1 #include <darwintest.h>
2
3 #include <errno.h>
4 #include <fcntl.h>
5 #include <signal.h>
6 #include <spawn.h>
7 #include <spawn_private.h>
8 #include <stdbool.h>
9 #include <stdint.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <string.h>
13 #include <sys/spawn_internal.h>
14 #include <sys/sysctl.h>
15 #include <sys/syslimits.h>
16 #include <sys/reason.h>
17 #include <sysexits.h>
18 #include <unistd.h>
19 #include <signal.h>
20 #include <libproc.h>
21
22 #include <mach-o/dyld.h>
23 #include <mach-o/dyld_priv.h>
24 #include <dlfcn.h>
25
26 #define SHARED_CACHE_HELPER "get_shared_cache_address"
27 #define DO_RUSAGE_CHECK "check_rusage_flag"
28 #define DO_DUMMY "dummy"
29 #define ADDRESS_OUTPUT_SIZE 12L
30
31 #ifndef _POSIX_SPAWN_RESLIDE
32 #define _POSIX_SPAWN_RESLIDE 0x0800
33 #endif
34
35 #ifndef OS_REASON_FLAG_SHAREDREGION_FAULT
36 #define OS_REASON_FLAG_SHAREDREGION_FAULT 0x400
37 #endif
38
39 T_GLOBAL_META(
40 T_META_RADAR_COMPONENT_NAME("xnu"),
41 T_META_RADAR_COMPONENT_VERSION("VM"),
42 T_META_OWNER("eperla"),
43 T_META_RUN_CONCURRENTLY(true));
44
45 #if (__arm64e__) && (TARGET_OS_IOS || TARGET_OS_OSX)
46 static void *
get_current_slide_address(bool reslide)47 get_current_slide_address(bool reslide)
48 {
49 pid_t pid;
50 int pipefd[2];
51 posix_spawnattr_t attr;
52 posix_spawn_file_actions_t action;
53 uintptr_t addr;
54
55 T_ASSERT_POSIX_SUCCESS(posix_spawnattr_init(&attr), "posix_spawnattr_init");
56 /* spawn the helper requesting a reslide */
57 if (reslide) {
58 T_ASSERT_POSIX_SUCCESS(posix_spawnattr_setflags(&attr, _POSIX_SPAWN_RESLIDE), "posix_spawnattr_setflags");
59 }
60
61 T_ASSERT_POSIX_SUCCESS(pipe(pipefd), "pipe");
62 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_init(&action), "posix_spawn_fileactions_init");
63 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_addclose(&action, pipefd[0]), "posix_spawn_file_actions_addclose");
64 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_adddup2(&action, pipefd[1], 1), "posix_spawn_file_actions_addup2");
65 T_ASSERT_POSIX_ZERO(posix_spawn_file_actions_addclose(&action, pipefd[1]), "posix_spawn_file_actions_addclose");
66
67 char *argvs[3];
68 argvs[0] = SHARED_CACHE_HELPER;
69 argvs[1] = reslide ? DO_RUSAGE_CHECK : DO_DUMMY;
70 argvs[2] = NULL;
71 char *const envps[] = {NULL};
72
73 T_ASSERT_POSIX_ZERO(posix_spawn(&pid, SHARED_CACHE_HELPER, &action, &attr, argvs, envps), "helper posix_spawn");
74 T_ASSERT_POSIX_SUCCESS(close(pipefd[1]), "close child end of the pipe");
75
76 char buf[ADDRESS_OUTPUT_SIZE] = {0};
77
78 ssize_t read_bytes = 0;
79 do {
80 if (read_bytes == -1) {
81 T_LOG("reading off get_shared_cache_address got interrupted");
82 }
83 read_bytes = read(pipefd[0], buf, sizeof(buf));
84 } while (read_bytes == -1 && errno == EINTR);
85
86 T_ASSERT_EQ_LONG(ADDRESS_OUTPUT_SIZE, read_bytes, "read helper output");
87
88 int status = 0;
89 int waitpid_result = waitpid(pid, &status, 0);
90 T_ASSERT_POSIX_SUCCESS(waitpid_result, "waitpid");
91 T_ASSERT_EQ(waitpid_result, pid, "waitpid should return child we spawned");
92 T_ASSERT_EQ(WIFEXITED(status), 1, "child should have exited normally");
93 T_ASSERT_EQ(WEXITSTATUS(status), EX_OK, "child should have exited with success");
94
95 addr = strtoul(buf, NULL, 16);
96 T_ASSERT_GE_LONG(addr, 0L, "convert address to uintptr_t");
97
98 return (void *)addr;
99 }
100
101 #define TEST_FAULT_BASE (0x00)
102 #define TEST_FAULT_TBI (0x01)
103 #define TEST_FAULT_WRITE (0x02)
104
105 /*
106 * build_faulting_shared_cache_address creates a pointer to an address that is
107 * within the shared_cache range but that is guaranteed to not be mapped.
