1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Tests Memory Protection Keys (see Documentation/core-api/protection-keys.rst) 4 * 5 * The testcases in this file exercise various flows related to signal handling, 6 * using an alternate signal stack, with the default pkey (pkey 0) disabled. 7 * 8 * Compile with: 9 * gcc -mxsave -o pkey_sighandler_tests -O2 -g -std=gnu99 -pthread -Wall pkey_sighandler_tests.c -I../../../../tools/include -lrt -ldl -lm 10 * gcc -mxsave -m32 -o pkey_sighandler_tests -O2 -g -std=gnu99 -pthread -Wall pkey_sighandler_tests.c -I../../../../tools/include -lrt -ldl -lm 11 */ 12 #define _GNU_SOURCE 13 #define __SANE_USERSPACE_TYPES__ 14 #include <errno.h> 15 #include <sys/syscall.h> 16 #include <string.h> 17 #include <stdio.h> 18 #include <stdint.h> 19 #include <stdbool.h> 20 #include <signal.h> 21 #include <assert.h> 22 #include <stdlib.h> 23 #include <sys/mman.h> 24 #include <sys/types.h> 25 #include <sys/stat.h> 26 #include <unistd.h> 27 #include <pthread.h> 28 #include <limits.h> 29 30 #include "pkey-helpers.h" 31 32 #define STACK_SIZE PTHREAD_STACK_MIN 33 34 void expected_pkey_fault(int pkey) {} 35 36 pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; 37 pthread_cond_t cond = PTHREAD_COND_INITIALIZER; 38 siginfo_t siginfo = {0}; 39 40 /* 41 * We need to use inline assembly instead of glibc's syscall because glibc's 42 * syscall will attempt to access the PLT in order to call a library function 43 * which is protected by MPK 0 which we don't have access to. 44 */ 45 static inline __always_inline 46 long syscall_raw(long n, long a1, long a2, long a3, long a4, long a5, long a6) 47 { 48 unsigned long ret; 49 #ifdef __x86_64__ 50 register long r10 asm("r10") = a4; 51 register long r8 asm("r8") = a5; 52 register long r9 asm("r9") = a6; 53 asm volatile ("syscall" 54 : "=a"(ret) 55 : "a"(n), "D"(a1), "S"(a2), "d"(a3), "r"(r10), "r"(r8), "r"(r9) 56 : "rcx", "r11", "memory"); 57 #elif defined __i386__ 58 asm volatile ("int $0x80" 59 : "=a"(ret) 60 : "a"(n), "b"(a1), "c"(a2), "d"(a3), "S"(a4), "D"(a5) 61 : "memory"); 62 #else 63 # error syscall_raw() not implemented 64 #endif 65 return ret; 66 } 67 68 static void sigsegv_handler(int signo, siginfo_t *info, void *ucontext) 69 { 70 pthread_mutex_lock(&mutex); 71 72 memcpy(&siginfo, info, sizeof(siginfo_t)); 73 74 pthread_cond_signal(&cond); 75 pthread_mutex_unlock(&mutex); 76 77 syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); 78 } 79 80 static void sigusr1_handler(int signo, siginfo_t *info, void *ucontext) 81 { 82 pthread_mutex_lock(&mutex); 83 84 memcpy(&siginfo, info, sizeof(siginfo_t)); 85 86 pthread_cond_signal(&cond); 87 pthread_mutex_unlock(&mutex); 88 } 89 90 static void sigusr2_handler(int signo, siginfo_t *info, void *ucontext) 91 { 92 /* 93 * pkru should be the init_pkru value which enabled MPK 0 so 94 * we can use library functions. 95 */ 96 printf("%s invoked.\n", __func__); 97 } 98 99 static void raise_sigusr2(void) 100 { 101 pid_t tid = 0; 102 103 tid = syscall_raw(SYS_gettid, 0, 0, 0, 0, 0, 0); 104 105 syscall_raw(SYS_tkill, tid, SIGUSR2, 0, 0, 0, 0); 106 107 /* 108 * We should return from the signal handler here and be able to 109 * return to the interrupted thread. 