/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim:set ts=2 sw=2 sts=2 et cindent: */ /* ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0/LGPL 2.1 * * The contents of this file are subject to the Mozilla Public License Version * 1.1 (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * http://www.mozilla.org/MPL/ * * Software distributed under the License is distributed on an "AS IS" basis, * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License * for the specific language governing rights and limitations under the * License. * * The Original Code is frame poisoning tests. * * The Initial Developer of the Original Code is the Mozilla Foundation. * Portions created by the Initial Developer are Copyright (C) 2009 * the Initial Developer. All Rights Reserved. * * Contributor(s): * Zachary Weinberg * * Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), * in which case the provisions of the GPL or the LGPL are applicable instead * of those above. If you wish to allow use of your version of this file only * under the terms of either the GPL or the LGPL, and not to allow others to * use your version of this file under the terms of the MPL, indicate your * decision by deleting the provisions above and replace them with the notice * and other provisions required by the GPL or the LGPL. If you do not delete * the provisions above, a recipient may use your version of this file under * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ /* Code in this file needs to be kept in sync with code in nsPresArena.cpp. * * We want to use a fixed address for frame poisoning so that it is readily * identifiable in crash dumps. Whether such an address is available * without any special setup depends on the system configuration. * * All current 64-bit CPUs (with the possible exception of PowerPC64) * reserve the vast majority of the virtual address space for future * hardware extensions; valid addresses must be below some break point * between 2**48 and 2**54, depending on exactly which chip you have. Some * chips (notably amd64) also allow the use of the *highest* 2**48 -- 2**54 * addresses. Thus, if user space pointers are 64 bits wide, we can just * use an address outside this range, and no more is required. To * accommodate the chips that allow very high addresses to be valid, the * value chosen is close to 2**63 (that is, in the middle of the space). * * In most cases, a purely 32-bit operating system must reserve some * fraction of the address space for its own use. Contemporary 32-bit OSes * tend to take the high gigabyte or so (0xC000_0000 on up). If we can * prove that high addresses are reserved to the kernel, we can use an * address in that region. Unfortunately, not all 32-bit OSes do this; * OSX 10.4 might not, and it is unclear what mobile OSes are like * (some 32-bit CPUs make it very easy for the kernel to exist in its own * private address space). * * Furthermore, when a 32-bit user space process is running on a 64-bit * kernel, the operating system has no need to reserve any of the space that * the process can see, and generally does not do so. This is the scenario * of greatest concern, since it covers all contemporary OSX iterations * (10.5+) as well as Windows Vista and 7 on newer amd64 hardware. Linux on * amd64 is generally run as a pure 64-bit environment, but its 32-bit * compatibility mode also has this property. * * Thus, when user space pointers are 32 bits wide, we need to validate * our chosen address, and possibly *make* it a good poison address by * allocating a page around it and marking it inaccessible. The algorithm * for this is: * * 1. Attempt to make the page surrounding the poison address a reserved, * inaccessible memory region using OS primitives. On Windows, this is * done with VirtualAlloc(MEM_RESERVE); on Unix, mmap(PROT_NONE). * * 2. If mmap/VirtualAlloc failed, there