* Copyright (c) 2002,2003 Michael Shalayeff

/* $OpenBSD: noexec.c,v 1.8 2003/09/25 23:35:06 mickey Exp $ */

/*
* Copyright (c) 2002,2003 Michael Shalayeff
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR OR HIS RELATIVES BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF MIND, USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/

#include <sys/param.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
#include <signal.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>
#include <errno.h>
#include <err.h>

volatile sig_atomic_t fail;
int page_size;
char label[64] = "non-exec ";

#define PAD 64*1024
#define MAXPAGESIZE 8192
#define TESTSZ 256 /* assuming the testfly() will fit */
u_int64_t data[(PAD + TESTSZ + PAD + MAXPAGESIZE) / 8] = { 0 };
u_int64_t bss[(PAD + TESTSZ + PAD + MAXPAGESIZE) / 8];

static void fdcache(void *, size_t);
static void testfly(void);
static void sigsegv(int, siginfo_t *, void *);
static int noexec(void *, size_t);
static int noexec_mprotect(void *, size_t);
static int noexec_mmap(void *, size_t);
static void usage(void);

static void
fdcache(void *p, size_t size)
{
#ifdef __hppa__
__asm __volatile( /* XXX this hardcodes the TESTSZ */
"fdc,m %1(%0)\n\t"
"fdc,m %1(%0)\n\t"
"fdc,m %1(%0)\n\t"
"fdc,m %1(%0)\n\t"
"fdc,m %1(%0)\n\t"
"fdc,m %1(%0)\n\t"
"fdc,m %1(%0)\n\t"
"fdc,m %1(%0)"
: "+r" (p) : "r" (32));
#endif
#ifdef __powerpc__
__syncicache(p, size);
#endif
}

static void
sigsegv(int sig, siginfo_t *sip, void *scp)
{
_exit(fail);
}

static int
noexec(void *p, size_t size)
{
fail = 0;
printf("%s: execute\n", label);
fflush(stdout);
((void (*)(void))p)();

return (1);
}

static int
noexec_mprotect(void *p, size_t size)
{

/* here we must fail on segv since we said it gets executable */
fail = 1;
if (mprotect(p, size, PROT_READ|PROT_EXEC) < 0)
err(1, "mprotect 1");
printf("%s: execute\n", label);
fflush(stdout);
((void (*)(void))p)();

/* here we are successful on segv and fail if it still executes */
fail = 0;
if (mprotect(p, size, PROT_READ) < 0)
err(1, "mprotect 2");
printf("%s: catch a signal\n", label);
fflush(stdout);
((void (*)(void))p)();

return (1);
}

static void *
getaddr(void *a)
{
void *ret;

if ((void *)&ret < a)
ret = (void *)((u_long)&ret - 4 * page_size);
else
ret = (void *)((u_long)&ret + 4 * page_size);

return (void *)((u_long)ret & ~(page_size - 1));
}

static int
noexec_mmap(void *p, size_t size)
{
memcpy(p + page_size * 1, p, page_size);
memcpy(p + page_size * 2, p, page_size);
fdcache(p + page_size * 1, TESTSZ);
fdcache(p + page_size * 2, TESTSZ);

/* here we must fail on segv since we said it gets executable */
fail = 1;

printf("%s: execute #1\n", label);
fflush(stdout);
((void (*)(void))p)();

/* unmap the first page to see that the higher page is still exec */
if (munmap(p, page_size) < 0)
err(1, "munmap");

p += page_size;
printf("%s: execute #2\n", label);
fflush(stdout);
((void (*)(void))p)();

/* unmap the last page to see that the lower page is still exec */
if (munmap(p + page_size, page_size) < 0)
err(1, "munmap");

printf("%s: execute #3\n", label);
fflush(stdout);
((void (*)(void))p)();

return (0);
}

static void
usage(void)
{
fprintf(stderr, "Usage: %s [-s <size>] -[TDBHS] [-p] [-m]\n",
getprogname());
exit(2);
}

int
main(int argc, char *argv[])
{
u_int64_t stack[TESTSZ/8]; /* assuming the testfly() will fit */
struct sigaction sa;
int (*func)(void *, size_t);
size_t size;
char *ep;
void *p, *ptr;
int ch;

if ((page_size = sysconf(_SC_PAGESIZE)) < 0)
err(1, "sysconf");

p = NULL;
func = noexec;
size = TESTSZ;
while ((ch = getopt(argc, argv, "TDBHSmps")) != -1) {
if (p == NULL) {
switch (ch) {
case 'T':
p = testfly;
(void) strlcat(label, "text", sizeof(label));
continue;
case 'D':
p = &data[(PAD + page_size) / 8];
p = (void *)((long)p & ~(page_size - 1));
(void) strlcat(label, "data", sizeof(label));
continue;
case 'B':
p = &bss[(PAD + page_size) / 8];
p = (void *)((long)p & ~(page_size - 1));
(void) strlcat(label, "bss", sizeof(label));
continue;
case 'H':
p = malloc(size + 2 * page_size);
if (p == NULL)
err(2, "malloc");
p += page_size;
p = (void *)((long)p & ~(page_size - 1));
(void) strlcat(label, "heap", sizeof(label));
continue;
case 'S':
p = getaddr(&stack);
(void) strlcat(label, "stack", sizeof(label));
continue;
case 's': /* only valid for heap and size */
size = strtoul(optarg, &ep, 0);
if (size > ULONG_MAX)
errno = ERANGE;
if (errno)
err(1, "invalid size: %s", optarg);
if (*ep)
errx(1, "invalid size: %s", optarg);
continue;
}
}
switch (ch) {
case 'm':
if (p) {
if ((ptr = mmap(p, size + 2 * page_size,
PROT_READ|PROT_WRITE,
MAP_ANON|MAP_FIXED, -1, 0)) == MAP_FAILED)
err(1, "mmap");
(void) strlcat(label, "-mmap", sizeof(label));
} else {
if ((ptr = mmap(p, size + 2 * page_size,
PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_ANON, -1, 0)) == MAP_FAILED)
err(1, "mmap");
func = noexec_mmap;
(void) strlcat(label, "mmap", sizeof(label));
}
p = ptr;
break;
case 'p':
func = noexec_mprotect;
(void) strlcat(label, "-mprotect", sizeof(label));
break;
default:
usage();
}
}
argc -= optind;
argv += optind;

if (argc > 0)
usage();

if (p == NULL)
exit(2);

sa.sa_sigaction = &sigsegv;
sa.sa_flags = SA_SIGINFO;
sigemptyset(&sa.sa_mask);
sigaction(SIGSEGV, &sa, NULL);

if (p != &testfly) {
memcpy(p, testfly, TESTSZ);
fdcache(p, size);
}

exit((*func)(p, size));
}

__asm (".space 8192");

void
testfly(void)
{
}

__asm (".space 8192");