#include <sys/param.h>
#include <sys/mman.h>
#include <sys/sysctl.h>
#include <atf-c.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#define MAP_AT_ZERO "security.bsd.map_at_zero"
#ifdef __LP64__
#define ALLOW_WX "kern.elf64.allow_wx"
#else
#define ALLOW_WX "kern.elf32.allow_wx"
#endif
ATF_TC_WITHOUT_HEAD(mmap__map_at_zero);
ATF_TC_BODY(mmap__map_at_zero, tc)
{
void *p;
size_t len;
unsigned int i;
int map_at_zero;
bool allow_wx;
int prot_flags;
size_t pgsz = getpagesize();
const struct {
void *addr;
int ok[2];
} map_at_zero_tests[] = {
{ (void *)0, { 0, 1 } },
{ (void *)1, { 0, 0 } },
{ (void *)(pgsz - 1), { 0, 0 } },
{ (void *)pgsz, { 1, 1 } },
{ (void *)-1, { 0, 0 } },
{ (void *)(-pgsz), { 0, 0 } },
{ (void *)(-1 - pgsz), { 0, 0 } },
{ (void *)(-1 - pgsz - 1), { 0, 0 } },
{ (void *)(0x1000 * pgsz), { 1, 1 } },
};
len = sizeof(map_at_zero);
if (sysctlbyname(MAP_AT_ZERO, &map_at_zero, &len, NULL, 0) == -1) {
atf_tc_skip("sysctl for %s failed: %s\n", MAP_AT_ZERO,
strerror(errno));
return;
}
len = sizeof(allow_wx);
if (sysctlbyname(ALLOW_WX, &allow_wx, &len, NULL, 0) == -1) {
if (errno == ENOENT) {
allow_wx = true;
} else {
atf_tc_skip("sysctl for %s failed: %s\n", ALLOW_WX,
strerror(errno));
return;
}
}
map_at_zero = !!map_at_zero;
for (i = 0; i < nitems(map_at_zero_tests); i++) {
prot_flags = PROT_READ | PROT_WRITE;
if (allow_wx)
prot_flags |= PROT_EXEC;
p = mmap((void *)map_at_zero_tests[i].addr, PAGE_SIZE,
prot_flags, MAP_ANON | MAP_FIXED, -1, 0);
if (p == MAP_FAILED) {
ATF_CHECK_MSG(map_at_zero_tests[i].ok[map_at_zero] == 0,
"mmap(%p, ...) failed", map_at_zero_tests[i].addr);
} else {
ATF_CHECK_MSG(map_at_zero_tests[i].ok[map_at_zero] == 1,
"mmap(%p, ...) succeeded: p=%p\n",
map_at_zero_tests[i].addr, p);
}
}
}
static void
checked_mmap(int prot, int flags, int fd, int error, const char *msg)
{
void *p;
int pagesize;
ATF_REQUIRE((pagesize = getpagesize()) > 0);
p = mmap(NULL, pagesize, prot, flags, fd, 0);
if (p == MAP_FAILED) {
if (error == 0)
ATF_CHECK_MSG(0, "%s failed with errno %d", msg,
errno);
else
ATF_CHECK_EQ_MSG(error, errno,
"%s failed with wrong errno %d (expected %d)", msg,
errno, error);
} else {
ATF_CHECK_MSG(error == 0, "%s succeeded", msg);
munmap(p, pagesize);
}
}
ATF_TC_WITHOUT_HEAD(mmap__bad_arguments);
ATF_TC_BODY(mmap__bad_arguments, tc)
{
int devstatfd, pagesize, shmfd, zerofd;
ATF_REQUIRE((pagesize = getpagesize()) > 0);
ATF_REQUIRE((devstatfd = open("/dev/devstat", O_RDONLY)) >= 0);
ATF_REQUIRE((shmfd = shm_open(SHM_ANON, O_RDWR, 0644)) >= 0);
ATF_REQUIRE(ftruncate(shmfd, pagesize) == 0);
ATF_REQUIRE((zerofd = open("/dev/zero", O_RDONLY)) >= 0);
checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON, -1, 0,
"simple MAP_ANON");
checked_mmap(PROT_READ | PROT_WRITE, MAP_SHARED, shmfd, 0,
