The Tor Browser: mfbt/tests/TestPoisonArea.cpp@925c144e1f1f (annotated)

mfbt/tests/TestPoisonArea.cpp@925c144e1f1f (annotated)

mfbt/tests/TestPoisonArea.cpp

Fri, 16 Jan 2015 18:13:44 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Fri, 16 Jan 2015 18:13:44 +0100
branch: TOR_BUG_9701
changeset 14: 925c144e1f1f
permissions: -rw-r--r--

Integrate suggestion from review to improve consistency with existing code.

 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim:set ts=2 sw=2 sts=2 et cindent: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 /* Code in this file needs to be kept in sync with code in nsPresArena.cpp.
  *
  * We want to use a fixed address for frame poisoning so that it is readily
  * identifiable in crash dumps.  Whether such an address is available
  * without any special setup depends on the system configuration.
  *
  * All current 64-bit CPUs (with the possible exception of PowerPC64)
  * reserve the vast majority of the virtual address space for future
  * hardware extensions; valid addresses must be below some break point
  * between 2**48 and 2**54, depending on exactly which chip you have.  Some
  * chips (notably amd64) also allow the use of the *highest* 2**48 -- 2**54
  * addresses.  Thus, if user space pointers are 64 bits wide, we can just
  * use an address outside this range, and no more is required.  To
  * accommodate the chips that allow very high addresses to be valid, the
  * value chosen is close to 2**63 (that is, in the middle of the space).
  *
  * In most cases, a purely 32-bit operating system must reserve some
  * fraction of the address space for its own use.  Contemporary 32-bit OSes
  * tend to take the high gigabyte or so (0xC000_0000 on up).  If we can
  * prove that high addresses are reserved to the kernel, we can use an
  * address in that region.  Unfortunately, not all 32-bit OSes do this;
  * OSX 10.4 might not, and it is unclear what mobile OSes are like
  * (some 32-bit CPUs make it very easy for the kernel to exist in its own
  * private address space).
  *
  * Furthermore, when a 32-bit user space process is running on a 64-bit
  * kernel, the operating system has no need to reserve any of the space that
  * the process can see, and generally does not do so.  This is the scenario
  * of greatest concern, since it covers all contemporary OSX iterations
  * (10.5+) as well as Windows Vista and 7 on newer amd64 hardware.  Linux on
  * amd64 is generally run as a pure 64-bit environment, but its 32-bit
  * compatibility mode also has this property.
  *
  * Thus, when user space pointers are 32 bits wide, we need to validate
  * our chosen address, and possibly *make* it a good poison address by
  * allocating a page around it and marking it inaccessible.  The algorithm
  * for this is:
  *
  *  1. Attempt to make the page surrounding the poison address a reserved,
  *     inaccessible memory region using OS primitives.  On Windows, this is
  *     done with VirtualAlloc(MEM_RESERVE); on Unix, mmap(PROT_NONE).
  *
  *  2. If mmap/VirtualAlloc failed, there are two possible reasons: either
  *     the region is reserved to the kernel and no further action is
  *     required, or there is already usable memory in this area and we have
  *     to pick a different address.  The tricky part is knowing which case
  *     we have, without attempting to access the region.  On Windows, we
  *     rely on GetSystemInfo()'s reported upper and lower bounds of the
  *     application memory area.  On Unix, there is nothing devoted to the
  *     purpose, but seeing if madvise() fails is close enough (it *might*
  *     disrupt someone else's use of the memory region, but not by as much
  *     as anything else available).
  *
  * Be aware of these gotchas:
  *
  * 1. We cannot use mmap() with MAP_FIXED.  MAP_FIXED is defined to
  *    _replace_ any existing mapping in the region, if necessary to satisfy
  *    the request.  Obviously, as we are blindly attempting to acquire a
  *    page at a constant address, we must not do this, lest we overwrite
  *    someone else's allocation.
  *
  * 2. For the same reason, we cannot blindly use mprotect() if mmap() fails.
