      1 // RUN: %clangxx_cfi_dso -DSHARED_LIB %s -fPIC -shared -o %t1-so.so
      2 // RUN: %clangxx_cfi_dso %s -o %t1
      3 // RUN: %expect_crash %t1 2>&1 | FileCheck --check-prefix=CFI %s
      4 // RUN: %expect_crash %t1 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s
      5 // RUN: %expect_crash %t1 dlclose 2>&1 | FileCheck --check-prefix=CFI %s
      6 
      7 // RUN: %clangxx_cfi_dso -DB32 -DSHARED_LIB %s -fPIC -shared -o %t2-so.so
      8 // RUN: %clangxx_cfi_dso -DB32 %s -o %t2
      9 // RUN: %expect_crash %t2 2>&1 | FileCheck --check-prefix=CFI %s
     10 // RUN: %expect_crash %t2 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s
     11 // RUN: %expect_crash %t2 dlclose 2>&1 | FileCheck --check-prefix=CFI %s
     12 
     13 // RUN: %clangxx_cfi_dso -DB64 -DSHARED_LIB %s -fPIC -shared -o %t3-so.so
     14 // RUN: %clangxx_cfi_dso -DB64 %s -o %t3
     15 // RUN: %expect_crash %t3 2>&1 | FileCheck --check-prefix=CFI %s
     16 // RUN: %expect_crash %t3 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s
     17 // RUN: %expect_crash %t3 dlclose 2>&1 | FileCheck --check-prefix=CFI %s
     18 
     19 // RUN: %clangxx_cfi_dso -DBM -DSHARED_LIB %s -fPIC -shared -o %t4-so.so
     20 // RUN: %clangxx_cfi_dso -DBM %s -o %t4
     21 // RUN: %expect_crash %t4 2>&1 | FileCheck --check-prefix=CFI %s
     22 // RUN: %expect_crash %t4 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s
     23 // RUN: %expect_crash %t4 dlclose 2>&1 | FileCheck --check-prefix=CFI %s
     24 
     25 // RUN: %clangxx -g -DBM -DSHARED_LIB -DNOCFI %s -fPIC -shared -o %t5-so.so
     26 // RUN: %clangxx -g -DBM -DNOCFI %s -ldl -o %t5
     27 // RUN: %t5 2>&1 | FileCheck --check-prefix=NCFI %s
     28 // RUN: %t5 cast 2>&1 | FileCheck --check-prefix=NCFI %s
     29 // RUN: %t5 dlclose 2>&1 | FileCheck --check-prefix=NCFI %s
     30 
     31 // Test that calls into an uninstrumented library are unchecked.
     32 // RUN: %clangxx -DBM -DSHARED_LIB %s -fPIC -shared -o %t6-so.so
     33 // RUN: %clangxx_cfi_dso -DBM %s -o %t6
     34 // RUN: %t6 2>&1 | FileCheck --check-prefix=NCFI %s
     35 // RUN: %t6 cast 2>&1 | FileCheck --check-prefix=NCFI %s
     36 
     37 // Call-after-dlclose is checked on the caller side.
     38 // RUN: %expect_crash %t6 dlclose 2>&1 | FileCheck --check-prefix=CFI %s
     39 
     40 // Tests calls into a dlopen-ed library.
     41 // REQUIRES: cxxabi
     42 
     43 #include <assert.h>
     44 #include <dlfcn.h>
     45 #include <stdio.h>
     46 #include <stdint.h>
     47 #include <string.h>
     48 #include <sys/mman.h>
     49 
     50 #include <string>
     51 
// Polymorphic type visible to both the executable and the shared library.
// Only the executable defines A::f (see the #else branch below); the library
// never creates an A. main() obtains a pointer that really refers to a B and
// treats it as an A, so all that matters here is that A carries a vtable with
// a virtual f() the executable can call through.
struct A {
  virtual void f();
};
     55 
     56 #ifdef SHARED_LIB
     57 
     58 #include "../utils.h"
// Library-side polymorphic type. It is deliberately unrelated to A: the
// executable casting a B* to A* (the "cast" run) and calling a virtual
// function through that pointer (the default run) are exactly the misuses
// the CFI checks are expected to reject.
struct B {
  virtual void f();
};
// Virtual-call target living in the shared library; does nothing. Without CFI
// the executable's a->f() ends up here through B's vtable.
void B::f() {}
     63 
// Factory exported with C linkage so main() can locate it with dlsym()
// without dealing with C++ name mangling. It first calls create_derivers<B>()
// from ../utils.h (presumably materialises classes derived from B; see that
// header), then hands out a heap-allocated B as an opaque void*. Nothing in
// this test ever frees the object; only the pointer value is needed.
extern "C" void *create_B() {
  create_derivers<B>();
  B *instance = new B();
  return static_cast<void *>(instance);
}
     68 
// Page-aligned empty function used by the "dlclose" run. main() snapshots the
// 4096-byte page this function starts on (save_code) before dlclose() and
// writes it back afterwards (restore_code). The 4096 alignment matches
// kCodeAlign/kCodeSize in the executable, so the snapshot starts exactly at
// the function and the tiny body falls inside the single saved page.
extern "C" __attribute__((aligned(4096))) void do_nothing() {}
     70 
     71 #else
     72 
// A's virtual-call target, defined only in the executable. In this test `a`
// always refers to a library-side B, so this body is not what a->f() reaches
// when the call is allowed to proceed.
void A::f() {}
     74 
// Scratch state for the "dlclose" run: one page of the library's code is
// saved before dlclose() and written back at the same address afterwards.
static const int kCodeAlign = 4096;  // granularity used to find the page start
static const int kCodeSize = 4096;   // number of bytes saved and restored (one page)
static char saved_code[kCodeSize];   // copy of the page taken by save_code()
static char *real_start;             // page-aligned address the copy came from
     79 
// Snapshot the kCodeSize bytes of the kCodeAlign-aligned page that contains
// `p` (the library's do_nothing) into saved_code, and remember that page's
// address in real_start so restore_code() can put the bytes back in place.
static void save_code(char *p) {
  const uintptr_t addr = reinterpret_cast<uintptr_t>(p);
  const uintptr_t page_mask = ~static_cast<uintptr_t>(kCodeAlign - 1);
  real_start = reinterpret_cast<char *>(addr & page_mask);
  memcpy(saved_code, real_start, kCodeSize);
}
     84 
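// Put the page saved by save_code() back at real_start.
//
// The mapping that backed that page went away with dlclose(), so a fresh
// anonymous page is mapped at the same address (MAP_FIXED), the saved bytes
// are copied in, and only then is the page made executable. Requesting the
// write and the execute permission in two steps, instead of a single
// PROT_WRITE|PROT_EXEC mapping, keeps the test working under W^X policies
// that refuse writable-and-executable pages. MAP_ANONYMOUS is paired with
// fd -1, which every implementation accepts (some reject other values).
// Failures are reported through assert(), like the rest of this file, so a
// broken restore is not mistaken for a CFI-induced crash later on.
static void restore_code() {
  void *mapped = mmap(real_start, kCodeSize, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
  assert(mapped != MAP_FAILED);
  assert(mapped == real_start);
  char *code = static_cast<char *>(mapped);
  memcpy(code, saved_code, kCodeSize);
  // Grant execute access only after the bytes are in place, and drop write
  // access so the restored page looks like an ordinary text page.
  int rc = mprotect(code, kCodeSize, PROT_READ | PROT_EXEC);
  assert(rc == 0);
  // Keep the instruction cache coherent with the freshly written bytes
  // (a no-op on x86, needed on architectures with split caches).
  __builtin___clear_cache(code, code + kCodeSize);
}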
     91 
// Drives the three scenarios selected by argv[1]:
//   (none)    load the library, smuggle a B* into an A* with memcpy (so the
//             cast check never sees it) and make a virtual call through it;
//   "cast"    cast the B* to A* directly, which the CFI cast check rejects;
//   "dlclose" unload the library, copy a page of its code back into the
//             now-unmapped address range and call it.
// The =0=/=1=/=2= markers are what the FileCheck prefixes in the RUN lines
// above key on: under CFI the process must die before =2= (and, for "cast",
// before =1=); without CFI all three markers are printed.
int main(int argc, char *argv[]) {
  const bool test_cast = argc > 1 && strcmp(argv[1], "cast") == 0;
  const bool test_dlclose = argc > 1 && strcmp(argv[1], "dlclose") == 0;

  // The RUN lines build the library next to the executable as "<exe>-so.so".
  std::string name = std::string(argv[0]) + "-so.so";
  void *handle = dlopen(name.c_str(), RTLD_NOW);
  assert(handle);
  void *(*create_B)() = (void *(*)())dlsym(handle, "create_B");
  assert(create_B);

  // Opaque pointer to a B that lives in the library.
  void *p = create_B();
  A *a;

  // CFI: =0=
  // CFI-CAST: =0=
  // NCFI: =0=
  fprintf(stderr, "=0=\n");

  if (test_cast) {
    // Test cast. BOOM. (The cast check fires here, so =1= is never printed.)
    a = (A*)p;
  } else {
    // Invisible to CFI. Test virtual call later.
    memcpy(&a, &p, sizeof(a));
  }

  // CFI: =1=
  // CFI-CAST-NOT: =1=
  // NCFI: =1=
  fprintf(stderr, "=1=\n");

  if (test_dlclose) {
    // Imitate an attacker sneaking in an executable page where a dlclose()d
    // library was loaded. This needs to pass w/o CFI, so for the testing
    // purpose, we just copy the bytes of a "void f() {}" function back and
    // forth.
    void (*do_nothing)() = (void (*)())dlsym(handle, "do_nothing");
    assert(do_nothing);
    save_code((char *)do_nothing);

    int res = dlclose(handle);
    assert(res == 0);

    restore_code();

    // The target address no longer belongs to any loaded DSO, so the
    // caller-side cross-DSO check rejects the call.
    do_nothing(); // UB here
  } else {
    // Virtual call through an A* whose dynamic type (B) is unrelated to A;
    // the CFI vcall check rejects it.
    a->f(); // UB here
  }

  // CFI-NOT: =2=
  // CFI-CAST-NOT: =2=
  // NCFI: =2=
  fprintf(stderr, "=2=\n");
}
    147 #endif