diff options
author | Evgeniy Stepanov <eugeni.stepanov@gmail.com> | 2016-01-26 20:53:09 +0000 |
---|---|---|
committer | Evgeniy Stepanov <eugeni.stepanov@gmail.com> | 2016-01-26 20:53:09 +0000 |
commit | ddcde53598ffd5f50f36ade3b8ef135893a818af (patch) | |
tree | ccdc0d151d11ec365d8be3d9ce2d4a605fbcce99 /test/cfi/cross-dso | |
parent | ba3cad62c7bd5e839b8f8df765337e4ec113edd4 (diff) |
[cfi] Support for dlopen and dlclose.
Add dlopen/dlclose interceptors to update CFI shadow for loaded/unloaded libraries.
git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@258857 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'test/cfi/cross-dso')
-rw-r--r-- | test/cfi/cross-dso/dlopen.cpp | 146 | ||||
-rw-r--r-- | test/cfi/cross-dso/shadow_is_read_only.cpp | 82 |
2 files changed, 228 insertions, 0 deletions
diff --git a/test/cfi/cross-dso/dlopen.cpp b/test/cfi/cross-dso/dlopen.cpp new file mode 100644 index 000000000..028ab2d30 --- /dev/null +++ b/test/cfi/cross-dso/dlopen.cpp @@ -0,0 +1,146 @@ +// RUN: %clangxx_cfi_dso -DSHARED_LIB %s -fPIC -shared -o %t1-so.so +// RUN: %clangxx_cfi_dso %s -o %t1 +// RUN: %expect_crash %t1 2>&1 | FileCheck --check-prefix=CFI %s +// RUN: %expect_crash %t1 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s +// RUN: %expect_crash %t1 dlclose 2>&1 | FileCheck --check-prefix=CFI %s + +// RUN: %clangxx_cfi_dso -DB32 -DSHARED_LIB %s -fPIC -shared -o %t2-so.so +// RUN: %clangxx_cfi_dso -DB32 %s -o %t2 +// RUN: %expect_crash %t2 2>&1 | FileCheck --check-prefix=CFI %s +// RUN: %expect_crash %t2 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s +// RUN: %expect_crash %t2 dlclose 2>&1 | FileCheck --check-prefix=CFI %s + +// RUN: %clangxx_cfi_dso -DB64 -DSHARED_LIB %s -fPIC -shared -o %t3-so.so +// RUN: %clangxx_cfi_dso -DB64 %s -o %t3 +// RUN: %expect_crash %t3 2>&1 | FileCheck --check-prefix=CFI %s +// RUN: %expect_crash %t3 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s +// RUN: %expect_crash %t3 dlclose 2>&1 | FileCheck --check-prefix=CFI %s + +// RUN: %clangxx_cfi_dso -DBM -DSHARED_LIB %s -fPIC -shared -o %t4-so.so +// RUN: %clangxx_cfi_dso -DBM %s -o %t4 +// RUN: %expect_crash %t4 2>&1 | FileCheck --check-prefix=CFI %s +// RUN: %expect_crash %t4 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s +// RUN: %expect_crash %t4 dlclose 2>&1 | FileCheck --check-prefix=CFI %s + +// RUN: %clangxx -g -DBM -DSHARED_LIB -DNOCFI %s -fPIC -shared -o %t5-so.so +// RUN: %clangxx -g -DBM -DNOCFI %s -ldl -o %t5 +// RUN: %t5 2>&1 | FileCheck --check-prefix=NCFI %s +// RUN: %t5 cast 2>&1 | FileCheck --check-prefix=NCFI %s +// RUN: %t5 dlclose 2>&1 | FileCheck --check-prefix=NCFI %s + +// Test that calls to uninstrumented library are unchecked. +// RUN: %clangxx -DBM -DSHARED_LIB %s -fPIC -shared -o %t6-so.so +// RUN: %clangxx_cfi_dso -DBM %s -o %t6 +// RUN: %t6 2>&1 | FileCheck --check-prefix=NCFI %s +// RUN: %t6 cast 2>&1 | FileCheck --check-prefix=NCFI %s + +// Call-after-dlclose is checked on the caller side. +// RUN: %expect_crash %t6 dlclose 2>&1 | FileCheck --check-prefix=CFI %s + +// Tests calls into dlopen-ed library. +// REQUIRES: cxxabi + +#include <assert.h> +#include <dlfcn.h> +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <sys/mman.h> + +struct A { + virtual void f(); +}; + +#ifdef SHARED_LIB + +#include "../utils.h" +struct B { + virtual void f(); +}; +void B::f() {} + +extern "C" void *create_B() { + create_derivers<B>(); + return (void *)(new B()); +} + +extern "C" void do_nothing() __attribute__((aligned(4096))) {} + +#else + +void A::f() {} + +static const int kCodeAlign = 4096; +static const int kCodeSize = 4096; +static char saved_code[kCodeSize]; +static char *real_start; + +static void save_code(char *p) { + real_start = (char *)(((uintptr_t)p) & ~(kCodeAlign - 1)); + memcpy(saved_code, real_start, kCodeSize); +} + +static void restore_code() { + char *code = (char *)mmap(real_start, kCodeSize, PROT_WRITE | PROT_EXEC, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); + assert(code == real_start); + memcpy(code, saved_code, kCodeSize); +} + +int main(int argc, char *argv[]) { + const bool test_cast = argc > 1 && strcmp(argv[1], "cast") == 0; + const bool test_dlclose = argc > 1 && strcmp(argv[1], "dlclose") == 0; + + char name[100]; + snprintf(name, sizeof(name), "%s-so.so", argv[0]); + void *handle = dlopen(name, RTLD_NOW); + assert(handle); + void *(*create_B)() = (void *(*)())dlsym(handle, "create_B"); + assert(create_B); + + void *p = create_B(); + A *a; + + // CFI: =0= + // CFI-CAST: =0= + // NCFI: =0= + fprintf(stderr, "=0=\n"); + + if (test_cast) { + // Test cast. BOOM. + a = (A*)p; + } else { + // Invisible to CFI. Test virtual call later. + memcpy(&a, &p, sizeof(a)); + } + + // CFI: =1= + // CFI-CAST-NOT: =1= + // NCFI: =1= + fprintf(stderr, "=1=\n"); + + if (test_dlclose) { + // Imitate an attacker sneaking in an executable page where a dlclose()d + // library was loaded. This needs to pass w/o CFI, so for the testing + // purpose, we just copy the bytes of a "void f() {}" function back and + // forth. + void (*do_nothing)() = (void (*)())dlsym(handle, "do_nothing"); + assert(do_nothing); + save_code((char *)do_nothing); + + int res = dlclose(handle); + assert(res == 0); + + restore_code(); + + do_nothing(); // UB here + } else { + a->f(); // UB here + } + + // CFI-NOT: =2= + // CFI-CAST-NOT: =2= + // NCFI: =2= + fprintf(stderr, "=2=\n"); +} +#endif diff --git a/test/cfi/cross-dso/shadow_is_read_only.cpp b/test/cfi/cross-dso/shadow_is_read_only.cpp new file mode 100644 index 000000000..7b3a5ba19 --- /dev/null +++ b/test/cfi/cross-dso/shadow_is_read_only.cpp @@ -0,0 +1,82 @@ +// RUN: %clangxx_cfi_dso -std=c++11 -g -DSHARED_LIB %s -fPIC -shared -o %t-cfi-so.so +// RUN: %clangxx -std=c++11 -g -DSHARED_LIB %s -fPIC -shared -o %t-nocfi-so.so +// RUN: %clangxx_cfi_dso -std=c++11 -g %s -o %t + +// RUN: %expect_crash %t start 2>&1 | FileCheck %s +// RUN: %expect_crash %t mmap 2>&1 | FileCheck %s +// RUN: %expect_crash %t dlopen %t-cfi-so.so 2>&1 | FileCheck %s +// RUN: %expect_crash %t dlclose %t-cfi-so.so 2>&1 | FileCheck %s +// RUN: %expect_crash %t dlopen %t-nocfi-so.so 2>&1 | FileCheck %s +// RUN: %expect_crash %t dlclose %t-nocfi-so.so 2>&1 | FileCheck %s + +// Tests that shadow is read-only most of the time. +// REQUIRES: cxxabi + +#include <assert.h> +#include <dlfcn.h> +#include <stdio.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> +#include <sys/mman.h> + +struct A { + virtual void f(); +}; + +#ifdef SHARED_LIB + +void A::f() {} + +extern "C" A *create_A() { return new A(); } + +#else + +constexpr unsigned kShadowGranularity = 12; +uintptr_t GetShadow(); + +void write_shadow(void *ptr) { + uintptr_t base = GetShadow(); + uint16_t *s = + (uint16_t *)(base + (((uintptr_t)ptr >> kShadowGranularity) << 1)); + fprintf(stderr, "going to crash\n"); + // CHECK: going to crash + *s = 42; + fprintf(stderr, "did not crash\n"); + // CHECK-NOT: did not crash + exit(1); +} + +int main(int argc, char *argv[]) { + assert(argc > 1); + const bool test_mmap = strcmp(argv[1], "mmap") == 0; + const bool test_start = strcmp(argv[1], "start") == 0; + const bool test_dlopen = strcmp(argv[1], "dlopen") == 0; + const bool test_dlclose = strcmp(argv[1], "dlclose") == 0; + const char *lib = argc > 2 ? argv[2] : nullptr; + + if (test_start) + write_shadow((void *)&main); + + if (test_mmap) { + void *p = mmap(nullptr, 1 << 20, PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_PRIVATE | MAP_ANONYMOUS, 0, 0); + assert(p != MAP_FAILED); + write_shadow((char *)p + 100); + } else { + void *handle = dlopen(lib, RTLD_NOW); + assert(handle); + void *create_A = dlsym(handle, "create_A"); + assert(create_A); + + if (test_dlopen) + write_shadow(create_A); + + int res = dlclose(handle); + assert(res == 0); + + if (test_dlclose) + write_shadow(create_A); + } +} +#endif |