are two possible reasons: either * the region is reserved to the kernel and no further action is * required, or there is already usable memory in this area and we have * to pick a different address. The tricky part is knowing which case * we have, without attempting to access the region. On Windows, we * rely on GetSystemInfo()'s reported upper and lower bounds of the * application memory area. On Unix, there is nothing devoted to the * purpose, but seeing if madvise() fails is close enough (it *might* * disrupt someone else's use of the memory region, but not by as much * as anything else available). * * Be aware of these gotchas: * * 1. We cannot use mmap() with MAP_FIXED. MAP_FIXED is defined to * _replace_ any existing mapping in the region, if necessary to satisfy * the request. Obviously, as we are blindly attempting to acquire a * page at a constant address, we must not do this, lest we overwrite * someone else's allocation. * * 2. For the same reason, we cannot blindly use mprotect() if mmap() fails. * * 3. madvise() may fail when applied to a 'magic' memory region provided as * a kernel/user interface. Fortunately, the only such case I know about * is the "vsyscall" area (not to be confused with the "vdso" area) for * *64*-bit processes on Linux - and we don't even run this code for * 64-bit processes. * * 4. VirtualQuery() does not produce any useful information if * applied to kernel memory - in fact, it doesn't write its output * at all. Thus, it is not used here. */ // MAP_ANON(YMOUS) is not in any standard, and the C99 PRI* macros are // not in C++98. Add defines as necessary. #define __STDC_FORMAT_MACROS #define _GNU_SOURCE 1 #define _DARWIN_C_SOURCE 1 #include #ifndef _WIN32 #include #else #define PRIxPTR "Ix" typedef unsigned int uint32_t; // MSVC defines uintptr_t in which is brought in implicitly #endif #include #include #include #include #ifdef _WIN32 #include #else #include #include #include #include #include #include #include #ifndef MAP_ANON #ifdef MAP_ANONYMOUS #define MAP_ANON MAP_ANONYMOUS #else #error "Don't know how to get anonymous memory" #endif #endif #endif #define SIZxPTR ((int)(sizeof(uintptr_t)*2)) /* This program assumes that a whole number of return instructions fit into * 32 bits, and that 32-bit alignment is sufficient for a branch destination. */ #if defined __i386__ || defined __x86_64__ || \ defined __i386 || defined __x86_64 || \ defined _M_IX86 || defined _M_AMD64 #define RETURN_INSTR 0xC3C3C3C3 /* ret; ret; ret; ret */ #elif defined __arm__ || defined _M_ARM #define RETURN_INSTR 0xE12FFF1E /* bx lr */ // PPC has its own style of CPU-id #defines. There is no Windows for // PPC as far as I know, so no _M_ variant. #elif defined _ARCH_PPC || defined _ARCH_PWR || defined _ARCH_PWR2 #define RETURN_INSTR 0x4E800020 /* blr */ #elif defined __sparc || defined __sparcv9 #define RETURN_INSTR 0x81c3e008 /* retl */ #else #error "Need return instruction for this architecture" #endif // Miscellaneous Windows/Unix portability gumph #ifdef _WIN32 // Uses of this function deliberately leak the string. static LPSTR StrW32Error(DWORD errcode) { LPSTR errmsg; #ifndef WINCE FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, errcode, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPSTR) &errmsg, 0, NULL); // FormatMessage puts an unwanted newline at the end of the string size_t n = strlen(errmsg)-1; while (errmsg[n] == '\r' || errmsg[n] == '\n') n--; errmsg[n+1] = '\0'; #else // CE doesn't have FormatMessageA so we just stringify the error code. // Use LocalAlloc for consistency with the regular Windows code path. // "code \0" is 6 bytes, and a 32-bit number might need 10 more. errmsg = (LPSTR)LocalAlloc(LMEM_FIXED, 16); _snprintf(errmsg, 16, "code %u", errcode); #endif return errmsg; } #define LastErrMsg() (StrW32Error(GetLastError())) // Because we use VirtualAlloc in