1 | // RUN: %clangxx_cfi_dso -DSHARED_LIB %s -fPIC -shared -o %t1-so.so |
2 | // RUN: %clangxx_cfi_dso %s -o %t1 |
3 | // RUN: %expect_crash %t1 2>&1 | FileCheck --check-prefix=CFI %s |
4 | // RUN: %expect_crash %t1 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s |
5 | // RUN: %expect_crash %t1 dlclose 2>&1 | FileCheck --check-prefix=CFI %s |
6 | |
7 | // RUN: %clangxx_cfi_dso -DB32 -DSHARED_LIB %s -fPIC -shared -o %t2-so.so |
8 | // RUN: %clangxx_cfi_dso -DB32 %s -o %t2 |
9 | // RUN: %expect_crash %t2 2>&1 | FileCheck --check-prefix=CFI %s |
10 | // RUN: %expect_crash %t2 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s |
11 | // RUN: %expect_crash %t2 dlclose 2>&1 | FileCheck --check-prefix=CFI %s |
12 | |
13 | // RUN: %clangxx_cfi_dso -DB64 -DSHARED_LIB %s -fPIC -shared -o %t3-so.so |
14 | // RUN: %clangxx_cfi_dso -DB64 %s -o %t3 |
15 | // RUN: %expect_crash %t3 2>&1 | FileCheck --check-prefix=CFI %s |
16 | // RUN: %expect_crash %t3 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s |
17 | // RUN: %expect_crash %t3 dlclose 2>&1 | FileCheck --check-prefix=CFI %s |
18 | |
19 | // RUN: %clangxx_cfi_dso -DBM -DSHARED_LIB %s -fPIC -shared -o %t4-so.so |
20 | // RUN: %clangxx_cfi_dso -DBM %s -o %t4 |
21 | // RUN: %expect_crash %t4 2>&1 | FileCheck --check-prefix=CFI %s |
22 | // RUN: %expect_crash %t4 cast 2>&1 | FileCheck --check-prefix=CFI-CAST %s |
23 | // RUN: %expect_crash %t4 dlclose 2>&1 | FileCheck --check-prefix=CFI %s |
24 | |
25 | // RUN: %clangxx -g -DBM -DSHARED_LIB -DNOCFI %s -fPIC -shared -o %t5-so.so |
26 | // RUN: %clangxx -g -DBM -DNOCFI %s -ldl -o %t5 |
27 | // RUN: %t5 2>&1 | FileCheck --check-prefix=NCFI %s |
28 | // RUN: %t5 cast 2>&1 | FileCheck --check-prefix=NCFI %s |
29 | // RUN: %t5 dlclose 2>&1 | FileCheck --check-prefix=NCFI %s |
30 | |
31 | // Test that calls to uninstrumented library are unchecked. |
32 | // RUN: %clangxx -DBM -DSHARED_LIB %s -fPIC -shared -o %t6-so.so |
33 | // RUN: %clangxx_cfi_dso -DBM %s -o %t6 |
34 | // RUN: %t6 2>&1 | FileCheck --check-prefix=NCFI %s |
35 | // RUN: %t6 cast 2>&1 | FileCheck --check-prefix=NCFI %s |
36 | |
37 | // Call-after-dlclose is checked on the caller side. |
38 | // RUN: %expect_crash %t6 dlclose 2>&1 | FileCheck --check-prefix=CFI %s |
39 | |
40 | // Tests calls into dlopen-ed library. |
41 | // REQUIRES: cxxabi |
42 | |
43 | #include <assert.h> |
44 | #include <dlfcn.h> |
45 | #include <stdio.h> |
46 | #include <stdint.h> |
47 | #include <string.h> |
48 | #include <sys/mman.h> |
49 | |
50 | #include <string> |
51 | |
// Polymorphic type that the main executable knows about. A::f is defined in
// the !SHARED_LIB branch below, so (Itanium key-function rule) A's vtable is
// expected to be emitted by the executable, not by the dlopen()ed library.
// main() deliberately casts the library's B object to A* to trigger the CFI
// bad-cast check.
class A {
public:
  virtual void f();
};
55 | |
// Page size assumed by save_code()/restore_code(): the code copy is rounded
// down to this alignment and re-mapped with MAP_FIXED, so it must match the
// kernel's real page size. LoongArch kernels use 16 KiB pages; 4 KiB is assumed
// everywhere else.
// NOTE(review): a kernel configured with larger pages (e.g. 64 KiB on AArch64)
// would make the MAP_FIXED mapping fail with EINVAL on an address that is only
// 4 KiB-aligned; that configuration is not handled here.
#if defined(__loongarch__)
#  define PAGESIZE 16384
#else
#  define PAGESIZE 4096
#endif
62 | |
63 | #ifdef SHARED_LIB |
64 | |
65 | #include "../../utils.h" |
// Polymorphic type private to the shared library. B::f is kept out of line so
// that (Itanium key-function rule) the library itself emits B's vtable; the
// main program never sees this definition and only reaches a B through
// create_B() and a deliberate mis-cast to A.
class B {
public:
  virtual void f();
};

void B::f() {
  // Intentionally empty: the test only cares whether the call site is checked.
}
70 | |
// Factory exported with C linkage so main() can dlsym() it by name.
// Returns a heap-allocated B as an opaque pointer; the caller never frees it
// (the process exits or crashes right after the checked call).
extern "C" void *create_B() {
  // Test helper from ../../utils.h; instantiates the derived-class zoo first.
  create_derivers<B>();
  B *obj = new B();
  return static_cast<void *>(obj);
}
75 | |
76 | extern "C" __attribute__((aligned(PAGESIZE))) void do_nothing() {} |
77 | |
78 | #else |
79 | |
80 | void A::f() {} |
81 | |
// State shared by save_code()/restore_code() for the "dlclose" scenario.
// kCodeAlign must equal the kernel page size: restore_code() re-maps the saved
// region at this alignment with MAP_FIXED. kCodeSize is the number of bytes
// copied; it stays at 4 KiB even on LoongArch's 16 KiB pages, which is enough
// because do_nothing() is aligned to the page start and an empty function
// comfortably fits in the first 4 KiB (the rest of the re-mapped page is left
// zero-filled).
static const int kCodeAlign = PAGESIZE;
static const int kCodeSize = 4096;
static char saved_code[kCodeSize];
// Page-aligned address of the saved code page (set by save_code()).
static char *real_start;
86 | |
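// Record the code page containing p: real_start becomes p rounded down to
// kCodeAlign, and the first kCodeSize bytes from there are copied into
// saved_code so restore_code() can put them back after dlclose().
// Fix: stripped the leaked "dest:/src:/n:" parameter labels that made the
// memcpy call uncompilable.
static void save_code(char *p) {
  // Build the mask at uintptr_t width explicitly instead of relying on the
  // int -> uintptr_t sign-extension of ~(kCodeAlign - 1) (same value, clearer).
  const uintptr_t mask = ~(uintptr_t)(kCodeAlign - 1);
  real_start = (char *)((uintptr_t)p & mask);
  memcpy(saved_code, real_start, kCodeSize);
}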
91 | |
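// Map a fresh anonymous RWX page exactly where the dlclose()d library's code
// page used to be and copy the saved bytes back, so the stale function pointer
// held by main() points at executable code again. This stands in for an
// attacker re-populating a freed code region; it is a test-only trick (an RWX
// mapping defeats W^X) and not a pattern to reuse.
// Fixes: stripped the leaked "addr:/len:/fd:/offset:" parameter labels that
// made the calls uncompilable, and pass fd = -1 with MAP_ANONYMOUS, which some
// implementations require (Linux ignores the fd either way).
static void restore_code() {
  char *code =
      (char *)mmap(real_start, kCodeSize, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
  // MAP_FIXED either lands exactly at real_start or returns MAP_FAILED;
  // anything else means the test setup is broken, e.g. real_start is not
  // aligned to the kernel's actual page size.
  assert(code == real_start);
  memcpy(code, saved_code, kCodeSize);
  // Make the freshly written instructions visible to the instruction cache
  // before they are executed.
  __builtin___clear_cache(code, code + kCodeSize);
}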
100 | |
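// Entry point. argv[1] selects the scenario:
//   "cast"    - cast the library's B object to A* (CFI bad-cast check),
//   "dlclose" - call through a stale pointer into a dlclose()d library whose
//               code page has been re-populated (caller-side CFI check),
//   (none)    - virtual call through a pointer smuggled past the type system
//               with memcpy (CFI vcall check).
// The "=N=" markers are matched by the FileCheck prefixes in the RUN lines at
// the top of this file; under CFI the offending call must crash before "=2="
// is printed. The "// CFI..." comment lines below are FileCheck directives
// and must stay exactly as written.
// Fix: stripped the leaked "s1:/s2:/file:/handle:/name:/format:/dest:/src:/n:"
// parameter labels that made the calls uncompilable; on dlopen() failure the
// reason is now printed before the assert fires.
int main(int argc, char *argv[]) {
  const bool test_cast = argc > 1 && strcmp(argv[1], "cast") == 0;
  const bool test_dlclose = argc > 1 && strcmp(argv[1], "dlclose") == 0;

  // The library is expected next to the binary, named "<argv[0]>-so.so".
  std::string name = std::string(argv[0]) + "-so.so";
  void *handle = dlopen(name.c_str(), RTLD_NOW);
  if (!handle)
    fprintf(stderr, "dlopen(%s) failed: %s\n", name.c_str(), dlerror());
  assert(handle);
  void *(*create_B)() = (void *(*)())dlsym(handle, "create_B");
  assert(create_B);

  void *p = create_B();
  A *a;

  // CFI: =0=
  // CFI-CAST: =0=
  // NCFI: =0=
  fprintf(stderr, "=0=\n");

  if (test_cast) {
    // Test cast. BOOM.
    a = (A*)p;
  } else {
    // Invisible to CFI. Test virtual call later.
    memcpy(&a, &p, sizeof(a));
  }

  // CFI: =1=
  // CFI-CAST-NOT: =1=
  // NCFI: =1=
  fprintf(stderr, "=1=\n");

  if (test_dlclose) {
    // Imitate an attacker sneaking in an executable page where a dlclose()d
    // library was loaded. This needs to pass w/o CFI, so for the testing
    // purpose, we just copy the bytes of a "void f() {}" function back and
    // forth.
    void (*do_nothing)() = (void (*)())dlsym(handle, "do_nothing");
    assert(do_nothing);
    save_code((char *)do_nothing);

    int res = dlclose(handle);
    assert(res == 0);

    restore_code();

    do_nothing(); // UB here
  } else {
    a->f(); // UB here
  }

  // CFI-NOT: =2=
  // CFI-CAST-NOT: =2=
  // NCFI: =2=
  fprintf(stderr, "=2=\n");
}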
156 | #endif |
157 | |