110 */ 111 } 112 113 static void *thread_segv_with_pkey0_disabled(void *ptr) 114 { 115 /* Disable MPK 0 (and all others too) */ 116 __write_pkey_reg(0x55555555); 117 118 /* Segfault (with SEGV_MAPERR) */ 119 *(int *) (0x1) = 1; 120 return NULL; 121 } 122 123 static void *thread_segv_pkuerr_stack(void *ptr) 124 { 125 /* Disable MPK 0 (and all others too) */ 126 __write_pkey_reg(0x55555555); 127 128 /* After we disable MPK 0, we can't access the stack to return */ 129 return NULL; 130 } 131 132 static void *thread_segv_maperr_ptr(void *ptr) 133 { 134 stack_t *stack = ptr; 135 int *bad = (int *)1; 136 137 /* 138 * Setup alternate signal stack, which should be pkey_mprotect()ed by 139 * MPK 0. The thread's stack cannot be used for signals because it is 140 * not accessible by the default init_pkru value of 0x55555554. 141 */ 142 syscall_raw(SYS_sigaltstack, (long)stack, 0, 0, 0, 0, 0); 143 144 /* Disable MPK 0. Only MPK 1 is enabled. */ 145 __write_pkey_reg(0x55555551); 146 147 /* Segfault */ 148 *bad = 1; 149 syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); 150 return NULL; 151 } 152 153 /* 154 * Verify that the sigsegv handler is invoked when pkey 0 is disabled. 155 * Note that the new thread stack and the alternate signal stack is 156 * protected by MPK 0. 157 */ 158 static void test_sigsegv_handler_with_pkey0_disabled(void) 159 { 160 struct sigaction sa; 161 pthread_attr_t attr; 162 pthread_t thr; 163 164 sa.sa_flags = SA_SIGINFO; 165 166 sa.sa_sigaction = sigsegv_handler; 167 sigemptyset(&sa.sa_mask); 168 if (sigaction(SIGSEGV, &sa, NULL) == -1) { 169 perror("sigaction"); 170 exit(EXIT_FAILURE); 171 } 172 173 memset(&siginfo, 0, sizeof(siginfo)); 174 175 pthread_attr_init(&attr); 176 pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); 177 178 pthread_create(&thr, &attr, thread_segv_with_pkey0_disabled, NULL); 179 180 pthread_mutex_lock(&mutex); 181 while (siginfo.si_signo == 0) 182 pthread_cond_wait(&cond, &mutex); 183 pthread_mutex_unlock(&mutex); 184 185 ksft_test_result(siginfo.si_signo == SIGSEGV && 186 siginfo.si_code == SEGV_MAPERR && 187 siginfo.si_addr == (void *)1, 188 "%s\n", __func__); 189 } 190 191 /* 192 * Verify that the sigsegv handler is invoked when pkey 0 is disabled. 193 * Note that the new thread stack and the alternate signal stack is 194 * protected by MPK 0, which renders them inaccessible when MPK 0 195 * is disabled. So just the return from the thread should cause a 196 * segfault with SEGV_PKUERR. 197 */ 198 static void test_sigsegv_handler_cannot_access_stack(void) 199 { 200 struct sigaction sa; 201 pthread_attr_t attr; 202 pthread_t thr; 203 204 sa.sa_flags = SA_SIGINFO; 205 206 sa.sa_sigaction = sigsegv_handler; 207 sigemptyset(&sa.sa_mask); 208 if (sigaction(SIGSEGV, &sa, NULL) == -1) { 209 perror("sigaction"); 210 exit(EXIT_FAILURE); 211 } 212 213 memset(&siginfo, 0, sizeof(siginfo)); 214 215 pthread_attr_init(&attr); 216 pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); 217 218 pthread_create(&thr, &attr, thread_segv_pkuerr_stack, NULL); 219 220 pthread_mutex_lock(&mutex); 221 while (siginfo.si_signo == 0) 222 pthread_cond_wait(&cond, &mutex); 223 pthread_mutex_unlock(&mutex); 224 225 ksft_test_result(siginfo.si_signo == SIGSEGV && 226 siginfo.si_code == SEGV_PKUERR, 227 "%s\n", __func__); 228 } 229 230 /* 231 * Verify that the sigsegv handler that uses an alternate signal stack 232 * is correctly invoked for a thread which uses a non-zero MPK to protect 233 * its own stack, and disables all other MPKs (including 0). 