xref: /linux/tools/testing/selftests/arm64/gcs/libc-gcs.c (revision c771600c6af14749609b49565ffb4cac2959710d)

// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2023 ARM Limited.
 */

#define _GNU_SOURCE

#include <pthread.h>
#include <stdbool.h>

#include <sys/auxv.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/uio.h>

#include <asm/hwcap.h>
#include <asm/mman.h>

#include <linux/compiler.h>

#include "kselftest_harness.h"

#include "gcs-util.h"

#define my_syscall2(num, arg1, arg2)                                          \
({                                                                            \
	register long _num  __asm__ ("x8") = (num);                           \
	register long _arg1 __asm__ ("x0") = (long)(arg1);                    \
	register long _arg2 __asm__ ("x1") = (long)(arg2);                    \
	register long _arg3 __asm__ ("x2") = 0;                               \
	register long _arg4 __asm__ ("x3") = 0;                               \
	register long _arg5 __asm__ ("x4") = 0;                               \
	                                                                      \
	__asm__  volatile (                                                   \
		"svc #0\n"                                                    \
		: "=r"(_arg1)                                                 \
		: "r"(_arg1), "r"(_arg2),                                     \
		  "r"(_arg3), "r"(_arg4),                                     \
		  "r"(_arg5), "r"(_num)					      \
		: "memory", "cc"                                              \
	);                                                                    \
	_arg1;                                                                \
})

static noinline void gcs_recurse(int depth)
{
	if (depth)
		gcs_recurse(depth - 1);

	/* Prevent tail call optimization so we actually recurse */
	asm volatile("dsb sy" : : : "memory");
}

/* Smoke test that a function call and return works*/
TEST(can_call_function)
{
	gcs_recurse(0);
}

static void *gcs_test_thread(void *arg)
{
	int ret;
	unsigned long mode;

	/*
	 * Some libcs don't seem to fill unused arguments with 0 but
	 * the kernel validates this so we supply all 5 arguments.
	 */
	ret = prctl(PR_GET_SHADOW_STACK_STATUS, &mode, 0, 0, 0);
	if (ret != 0) {
		ksft_print_msg("PR_GET_SHADOW_STACK_STATUS failed: %d\n", ret);
		return NULL;
	}

	if (!(mode & PR_SHADOW_STACK_ENABLE)) {
		ksft_print_msg("GCS not enabled in thread, mode is %lu\n",
			       mode);
		return NULL;
	}

	/* Just in case... */
	gcs_recurse(0);

	/* Use a non-NULL value to indicate a pass */
	return &gcs_test_thread;
}

/* Verify that if we start a new thread it has GCS enabled */
TEST(gcs_enabled_thread)
{
	pthread_t thread;
	void *thread_ret;
	int ret;

	ret = pthread_create(&thread, NULL, gcs_test_thread, NULL);
	ASSERT_TRUE(ret == 0);
	if (ret != 0)
		return;

	ret = pthread_join(thread, &thread_ret);
	ASSERT_TRUE(ret == 0);
	if (ret != 0)
		return;

	ASSERT_TRUE(thread_ret != NULL);
}

/* Read the GCS until we find the terminator */
TEST(gcs_find_terminator)
{
	unsigned long *gcs, *cur;

	gcs = get_gcspr();
	cur = gcs;
	while (*cur)
		cur++;

	ksft_print_msg("GCS in use from %p-%p\n", gcs, cur);

	/*
	 * We should have at least whatever called into this test so
	 * the two pointer should differ.
	 */
	ASSERT_TRUE(gcs != cur);
}

/*
 * We can access a GCS via ptrace
 *
 * This could usefully have a fixture but note that each test is
 * fork()ed into a new child whcih causes issues.  Might be better to
 * lift at least some of this out into a separate, non-harness, test
 * program.
 */
TEST(ptrace_read_write)
{
	pid_t child, pid;
	int ret, status;
	siginfo_t si;
	uint64_t val, rval, gcspr;
	struct user_gcs child_gcs;
	struct iovec iov, local_iov, remote_iov;

	child = fork();
	if (child == -1) {
		ksft_print_msg("fork() failed: %d (%s)\n",
			       errno, strerror(errno));
		ASSERT_NE(child, -1);
	}

	if (child == 0) {
		/*
		 * In child, make sure there's something on the stack and
		 * ask to be traced.
		 */
		gcs_recurse(0);
		if (ptrace(PTRACE_TRACEME, -1, NULL, NULL))
			ksft_exit_fail_msg("PTRACE_TRACEME %s",
					   strerror(errno));

		if (raise(SIGSTOP))
			ksft_exit_fail_msg("raise(SIGSTOP) %s",
					   strerror(errno));

		return;
	}

	ksft_print_msg("Child: %d\n", child);

