| 0 |      1 | // Copyright (c) 2007-2009 Nokia Corporation and/or its subsidiary(-ies).
 | 
|  |      2 | // All rights reserved.
 | 
|  |      3 | // This component and the accompanying materials are made available
 | 
|  |      4 | // under the terms of the License "Eclipse Public License v1.0"
 | 
|  |      5 | // which accompanies this distribution, and is available
 | 
|  |      6 | // at the URL "http://www.eclipse.org/legal/epl-v10.html".
 | 
|  |      7 | //
 | 
|  |      8 | // Initial Contributors:
 | 
|  |      9 | // Nokia Corporation - initial contribution.
 | 
|  |     10 | //
 | 
|  |     11 | // Contributors:
 | 
|  |     12 | //
 | 
|  |     13 | // Description:
 | 
|  |     14 | // e32test\secure\t_ipcsafety.cpp
 | 
|  |     15 | // Overview:
 | 
|  |     16 | // Test if it's possible for a thread in a server process to access the IPC alias
 | 
|  |     17 | // region outside the control of the kernel.
 | 
|  |     18 | // API Information:
 | 
|  |     19 | // RMessage2
 | 
|  |     20 | // Details:
 | 
|  |     21 | // - Create a server which will take a long time IPCing any client request.
 | 
|  |     22 | // - Create a high priority thread which will attempt to write to a given
 | 
|  |     23 | // location in the IPC region, with an exception handler to retry if it fails.
 | 
|  |     24 | // - Create a client process which connects to the server and offers a
 | 
|  |     25 | // stack-based descriptor for IPC, as well as the address of another stack
 | 
|  |     26 | // variable that should not be able to be accessed.
 | 
|  |     27 | // - The bad writer will attempt to jump in and overwrite the variable,
 | 
|  |     28 | // causing the client to return a detectable error.
 | 
|  |     29 | // - Verify that this does not happen.
 | 
|  |     30 | // Platforms/Drives/Compatibility:
 | 
|  |     31 | // ARM with multiple memory model only.
 | 
|  |     32 | // Assumptions/Requirement/Pre-requisites:
 | 
|  |     33 | // Failures and causes:
 | 
|  |     34 | // Base Port information:
 | 
|  |     35 | // 
 | 
|  |     36 | //
 | 
|  |     37 | 
 | 
|  |     38 | #define __E32TEST_EXTENSION__
 | 
|  |     39 | #include <e32test.h>
 | 
|  |     40 | #include <e32debug.h>
 | 
|  |     41 | #include <e32base.h>
 | 
|  |     42 | #include <e32base_private.h>
 | 
|  |     43 | #include "mmudetect.h"
 | 
|  |     44 | 
 | 
|  |     45 | LOCAL_D RTest test(_L("T_IPCSAFETY"));
 | 
|  |     46 | 
 | 
|  |     47 | void GoodExitWithError();
 | 
|  |     48 | 
 | 
|  |     49 | TInt* DataToSplat;
 | 
|  |     50 | RSemaphore BadSemaphore;
 | 
|  |     51 | 
 | 
|  |     52 | // Server stuff
 | 
|  |     53 | 
 | 
|  |     54 | _LIT(KBadServerName,"BadServer");
 | 
|  |     55 | 
 | 
|  |     56 | class CBadSession : public CSession2
 | 
|  |     57 | 	{
 | 
|  |     58 | 	virtual void ServiceL(const RMessage2& aMessage);
 | 
|  |     59 | 	};
 | 
|  |     60 | 
 | 
|  |     61 | class CBadServer : public CServer2
 | 
|  |     62 | 	{
 | 
|  |     63 | public:
 | 
|  |     64 | 	CBadServer(CActive::TPriority aPriority) : CServer2(aPriority)
 | 
|  |     65 | 		{}
 | 
|  |     66 | 	virtual CBadSession* NewSessionL(const TVersion& aVersion, const RMessage2& aMessage) const
 | 
|  |     67 | 		{
 | 
|  |     68 | 		return new (ELeave) CBadSession();
 | 
|  |     69 | 		}
 | 
|  |     70 | 	};
 | 
|  |     71 | 
 | 
|  |     72 | void CBadSession::ServiceL(const RMessage2& aMessage)
 | 
|  |     73 | 	{
 | 
|  |     74 | 	TBuf16<1024> buf;
 | 
|  |     75 | 	DataToSplat = (TInt*)aMessage.Ptr1();
 | 