MEM_RESERVE mode, the "page size" we want // is the allocation granularity. static SYSTEM_INFO _sinfo; #undef PAGESIZE #define PAGESIZE (_sinfo.dwAllocationGranularity) static void * ReserveRegion(uintptr_t request, bool accessible) { return VirtualAlloc((void *)request, PAGESIZE, accessible ? MEM_RESERVE|MEM_COMMIT : MEM_RESERVE, accessible ? PAGE_EXECUTE_READWRITE : PAGE_NOACCESS); } static void ReleaseRegion(void *page) { VirtualFree(page, PAGESIZE, MEM_RELEASE); } static bool ProbeRegion(uintptr_t page) { if (page >= (uintptr_t)_sinfo.lpMaximumApplicationAddress && page + PAGESIZE >= (uintptr_t)_sinfo.lpMaximumApplicationAddress) { return true; } else { return false; } } static bool MakeRegionExecutable(void *) { return false; } #undef MAP_FAILED #define MAP_FAILED 0 #else #define LastErrMsg() (strerror(errno)) static unsigned long _pagesize; #define PAGESIZE _pagesize static void * ReserveRegion(uintptr_t request, bool accessible) { return mmap((caddr_t)request, PAGESIZE, accessible ? PROT_READ|PROT_WRITE : PROT_NONE, MAP_PRIVATE|MAP_ANON, -1, 0); } static void ReleaseRegion(void *page) { munmap((caddr_t)page, PAGESIZE); } static bool ProbeRegion(uintptr_t page) { if (madvise((caddr_t)page, PAGESIZE, MADV_NORMAL)) { return true; } else { return false; } } static int MakeRegionExecutable(void *page) { return mprotect((caddr_t)page, PAGESIZE, PROT_READ|PROT_WRITE|PROT_EXEC); } #endif static uintptr_t ReservePoisonArea() { if (sizeof(uintptr_t) == 8) { // Use the hardware-inaccessible region. // We have to avoid 64-bit constants and shifts by 32 bits, since this // code is compiled in 32-bit mode, although it is never executed there. uintptr_t result = (((uintptr_t(0x7FFFFFFFu) << 31) << 1 | uintptr_t(0xF0DEAFFFu)) & ~uintptr_t(PAGESIZE-1)); printf("INFO | poison area assumed at 0x%.*"PRIxPTR"\n", SIZxPTR, result); return result; } else { // First see if we can allocate the preferred poison address from the OS. uintptr_t candidate = (0xF0DEAFFF & ~(PAGESIZE-1)); void *result = ReserveRegion(candidate, false); if (result == (void *)candidate) { // success - inaccessible page allocated printf("INFO | poison area allocated at 0x%.*"PRIxPTR " (preferred addr)\n", SIZxPTR, (uintptr_t)result); return candidate; } // That didn't work, so see if the preferred address is within a range // of permanently inacessible memory. if (ProbeRegion(candidate)) { // success - selected page cannot be usable memory if (result != MAP_FAILED) ReleaseRegion(result); printf("INFO | poison area assumed at 0x%.*"PRIxPTR " (preferred addr)\n", SIZxPTR, candidate); return candidate; } // The preferred address is already in use. Did the OS give us a // consolation prize? if (result != MAP_FAILED) { printf("INFO | poison area allocated at 0x%.*"PRIxPTR " (consolation prize)\n", SIZxPTR, (uintptr_t)result); return (uintptr_t)result; } // It didn't, so try to allocate again, without any constraint on // the address. result = ReserveRegion(0, false); if (result != MAP_FAILED) { printf("INFO | poison area allocated at 0x%.*"PRIxPTR " (fallback)\n", SIZxPTR, (uintptr_t)result); return (uintptr_t)result; } printf("ERROR | no usable poison area found\n"); return 0; } } /* The "positive control" area confirms that we can allocate a page with the * proper characteristics. */ static uintptr_t ReservePositiveControl() { void *result = ReserveRegion(0, false); if (result == MAP_FAILED) { printf("ERROR | allocating positive control | %s\n", LastErrMsg()); return 0; } printf("INFO | positive control allocated at 0x%.