	/* Attach to the child */
	while (1) {
		int sig;

		pid = wait(&status);
		if (pid == -1) {
			ksft_print_msg("wait() failed: %s",
				       strerror(errno));
			goto error;
		}

		/*
		 * This should never happen but it's hard to flag in
		 * the framework.
		 */
		if (pid != child)
			continue;

		if (WIFEXITED(status) || WIFSIGNALED(status))
			ksft_exit_fail_msg("Child died unexpectedly\n");

		if (!WIFSTOPPED(status))
			goto error;

		sig = WSTOPSIG(status);

		if (ptrace(PTRACE_GETSIGINFO, pid, NULL, &si)) {
			if (errno == ESRCH) {
				ASSERT_NE(errno, ESRCH);
				return;
			}

			if (errno == EINVAL) {
				sig = 0; /* bust group-stop */
				goto cont;
			}

			ksft_print_msg("PTRACE_GETSIGINFO: %s\n",
				       strerror(errno));
			goto error;
		}

		if (sig == SIGSTOP && si.si_code == SI_TKILL &&
		    si.si_pid == pid)
			break;

	cont:
		if (ptrace(PTRACE_CONT, pid, NULL, sig)) {
			if (errno == ESRCH) {
				ASSERT_NE(errno, ESRCH);
				return;
			}

			ksft_print_msg("PTRACE_CONT: %s\n", strerror(errno));
			goto error;
		}
	}

	/* Where is the child GCS? */
	iov.iov_base = &child_gcs;
	iov.iov_len = sizeof(child_gcs);
	ret = ptrace(PTRACE_GETREGSET, child, NT_ARM_GCS, &iov);
	if (ret != 0) {
		ksft_print_msg("Failed to read child GCS state: %s (%d)\n",
			       strerror(errno), errno);
		goto error;
	}

	/* We should have inherited GCS over fork(), confirm */
	if (!(child_gcs.features_enabled & PR_SHADOW_STACK_ENABLE)) {
		ASSERT_TRUE(child_gcs.features_enabled &
			    PR_SHADOW_STACK_ENABLE);
		goto error;
	}

	gcspr = child_gcs.gcspr_el0;
	ksft_print_msg("Child GCSPR 0x%lx, flags %llx, locked %llx\n",
		       gcspr, child_gcs.features_enabled,
		       child_gcs.features_locked);

	/* Ideally we'd cross check with the child memory map */

	errno = 0;
	val = ptrace(PTRACE_PEEKDATA, child, (void *)gcspr, NULL);
	ret = errno;
	if (ret != 0)
		ksft_print_msg("PTRACE_PEEKDATA failed: %s (%d)\n",
			       strerror(ret), ret);
	EXPECT_EQ(ret, 0);

	/* The child should be in a function, the GCSPR shouldn't be 0 */
	EXPECT_NE(val, 0);

	/* Same thing via process_vm_readv() */
	local_iov.iov_base = &rval;
	local_iov.iov_len = sizeof(rval);
	remote_iov.iov_base = (void *)gcspr;
	remote_iov.iov_len = sizeof(rval);
	ret = process_vm_readv(child, &local_iov, 1, &remote_iov, 1, 0);
	if (ret == -1)
		ksft_print_msg("process_vm_readv() failed: %s (%d)\n",
			       strerror(errno), errno);
	EXPECT_EQ(ret, sizeof(rval));
	EXPECT_EQ(val, rval);

	/* Write data via a peek */
	ret = ptrace(PTRACE_POKEDATA, child, (void *)gcspr, NULL);
	if (ret == -1)
		ksft_print_msg("PTRACE_POKEDATA failed: %s (%d)\n",
			       strerror(errno), errno);
	EXPECT_EQ(ret, 0);
	EXPECT_EQ(0, ptrace(PTRACE_PEEKDATA, child, (void *)gcspr, NULL));

	/* Restore what we had before */
	ret = ptrace(PTRACE_POKEDATA, child, (void *)gcspr, val);
	if (ret == -1)
		ksft_print_msg("PTRACE_POKEDATA failed: %s (%d)\n",
			       strerror(errno), errno);
	EXPECT_EQ(ret, 0);
	EXPECT_EQ(val, ptrace(PTRACE_PEEKDATA, child, (void *)gcspr, NULL));