  *
  * 3. madvise() may fail when applied to a 'magic' memory region provided as
  *    a kernel/user interface.  Fortunately, the only such case I know about
  *    is the "vsyscall" area (not to be confused with the "vdso" area) for
  *    *64*-bit processes on Linux - and we don't even run this code for
  *    64-bit processes.
  *
  * 4. VirtualQuery() does not produce any useful information if
  *    applied to kernel memory - in fact, it doesn't write its output
  *    at all.  Thus, it is not used here.
  */
 #include "mozilla/IntegerPrintfMacros.h"
 #include "mozilla/NullPtr.h"
 // MAP_ANON(YMOUS) is not in any standard.  Add defines as necessary.
 #define _GNU_SOURCE 1
 #define _DARWIN_C_SOURCE 1
 #include <stddef.h>
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #ifdef _WIN32
 #include <windows.h>
 #else
 #include <sys/types.h>
 #include <fcntl.h>
 #include <signal.h>
 #include <unistd.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
 #include <sys/mman.h>
 #ifndef MAP_ANON
 #ifdef MAP_ANONYMOUS
 #define MAP_ANON MAP_ANONYMOUS
 #else
 #error "Don't know how to get anonymous memory"
 #endif
 #endif
 #endif
 #define SIZxPTR ((int)(sizeof(uintptr_t)*2))
 /* This program assumes that a whole number of return instructions fit into
  * 32 bits, and that 32-bit alignment is sufficient for a branch destination.
  * For architectures where this is not true, fiddling with RETURN_INSTR_TYPE
  * can be enough.
  */
 #if defined __i386__ || defined __x86_64__ ||   \
   defined __i386 || defined __x86_64 ||         \
   defined _M_IX86 || defined _M_AMD64
 #define RETURN_INSTR 0xC3C3C3C3  /* ret; ret; ret; ret */
 #elif defined __arm__ || defined _M_ARM
 #define RETURN_INSTR 0xE12FFF1E /* bx lr */
 // PPC has its own style of CPU-id #defines.  There is no Windows for
 // PPC as far as I know, so no _M_ variant.
 #elif defined _ARCH_PPC || defined _ARCH_PWR || defined _ARCH_PWR2
 #define RETURN_INSTR 0x4E800020 /* blr */
 #elif defined __sparc || defined __sparcv9
 #define RETURN_INSTR 0x81c3e008 /* retl */
 #elif defined __alpha
 #define RETURN_INSTR 0x6bfa8001 /* ret */
 #elif defined __hppa
 #define RETURN_INSTR 0xe840c002 /* bv,n r0(rp) */
 #elif defined __mips
 #define RETURN_INSTR 0x03e00008 /* jr ra */
 #ifdef __MIPSEL
 /* On mipsel, jr ra needs to be followed by a nop.
 x03e00008 as a 64 bits integer just does that */
 #define RETURN_INSTR_TYPE uint64_t
 #endif
 #elif defined __s390__
 #define RETURN_INSTR 0x07fe0000 /* br %r14 */
 #elif defined __aarch64__
 #define RETURN_INSTR 0xd65f03c0 /* ret */
 #elif defined __ia64
 struct ia64_instr { uint32_t i[4]; };
 static const ia64_instr _return_instr =
   {{ 0x00000011, 0x00000001, 0x80000200, 0x00840008 }}; /* br.ret.sptk.many b0 */
 #define RETURN_INSTR _return_instr
 #define RETURN_INSTR_TYPE ia64_instr
 #else
 #error "Need return instruction for this architecture"
 #endif
 #ifndef RETURN_INSTR_TYPE
 #define RETURN_INSTR_TYPE uint32_t
 #endif
 // Miscellaneous Windows/Unix portability gumph
 #ifdef _WIN32
 // Uses of this function deliberately leak the string.