|  |     76 | 	BadSemaphore.Signal();
 | 
|  |     77 | 	// Read the buffer lots of times to widen the time window
 | 
|  |     78 | 	for (TInt i=0; i<1024; i++)
 | 
|  |     79 | 		aMessage.Read(0, buf, 0);
 | 
|  |     80 | 	CActiveScheduler::Stop();
 | 
|  |     81 | 	aMessage.Complete(KErrNone);
 | 
|  |     82 | 	}
 | 
|  |     83 | 
 | 
|  |     84 | TInt BadServerThread(TAny*)
 | 
|  |     85 | 	{
 | 
|  |     86 | 	CTrapCleanup* cleanup=CTrapCleanup::New();
 | 
|  |     87 | 	if (!cleanup)
 | 
|  |     88 | 		return KErrNoMemory;
 | 
|  |     89 | 	CActiveScheduler* scheduler = new CActiveScheduler();
 | 
|  |     90 | 	if (!scheduler)
 | 
|  |     91 | 		return KErrNoMemory;
 | 
|  |     92 | 	CActiveScheduler::Install(scheduler);
 | 
|  |     93 | 	CBadServer* server = new CBadServer(CActive::EPriorityStandard);
 | 
|  |     94 | 	if (!server)
 | 
|  |     95 | 		return KErrNoMemory;
 | 
|  |     96 | 	TInt r = server->Start(KBadServerName);
 | 
|  |     97 | 	if (r != KErrNone)
 | 
|  |     98 | 		return r;
 | 
|  |     99 | 	RThread::Rendezvous(KErrNone);
 | 
|  |    100 | 	CActiveScheduler::Start();
 | 
|  |    101 | 	delete server;
 | 
|  |    102 | 	delete scheduler;
 | 
|  |    103 | 	delete cleanup;
 | 
|  |    104 | 	return KErrNone;
 | 
|  |    105 | 	}
 | 
|  |    106 | 
 | 
|  |    107 | class RBadSession : public RSessionBase
 | 
|  |    108 | 	{
 | 
|  |    109 | public:
 | 
|  |    110 | 	TInt Connect()
 | 
|  |    111 | 		{
 | 
|  |    112 | 		return CreateSession(KBadServerName, TVersion(0,0,0));
 | 
|  |    113 | 		}
 | 
|  |    114 | 	void AccessMe(TDesC* aBuf, TInt* aValue);
 | 
|  |    115 | 	};
 | 
|  |    116 | 
 | 
|  |    117 | void RBadSession::AccessMe(TDesC* aBuf, TInt* aValue)
 | 
|  |    118 | 	{
 | 
|  |    119 | 	SendReceive(0, TIpcArgs(aBuf, aValue));
 | 
|  |    120 | 	};
 | 
|  |    121 | 
 | 
|  |    122 | // Bad writer thread
 | 
|  |    123 | 
 | 
|  |    124 | TInt * const KAliasRegion = (TInt*)0x00200000;
 | 
|  |    125 | const TUint KAliasMask = 0x000fffff;
 | 
|  |    126 | 
 | 
|  |    127 | void BadExceptionHandler(TExcType, TInt, TInt, TInt, TUint aStackArgument)
 | 
|  |    128 | 	{
 | 
|  |    129 | 	// just retry the instruction after a delay
 | 
|  |    130 | 	User::AfterHighRes(0);
 | 
|  |    131 | 	return;
 | 
|  |    132 | 	}
 | 
|  |    133 | 
 | 
|  |    134 | TInt BadWriterThread(TAny*)
 | 
|  |    135 | 	{
 | 
|  |    136 | 	// set the exception handler so that we don't die when touching the ipc region
 | 
|  |    137 | 	// as it won't be mapped until an unpredictable time
 | 
|  |    138 | 	User::SetExceptionHandler((TExceptionHandler)BadExceptionHandler, KExceptionFault);
 | 
|  |    139 | 	// wait for the server to tell us where to overwrite
 | 
|  |    140 | 	BadSemaphore.Wait();
 | 
|  |    141 | 
 | 
|  |    142 | 	TInt* target = (TInt*)(((TUint)DataToSplat&KAliasMask)|(TUint)KAliasRegion);
 | 
|  |    143 | 	*target = KErrGeneral;
 | 
|  |    144 | 
 | 
|  |    145 | 	return KErrNone;
 | 
|  |    146 | 	}
 | 
|  |    147 | 
 | 
|  |    148 | // The server process
 | 
|  |    149 | 
 | 
|  |    150 | TInt BadServerProcess()
 | 
|  |    151 | 	{
 | 
|  |    152 | 	test.Title();
 | 
|  |    153 | 	test.Start(_L("Test bad server overwriting good client memory"));
 | 
|  |    154 | 
 | 
|  |    155 | 	BadSemaphore.CreateLocal(0);
 | 
|  |    156 | 
 | 
|  |    157 | 	test.Next(_L("Setup bad server"));
 | 
|  |    158 | 	RThread serverThread;
 | 
|  |    159 | 	TRequestStatus serverStatus, serverRendezvous;
 | 
