From 71895e0fe75900d8b8767304d5d9c611f9c69e5b Mon Sep 17 00:00:00 2001
From: Evgeniy Stepanov
Date: Thu, 20 Apr 2017 21:44:35 +0000
Subject: [cfi] Move one test under cross-dso/icall.

The test is using indirect calls.

git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@300900 91177308-0d34-0410-b5e6-96231b3b80d8
---
test/cfi/cross-dso/dlopen.cpp | 147 ------------------------------------
test/cfi/cross-dso/icall/dlopen.cpp | 147 ++++++++++++++++++++++++++++++++++++
2 files changed, 147 insertions(+), 147 deletions(-)
delete mode 100644 test/cfi/cross-dso/dlopen.cpp
create mode 100644 test/cfi/cross-dso/icall/dlopen.cpp
(limited to 'test/cfi')
diff --git a/test/cfi/cross-dso/dlopen.cpp b/test/cfi/cross-dso/dlopen.cpp
deleted file mode 100644
index ee4dae2b5..000000000
--- a/test/cfi/cross-dso/dlopen.cpp
+++ /dev/null
@@ -1,147 +0,0 @@ -// RUN: %clangxx_cfi_dso -DSHARED_LIB %s -fPIC -shared -o %t1-so.so -// RUN: %clangxx_cfi_dso %s -o %t1 -// RUN: %expect_crash %t1 2>&1 | FileCheck --check-prefix=CFI %s -// RUN: %expect_crash %t1 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s -// RUN: %expect_crash %t1 dlclose 2>&1 | FileCheck --check-prefix=CFI %s - -// RUN: %clangxx_cfi_dso -DB32 -DSHARED_LIB %s -fPIC -shared -o %t2-so.so -// RUN: %clangxx_cfi_dso -DB32 %s -o %t2 -// RUN: %expect_crash %t2 2>&1 | FileCheck --check-prefix=CFI %s -// RUN: %expect_crash %t2 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s -// RUN: %expect_crash %t2 dlclose 2>&1 | FileCheck --check-prefix=CFI %s - -// RUN: %clangxx_cfi_dso -DB64 -DSHARED_LIB %s -fPIC -shared -o %t3-so.so -// RUN: %clangxx_cfi_dso -DB64 %s -o %t3 -// RUN: %expect_crash %t3 2>&1 | FileCheck --check-prefix=CFI %s -// RUN: %expect_crash %t3 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s -// RUN: %expect_crash %t3 dlclose 2>&1 | FileCheck --check-prefix=CFI %s - -// RUN: %clangxx_cfi_dso -DBM -DSHARED_LIB %s -fPIC -shared -o %t4-so.so -// RUN: %clangxx_cfi_dso -DBM %s -o %t4 -// RUN: %expect_crash %t4 2>&1 | FileCheck --check-prefix=CFI %s -// RUN: %expect_crash %t4 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s -// RUN: %expect_crash %t4 dlclose 2>&1 | FileCheck --check-prefix=CFI %s - -// RUN: %clangxx -g -DBM -DSHARED_LIB -DNOCFI %s -fPIC -shared -o %t5-so.so -// RUN: %clangxx -g -DBM -DNOCFI %s -ldl -o %t5 -// RUN: %t5 2>&1 | FileCheck --check-prefix=NCFI %s -// RUN: %t5 cast 2>&1 | FileCheck --check-prefix=NCFI %s -// RUN: %t5 dlclose 2>&1 | FileCheck --check-prefix=NCFI %s - -// Test that calls to uninstrumented library are unchecked. -// RUN: %clangxx -DBM -DSHARED_LIB %s -fPIC -shared -o %t6-so.so -// RUN: %clangxx_cfi_dso -DBM %s -o %t6 -// RUN: %t6 2>&1 | FileCheck --check-prefix=NCFI %s -// RUN: %t6 cast 2>&1 | FileCheck --check-prefix=NCFI %s - -// Call-after-dlclose is checked on the caller side. 
-// RUN: %expect_crash %t6 dlclose 2>&1 | FileCheck --check-prefix=CFI %s - -// Tests calls into dlopen-ed library. -// REQUIRES: cxxabi - -#include -#include -#include -#include -#include -#include - -#include - -struct A { - virtual void f(); -}; - -#ifdef SHARED_LIB - -#include "../utils.h" -struct B { - virtual void f(); -}; -void B::f() {} - -extern "C" void *create_B() { - create_derivers(); - return (void *)(new B()); -} - -extern "C" __attribute__((aligned(4096))) void do_nothing() {} - -#else - -void A::f() {} - -static const int kCodeAlign = 4096; -static const int kCodeSize = 4096; -static char saved_code[kCodeSize]; -static char *real_start; - -static void save_code(char *p) { - real_start = (char *)(((uintptr_t)p) & ~(kCodeAlign - 1)); - memcpy(saved_code, real_start, kCodeSize); -} - -static void restore_code() { - char *code = (char *)mmap(real_start, kCodeSize, PROT_WRITE | PROT_EXEC, - MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); - assert(code == real_start); - memcpy(code, saved_code, kCodeSize); -} - -int main(int argc, char *argv[]) { - const bool test_cast = argc > 1 && strcmp(argv[1], "cast") == 0; - const bool test_dlclose = argc > 1 && strcmp(argv[1], "dlclose") == 0; - - std::string name = std::string(argv[0]) + "-so.so"; - void *handle = dlopen(name.c_str(), RTLD_NOW); - assert(handle); - void *(*create_B)() = (void *(*)())dlsym(handle, "create_B"); - assert(create_B); - - void *p = create_B(); - A *a; - - // CFI: =0= - // CFI-CAST: =0= - // NCFI: =0= - fprintf(stderr, "=0=\n"); - - if (test_cast) { - // Test cast. BOOM. - a = (A*)p; - } else { - // Invisible to CFI. Test virtual call later. - memcpy(&a, &p, sizeof(a)); - } - - // CFI: =1= - // CFI-CAST-NOT: =1= - // NCFI: =1= - fprintf(stderr, "=1=\n"); - - if (test_dlclose) { - // Imitate an attacker sneaking in an executable page where a dlclose()d - // library was loaded. 
This needs to pass w/o CFI, so for the testing - // purpose, we just copy the bytes of a "void f() {}" function back and - // forth. - void (*do_nothing)() = (void (*)())dlsym(handle, "do_nothing"); - assert(do_nothing); - save_code((char *)do_nothing); - - int res = dlclose(handle); - assert(res == 0); - - restore_code(); - - do_nothing(); // UB here - } else { - a->f(); // UB here - } - - // CFI-NOT: =2= - // CFI-CAST-NOT: =2= - // NCFI: =2= - fprintf(stderr, "=2=\n"); -} -#endif diff --git a/test/cfi/cross-dso/icall/dlopen.cpp b/test/cfi/cross-dso/icall/dlopen.cpp new file mode 100644 index 000000000..d238a7ace --- /dev/null +++ b/test/cfi/cross-dso/icall/dlopen.cpp 
@@ -0,0 +1,147 @@ +// RUN: %clangxx_cfi_dso -DSHARED_LIB %s -fPIC -shared -o %t1-so.so +// RUN: %clangxx_cfi_dso %s -o %t1 +// RUN: %expect_crash %t1 2>&1 | FileCheck --check-prefix=CFI %s +// RUN: %expect_crash %t1 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s +// RUN: %expect_crash %t1 dlclose 2>&1 | FileCheck --check-prefix=CFI %s + +// RUN: %clangxx_cfi_dso -DB32 -DSHARED_LIB %s -fPIC -shared -o %t2-so.so +// RUN: %clangxx_cfi_dso -DB32 %s -o %t2 +// RUN: %expect_crash %t2 2>&1 | FileCheck --check-prefix=CFI %s +// RUN: %expect_crash %t2 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s +// RUN: %expect_crash %t2 dlclose 2>&1 | FileCheck --check-prefix=CFI %s + +// RUN: %clangxx_cfi_dso -DB64 -DSHARED_LIB %s -fPIC -shared -o %t3-so.so +// RUN: %clangxx_cfi_dso -DB64 %s -o %t3 +// RUN: %expect_crash %t3 2>&1 | FileCheck --check-prefix=CFI %s +// RUN: %expect_crash %t3 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s +// RUN: %expect_crash %t3 dlclose 2>&1 | FileCheck --check-prefix=CFI %s + +// RUN: %clangxx_cfi_dso -DBM -DSHARED_LIB %s -fPIC -shared -o %t4-so.so +// RUN: %clangxx_cfi_dso -DBM %s -o %t4 +// RUN: %expect_crash %t4 2>&1 | FileCheck --check-prefix=CFI %s +// RUN: %expect_crash %t4 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s +// RUN: %expect_crash %t4 dlclose 2>&1 | FileCheck --check-prefix=CFI %s + +// RUN: %clangxx -g -DBM -DSHARED_LIB -DNOCFI %s -fPIC -shared -o %t5-so.so +// RUN: %clangxx -g -DBM -DNOCFI %s -ldl -o %t5 +// RUN: %t5 2>&1 | FileCheck --check-prefix=NCFI %s +// RUN: %t5 cast 2>&1 | FileCheck --check-prefix=NCFI %s +// RUN: %t5 dlclose 2>&1 | FileCheck --check-prefix=NCFI %s + +// Test that calls to uninstrumented library are unchecked. +// RUN: %clangxx -DBM -DSHARED_LIB %s -fPIC -shared -o %t6-so.so +// RUN: %clangxx_cfi_dso -DBM %s -o %t6 +// RUN: %t6 2>&1 | FileCheck --check-prefix=NCFI %s +// RUN: %t6 cast 2>&1 | FileCheck --check-prefix=NCFI %s + +// Call-after-dlclose is checked on the caller side. 
+// RUN: %expect_crash %t6 dlclose 2>&1 | FileCheck --check-prefix=CFI %s + +// Tests calls into dlopen-ed library. +// REQUIRES: cxxabi + +#include +#include +#include +#include +#include +#include + +#include + +struct A { + virtual void f(); +}; + +#ifdef SHARED_LIB + +#include "../../utils.h" +struct B { + virtual void f(); +}; +void B::f() {} + +extern "C" void *create_B() { + create_derivers(); + return (void *)(new B()); +} + +extern "C" __attribute__((aligned(4096))) void do_nothing() {} + +#else + +void A::f() {} + +static const int kCodeAlign = 4096; +static const int kCodeSize = 4096; +static char saved_code[kCodeSize]; +static char *real_start; + +static void save_code(char *p) { + real_start = (char *)(((uintptr_t)p) & ~(kCodeAlign - 1)); + memcpy(saved_code, real_start, kCodeSize); +} + +static void restore_code() { + char *code = (char *)mmap(real_start, kCodeSize, PROT_WRITE | PROT_EXEC, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0); + assert(code == real_start); + memcpy(code, saved_code, kCodeSize); +} + +int main(int argc, char *argv[]) { + const bool test_cast = argc > 1 && strcmp(argv[1], "cast") == 0; + const bool test_dlclose = argc > 1 && strcmp(argv[1], "dlclose") == 0; + + std::string name = std::string(argv[0]) + "-so.so"; + void *handle = dlopen(name.c_str(), RTLD_NOW); + assert(handle); + void *(*create_B)() = (void *(*)())dlsym(handle, "create_B"); + assert(create_B); + + void *p = create_B(); + A *a; + + // CFI: =0= + // CFI-CAST: =0= + // NCFI: =0= + fprintf(stderr, "=0=\n"); + + if (test_cast) { + // Test cast. BOOM. + a = (A*)p; + } else { + // Invisible to CFI. Test virtual call later. + memcpy(&a, &p, sizeof(a)); + } + + // CFI: =1= + // CFI-CAST-NOT: =1= + // NCFI: =1= + fprintf(stderr, "=1=\n"); + + if (test_dlclose) { + // Imitate an attacker sneaking in an executable page where a dlclose()d + // library was loaded. 
This needs to pass w/o CFI, so for the testing + // purpose, we just copy the bytes of a "void f() {}" function back and + // forth. + void (*do_nothing)() = (void (*)())dlsym(handle, "do_nothing"); + assert(do_nothing); + save_code((char *)do_nothing); + + int res = dlclose(handle); + assert(res == 0); + + restore_code(); + + do_nothing(); // UB here + } else { + a->f(); // UB here + } + + // CFI-NOT: =2= + // CFI-CAST-NOT: =2= + // NCFI: =2= + fprintf(stderr, "=2=\n"); +} +#endif -- cgit v1.2.3
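Review bot: In `restore_code()` of the moved test, the page is re-created with `PROT_WRITE | PROT_EXEC` and fd `0`, and the only failure handling is `assert(code == real_start)`. On a host that refuses writable-and-executable mappings the `dlclose` runs would abort there, and as far as the RUN lines show, the `CFI`-prefixed runs cannot tell that abort from a CFI trap because both stop before `=2=`; only the `%t5` NCFI run would expose it. I would map with `PROT_READ | PROT_WRITE` and fd `-1` (the portable value for `MAP_ANONYMOUS`), copy the saved bytes, then add `int rc = mprotect(code, kCodeSize, PROT_READ | PROT_EXEC); assert(rc == 0);` so the page is never writable and executable at the same time. A one-line comment above `restore_code()` stating that it re-maps the unloaded library's page to stand in for foreign code at that address would also help, since the explanation currently lives only inside `main`.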