"simple shm fd shared");
checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE, shmfd, 0,
"simple shm fd private");
checked_mmap(PROT_READ, MAP_SHARED, zerofd, 0,
"simple /dev/zero shared");
checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE, zerofd, 0,
"simple /dev/zero private");
checked_mmap(PROT_READ, MAP_SHARED, devstatfd, 0,
"simple /dev/devstat shared");
checked_mmap(PROT_READ | PROT_WRITE | 0x100000, MAP_ANON, -1, EINVAL,
"MAP_ANON with extra PROT flags");
checked_mmap(0xffff, MAP_SHARED, shmfd, EINVAL,
"shm fd with garbage PROT");
checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_RESERVED0080, -1,
EINVAL, "Undefined flag");
checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE |
MAP_SHARED, -1, EINVAL, "MAP_ANON with both SHARED and PRIVATE");
checked_mmap(PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_SHARED, shmfd,
EINVAL, "shm fd with both SHARED and PRIVATE");
checked_mmap(PROT_READ | PROT_WRITE, 0, shmfd, EINVAL,
"shm fd without sharing flag");
checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0,
"shared MAP_ANON");
checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0,
"private MAP_ANON");
checked_mmap(PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, 0, EINVAL,
"MAP_ANON with fd != -1");
checked_mmap(PROT_READ | PROT_WRITE, MAP_SHARED, zerofd, EACCES,
"MAP_SHARED of read-only /dev/zero");
checked_mmap(PROT_READ, MAP_PRIVATE, devstatfd, EINVAL,
"MAP_PRIVATE of /dev/devstat");
close(devstatfd);
close(shmfd);
close(zerofd);
}
ATF_TC_WITHOUT_HEAD(mmap__dev_zero_private);
ATF_TC_BODY(mmap__dev_zero_private, tc)
{
char *p1, *p2, *p3;
int fd, i, pagesize;
ATF_REQUIRE((pagesize = getpagesize()) > 0);
ATF_REQUIRE((fd = open("/dev/zero", O_RDONLY)) >= 0);
p1 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
ATF_REQUIRE(p1 != MAP_FAILED);
p2 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
ATF_REQUIRE(p2 != MAP_FAILED);
for (i = 0; i < pagesize; i++)
ATF_REQUIRE_EQ_MSG(0, p1[i], "byte at p1[%d] is %x", i, p1[i]);
ATF_REQUIRE(memcmp(p1, p2, pagesize) == 0);
p1[0] = 1;
ATF_REQUIRE(p2[0] == 0);
p2[0] = 2;
ATF_REQUIRE(p1[0] == 1);
p3 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
ATF_REQUIRE(p3 != MAP_FAILED);
ATF_REQUIRE(p3[0] == 0);
munmap(p1, pagesize);
munmap(p2, pagesize);
munmap(p3, pagesize);
close(fd);
}
ATF_TC_WITHOUT_HEAD(mmap__dev_zero_shared);
ATF_TC_BODY(mmap__dev_zero_shared, tc)
{
char *p1, *p2, *p3;
int fd, i, pagesize;
ATF_REQUIRE((pagesize = getpagesize()) > 0);
ATF_REQUIRE((fd = open("/dev/zero", O_RDWR)) >= 0);
p1 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
ATF_REQUIRE(p1 != MAP_FAILED);
p2 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
ATF_REQUIRE(p2 != MAP_FAILED);