	/* That's all, folks */
	kill(child, SIGKILL);
	return;

error:
	kill(child, SIGKILL);
	ASSERT_FALSE(true);
}

FIXTURE(map_gcs)
{
	unsigned long *stack;
};

FIXTURE_VARIANT(map_gcs)
{
	size_t stack_size;
	unsigned long flags;
};

FIXTURE_VARIANT_ADD(map_gcs, s2k_cap_marker)
{
	.stack_size = 2 * 1024,
	.flags = SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN,
};

FIXTURE_VARIANT_ADD(map_gcs, s2k_cap)
{
	.stack_size = 2 * 1024,
	.flags = SHADOW_STACK_SET_TOKEN,
};

FIXTURE_VARIANT_ADD(map_gcs, s2k_marker)
{
	.stack_size = 2 * 1024,
	.flags = SHADOW_STACK_SET_MARKER,
};

FIXTURE_VARIANT_ADD(map_gcs, s2k)
{
	.stack_size = 2 * 1024,
	.flags = 0,
};

FIXTURE_VARIANT_ADD(map_gcs, s4k_cap_marker)
{
	.stack_size = 4 * 1024,
	.flags = SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN,
};

FIXTURE_VARIANT_ADD(map_gcs, s4k_cap)
{
	.stack_size = 4 * 1024,
	.flags = SHADOW_STACK_SET_TOKEN,
};

FIXTURE_VARIANT_ADD(map_gcs, s3k_marker)
{
	.stack_size = 4 * 1024,
	.flags = SHADOW_STACK_SET_MARKER,
};

FIXTURE_VARIANT_ADD(map_gcs, s4k)
{
	.stack_size = 4 * 1024,
	.flags = 0,
};

FIXTURE_VARIANT_ADD(map_gcs, s16k_cap_marker)
{
	.stack_size = 16 * 1024,
	.flags = SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN,
};

FIXTURE_VARIANT_ADD(map_gcs, s16k_cap)
{
	.stack_size = 16 * 1024,
	.flags = SHADOW_STACK_SET_TOKEN,
};

FIXTURE_VARIANT_ADD(map_gcs, s16k_marker)
{
	.stack_size = 16 * 1024,
	.flags = SHADOW_STACK_SET_MARKER,
};

FIXTURE_VARIANT_ADD(map_gcs, s16k)
{
	.stack_size = 16 * 1024,
	.flags = 0,
};

FIXTURE_VARIANT_ADD(map_gcs, s64k_cap_marker)
{
	.stack_size = 64 * 1024,
	.flags = SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN,
};

FIXTURE_VARIANT_ADD(map_gcs, s64k_cap)
{
	.stack_size = 64 * 1024,
	.flags = SHADOW_STACK_SET_TOKEN,
};

FIXTURE_VARIANT_ADD(map_gcs, s64k_marker)
{
	.stack_size = 64 * 1024,
	.flags = SHADOW_STACK_SET_MARKER,
};

FIXTURE_VARIANT_ADD(map_gcs, s64k)
{
	.stack_size = 64 * 1024,
	.flags = 0,
};

FIXTURE_VARIANT_ADD(map_gcs, s128k_cap_marker)
{
	.stack_size = 128 * 1024,
	.flags = SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN,
};

FIXTURE_VARIANT_ADD(map_gcs, s128k_cap)
{
	.stack_size = 128 * 1024,
	.flags = SHADOW_STACK_SET_TOKEN,
};

FIXTURE_VARIANT_ADD(map_gcs, s128k_marker)
{
	.stack_size = 128 * 1024,
	.flags = SHADOW_STACK_SET_MARKER,
};

FIXTURE_VARIANT_ADD(map_gcs, s128k)
{
	.stack_size = 128 * 1024,
	.flags = 0,
};

FIXTURE_SETUP(map_gcs)
{
	self->stack = (void *)syscall(__NR_map_shadow_stack, 0,
				      variant->stack_size,
				      variant->flags);
	ASSERT_FALSE(self->stack == MAP_FAILED);
	ksft_print_msg("Allocated stack from %p-%p\n", self->stack,
		       self->stack + variant->stack_size);
}

FIXTURE_TEARDOWN(map_gcs)
{
	int ret;

	if (self->stack != MAP_FAILED) {
		ret = munmap(self->stack, variant->stack_size);
		ASSERT_EQ(ret, 0);
	}
}

/* The stack has a cap token */
TEST_F(map_gcs, stack_capped)
{
	unsigned long *stack = self->stack;
	size_t cap_index;

	cap_index = (variant->stack_size / sizeof(unsigned long));

	switch (variant->flags & (SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN)) {
	case SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN:
		cap_index -= 2;
		break;
	case SHADOW_STACK_SET_TOKEN:
		cap_index -= 1;
		break;
	case SHADOW_STACK_SET_MARKER:
	case 0:
		/* No cap, no test */
		return;
	}