108 */
109 static char *
build_faulting_shared_cache_address(uint8_t flags)110 build_faulting_shared_cache_address(uint8_t flags)
111 {
112 uintptr_t fault_address;
113
114 // Grab currently mapped shared cache location and size
115 size_t shared_cache_len = 0;
116 const void *shared_cache_location = _dyld_get_shared_cache_range(&shared_cache_len);
117 if (shared_cache_location == NULL || shared_cache_len == 0) {
118 return NULL;
119 }
120
121 // Locate a mach_header in the shared cache
122 Dl_info info;
123 if (dladdr((const void *)fork, &info) == 0) {
124 return NULL;
125 }
126
127 const struct mach_header *mh = info.dli_fbase;
128 uintptr_t slide = (uintptr_t)_dyld_get_image_slide(mh);
129
130 if (flags & TEST_FAULT_WRITE) {
131 fault_address = (uintptr_t)shared_cache_location;
132 } else if (slide == 0) {
133 fault_address = (uintptr_t)shared_cache_location + shared_cache_len + PAGE_SIZE;
134 } else {
135 fault_address = (uintptr_t)shared_cache_location - PAGE_SIZE;
136 }
137
138 if (flags & TEST_FAULT_TBI) {
139 fault_address |= 0x2000000000000000;
140 }
141
142 return (char *)fault_address;
143 }
144
145 #define INDUCE_CRASH_READ (0x01)
146 #define INDUCE_CRASH_WRITE (0x02)
147
148 static void
induce_crash(volatile char * ptr,uint8_t how_to_crash)149 induce_crash(volatile char *ptr, uint8_t how_to_crash)
150 {
151 pid_t child = fork();
152 T_ASSERT_POSIX_SUCCESS(child, "fork");
153
154 if (child == 0) {
155 if (how_to_crash == INDUCE_CRASH_READ) {
156 ptr[1];
157 } else if (how_to_crash == INDUCE_CRASH_WRITE) {
158 ptr[1] = 'a';
159 } else {
160 exit(1);
161 }
162 } else {
163 sleep(1);
164 struct proc_exitreasonbasicinfo exit_reason = {0};
165 T_ASSERT_POSIX_SUCCESS(proc_pidinfo(child, PROC_PIDEXITREASONBASICINFO, 1, &exit_reason, sizeof(exit_reason)), "basic exit reason");
166
167 int status = 0;
168 int waitpid_result;
169 do {
170 waitpid_result = waitpid(child, &status, 0);
171 } while (waitpid_result < 0 && errno == EINTR);
172 T_QUIET; T_ASSERT_POSIX_SUCCESS(waitpid_result, "waitpid");
173 T_ASSERT_EQ(waitpid_result, child, "waitpid should return forked child");
174 T_ASSERT_EQ(exit_reason.beri_namespace, OS_REASON_SIGNAL, "child should have exited with a signal");
175
176 if (ptr) {
177 if (how_to_crash == INDUCE_CRASH_READ) {
178 T_ASSERT_EQ_ULLONG(exit_reason.beri_code, (unsigned long long)SIGSEGV, "child should have received SIGSEGV");
179 }
180
181 if (how_to_crash == INDUCE_CRASH_WRITE) {
182 T_ASSERT_EQ_ULLONG(exit_reason.beri_code, (unsigned long long)SIGBUS, "child should have received SIGBUS");
183 }
184
185 T_ASSERT_NE((int)(exit_reason.beri_flags & OS_REASON_FLAG_SHAREDREGION_FAULT), 0, "should detect shared cache fault");
186 } else {
187 T_ASSERT_EQ((int)(exit_reason.beri_flags & OS_REASON_FLAG_SHAREDREGION_FAULT), 0, "should not detect shared cache fault");
188 }
189 }
190 }
191
192 static int saved_status;
193 static void
cleanup_sysctl(void)194 cleanup_sysctl(void)
195 {
196 int ret;
197
198 if (saved_status == 0) {
199 ret = sysctlbyname("vm.vm_shared_region_reslide_aslr", NULL, NULL, &saved_status, sizeof(saved_status));
200 T_QUIET; T_EXPECT_POSIX_SUCCESS(ret, "set shared region resliding back off");
201 }
202 }
203 #endif /* arm64e && (TARGET_OS_IOS || TARGET_OS_OSX) */
204
205 T_DECL(reslide_sharedcache, "crash induced reslide of the shared cache",
206 T_META_CHECK_LEAKS(false), T_META_IGNORECRASHES(".*shared_cache_reslide_test.*"),
207 T_META_ASROOT(true))
208 {
209 #if (__arm64e__) && (TARGET_OS_IOS || TARGET_OS_OSX)
210 void *system_address;
211 void *reslide_address;
212 void *confirm_address;
213 char *ptr;
214 int on = 1;
215 size_t size = sizeof(saved_status);
216