 static LPSTR
 StrW32Error(DWORD errcode)
 {
   LPSTR errmsg;
   FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                  FORMAT_MESSAGE_FROM_SYSTEM |
                  FORMAT_MESSAGE_IGNORE_INSERTS,
                  nullptr, errcode, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                  (LPSTR)&errmsg, 0, nullptr);
   // FormatMessage puts an unwanted newline at the end of the string
   size_t n = strlen(errmsg)-1;
   while (errmsg[n] == '\r' || errmsg[n] == '\n') n--;
   errmsg[n+1] = '\0';
   return errmsg;
 }
 #define LastErrMsg() (StrW32Error(GetLastError()))
 // Because we use VirtualAlloc in MEM_RESERVE mode, the "page size" we want
 // is the allocation granularity.
 static SYSTEM_INFO _sinfo;
 #undef PAGESIZE
 #define PAGESIZE (_sinfo.dwAllocationGranularity)
 static void *
 ReserveRegion(uintptr_t request, bool accessible)
 {
   return VirtualAlloc((void *)request, PAGESIZE,
                       accessible ? MEM_RESERVE|MEM_COMMIT : MEM_RESERVE,
                       accessible ? PAGE_EXECUTE_READWRITE : PAGE_NOACCESS);
 }
 static void
 ReleaseRegion(void *page)
 {
   VirtualFree(page, PAGESIZE, MEM_RELEASE);
 }
 static bool
 ProbeRegion(uintptr_t page)
 {
   if (page >= (uintptr_t)_sinfo.lpMaximumApplicationAddress &&
       page + PAGESIZE >= (uintptr_t)_sinfo.lpMaximumApplicationAddress) {
     return true;
   } else {
     return false;
   }
 }
 static bool
 MakeRegionExecutable(void *)
 {
   return false;
 }
 #undef MAP_FAILED
 #define MAP_FAILED 0
 #else // Unix
 #define LastErrMsg() (strerror(errno))
 static unsigned long _pagesize;
 #define PAGESIZE _pagesize
 static void *
 ReserveRegion(uintptr_t request, bool accessible)
 {
   return mmap(reinterpret_cast<void*>(request), PAGESIZE,
               accessible ? PROT_READ|PROT_WRITE : PROT_NONE,
               MAP_PRIVATE|MAP_ANON, -1, 0);
 }
 static void
 ReleaseRegion(void *page)
 {
   munmap(page, PAGESIZE);
 }
 static bool
 ProbeRegion(uintptr_t page)
 {
   if (madvise(reinterpret_cast<void*>(page), PAGESIZE, MADV_NORMAL)) {
     return true;
   } else {
     return false;
   }
 }
 static int
 MakeRegionExecutable(void *page)
 {
   return mprotect((caddr_t)page, PAGESIZE, PROT_READ|PROT_WRITE|PROT_EXEC);
 }
 #endif
 static uintptr_t
 ReservePoisonArea()
 {
   if (sizeof(uintptr_t) == 8) {
     // Use the hardware-inaccessible region.
     // We have to avoid 64-bit constants and shifts by 32 bits, since this
     // code is compiled in 32-bit mode, although it is never executed there.
     uintptr_t result = (((uintptr_t(0x7FFFFFFFu) << 31) << 1 |
                          uintptr_t(0xF0DEAFFFu)) &
                         ~uintptr_t(PAGESIZE-1));
     printf("INFO | poison area assumed at 0x%.*" PRIxPTR "\n", SIZxPTR, result);
     return result;
   } else {
     // First see if we can allocate the preferred poison address from the OS.
     uintptr_t candidate = (0xF0DEAFFF & ~(PAGESIZE-1));
     void *result = ReserveRegion(candidate, false);
     if (result == (void *)candidate) {
       // success - inaccessible page allocated
       printf("INFO | poison area allocated at 0x%.*" PRIxPTR
              " (preferred addr)\n", SIZxPTR, (uintptr_t)result);
       return candidate;
     }
     // That didn't work, so see if the preferred address is within a range
     // of permanently inacessible memory.