	ASSERT_EQ(stack[cap_index], GCS_CAP(&stack[cap_index]));
}

/* The top of the stack is 0 */
TEST_F(map_gcs, stack_terminated)
{
	unsigned long *stack = self->stack;
	size_t term_index;

	if (!(variant->flags & SHADOW_STACK_SET_MARKER))
		return;

	term_index = (variant->stack_size / sizeof(unsigned long)) - 1;

	ASSERT_EQ(stack[term_index], 0);
}

/* Writes should fault */
TEST_F_SIGNAL(map_gcs, not_writeable, SIGSEGV)
{
	self->stack[0] = 0;
}

/* Put it all together, we can safely switch to and from the stack */
TEST_F(map_gcs, stack_switch)
{
	size_t cap_index;
	cap_index = (variant->stack_size / sizeof(unsigned long));
	unsigned long *orig_gcspr_el0, *pivot_gcspr_el0;

	/* Skip over the stack terminator and point at the cap */
	switch (variant->flags & (SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN)) {
	case SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN:
		cap_index -= 2;
		break;
	case SHADOW_STACK_SET_TOKEN:
		cap_index -= 1;
		break;
	case SHADOW_STACK_SET_MARKER:
	case 0:
		/* No cap, no test */
		return;
	}
	pivot_gcspr_el0 = &self->stack[cap_index];

	/* Pivot to the new GCS */
	ksft_print_msg("Pivoting to %p from %p, target has value 0x%lx\n",
		       pivot_gcspr_el0, get_gcspr(),
		       *pivot_gcspr_el0);
	gcsss1(pivot_gcspr_el0);
	orig_gcspr_el0 = gcsss2();
	ksft_print_msg("Pivoted to %p from %p, target has value 0x%lx\n",
		       get_gcspr(), orig_gcspr_el0,
		       *pivot_gcspr_el0);

	ksft_print_msg("Pivoted, GCSPR_EL0 now %p\n", get_gcspr());

	/* New GCS must be in the new buffer */
	ASSERT_TRUE((unsigned long)get_gcspr() > (unsigned long)self->stack);
	ASSERT_TRUE((unsigned long)get_gcspr() <=
		    (unsigned long)self->stack + variant->stack_size);

	/* We should be able to use all but 2 slots of the new stack */
	ksft_print_msg("Recursing %zu levels\n", cap_index - 1);
	gcs_recurse(cap_index - 1);

	/* Pivot back to the original GCS */
	gcsss1(orig_gcspr_el0);
	pivot_gcspr_el0 = gcsss2();

	gcs_recurse(0);
	ksft_print_msg("Pivoted back to GCSPR_EL0 0x%p\n", get_gcspr());
}

/* We fault if we try to go beyond the end of the stack */
TEST_F_SIGNAL(map_gcs, stack_overflow, SIGSEGV)
{
	size_t cap_index;
	cap_index = (variant->stack_size / sizeof(unsigned long));
	unsigned long *orig_gcspr_el0, *pivot_gcspr_el0;

	/* Skip over the stack terminator and point at the cap */
	switch (variant->flags & (SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN)) {
	case SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN:
		cap_index -= 2;
		break;
	case SHADOW_STACK_SET_TOKEN:
		cap_index -= 1;
		break;
	case SHADOW_STACK_SET_MARKER:
	case 0:
		/* No cap, no test but we need to SEGV to avoid a false fail */
		orig_gcspr_el0 = get_gcspr();
		*orig_gcspr_el0 = 0;
		return;
	}
	pivot_gcspr_el0 = &self->stack[cap_index];

	/* Pivot to the new GCS */
	ksft_print_msg("Pivoting to %p from %p, target has value 0x%lx\n",
		       pivot_gcspr_el0, get_gcspr(),
		       *pivot_gcspr_el0);
	gcsss1(pivot_gcspr_el0);
	orig_gcspr_el0 = gcsss2();
	ksft_print_msg("Pivoted to %p from %p, target has value 0x%lx\n",
		       pivot_gcspr_el0, orig_gcspr_el0,
		       *pivot_gcspr_el0);

	ksft_print_msg("Pivoted, GCSPR_EL0 now %p\n", get_gcspr());

	/* New GCS must be in the new buffer */
	ASSERT_TRUE((unsigned long)get_gcspr() > (unsigned long)self->stack);
	ASSERT_TRUE((unsigned long)get_gcspr() <=
		    (unsigned long)self->stack + variant->stack_size);

