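// SPDX-License-Identifier: GPL-2.0
/*
 * This is for all the tests related to logic bugs (e.g. bad dereferences,
 * bad alignment, bad loops, bad locking, bad scheduling, deep stacks, and
 * lockups) along with other things that don't fit well into existing LKDTM
 * test source files.
 *
 * Every lkdtm_*() entry point below misbehaves on purpose. A test "passes"
 * when the kernel's matching hardening feature stops it; where execution can
 * survive, the entry point prints a "FAIL:" line and, where applicable, the
 * config option that was expected to catch it.
 */
#include "lkdtm.h"
#include <linux/cpu.h>
#include <linux/efi.h>
#include <linux/list.h>
#include <linux/hrtimer.h>
#include <linux/sched.h>
#include <linux/sched/signal.h>
#include <linux/sched/task_stack.h>
#include <linux/slab.h>
#include <linux/stop_machine.h>
#include <linux/uaccess.h>

#if IS_ENABLED(CONFIG_X86_32) && !IS_ENABLED(CONFIG_UML)
#include <asm/desc.h>
#endif

/* Minimal list element for the CORRUPT_LIST_* tests. */
struct lkdtm_list {
	struct list_head node;
};

/*
 * Make sure our attempts to over run the kernel stack doesn't trigger
 * a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
 * recurse past the end of THREAD_SIZE by default.
 */
#if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
#define REC_STACK_SIZE (_AC(CONFIG_FRAME_WARN, UL) / 2)
#else
#define REC_STACK_SIZE (THREAD_SIZE / 8UL)
#endif
#define REC_NUM_DEFAULT ((THREAD_SIZE / REC_STACK_SIZE) * 2)

/* Recursion depth used by EXHAUST_STACK; adjustable via lkdtm_bugs_init(). */
static int recur_count = REC_NUM_DEFAULT;

/* Taken and deliberately never released by lkdtm_SPINLOCKUP(). */
static DEFINE_SPINLOCK(lock_me_up);

/*
 * Make sure compiler does not optimize this function or stack frame away:
 * - function marked noinline
 * - stack variables are marked volatile
 * - stack variables are written (memset()) and read (buf[..] passed as arg)
 * - function may have external effects (memzero_explicit())
 * - no tail recursion possible
 *
 * Each frame carries REC_STACK_SIZE bytes. The argument of the next call is
 * read back out of buf[] rather than computed from @remaining directly, so
 * the compiler cannot collapse the recursion.
 */
static int noinline recursive_loop(int remaining)
{
	volatile char buf[REC_STACK_SIZE];
	volatile int ret;

	memset((void *)buf, remaining & 0xFF, sizeof(buf));
	if (!remaining)
		ret = 0;
	else
		ret = recursive_loop((int)buf[remaining % sizeof(buf)] - 1);
	memzero_explicit((void *)buf, sizeof(buf));
	return ret;
}

/* If the depth is negative, use the default, otherwise keep parameter. */
void __init lkdtm_bugs_init(int *recur_param)
{
	if (*recur_param < 0)
		*recur_param = recur_count;
	else
		recur_count = *recur_param;
}

/* Plain panic(); the simplest possible crash. */
static void lkdtm_PANIC(void)
{
	panic("dumptest");
}

/* stop_machine() callback for PANIC_STOP_IRQOFF; @arg is the shared counter. */
static int panic_stop_irqoff_fn(void *arg)
{
	atomic_t *v = arg;

	/*
	 * As stop_machine() disables interrupts, all CPUs within this function
	 * have interrupts disabled and cannot take a regular IPI.
	 *
	 * The last CPU which enters here will trigger a panic, and as all CPUs
	 * cannot take a regular IPI, we'll only be able to stop secondaries if
	 * smp_send_stop() or crash_smp_send_stop() uses an NMI.
	 */
	if (atomic_inc_return(v) == num_online_cpus())
		panic("panic stop irqoff test");

	/* Every other CPU parks here with interrupts off until stopped. */
	for (;;)
		cpu_relax();
}

/* Panic from inside stop_machine(), i.e. with every online CPU IRQ-disabled. */
static void lkdtm_PANIC_STOP_IRQOFF(void)
{
	atomic_t v = ATOMIC_INIT(0);
	stop_machine(panic_stop_irqoff_fn, &v, cpu_online_mask);
}

/* Set by lkdtm_PANIC_IN_HARDIRQ() and only cleared if panic() were to return. */
static bool wait_for_panic;

/* hrtimer callback: panic() from hard IRQ context. */
static enum hrtimer_restart panic_in_hardirq(struct hrtimer *timer)
{
	panic("from hard IRQ context");

	/* Not reached unless panic() returns. */
	wait_for_panic = false;
	return HRTIMER_NORESTART;
}

/*
 * Arm a 100us hard-IRQ hrtimer whose callback panics, and spin until the
 * callback reports back (which it never does on the expected path).
 */
static void lkdtm_PANIC_IN_HARDIRQ(void)
{
	struct hrtimer timer;

	wait_for_panic = true;
	hrtimer_setup_on_stack(&timer, panic_in_hardirq,
			       CLOCK_MONOTONIC, HRTIMER_MODE_REL_HARD);
	hrtimer_start(&timer, us_to_ktime(100), HRTIMER_MODE_REL_HARD);

	while (READ_ONCE(wait_for_panic))
		cpu_relax();

	hrtimer_cancel(&timer);
}

/* Plain BUG() from task context. */
static void lkdtm_BUG(void)
{
	BUG();
}

/* Set by lkdtm_BUG_IN_HARDIRQ() and only cleared if BUG() were to return. */
static bool wait_for_bug;

/* hrtimer callback: BUG() from hard IRQ context. */
static enum hrtimer_restart bug_in_hardirq(struct hrtimer *timer)
{
	BUG();

	/* Not reached unless BUG() returns. */
	wait_for_bug = false;
	return HRTIMER_NORESTART;
}

/* Same shape as lkdtm_PANIC_IN_HARDIRQ(), but the callback hits BUG(). */
static void lkdtm_BUG_IN_HARDIRQ(void)
{
	struct hrtimer timer;

	wait_for_bug = true;
	hrtimer_setup_on_stack(&timer, bug_in_hardirq,
			       CLOCK_MONOTONIC, HRTIMER_MODE_REL_HARD);
	hrtimer_start(&timer, us_to_ktime(100), HRTIMER_MODE_REL_HARD);

	while (READ_ONCE(wait_for_bug))
		cpu_relax();

	hrtimer_cancel(&timer);
}

/* Incremented on each WARNING / WARNING_MESSAGE so the condition is non-zero. */
static int warn_counter;

/* WARN_ON() with a true condition. */
static void lkdtm_WARNING(void)
{
	WARN_ON(++warn_counter);
}

/* WARN() with a formatted message. */
static void lkdtm_WARNING_MESSAGE(void)
{
	WARN(1, "Warning message trigger count: %d\n", ++warn_counter);
}

/* Store through a NULL pointer; volatile keeps the store from being elided. */
static void lkdtm_EXCEPTION(void)
{
	*((volatile int *) 0) = 0;
}

/* Busy loop with nothing disabled. */
static void lkdtm_LOOP(void)
{
	for (;;)
		;
}

/* Recurse recur_count frames of REC_STACK_SIZE bytes to overrun the stack. */
static void lkdtm_EXHAUST_STACK(void)
{
	pr_info("Calling function with %lu frame size to depth %d ...\n",
		REC_STACK_SIZE, recur_count);
	recursive_loop(recur_count);
	pr_info("FAIL: survived without exhausting stack?!\n");
}

/*
 * Overwrite 64 bytes starting at @stack. Callers pass an 8-byte local, so
 * this runs off the end of it into the rest of the caller's frame.
 */
static noinline void __lkdtm_CORRUPT_STACK(void *stack)
{
	memset(stack, '\xff', 64);
}

/* This should trip the stack canary, not corrupt the return address. */
static noinline void lkdtm_CORRUPT_STACK(void)
{
	/* Use default char array length that triggers stack protection. */
	char data[8] __aligned(sizeof(void *));

	pr_info("Corrupting stack containing char array ...\n");
	__lkdtm_CORRUPT_STACK((void *)&data);
}

/* Same as above but will only get a canary with -fstack-protector-strong */
static noinline void lkdtm_CORRUPT_STACK_STRONG(void)
{
	union {
		unsigned short shorts[4];
		unsigned long *ptr;
	} data __aligned(sizeof(void *));

	pr_info("Corrupting stack containing union ...\n");
	__lkdtm_CORRUPT_STACK((void *)&data);
}

/* State for REPORT_STACK: pid and stack address recorded on its first call. */
static pid_t stack_pid;
static unsigned long stack_addr;

/*
 * Report how far a local's address has moved since the first call from the
 * same pid. A new pid restarts the tracking.
 */
static void lkdtm_REPORT_STACK(void)
{
	volatile uintptr_t magic;
	pid_t pid = task_pid_nr(current);

	if (pid != stack_pid) {
		pr_info("Starting stack offset tracking for pid %d\n", pid);
		stack_pid = pid;
		stack_addr = (uintptr_t)&magic;
	}

	pr_info("Stack offset: %d\n", (int)(stack_addr - (uintptr_t)&magic));
}

/* State for REPORT_STACK_CANARY: the canary seen by the first pid. */
static pid_t stack_canary_pid;
static unsigned long stack_canary;
static unsigned long stack_canary_offset;

/*
 * Locate the stack canary near @stack and compare it against the one
 * recorded for an earlier pid. Two different pids are expected to have
 * different canaries at the same offset; matching init_task's canary
 * indicates a global (non-per-task) canary.
 */
static noinline void __lkdtm_REPORT_STACK_CANARY(void *stack)
{
	int i = 0;
	pid_t pid = task_pid_nr(current);
	unsigned long *canary = (unsigned long *)stack;
	unsigned long current_offset = 0, init_offset = 0;

	/* Do our best to find the canary in a 16 word window ... */
	for (i = 1; i < 16; i++) {
		canary = (unsigned long *)stack + i;
#ifdef CONFIG_STACKPROTECTOR
		if (*canary == current->stack_canary)
			current_offset = i;
		if (*canary == init_task.stack_canary)
			init_offset = i;
#endif
	}

	if (current_offset == 0) {
		/*
		 * If the canary doesn't match what's in the task_struct,
		 * we're either using a global canary or the stack frame
		 * layout changed.
		 */
		if (init_offset != 0) {
			pr_err("FAIL: global stack canary found at offset %ld (canary for pid %d matches init_task's)!\n",
			       init_offset, pid);
		} else {
			pr_warn("FAIL: did not correctly locate stack canary :(\n");
			pr_expected_config(CONFIG_STACKPROTECTOR);
		}

		return;
	} else if (init_offset != 0) {
		pr_warn("WARNING: found both current and init_task canaries nearby?!\n");
	}

	canary = (unsigned long *)stack + current_offset;
	if (stack_canary_pid == 0) {
		/* First call: remember this pid's canary for the comparison. */
		stack_canary = *canary;
		stack_canary_pid = pid;
		stack_canary_offset = current_offset;
		pr_info("Recorded stack canary for pid %d at offset %ld\n",
			stack_canary_pid, stack_canary_offset);
	} else if (pid == stack_canary_pid) {
		pr_warn("ERROR: saw pid %d again -- please use a new pid\n", pid);
	} else {
		if (current_offset != stack_canary_offset) {
			pr_warn("ERROR: canary offset changed from %ld to %ld!?\n",
				stack_canary_offset, current_offset);
			return;
		}

		if (*canary == stack_canary) {
			pr_warn("FAIL: canary identical for pid %d and pid %d at offset %ld!\n",
				stack_canary_pid, pid, current_offset);
		} else {
			pr_info("ok: stack canaries differ between pid %d and pid %d at offset %ld.\n",
				stack_canary_pid, pid, current_offset);
			/* Reset the test. */
			stack_canary_pid = 0;
		}
	}
}

/* Entry point: provide a canary-protected frame for the check above. */
static void lkdtm_REPORT_STACK_CANARY(void)
{
	/* Use default char array length that triggers stack protection. */
	char data[8] __aligned(sizeof(void *)) = { };

	__lkdtm_REPORT_STACK_CANARY((void *)&data);
}

/*
 * 32-bit load and store through a pointer one byte past a 4-byte-aligned
 * array, i.e. a misaligned access. Architectures that handle unaligned
 * accesses in hardware will not fault here.
 */
static void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void)
{
	static u8 data[5] __attribute__((aligned(4))) = {1, 2, 3, 4, 5};
	u32 *p;
	u32 val = 0x12345678;

	p = (u32 *)(data + 1);
	if (*p == 0)
		val = 0x87654321;
	*p = val;

	if (IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
		pr_err("XFAIL: arch has CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS\n");
}

/* Spin with preemption disabled (soft lockup). */
static void lkdtm_SOFTLOCKUP(void)
{
	preempt_disable();
	for (;;)
		cpu_relax();
}

/* Spin with local interrupts disabled (hard lockup). */
static void lkdtm_HARDLOCKUP(void)
{
	local_irq_disable();
	for (;;)
		cpu_relax();
}

/* IPI handler for SMP_CALL_LOCKUP: never returns. */
static void __lkdtm_SMP_CALL_LOCKUP(void *unused)
{
	for (;;)
		cpu_relax();
}

/*
 * Send a synchronous (wait=1) cross-call to another online CPU whose handler
 * never returns, so this CPU hangs waiting for it. Needs at least two CPUs.
 */
static void lkdtm_SMP_CALL_LOCKUP(void)
{
	unsigned int cpu, target;

	cpus_read_lock();

	cpu = get_cpu();
	target = cpumask_any_but(cpu_online_mask, cpu);

	if (target >= nr_cpu_ids) {
		pr_err("FAIL: no other online CPUs\n");
		goto out_put_cpus;
	}

	smp_call_function_single(target, __lkdtm_SMP_CALL_LOCKUP, NULL, 1);

	pr_err("FAIL: did not hang\n");

out_put_cpus:
	put_cpu();
	cpus_read_unlock();
}

/* Take lock_me_up and return without releasing it. */
static void lkdtm_SPINLOCKUP(void)
{
	/* Must be called twice to trigger. */
	spin_lock(&lock_me_up);
	/* Let sparse know we intended to exit holding the lock. */
	__release(&lock_me_up);
}

/* Sleep uninterruptibly with nothing to wake us. */
static void __noreturn lkdtm_HUNG_TASK(void)
{
	set_current_state(TASK_UNINTERRUPTIBLE);
	schedule();
	BUG();
}

/* INT_MAX - 2: one step below the signed overflow boundary after the +1. */
static volatile unsigned int huge = INT_MAX - 2;
/* Sink for results so the arithmetic is not optimised away. */
static volatile unsigned int ignored;

/* value+1 stays at INT_MAX-1; the following +4 crosses INT_MAX (UB in C). */
static void lkdtm_OVERFLOW_SIGNED(void)
{
	int value;

	value = huge;
	pr_info("Normal signed addition ...\n");
	value += 1;
	ignored = value;

	pr_info("Overflowing signed addition ...\n");
	value += 4;
	ignored = value;
}

/* Same sequence as lkdtm_OVERFLOW_SIGNED() on an unsigned int. */
static void lkdtm_OVERFLOW_UNSIGNED(void)
{
	unsigned int value;

	value = huge;
	pr_info("Normal unsigned addition ...\n");
	value += 1;
	ignored = value;

	pr_info("Overflowing unsigned addition ...\n");
	value += 4;
	ignored = value;
}

/* Intentionally using unannotated flex array definition. */
struct array_bounds_flex_array {
	int one;
	int two;
	char data[];
};

/* Fixed-size member followed by another field, so data[8] is still in-struct. */
struct array_bounds {
	int one;
	int two;
	char data[8];
	int three;
};

/*
 * Write one element past checked->data[]. The allocation is twice the struct
 * size, so the write stays inside the heap object and only array-bounds
 * instrumentation can catch it.
 */
static void lkdtm_ARRAY_BOUNDS(void)
{
	struct array_bounds_flex_array *not_checked;
	struct array_bounds *checked;
	volatile int i;

	not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL);
	checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL);
	if (!not_checked || !checked) {
		kfree(not_checked);
		kfree(checked);
		return;
	}

	pr_info("Array access within bounds ...\n");
	/* For both, touch all bytes in the actual member size. */
	for (i = 0; i < sizeof(checked->data); i++)
		checked->data[i] = 'A';
	/*
	 * For the uninstrumented flex array member, also touch 1 byte
	 * beyond to verify it is correctly uninstrumented.
	 */
	for (i = 0; i < 2; i++)
		not_checked->data[i] = 'A';

	pr_info("Array access beyond bounds ...\n");
	for (i = 0; i < sizeof(checked->data) + 1; i++)
		checked->data[i] = 'B';

	kfree(not_checked);
	kfree(checked);
	pr_err("FAIL: survived array bounds overflow!\n");
	if (IS_ENABLED(CONFIG_UBSAN_BOUNDS))
		pr_expected_config(CONFIG_UBSAN_TRAP);
	else
		pr_expected_config(CONFIG_UBSAN_BOUNDS);
}

/* Flexible array whose length is declared to the compiler via @count. */
struct lkdtm_cb_fam {
	unsigned long flags;
	int count;
	int array[] __counted_by(count);
};

/* Element count used by the FAM_BOUNDS and PTR_BOUNDS tests. */
static volatile int element_count = 4;

/*
 * Allocate element_count + 1 elements but declare only element_count in
 * ->count, then touch array[element_count]. The access is inside the heap
 * object, so only the __counted_by annotation can flag it.
 */
static void lkdtm_FAM_BOUNDS(void)
{
	struct lkdtm_cb_fam *inst;

	inst = kzalloc_flex(*inst, array, element_count + 1);
	if (!inst) {
		pr_err("FAIL: could not allocate test struct!\n");
		return;
	}

	inst->count = element_count;
	pr_info("Array access within bounds ...\n");
	inst->array[1] = element_count;
	ignored = inst->array[1];

	pr_info("Array access beyond bounds ...\n");
	inst->array[element_count] = element_count;
	ignored = inst->array[element_count];

	kfree(inst);

	pr_err("FAIL: survived access of invalid flexible array member index!\n");

	if (!IS_ENABLED(CONFIG_CC_HAS_COUNTED_BY))
		pr_warn("This is expected since this %s was built with a compiler that does not support __counted_by\n",
			lkdtm_kernel_info);
	else if (IS_ENABLED(CONFIG_UBSAN_BOUNDS))
		pr_expected_config(CONFIG_UBSAN_TRAP);
	else
		pr_expected_config(CONFIG_UBSAN_BOUNDS);
}

/* Element type for the counted pointer test below. */
struct lkdtm_extra {
	short a, b;
	u16 sixteen;
	u32 bigger;
	u64 biggest;
};

/* Pointer members whose lengths are declared via __counted_by_ptr(). */
struct lkdtm_cb_ptr {
	int a, b, c;
	int nr_extra;
	char *buf __counted_by_ptr(len);
	size_t len;
	struct lkdtm_extra *extra __counted_by_ptr(nr_extra);
};

/* Compare the compiler-derived size of p->buf against the expected @len. */
static noinline void check_ptr_len(struct lkdtm_cb_ptr *p, size_t len)
{
	if (__member_size(p->buf) != len)
		pr_err("FAIL: could not determine size of inst->buf: %zu\n",
		       __member_size(p->buf));
	else
		pr_info("good: inst->buf length is %zu\n", len);
}

/*
 * Read one element past ->extra[] (index == ->nr_extra). As with
 * FAM_BOUNDS, only the __counted_by_ptr annotation can detect it.
 *
 * Allocation failures release whatever was allocated so far before
 * returning, so a failed setup does not leak the test struct.
 */
static void lkdtm_PTR_BOUNDS(void)
{
	struct lkdtm_cb_ptr *inst;

	inst = kzalloc_obj(*inst);
	if (!inst) {
		pr_err("FAIL: could not allocate struct lkdtm_cb_ptr!\n");
		return;
	}

	inst->buf = kzalloc(element_count, GFP_KERNEL);
	if (!inst->buf) {
		pr_err("FAIL: could not allocate inst->buf!\n");
		kfree(inst);
		return;
	}
	inst->len = element_count;

	/* Double element_count */
	inst->extra = kzalloc_objs(*inst->extra, element_count * 2);
	if (!inst->extra) {
		pr_err("FAIL: could not allocate inst->extra!\n");
		kfree(inst->buf);
		kfree(inst);
		return;
	}
	inst->nr_extra = element_count * 2;

	pr_info("Pointer access within bounds ...\n");
	check_ptr_len(inst, 4);
	/* All 4 bytes */
	inst->buf[0] = 'A';
	inst->buf[1] = 'B';
	inst->buf[2] = 'C';
	inst->buf[3] = 'D';
	/* Halfway into the array */
	inst->extra[element_count].biggest = 0x1000;

	pr_info("Pointer access beyond bounds ...\n");
	ignored = inst->extra[inst->nr_extra].b;

	kfree(inst->extra);
	kfree(inst->buf);
	kfree(inst);

	pr_err("FAIL: survived access of invalid pointer member offset!\n");

	if (!IS_ENABLED(CONFIG_CC_HAS_COUNTED_BY_PTR))
		pr_warn("This is expected since this %s was built with a compiler that does not support __counted_by_ptr\n",
			lkdtm_kernel_info);
	else if (IS_ENABLED(CONFIG_UBSAN_BOUNDS))
		pr_expected_config(CONFIG_UBSAN_TRAP);
	else
		pr_expected_config(CONFIG_UBSAN_BOUNDS);
}

/*
 * list_add() with a corrupted head->next. target[] stands in for the
 * memory such a corruption would overwrite; if it changes, the list
 * hardening checks did not reject the poisoned pointer.
 */
static void lkdtm_CORRUPT_LIST_ADD(void)
{
	/*
	 * Initially, an empty list via LIST_HEAD:
	 *	test_head.next = &test_head
	 *	test_head.prev = &test_head
	 */
	LIST_HEAD(test_head);
	struct lkdtm_list good, bad;
	void *target[2] = { };
	void *redirection = &target;

	pr_info("attempting good list addition\n");

	/*
	 * Adding to the list performs these actions:
	 *	test_head.next->prev = &good.node
	 *	good.node.next = test_head.next
	 *	good.node.prev = test_head
	 *	test_head.next = good.node
	 */
	list_add(&good.node, &test_head);

	pr_info("attempting corrupted list addition\n");
	/*
	 * In simulating this "write what where" primitive, the "what" is
	 * the address of &bad.node, and the "where" is the address held
	 * by "redirection".
	 */
	test_head.next = redirection;
	list_add(&bad.node, &test_head);

	if (target[0] == NULL && target[1] == NULL)
		pr_err("Overwrite did not happen, but no BUG?!\n");
	else {
		pr_err("list_add() corruption not detected!\n");
		pr_expected_config(CONFIG_LIST_HARDENED);
	}
}

/* list_del() counterpart of lkdtm_CORRUPT_LIST_ADD(): poison item.node.next. */
static void lkdtm_CORRUPT_LIST_DEL(void)
{
	LIST_HEAD(test_head);
	struct lkdtm_list item;
	void *target[2] = { };
	void *redirection = &target;

	list_add(&item.node, &test_head);

	pr_info("attempting good list removal\n");
	list_del(&item.node);

	pr_info("attempting corrupted list removal\n");
	list_add(&item.node, &test_head);

	/* As with the list_add() test above, this corrupts "next". */
	item.node.next = redirection;
	list_del(&item.node);

	if (target[0] == NULL && target[1] == NULL)
		pr_err("Overwrite did not happen, but no BUG?!\n");
	else {
		pr_err("list_del() corruption not detected!\n");
		pr_expected_config(CONFIG_LIST_HARDENED);
	}
}

/* Test that VMAP_STACK is actually allocating with a leading guard page */
static void lkdtm_STACK_GUARD_PAGE_LEADING(void)
{
	const unsigned char *stack = task_stack_page(current);
	const unsigned char *ptr = stack - 1;
	volatile unsigned char byte;

	pr_info("attempting bad read from page below current stack\n");

	byte = *ptr;

	pr_err("FAIL: accessed page before stack! (byte: %x)\n", byte);
}

/* Test that VMAP_STACK is actually allocating with a trailing guard page */
static void lkdtm_STACK_GUARD_PAGE_TRAILING(void)
{
	const unsigned char *stack = task_stack_page(current);
	const unsigned char *ptr = stack + THREAD_SIZE;
	volatile unsigned char byte;

	pr_info("attempting bad read from page above current stack\n");

	byte = *ptr;

	pr_err("FAIL: accessed page after stack! (byte: %x)\n", byte);
}

/*
 * Exercise CR4 pinning on x86_64: first through the normal write path,
 * which must refuse to drop SMEP, then through the raw write instruction
 * inside native_write_cr4(), after which the pinning check must restore it.
 */
static void lkdtm_UNSET_SMEP(void)
{
#if IS_ENABLED(CONFIG_X86_64) && !IS_ENABLED(CONFIG_UML)
#define MOV_CR4_DEPTH	64
	void (*direct_write_cr4)(unsigned long val);
	unsigned char *insn;
	unsigned long cr4;
	int i;

	cr4 = native_read_cr4();

	if ((cr4 & X86_CR4_SMEP) != X86_CR4_SMEP) {
		pr_err("FAIL: SMEP not in use\n");
		return;
	}
	cr4 &= ~(X86_CR4_SMEP);

	pr_info("trying to clear SMEP normally\n");
	native_write_cr4(cr4);
	if (cr4 == native_read_cr4()) {
		pr_err("FAIL: pinning SMEP failed!\n");
		cr4 |= X86_CR4_SMEP;
		pr_info("restoring SMEP\n");
		native_write_cr4(cr4);
		return;
	}
	pr_info("ok: SMEP did not get cleared\n");

	/*
	 * To test the post-write pinning verification we need to call
	 * directly into the middle of native_write_cr4() where the
	 * cr4 write happens, skipping any pinning. This searches for
	 * the cr4 writing instruction.
	 */
	insn = (unsigned char *)native_write_cr4;
	OPTIMIZER_HIDE_VAR(insn);
	for (i = 0; i < MOV_CR4_DEPTH; i++) {
		/* mov %rdi, %cr4 */
		if (insn[i] == 0x0f && insn[i+1] == 0x22 && insn[i+2] == 0xe7)
			break;
		/* mov %rdi,%rax; mov %rax, %cr4 */
		if (insn[i] == 0x48 && insn[i+1] == 0x89 &&
		    insn[i+2] == 0xf8 && insn[i+3] == 0x0f &&
		    insn[i+4] == 0x22 && insn[i+5] == 0xe0)
			break;
	}
	if (i >= MOV_CR4_DEPTH) {
		pr_info("ok: cannot locate cr4 writing call gadget\n");
		return;
	}
	direct_write_cr4 = (void *)(insn + i);

	pr_info("trying to clear SMEP with call gadget\n");
	direct_write_cr4(cr4);
	if (native_read_cr4() & X86_CR4_SMEP) {
		pr_info("ok: SMEP removal was reverted\n");
	} else {
		pr_err("FAIL: cleared SMEP not detected!\n");
		cr4 |= X86_CR4_SMEP;
		pr_info("restoring SMEP\n");
		native_write_cr4(cr4);
	}
#else
	pr_err("XFAIL: this test is x86_64-only\n");
#endif
}

/* Force a #DF on 32-bit x86 via a zero-limit stack segment. */
static void lkdtm_DOUBLE_FAULT(void)
{
#if IS_ENABLED(CONFIG_X86_32) && !IS_ENABLED(CONFIG_UML)
	/*
	 * Trigger #DF by setting the stack limit to zero.  This clobbers
	 * a GDT TLS slot, which is okay because the current task will die
	 * anyway due to the double fault.
	 */
	struct desc_struct d = {
		.type = 3,	/* expand-up, writable, accessed data */
		.p = 1,		/* present */
		.d = 1,		/* 32-bit */
		.g = 0,		/* limit in bytes */
		.s = 1,		/* not system */
	};

	local_irq_disable();
	write_gdt_entry(get_cpu_gdt_rw(smp_processor_id()),
			GDT_ENTRY_TLS_MIN, &d, DESCTYPE_S);

	/*
	 * Put our zero-limit segment in SS and then trigger a fault.  The
	 * 4-byte access to (%esp) will fault with #SS, and the attempt to
	 * deliver the fault will recursively cause #SS and result in #DF.
	 * This whole process happens while NMIs and MCEs are blocked by the
	 * MOV SS window.  This is nice because an NMI with an invalid SS
	 * would also double-fault, resulting in the NMI or MCE being lost.
	 */
	asm volatile ("movw %0, %%ss; addl $0, (%%esp)" ::
		      "r" ((unsigned short)(GDT_ENTRY_TLS_MIN << 3)));

	pr_err("FAIL: tried to double fault but didn't die\n");
#else
	pr_err("XFAIL: this test is ia32-only\n");
#endif
}

#ifdef CONFIG_ARM64
/* Re-key the current task's kernel pointer authentication keys. */
static noinline void change_pac_parameters(void)
{
	if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) {
		/* Reset the keys of current task */
		ptrauth_thread_init_kernel(current);
		ptrauth_thread_switch_kernel(current);
	}
}
#endif

/*
 * Change the PAC keys underneath live return addresses so that returning
 * from change_pac_parameters() fails authentication.
 */
static noinline void lkdtm_CORRUPT_PAC(void)
{
#ifdef CONFIG_ARM64
#define CORRUPT_PAC_ITERATE	10
	int i;

	if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL))
		pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH_KERNEL\n");

	if (!system_supports_address_auth()) {
		pr_err("FAIL: CPU lacks pointer authentication feature\n");
		return;
	}

	pr_info("changing PAC parameters to force function return failure...\n");
	/*
	 * PAC is a hash value computed from input keys, return address and
	 * stack pointer. As pac has fewer bits so there is a chance of
	 * collision, so iterate few times to reduce the collision probability.
	 */
	for (i = 0; i < CORRUPT_PAC_ITERATE; i++)
		change_pac_parameters();

	pr_err("FAIL: survived PAC changes! Kernel may be unstable from here\n");
#else
	pr_err("XFAIL: this test is arm64-only\n");
#endif
}

/*
 * Ask the firmware to write through a pointer to a __ro_after_init variable;
 * the write should fault inside the EFI runtime and be turned into
 * EFI_ABORTED with runtime services disabled.
 */
static void __maybe_unused lkdtm_EFI_RUNTIME_CRASH(void)
{
	static unsigned long size __ro_after_init = sizeof(efi_char16_t);
	efi_status_t status;

	if (!efi.get_next_variable ||
	    !efi_enabled(EFI_RUNTIME_SERVICES) ||
	    !efi_rt_services_supported(EFI_RT_SUPPORTED_GET_NEXT_VARIABLE_NAME)) {
		pr_err("FAIL: EFI GetNextVariableName() is not available\n");
		return;
	}

	/*
	 * Provoke a fault by asking the firmware to write to a read-only
	 * variable.
	 */
	status = efi.get_next_variable(&size, L"", &(efi_guid_t){});

	if (status != EFI_ABORTED || efi_enabled(EFI_RUNTIME_SERVICES))
		pr_err("FAIL: EFI GetNextVariable() did not abort (%#lx)\n",
		       status);
}

/* Registry of the tests above, exported through bugs_crashtypes. */
static struct crashtype crashtypes[] = {
	CRASHTYPE(PANIC),
	CRASHTYPE(PANIC_STOP_IRQOFF),
	CRASHTYPE(PANIC_IN_HARDIRQ),
	CRASHTYPE(BUG),
	CRASHTYPE(BUG_IN_HARDIRQ),
	CRASHTYPE(WARNING),
	CRASHTYPE(WARNING_MESSAGE),
	CRASHTYPE(EXCEPTION),
	CRASHTYPE(LOOP),
	CRASHTYPE(EXHAUST_STACK),
	CRASHTYPE(CORRUPT_STACK),
	CRASHTYPE(CORRUPT_STACK_STRONG),
	CRASHTYPE(REPORT_STACK),
	CRASHTYPE(REPORT_STACK_CANARY),
	CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
	CRASHTYPE(SOFTLOCKUP),
	CRASHTYPE(HARDLOCKUP),
	CRASHTYPE(SMP_CALL_LOCKUP),
	CRASHTYPE(SPINLOCKUP),
	CRASHTYPE(HUNG_TASK),
	CRASHTYPE(OVERFLOW_SIGNED),
	CRASHTYPE(OVERFLOW_UNSIGNED),
	CRASHTYPE(ARRAY_BOUNDS),
	CRASHTYPE(FAM_BOUNDS),
	CRASHTYPE(PTR_BOUNDS),
	CRASHTYPE(CORRUPT_LIST_ADD),
	CRASHTYPE(CORRUPT_LIST_DEL),
	CRASHTYPE(STACK_GUARD_PAGE_LEADING),
	CRASHTYPE(STACK_GUARD_PAGE_TRAILING),
	CRASHTYPE(UNSET_SMEP),
	CRASHTYPE(DOUBLE_FAULT),
	CRASHTYPE(CORRUPT_PAC),
#ifdef CONFIG_EFI
	CRASHTYPE(EFI_RUNTIME_CRASH),
#endif
};

struct crashtype_category bugs_crashtypes = {
	.crashtypes = crashtypes,
	.len	    = ARRAY_SIZE(crashtypes),
};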