     if (ProbeRegion(candidate)) {
       // success - selected page cannot be usable memory
       if (result != MAP_FAILED)
         ReleaseRegion(result);
       printf("INFO | poison area assumed at 0x%.*" PRIxPTR
              " (preferred addr)\n", SIZxPTR, candidate);
       return candidate;
     }
     // The preferred address is already in use.  Did the OS give us a
     // consolation prize?
     if (result != MAP_FAILED) {
       printf("INFO | poison area allocated at 0x%.*" PRIxPTR
              " (consolation prize)\n", SIZxPTR, (uintptr_t)result);
       return (uintptr_t)result;
     }
     // It didn't, so try to allocate again, without any constraint on
     // the address.
     result = ReserveRegion(0, false);
     if (result != MAP_FAILED) {
       printf("INFO | poison area allocated at 0x%.*" PRIxPTR
              " (fallback)\n", SIZxPTR, (uintptr_t)result);
       return (uintptr_t)result;
     }
     printf("ERROR | no usable poison area found\n");
     return 0;
   }
 }
 /* The "positive control" area confirms that we can allocate a page with the
  * proper characteristics.
  */
 static uintptr_t
 ReservePositiveControl()
 {
   void *result = ReserveRegion(0, false);
   if (result == MAP_FAILED) {
     printf("ERROR | allocating positive control | %s\n", LastErrMsg());
     return 0;
   }
   printf("INFO | positive control allocated at 0x%.*" PRIxPTR "\n",
          SIZxPTR, (uintptr_t)result);
   return (uintptr_t)result;
 }
 /* The "negative control" area confirms that our probe logic does detect a
  * page that is readable, writable, or executable.
  */
 static uintptr_t
 ReserveNegativeControl()
 {
   void *result = ReserveRegion(0, true);
   if (result == MAP_FAILED) {
     printf("ERROR | allocating negative control | %s\n", LastErrMsg());
     return 0;
   }
   // Fill the page with return instructions.
   RETURN_INSTR_TYPE *p = (RETURN_INSTR_TYPE *)result;
   RETURN_INSTR_TYPE *limit = (RETURN_INSTR_TYPE *)(((char *)result) + PAGESIZE);
   while (p < limit)
     *p++ = RETURN_INSTR;
   // Now mark it executable as well as readable and writable.
   // (mmap(PROT_EXEC) may fail when applied to anonymous memory.)
   if (MakeRegionExecutable(result)) {
     printf("ERROR | making negative control executable | %s\n", LastErrMsg());
     return 0;
   }
   printf("INFO | negative control allocated at 0x%.*" PRIxPTR "\n",
          SIZxPTR, (uintptr_t)result);
   return (uintptr_t)result;
 }
 static void
 JumpTo(uintptr_t opaddr)
 {
 #ifdef __ia64
   struct func_call {
     uintptr_t func;
     uintptr_t gp;
   } call = { opaddr, };
   ((void (*)())&call)();
 #else
   ((void (*)())opaddr)();
 #endif
 }
 #ifdef _WIN32
 static BOOL
 IsBadExecPtr(uintptr_t ptr)
 {
   BOOL ret = false;
 #ifdef _MSC_VER
   __try {
     JumpTo(ptr);
   } __except (EXCEPTION_EXECUTE_HANDLER) {
     ret = true;
   }
 #else
   printf("INFO | exec test not supported on MinGW build\n");
   // We do our best
   ret = IsBadReadPtr((const void*)ptr, 1);
 #endif
   return ret;
 }
 #endif
 /* Test each page.  */
 static bool
 TestPage(const char *pagelabel, uintptr_t pageaddr, int should_succeed)
 {
   const char *oplabel;
   uintptr_t opaddr;
   bool failed = false;
   for (unsigned int test = 0; test < 3; test++) {
     switch (test) {
       // The execute test must be done before the write test, because the
       // write test will clobber memory at the target address.
