|
1 // Copyright (c) 2007-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
2 // All rights reserved. |
|
3 // This component and the accompanying materials are made available |
|
4 // under the terms of the License "Eclipse Public License v1.0" |
|
5 // which accompanies this distribution, and is available |
|
6 // at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
7 // |
|
8 // Initial Contributors: |
|
9 // Nokia Corporation - initial contribution. |
|
10 // |
|
11 // Contributors: |
|
12 // |
|
13 // Description: |
|
14 // e32test\secure\t_ipcsafety.cpp |
|
15 // Overview: |
|
16 // Test if it's possible for a thread in a server process to access the IPC alias |
|
17 // region outside the control of the kernel. |
|
18 // API Information: |
|
19 // RMessage2 |
|
20 // Details: |
|
21 // - Create a server which will take a long time IPCing any client request. |
|
22 // - Create a high priority thread which will attempt to write to a given |
|
23 // location in the IPC region, with an exception handler to retry if it fails. |
|
24 // - Create a client process which connects to the server and offers a |
|
25 // stack-based descriptor for IPC, as well as the address of another stack |
|
26 // variable that should not be able to be accessed. |
|
27 // - The bad writer will attempt to jump in and overwrite the variable, |
|
28 // causing the client to return a detectable error. |
|
29 // - Verify that this does not happen. |
|
30 // Platforms/Drives/Compatibility: |
|
31 // ARM with multiple memory model only. |
|
32 // Assumptions/Requirement/Pre-requisites: |
|
33 // Failures and causes: |
|
34 // Base Port information: |
|
35 // |
|
36 // |
|
37 |
|
38 #define __E32TEST_EXTENSION__ |
|
39 #include <e32test.h> |
|
40 #include <e32debug.h> |
|
41 #include <e32base.h> |
|
42 #include <e32base_private.h> |
|
43 #include "mmudetect.h" |
|
44 |
|
45 LOCAL_D RTest test(_L("T_IPCSAFETY")); |
|
46 |
|
47 void GoodExitWithError(); |
|
48 |
|
49 TInt* DataToSplat; |
|
50 RSemaphore BadSemaphore; |
|
51 |
|
52 // Server stuff |
|
53 |
|
54 _LIT(KBadServerName,"BadServer"); |
|
55 |
|
56 class CBadSession : public CSession2 |
|
57 { |
|
58 virtual void ServiceL(const RMessage2& aMessage); |
|
59 }; |
|
60 |
|
61 class CBadServer : public CServer2 |
|
62 { |
|
63 public: |
|
64 CBadServer(CActive::TPriority aPriority) : CServer2(aPriority) |
|
65 {} |
|
66 virtual CBadSession* NewSessionL(const TVersion& aVersion, const RMessage2& aMessage) const |
|
67 { |
|
68 return new (ELeave) CBadSession(); |
|
69 } |
|
70 }; |
|
71 |
|
72 void CBadSession::ServiceL(const RMessage2& aMessage) |
|
73 { |
|
74 TBuf16<1024> buf; |
|
75 DataToSplat = (TInt*)aMessage.Ptr1(); |
|
76 BadSemaphore.Signal(); |
|
77 // Read the buffer lots of times to widen the time window |
|
78 for (TInt i=0; i<1024; i++) |
|
79 aMessage.Read(0, buf, 0); |
|
80 CActiveScheduler::Stop(); |
|
81 aMessage.Complete(KErrNone); |
|
82 } |
|
83 |
|
84 TInt BadServerThread(TAny*) |
|
85 { |
|
86 CTrapCleanup* cleanup=CTrapCleanup::New(); |
|
87 if (!cleanup) |
|
88 return KErrNoMemory; |
|
89 CActiveScheduler* scheduler = new CActiveScheduler(); |
|
90 if (!scheduler) |
|
91 return KErrNoMemory; |
|
92 CActiveScheduler::Install(scheduler); |
|
93 CBadServer* server = new CBadServer(CActive::EPriorityStandard); |
|
94 if (!server) |
|
95 return KErrNoMemory; |
|
96 TInt r = server->Start(KBadServerName); |
|
97 if (r != KErrNone) |
|
98 return r; |
|
99 RThread::Rendezvous(KErrNone); |
|
100 CActiveScheduler::Start(); |
|
101 delete server; |
|
102 delete scheduler; |
|
103 delete cleanup; |
|
104 return KErrNone; |
|
105 } |
|
106 |
|
107 class RBadSession : public RSessionBase |
|
108 { |
|
109 public: |
|
110 TInt Connect() |
|
111 { |
|
112 return CreateSession(KBadServerName, TVersion(0,0,0)); |
|
113 } |
|
114 void AccessMe(TDesC* aBuf, TInt* aValue); |
|
115 }; |
|
116 |
|
117 void RBadSession::AccessMe(TDesC* aBuf, TInt* aValue) |
|
118 { |
|
119 SendReceive(0, TIpcArgs(aBuf, aValue)); |
|