217 /* Force resliding on */
218 T_ASSERT_POSIX_SUCCESS(sysctlbyname("vm.vm_shared_region_reslide_aslr", &saved_status, &size, &on, sizeof(on)), "force enable reslide");
219 T_ATEND(cleanup_sysctl);
220
221 system_address = get_current_slide_address(false);
222 confirm_address = get_current_slide_address(false);
223 T_ASSERT_EQ_PTR(system_address, confirm_address, "system and current addresses should not diverge %p %p", system_address, confirm_address);
224
225 reslide_address = get_current_slide_address(true);
226 confirm_address = get_current_slide_address(true);
227 T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide addresses should diverge %p %p", system_address, reslide_address);
228 T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide (no crash) shouldn't diverge %p %p", reslide_address, confirm_address);
229
230 /* Crash into the shared cache area */
231 ptr = build_faulting_shared_cache_address(TEST_FAULT_BASE);
232 T_ASSERT_NOTNULL(ptr, "faulting on %p in the shared region", (void *)ptr);
233 induce_crash(ptr, INDUCE_CRASH_READ);
234 reslide_address = get_current_slide_address(true);
235 T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash) %p %p", system_address, reslide_address);
236 T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash) %p %p", confirm_address, reslide_address);
237
238 confirm_address = get_current_slide_address(true);
239 T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide shouldn't diverge (no crash) %p %p", reslide_address, confirm_address);
240
241 /* Crash somewhere else */
242 ptr = NULL;
243 induce_crash(ptr, INDUCE_CRASH_READ);
244 confirm_address = get_current_slide_address(true);
245 T_ASSERT_EQ_PTR(reslide_address, confirm_address, "reslide and another reslide after a non-tracked crash shouldn't diverge %p %p", reslide_address, confirm_address);
246
247 /* Ensure we still get the system address */
248 confirm_address = get_current_slide_address(false);
249 T_ASSERT_EQ_PTR(system_address, confirm_address, "system address and new process without resliding shouldn't diverge %p %p", system_address, confirm_address);
250
251 /* Ensure we detect a crash into the shared area with a TBI tagged address */
252 ptr = build_faulting_shared_cache_address(TEST_FAULT_TBI);
253 T_ASSERT_NOTNULL(ptr, "faulting on %p in the shared region", (void *)ptr);
254 confirm_address = get_current_slide_address(true);
255 induce_crash(ptr, INDUCE_CRASH_READ);
256 reslide_address = get_current_slide_address(true);
257 T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash, TBI test) %p %p", system_address, reslide_address);
258 T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash, TBI test) %p %p", confirm_address, reslide_address);
259
260 /* Ensure we detect a crash into the shared area with a WRITE access */
261 ptr = build_faulting_shared_cache_address(TEST_FAULT_WRITE);
262 T_ASSERT_NOTNULL(ptr, "faulting on write on %p in the shared region", (void *)ptr);
263 confirm_address = get_current_slide_address(true);
264 induce_crash(ptr, INDUCE_CRASH_WRITE);
265 reslide_address = get_current_slide_address(true);
266 T_ASSERT_NE_PTR(system_address, reslide_address, "system and reslide should diverge (after crash, WRITE test) %p %p", system_address, reslide_address);
267 T_ASSERT_NE_PTR(confirm_address, reslide_address, "reslide and another reslide should diverge (after crash, WRITE_TEST) %p %p", confirm_address, reslide_address);
268
269 #else /* __arm64e__ && (TARGET_OS_IOS || TARGET_OS_OSX) */
270 T_SKIP("shared cache reslide is currently only supported on arm64e iPhones and Apple Silicon Macs");
271 #endif /* __arm64e__ && (TARGET_OS_IOS || TARGET_OS_OSX) */
272 }
273