for (i = 0; i < pagesize; i++)
ATF_REQUIRE_EQ_MSG(0, p1[i], "byte at p1[%d] is %x", i, p1[i]);
ATF_REQUIRE(memcmp(p1, p2, pagesize) == 0);
p1[0] = 1;
ATF_REQUIRE(p2[0] == 0);
p2[0] = 2;
ATF_REQUIRE(p1[0] == 1);
p3 = mmap(NULL, pagesize, PROT_READ | PROT_WRITE, MAP_SHARED, fd,
0);
ATF_REQUIRE(p3 != MAP_FAILED);
ATF_REQUIRE(p3[0] == 0);
munmap(p1, pagesize);
munmap(p2, pagesize);
munmap(p3, pagesize);
close(fd);
}
ATF_TC_WITHOUT_HEAD(mmap__write_only);
ATF_TC_BODY(mmap__write_only, tc)
{
void *p;
int pagesize;
ATF_REQUIRE((pagesize = getpagesize()) > 0);
p = mmap(NULL, pagesize, PROT_WRITE, MAP_ANON, -1, 0);
ATF_REQUIRE(p != MAP_FAILED);
*(volatile uint32_t *)p = 0x12345678;
munmap(p, pagesize);
}
ATF_TC_WITHOUT_HEAD(mmap__maxprot_basic);
ATF_TC_BODY(mmap__maxprot_basic, tc)
{
void *p;
int error, pagesize;
ATF_REQUIRE((pagesize = getpagesize()) > 0);
p = mmap(NULL, pagesize, PROT_READ | PROT_MAX(PROT_READ),
MAP_ANON, -1, 0);
ATF_REQUIRE(p != MAP_FAILED);
error = mprotect(p, pagesize, PROT_WRITE);
ATF_REQUIRE_ERRNO(EACCES, error == -1);
error = mprotect(p, pagesize, PROT_READ | PROT_WRITE);
ATF_REQUIRE_ERRNO(EACCES, error == -1);
error = mprotect(p, pagesize, PROT_READ | PROT_EXEC);
ATF_REQUIRE_ERRNO(EACCES, error == -1);
ATF_REQUIRE(munmap(p, pagesize) == 0);
}
ATF_TC_WITHOUT_HEAD(mmap__maxprot_shm);
ATF_TC_BODY(mmap__maxprot_shm, tc)
{
void *p;
int error, fd, pagesize;
ATF_REQUIRE((pagesize = getpagesize()) > 0);
fd = shm_open(SHM_ANON, O_RDWR, 0644);
ATF_REQUIRE(fd >= 0);
error = ftruncate(fd, pagesize);
ATF_REQUIRE(error == 0);
p = mmap(NULL, pagesize, PROT_READ | PROT_MAX(PROT_READ),
MAP_PRIVATE, fd, 0);
ATF_REQUIRE(p != MAP_FAILED);
error = mprotect(p, pagesize, PROT_WRITE);
ATF_REQUIRE_ERRNO(EACCES, error == -1);
error = mprotect(p, pagesize, PROT_READ | PROT_WRITE);
ATF_REQUIRE_ERRNO(EACCES, error == -1);
error = mprotect(p, pagesize, PROT_READ | PROT_EXEC);
ATF_REQUIRE_ERRNO(EACCES, error == -1);
ATF_REQUIRE(munmap(p, pagesize) == 0);
p = mmap(NULL, pagesize, PROT_READ | PROT_MAX(PROT_READ),
MAP_SHARED, fd, 0);
ATF_REQUIRE(p != MAP_FAILED);
error = mprotect(p, pagesize, PROT_WRITE);
ATF_REQUIRE_ERRNO(EACCES, error == -1);
error = mprotect(p, pagesize, PROT_READ | PROT_WRITE);
ATF_REQUIRE_ERRNO(EACCES, error == -1);
error = mprotect(p, pagesize, PROT_READ | PROT_EXEC);
ATF_REQUIRE_ERRNO(EACCES, error == -1);
ATF_REQUIRE(munmap(p, pagesize) == 0);
ATF_REQUIRE(close(fd) == 0);
}
ATF_TP_ADD_TCS(tp)
{
ATF_TP_ADD_TC(tp, mmap__map_at_zero);
ATF_TP_ADD_TC(tp, mmap__bad_arguments);
ATF_TP_ADD_TC(tp, mmap__dev_zero_private);
ATF_TP_ADD_TC(tp, mmap__dev_zero_shared);
ATF_TP_ADD_TC(tp, mmap__write_only);
ATF_TP_ADD_TC(tp, mmap__maxprot_basic);
ATF_TP_ADD_TC(tp, mmap__maxprot_shm);
return (atf_no_error());
}