234 */ 235 static void test_sigsegv_handler_with_different_pkey_for_stack(void) 236 { 237 struct sigaction sa; 238 static stack_t sigstack; 239 void *stack; 240 int pkey; 241 int parent_pid = 0; 242 int child_pid = 0; 243 244 sa.sa_flags = SA_SIGINFO | SA_ONSTACK; 245 246 sa.sa_sigaction = sigsegv_handler; 247 248 sigemptyset(&sa.sa_mask); 249 if (sigaction(SIGSEGV, &sa, NULL) == -1) { 250 perror("sigaction"); 251 exit(EXIT_FAILURE); 252 } 253 254 stack = mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE, 255 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 256 257 assert(stack != MAP_FAILED); 258 259 /* Allow access to MPK 0 and MPK 1 */ 260 __write_pkey_reg(0x55555550); 261 262 /* Protect the new stack with MPK 1 */ 263 pkey = pkey_alloc(0, 0); 264 pkey_mprotect(stack, STACK_SIZE, PROT_READ | PROT_WRITE, pkey); 265 266 /* Set up alternate signal stack that will use the default MPK */ 267 sigstack.ss_sp = mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, 268 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 269 sigstack.ss_flags = 0; 270 sigstack.ss_size = STACK_SIZE; 271 272 memset(&siginfo, 0, sizeof(siginfo)); 273 274 /* Use clone to avoid newer glibcs using rseq on new threads */ 275 long ret = syscall_raw(SYS_clone, 276 CLONE_VM | CLONE_FS | CLONE_FILES | 277 CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM | 278 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID | 279 CLONE_DETACHED, 280 (long) ((char *)(stack) + STACK_SIZE), 281 (long) &parent_pid, 282 (long) &child_pid, 0, 0); 283 284 if (ret < 0) { 285 errno = -ret; 286 perror("clone"); 287 } else if (ret == 0) { 288 thread_segv_maperr_ptr(&sigstack); 289 syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); 290 } 291 292 pthread_mutex_lock(&mutex); 293 while (siginfo.si_signo == 0) 294 pthread_cond_wait(&cond, &mutex); 295 pthread_mutex_unlock(&mutex); 296 297 ksft_test_result(siginfo.si_signo == SIGSEGV && 298 siginfo.si_code == SEGV_MAPERR && 299 siginfo.si_addr == (void *)1, 300 "%s\n", __func__); 301 } 302 303 /* 304 * Verify that the PKRU value set by the application is correctly 305 * restored upon return from signal handling. 306 */ 307 static void test_pkru_preserved_after_sigusr1(void) 308 { 309 struct sigaction sa; 310 unsigned long pkru = 0x45454544; 311 312 sa.sa_flags = SA_SIGINFO; 313 314 sa.sa_sigaction = sigusr1_handler; 315 sigemptyset(&sa.sa_mask); 316 if (sigaction(SIGUSR1, &sa, NULL) == -1) { 317 perror("sigaction"); 318 exit(EXIT_FAILURE); 319 } 320 321 memset(&siginfo, 0, sizeof(siginfo)); 322 323 __write_pkey_reg(pkru); 324 325 raise(SIGUSR1); 326 327 pthread_mutex_lock(&mutex); 328 while (siginfo.si_signo == 0) 329 pthread_cond_wait(&cond, &mutex); 