T_META_ASROOT(true))
186*aca3beaaSApple OSS Distributions {
187*aca3beaaSApple OSS Distributions #if (__arm64e__) && (TARGET_OS_IOS || TARGET_OS_OSX)
188*aca3beaaSApple OSS Distributions void *system_address;
189*aca3beaaSApple OSS Distributions void *reslide_address;
190*aca3beaaSApple OSS Distributions void *confirm_address;
191*aca3beaaSApple OSS Distributions char *ptr;
192*aca3beaaSApple OSS Distributions int on = 1;
193*aca3beaaSApple OSS Distributions size_t size = sizeof(saved_status);
194*aca3beaaSApple OSS Distributions
195*aca3beaaSApple OSS Distributions /* Force resliding on */
196*aca3beaaSApple OSS Distributions T_ASSERT_POSIX_SUCCESS(sysctlbyname("vm.vm_shared_region_reslide_aslr", &saved_status, &size, &on, sizeof(on)), "force enable reslide");
197*aca3beaaSApple OSS Distributions T_ATEND(cleanup_sysctl);
198*aca3beaaSApple OSS Distributions
199*aca3beaaSApple OSS Distributions system_address = get_current_slide_address(false);
200*aca3beaaSApple OSS Distributions confirm_address = get_current_slide_address(false);
201*aca3beaaSApple OSS Distributions T_ASSERT_EQ_PTR(system_address, confirm_address, "system and current addresses should not diverge %p %p", system_address, confirm_address);
202*aca3beaaSApple OSS Distributions
203*aca3beaaSApple OSS Distributions reslide_address = get_current_slide_address(true);
204*aca3beaaSApple OSS Distributions confirm_address = get_current_slide_address(true);
205*aca3beaaSApple OSS Distributions T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide addresses should diverge %p %p", system_address, reslide_address);
206*aca3beaaSApple OSS Distributions T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide (no crash) shouldn't diverge %p %p", reslide_address, confirm_address);
207*aca3beaaSApple OSS Distributions
208*aca3beaaSApple OSS Distributions /* Crash into the shared cache area */
209*aca3beaaSApple OSS Distributions ptr = build_faulting_shared_cache_address(false);
210*aca3beaaSApple OSS Distributions T_ASSERT_NOTNULL(ptr, "faulting on %p in the shared region", (void *)ptr);
211*aca3beaaSApple OSS Distributions induce_crash(ptr);
212*aca3beaaSApple OSS Distributions reslide_address = get_current_slide_address(true);
213*aca3beaaSApple OSS Distributions T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash) %p %p", system_address, reslide_address);
214*aca3beaaSApple OSS Distributions T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash) %p %p", confirm_address, reslide_address);
215*aca3beaaSApple OSS Distributions
216*aca3beaaSApple OSS Distributions confirm_address = get_current_slide_address(true);
217*aca3beaaSApple OSS Distributions T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide shouldn't diverge (no crash) %p %p", reslide_address, confirm_address);
218*aca3beaaSApple OSS Distributions
219*aca3beaaSApple OSS Distributions /* Crash somewhere else */
220*aca3beaaSApple OSS Distributions ptr = NULL;
221*aca3beaaSApple OSS Distributions induce_crash(ptr);
222*aca3beaaSApple OSS Distributions confirm_address = get_current_slide_address(true);
223*aca3beaaSApple OSS Distributions T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide after a non-tracked crash shouldn't diverge %p %p", reslide_address, confirm_address);
224*aca3beaaSApple OSS Distributions
225*aca3beaaSApple OSS Distributions /* Ensure we still get the system address */
226*aca3beaaSApple OSS Distributions confirm_address = get_current_slide_address(false);
227*aca3beaaSApple OSS Distributions T_ASSERT_EQ_PTR(system_address, confirm_address, "system address and new process without resliding shouldn't diverge %p %p", system_address, confirm_address);
228*aca3beaaSApple OSS Distributions
229*aca3beaaSApple OSS Distributions /* Ensure we detect a crash into the shared area with a TBI tagged address */
230*aca3beaaSApple OSS Distributions ptr = build_faulting_shared_cache_address(true);
231*aca3beaaSApple OSS Distributions T_ASSERT_NOTNULL(ptr, "faulting on %p in the shared region", (void *)ptr);
232*aca3beaaSApple OSS Distributions confirm_address = get_current_slide_address(true);
233*aca3beaaSApple OSS Distributions induce_crash(ptr);
234*aca3beaaSApple OSS Distributions reslide_address = get_current_slide_address(true);
235*aca3beaaSApple OSS Distributions T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash, TBI test) %p %p", system_address, reslide_address);
236*aca3beaaSApple OSS Distributions T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash, TBI test) %p %p", confirm_address, reslide_address);
237*aca3beaaSApple OSS Distributions #else /* __arm64e__ && (TARGET_OS_IOS || TARGET_OS_OSX) */
238*aca3beaaSApple OSS Distributions T_SKIP("shared cache reslide is currently only supported on arm64e iPhones and Apple Silicon Macs");
239*aca3beaaSApple OSS Distributions #endif /* __arm64e__ && (TARGET_OS_IOS || TARGET_OS_OSX) */
240*aca3beaaSApple OSS Distributions }
241