*"PRIxPTR"\n", SIZxPTR, (uintptr_t)result); return (uintptr_t)result; } /* The "negative control" area confirms that our probe logic does detect a * page that is readable, writable, or executable. */ static uintptr_t ReserveNegativeControl() { void *result = ReserveRegion(0, true); if (result == MAP_FAILED) { printf("ERROR | allocating negative control | %s\n", LastErrMsg()); return 0; } // Fill the page with return instructions. uint32_t *p = (uint32_t *)result; uint32_t *limit = (uint32_t *)(((char *)result) + PAGESIZE); while (p < limit) *p++ = RETURN_INSTR; // Now mark it executable as well as readable and writable. // (mmap(PROT_EXEC) may fail when applied to anonymous memory.) if (MakeRegionExecutable(result)) { printf("ERROR | making negative control executable | %s\n", LastErrMsg()); return 0; } printf("INFO | negative control allocated at 0x%.*"PRIxPTR"\n", SIZxPTR, (uintptr_t)result); return (uintptr_t)result; } #ifdef _WIN32 static BOOL IsBadExecPtr(uintptr_t ptr) { BOOL ret = false; #ifdef _MSC_VER __try { ((void (*)())ptr)(); } __except (EXCEPTION_EXECUTE_HANDLER) { ret = true; } #else printf("INFO | exec test not supported on MinGW build\n"); // We do our best ret = IsBadReadPtr((const void*)ptr, 1); #endif return ret; } #endif /* Test each page. */ static bool TestPage(const char *pagelabel, uintptr_t pageaddr, int should_succeed) { const char *oplabel; uintptr_t opaddr; bool failed = false; for (unsigned int test = 0; test < 3; test++) { switch (test) { // The execute test must be done before the write test, because the // write test will clobber memory at the target address. case 0: oplabel = "reading"; opaddr = pageaddr + PAGESIZE/2 - 1; break; case 1: oplabel = "executing"; opaddr = pageaddr + PAGESIZE/2; break; case 2: oplabel = "writing"; opaddr = pageaddr + PAGESIZE/2 - 1; break; default: abort(); } #ifdef _WIN32 BOOL badptr; switch (test) { case 0: badptr = IsBadReadPtr((const void*)opaddr, 1); break; case 1: badptr = IsBadExecPtr(opaddr); break; case 2: badptr = IsBadWritePtr((void*)opaddr, 1); break; default: abort(); } if (badptr) { if (should_succeed) { printf("TEST-UNEXPECTED-FAIL | %s %s\n", oplabel, pagelabel); failed = true; } else { printf("TEST-PASS | %s %s\n", oplabel, pagelabel); } } else { // if control reaches this point the probe succeeded if (should_succeed) { printf("TEST-PASS | %s %s\n", oplabel, pagelabel); } else { printf("TEST-UNEXPECTED-FAIL | %s %s\n", oplabel, pagelabel); failed = true; } } #else pid_t pid = fork(); if (pid == -1) { printf("ERROR | %s %s | fork=%s\n", oplabel, pagelabel, LastErrMsg()); exit(2); } else if (pid == 0) { volatile unsigned char scratch; switch (test) { case 0: scratch = *(volatile unsigned char *)opaddr; break; case 1: ((void (*)())opaddr)(); break; case 2: *(volatile unsigned char *)opaddr = 0; break; default: abort(); } _exit(0); } else { int status; if (waitpid(pid, &status, 0) != pid) { printf("ERROR | %s %s | wait=%s\n", oplabel, pagelabel, LastErrMsg()); exit(2); } if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { if (should_succeed) { printf("TEST-PASS | %s %s\n", oplabel, pagelabel); } else { printf("TEST-UNEXPECTED-FAIL | %s %s\n", oplabel, pagelabel); failed = true; } } else if (WIFEXITED(status)) { printf("ERROR | %s %s | unexpected exit code %d\n", oplabel, pagelabel, WEXITSTATUS(status)); exit(2); } else if (WIFSIGNALED(status)) { if (should_succeed) { printf("TEST-UNEXPECTED-FAIL | %s %s | %s\n", oplabel, pagelabel, strsignal(WTERMSIG(status))); failed = true; } else { printf("TEST-PASS | %s %s | %s\n", oplabel, pagelabel, strsignal(WTERMSIG(status))); } } else { printf("ERROR | %s %s | unexpected exit status %d\n", oplabel, pagelabel, status); exit(2); } } #endif } return failed; } int main() { #ifdef _WIN32 GetSystemInfo(&_sinfo); #else _pagesize = sysconf(_SC_PAGESIZE); #endif uintptr_t ncontrol = ReserveNegativeControl(); uintptr_t pcontrol = ReservePositiveControl(); uintptr_t poison = ReservePoisonArea(); if (!ncontrol || !pcontrol || !poison) return 2; bool failed = false; failed |= TestPage("negative control", ncontrol, 1); failed |= TestPage("positive control", pcontrol, 0); failed |= TestPage("poison area", poison, 0); return failed ? 1 : 0; }