|  |    160 | 	test_KErrNone(serverThread.Create(_L("BadServer"), BadServerThread, KDefaultStackSize, NULL, NULL));
 | 
|  |    161 | 	serverThread.Logon(serverStatus);
 | 
|  |    162 | 	serverThread.Rendezvous(serverRendezvous);
 | 
|  |    163 | 	serverThread.Resume();
 | 
|  |    164 | 	User::WaitForRequest(serverRendezvous);
 | 
|  |    165 | 
 | 
|  |    166 | 	test.Next(_L("Start bad writer thread"));
 | 
|  |    167 | 	RThread writerThread;
 | 
|  |    168 | 	TRequestStatus writerStatus;
 | 
|  |    169 | 	test_KErrNone(writerThread.Create(_L("BadWriter"), BadWriterThread, KDefaultStackSize, NULL, NULL));
 | 
|  |    170 | 	writerThread.Logon(writerStatus);
 | 
|  |    171 | 	writerThread.SetPriority(EPriorityMore);
 | 
|  |    172 | 	writerThread.Resume();
 | 
|  |    173 | 
 | 
|  |    174 | 	test.Next(_L("Run the good client"));
 | 
|  |    175 | 	RProcess goodProcess;
 | 
|  |    176 | 	TRequestStatus goodStatus;
 | 
|  |    177 | 	test_KErrNone(goodProcess.Create(_L("T_IPCSAFETY"), _L("client")));
 | 
|  |    178 | 	goodProcess.Logon(goodStatus);
 | 
|  |    179 | 	goodProcess.Resume();
 | 
|  |    180 | 
 | 
|  |    181 | 	test.Next(_L("Wait for server to die"));
 | 
|  |    182 | 	User::WaitForRequest(serverStatus);
 | 
|  |    183 | 	test_Equal(EExitKill, serverThread.ExitType());
 | 
|  |    184 | 	test_KErrNone(serverThread.ExitReason());
 | 
|  |    185 | 
 | 
|  |    186 | 	test.Next(_L("Check if client had memory overwritten"));
 | 
|  |    187 | 	User::WaitForRequest(goodStatus);
 | 
|  |    188 | 	test_Equal(EExitKill, goodProcess.ExitType());
 | 
|  |    189 | 	test_KErrNone(goodProcess.ExitReason());
 | 
|  |    190 | 
 | 
|  |    191 | 	test.Next(_L("Kill off writer thread"));
 | 
|  |    192 | 	writerThread.Kill(KErrNone);
 | 
|  |    193 | 	User::WaitForRequest(writerStatus);
 | 
|  |    194 | 	test_Equal(EExitKill, writerThread.ExitType());
 | 
|  |    195 | 	test_KErrNone(writerThread.ExitReason());
 | 
|  |    196 | 
 | 
|  |    197 | 	test.End();
 | 
|  |    198 | 	return KErrNone;
 | 
|  |    199 | 	}
 | 
|  |    200 | 
 | 
|  |    201 | // The client process
 | 
|  |    202 | 
 | 
|  |    203 | TInt GoodClientProcess()
 | 
|  |    204 | 	{
 | 
|  |    205 | 	RBadSession bad;
 | 
|  |    206 | 	TBuf16<1024> buf;
 | 
|  |    207 | 	TInt r = KErrNone;
 | 
|  |    208 | 	buf.SetLength(1024);
 | 
|  |    209 | 	// just keep trying to connect if the server isn't talkative yet
 | 
|  |    210 | 	while (bad.Connect() != KErrNone)
 | 
|  |    211 | 		User::After(1);
 | 
|  |    212 | 	bad.AccessMe(&buf, &r);
 | 
|  |    213 | 	// Returns r, which logically should be KErrNone as servers aren't
 | 
|  |    214 | 	// supposed to be able to modify
 | 
|  |    215 | 	return r;
 | 
|  |    216 | 	}
 | 
|  |    217 | 
 | 
|  |    218 | // Main
 | 
|  |    219 | 
 | 
|  |    220 | GLDEF_C TInt E32Main()
 | 
|  |    221 |     {
 | 
|  |    222 | 	TBuf16<512> cmd;
 | 
|  |    223 | 	User::CommandLine(cmd);
 | 
|  |    224 | 
 | 
|  |    225 | 	// this test hardcodes various multiple memory model parameters
 | 
|  |    226 | 	// and the moving model's aliasing technique is not susceptible to
 | 
|  |    227 | 	// the problem in the first place
 | 
|  |    228 | 	TUint32 memmodel = MemModelAttributes();
 | 
|  |    229 | 	if ((memmodel & EMemModelTypeMask) != EMemModelTypeMultiple)
 | 
|  |    230 | 		return KErrNone;
 | 
|  |    231 | 
 | 
|  |    232 | 	if(cmd.Length())
 | 
|  |    233 | 		return GoodClientProcess();
 | 
|  |    234 | 	else
 | 
|  |    235 | 		return BadServerProcess();
 | 
|  |    236 |     }
 | 
|  |    237 | 
 |