120 }; |
|
121 |
|
122 // Bad writer thread |
|
123 |
|
124 TInt * const KAliasRegion = (TInt*)0x00200000; |
|
125 const TUint KAliasMask = 0x000fffff; |
|
126 |
|
127 void BadExceptionHandler(TExcType, TInt, TInt, TInt, TUint aStackArgument) |
|
128 { |
|
129 // just retry the instruction after a delay |
|
130 User::AfterHighRes(0); |
|
131 return; |
|
132 } |
|
133 |
|
134 TInt BadWriterThread(TAny*) |
|
135 { |
|
136 // set the exception handler so that we don't die when touching the ipc region |
|
137 // as it won't be mapped until an unpredictable time |
|
138 User::SetExceptionHandler((TExceptionHandler)BadExceptionHandler, KExceptionFault); |
|
139 // wait for the server to tell us where to overwrite |
|
140 BadSemaphore.Wait(); |
|
141 |
|
142 TInt* target = (TInt*)(((TUint)DataToSplat&KAliasMask)|(TUint)KAliasRegion); |
|
143 *target = KErrGeneral; |
|
144 |
|
145 return KErrNone; |
|
146 } |
|
147 |
|
148 // The server process |
|
149 |
|
150 TInt BadServerProcess() |
|
151 { |
|
152 test.Title(); |
|
153 test.Start(_L("Test bad server overwriting good client memory")); |
|
154 |
|
155 BadSemaphore.CreateLocal(0); |
|
156 |
|
157 test.Next(_L("Setup bad server")); |
|
158 RThread serverThread; |
|
159 TRequestStatus serverStatus, serverRendezvous; |
|
160 test_KErrNone(serverThread.Create(_L("BadServer"), BadServerThread, KDefaultStackSize, NULL, NULL)); |
|
161 serverThread.Logon(serverStatus); |
|
162 serverThread.Rendezvous(serverRendezvous); |
|
163 serverThread.Resume(); |
|
164 User::WaitForRequest(serverRendezvous); |
|
165 |
|
166 test.Next(_L("Start bad writer thread")); |
|
167 RThread writerThread; |
|
168 TRequestStatus writerStatus; |
|
169 test_KErrNone(writerThread.Create(_L("BadWriter"), BadWriterThread, KDefaultStackSize, NULL, NULL)); |
|
170 writerThread.Logon(writerStatus); |
|
171 writerThread.SetPriority(EPriorityMore); |
|
172 writerThread.Resume(); |
|
173 |
|
174 test.Next(_L("Run the good client")); |
|
175 RProcess goodProcess; |
|
176 TRequestStatus goodStatus; |
|
177 test_KErrNone(goodProcess.Create(_L("T_IPCSAFETY"), _L("client"))); |
|
178 goodProcess.Logon(goodStatus); |
|
179 goodProcess.Resume(); |
|
180 |
|
181 test.Next(_L("Wait for server to die")); |
|
182 User::WaitForRequest(serverStatus); |
|
183 test_Equal(EExitKill, serverThread.ExitType()); |
|
184 test_KErrNone(serverThread.ExitReason()); |
|
185 |
|
186 test.Next(_L("Check if client had memory overwritten")); |
|
187 User::WaitForRequest(goodStatus); |
|
188 test_Equal(EExitKill, goodProcess.ExitType()); |
|
189 test_KErrNone(goodProcess.ExitReason()); |
|
190 |
|
191 test.Next(_L("Kill off writer thread")); |
|
192 writerThread.Kill(KErrNone); |
|
193 User::WaitForRequest(writerStatus); |
|
194 test_Equal(EExitKill, writerThread.ExitType()); |
|
195 test_KErrNone(writerThread.ExitReason()); |
|
196 |
|
197 test.End(); |
|
198 return KErrNone; |
|
199 } |
|
200 |
|
201 // The client process |
|
202 |
|
203 TInt GoodClientProcess() |
|
204 { |
|
205 RBadSession bad; |
|
206 TBuf16<1024> buf; |
|
207 TInt r = KErrNone; |
|
208 buf.SetLength(1024); |
|
209 // just keep trying to connect if the server isn't talkative yet |
|
210 while (bad.Connect() != KErrNone) |
|
211 User::After(1); |
|
212 bad.AccessMe(&buf, &r); |
|
213 // Returns r, which logically should be KErrNone as servers aren't |
|
214 // supposed to be able to modify |
|
215 return r; |
|
216 } |
|
217 |
|
218 // Main |
|
219 |
|
220 GLDEF_C TInt E32Main() |
|
221 { |
|
222 TBuf16<512> cmd; |
|
223 User::CommandLine(cmd); |
|
224 |
|
225 // this test hardcodes various multiple memory model parameters |
|
226 // and the moving model's aliasing technique is not susceptible to |
|
227 // the problem in the first place |
|
228 TUint32 memmodel = MemModelAttributes(); |
|
229 if ((memmodel & EMemModelTypeMask) != EMemModelTypeMultiple) |
|
230 return KErrNone; |
|
231 |
|
232 if(cmd.Length()) |
|
233 return GoodClientProcess(); |
|
234 else |
|
235 return BadServerProcess(); |
|
236 } |
|
237 |