	/* Now try to recurse, we should fault doing this. */
	ksft_print_msg("Recursing %zu levels...\n", cap_index + 1);
	gcs_recurse(cap_index + 1);
	ksft_print_msg("...done\n");

	/* Clean up properly to try to guard against spurious passes. */
	gcsss1(orig_gcspr_el0);
	pivot_gcspr_el0 = gcsss2();
	ksft_print_msg("Pivoted back to GCSPR_EL0 0x%p\n", get_gcspr());
}

FIXTURE(map_invalid_gcs)
{
};

FIXTURE_VARIANT(map_invalid_gcs)
{
	size_t stack_size;
};

FIXTURE_SETUP(map_invalid_gcs)
{
}

FIXTURE_TEARDOWN(map_invalid_gcs)
{
}

/* GCS must be larger than 16 bytes */
FIXTURE_VARIANT_ADD(map_invalid_gcs, too_small)
{
	.stack_size = 8,
};

/* GCS size must be 16 byte aligned */
FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_1)  { .stack_size = 1024 + 1  };
FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_2)  { .stack_size = 1024 + 2  };
FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_3)  { .stack_size = 1024 + 3  };
FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_4)  { .stack_size = 1024 + 4  };
FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_5)  { .stack_size = 1024 + 5  };
FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_6)  { .stack_size = 1024 + 6  };
FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_7)  { .stack_size = 1024 + 7  };

TEST_F(map_invalid_gcs, do_map)
{
	void *stack;

	stack = (void *)syscall(__NR_map_shadow_stack, 0,
				variant->stack_size, 0);
	ASSERT_TRUE(stack == MAP_FAILED);
	if (stack != MAP_FAILED)
		munmap(stack, variant->stack_size);
}

FIXTURE(invalid_mprotect)
{
	unsigned long *stack;
	size_t stack_size;
};

FIXTURE_VARIANT(invalid_mprotect)
{
	unsigned long flags;
};

FIXTURE_SETUP(invalid_mprotect)
{
	self->stack_size = sysconf(_SC_PAGE_SIZE);
	self->stack = (void *)syscall(__NR_map_shadow_stack, 0,
				      self->stack_size, 0);
	ASSERT_FALSE(self->stack == MAP_FAILED);
	ksft_print_msg("Allocated stack from %p-%p\n", self->stack,
		       self->stack + self->stack_size);
}

FIXTURE_TEARDOWN(invalid_mprotect)
{
	int ret;

	if (self->stack != MAP_FAILED) {
		ret = munmap(self->stack, self->stack_size);
		ASSERT_EQ(ret, 0);
	}
}

FIXTURE_VARIANT_ADD(invalid_mprotect, exec)
{
	.flags = PROT_EXEC,
};

TEST_F(invalid_mprotect, do_map)
{
	int ret;

	ret = mprotect(self->stack, self->stack_size, variant->flags);
	ASSERT_EQ(ret, -1);
}

TEST_F(invalid_mprotect, do_map_read)
{
	int ret;

	ret = mprotect(self->stack, self->stack_size,
		       variant->flags | PROT_READ);
	ASSERT_EQ(ret, -1);
}

int main(int argc, char **argv)
{
	unsigned long gcs_mode;
	int ret;

	if (!(getauxval(AT_HWCAP) & HWCAP_GCS))
		ksft_exit_skip("SKIP GCS not supported\n");

	/*
	 * Force shadow stacks on, our tests *should* be fine with or
	 * without libc support and with or without this having ended
	 * up tagged for GCS and enabled by the dynamic linker.  We
	 * can't use the libc prctl() function since we can't return
	 * from enabling the stack.
	 */
	ret = my_syscall2(__NR_prctl, PR_GET_SHADOW_STACK_STATUS, &gcs_mode);
	if (ret) {
		ksft_print_msg("Failed to read GCS state: %d\n", ret);
		return EXIT_FAILURE;
	}

	if (!(gcs_mode & PR_SHADOW_STACK_ENABLE)) {
		gcs_mode = PR_SHADOW_STACK_ENABLE;
		ret = my_syscall2(__NR_prctl, PR_SET_SHADOW_STACK_STATUS,
				  gcs_mode);
		if (ret) {
			ksft_print_msg("Failed to configure GCS: %d\n", ret);
			return EXIT_FAILURE;
		}
	}

	/* Avoid returning in case libc doesn't understand GCS */
	exit(test_harness_run(argc, argv));
}