     case 0: oplabel = "reading"; opaddr = pageaddr + PAGESIZE/2 - 1; break;
     case 1: oplabel = "executing"; opaddr = pageaddr + PAGESIZE/2; break;
     case 2: oplabel = "writing"; opaddr = pageaddr + PAGESIZE/2 - 1; break;
     default: abort();
     }
 #ifdef _WIN32
     BOOL badptr;
     switch (test) {
     case 0: badptr = IsBadReadPtr((const void*)opaddr, 1); break;
     case 1: badptr = IsBadExecPtr(opaddr); break;
     case 2: badptr = IsBadWritePtr((void*)opaddr, 1); break;
     default: abort();
     }
     if (badptr) {
       if (should_succeed) {
         printf("TEST-UNEXPECTED-FAIL | %s %s\n", oplabel, pagelabel);
         failed = true;
       } else {
         printf("TEST-PASS | %s %s\n", oplabel, pagelabel);
       }
     } else {
       // if control reaches this point the probe succeeded
       if (should_succeed) {
         printf("TEST-PASS | %s %s\n", oplabel, pagelabel);
       } else {
         printf("TEST-UNEXPECTED-FAIL | %s %s\n", oplabel, pagelabel);
         failed = true;
       }
     }
 #else
     pid_t pid = fork();
     if (pid == -1) {
       printf("ERROR | %s %s | fork=%s\n", oplabel, pagelabel,
              LastErrMsg());
       exit(2);
     } else if (pid == 0) {
       volatile unsigned char scratch;
       switch (test) {
       case 0: scratch = *(volatile unsigned char *)opaddr; break;
       case 1: JumpTo(opaddr); break;
       case 2: *(volatile unsigned char *)opaddr = 0; break;
       default: abort();
       }
       (void)scratch;
       _exit(0);
     } else {
       int status;
       if (waitpid(pid, &status, 0) != pid) {
         printf("ERROR | %s %s | wait=%s\n", oplabel, pagelabel,
                LastErrMsg());
         exit(2);
       }
       if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
         if (should_succeed) {
           printf("TEST-PASS | %s %s\n", oplabel, pagelabel);
         } else {
           printf("TEST-UNEXPECTED-FAIL | %s %s | unexpected successful exit\n",
                  oplabel, pagelabel);
           failed = true;
         }
       } else if (WIFEXITED(status)) {
         printf("ERROR | %s %s | unexpected exit code %d\n",
                oplabel, pagelabel, WEXITSTATUS(status));
         exit(2);
       } else if (WIFSIGNALED(status)) {
         if (should_succeed) {
           printf("TEST-UNEXPECTED-FAIL | %s %s | unexpected signal %d\n",
                  oplabel, pagelabel, WTERMSIG(status));
           failed = true;
         } else {
           printf("TEST-PASS | %s %s | signal %d (as expected)\n",
                  oplabel, pagelabel, WTERMSIG(status));
         }
       } else {
         printf("ERROR | %s %s | unexpected exit status %d\n",
                oplabel, pagelabel, status);
         exit(2);
       }
     }
 #endif
   }
   return failed;
 }
 int
 main()
 {
 #ifdef _WIN32
   GetSystemInfo(&_sinfo);
 #else
   _pagesize = sysconf(_SC_PAGESIZE);
 #endif
   uintptr_t ncontrol = ReserveNegativeControl();
   uintptr_t pcontrol = ReservePositiveControl();
   uintptr_t poison = ReservePoisonArea();
   if (!ncontrol || !pcontrol || !poison)
     return 2;
   bool failed = false;
   failed |= TestPage("negative control", ncontrol, 1);
   failed |= TestPage("positive control", pcontrol, 0);
   failed |= TestPage("poison area", poison, 0);
   return failed ? 1 : 0;
 }

The Tor Browser / annotate

mfbt/tests/TestPoisonArea.cpp@925c144e1f1f (annotated)

mfbt/tests/TestPoisonArea.cpp