330 pthread_mutex_unlock(&mutex); 331 332 /* Ensure the pkru value is the same after returning from signal. */ 333 ksft_test_result(pkru == __read_pkey_reg() && 334 siginfo.si_signo == SIGUSR1, 335 "%s\n", __func__); 336 } 337 338 static noinline void *thread_sigusr2_self(void *ptr) 339 { 340 /* 341 * A const char array like "Resuming after SIGUSR2" won't be stored on 342 * the stack and the code could access it via an offset from the program 343 * counter. This makes sure it's on the function's stack frame. 344 */ 345 char str[] = {'R', 'e', 's', 'u', 'm', 'i', 'n', 'g', ' ', 346 'a', 'f', 't', 'e', 'r', ' ', 347 'S', 'I', 'G', 'U', 'S', 'R', '2', 348 '.', '.', '.', '\n', '\0'}; 349 stack_t *stack = ptr; 350 351 /* 352 * Setup alternate signal stack, which should be pkey_mprotect()ed by 353 * MPK 0. The thread's stack cannot be used for signals because it is 354 * not accessible by the default init_pkru value of 0x55555554. 355 */ 356 syscall(SYS_sigaltstack, (long)stack, 0, 0, 0, 0, 0); 357 358 /* Disable MPK 0. Only MPK 2 is enabled. */ 359 __write_pkey_reg(0x55555545); 360 361 raise_sigusr2(); 362 363 /* Do something, to show the thread resumed execution after the signal */ 364 syscall_raw(SYS_write, 1, (long) str, sizeof(str) - 1, 0, 0, 0); 365 366 /* 367 * We can't return to test_pkru_sigreturn because it 368 * will attempt to use a %rbp value which is on the stack 369 * of the main thread. 370 */ 371 syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); 372 return NULL; 373 } 374 375 /* 376 * Verify that sigreturn is able to restore altstack even if the thread had 377 * disabled pkey 0. 378 */ 379 static void test_pkru_sigreturn(void) 380 { 381 struct sigaction sa = {0}; 382 static stack_t sigstack; 383 void *stack; 384 int pkey; 385 int parent_pid = 0; 386 int child_pid = 0; 387 388 sa.sa_handler = SIG_DFL; 389 sa.sa_flags = 0; 390 sigemptyset(&sa.sa_mask); 391 392 /* 393 * For this testcase, we do not want to handle SIGSEGV. Reset handler 394 * to default so that the application can crash if it receives SIGSEGV. 395 */ 396 if (sigaction(SIGSEGV, &sa, NULL) == -1) { 397 perror("sigaction"); 398 exit(EXIT_FAILURE); 399 } 400 401 sa.sa_flags = SA_SIGINFO | SA_ONSTACK; 402 sa.sa_sigaction = sigusr2_handler; 403 sigemptyset(&sa.sa_mask); 404 405 if (sigaction(SIGUSR2, &sa, NULL) == -1) { 406 perror("sigaction"); 407 exit(EXIT_FAILURE); 408 } 409 410 stack = mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE, 411 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 412 413 assert(stack != MAP_FAILED); 414 415 /* 416 * Allow access to MPK 0 and MPK 2. The child thread (to be created 417 * later in this flow) will have its stack protected by MPK 2, whereas 418 * the current thread's stack is protected by the default MPK 0. Hence 419 * both need to be enabled. 420 */ 421 __write_pkey_reg(0x55555544); 422 423 /* Protect the stack with MPK 2 */ 424 pkey = pkey_alloc(0, 0); 425 pkey_mprotect(stack, STACK_SIZE, PROT_READ | PROT_WRITE, pkey); 426 427 /* Set up alternate signal stack that will use the default MPK */ 428 sigstack.ss_sp = mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, 429 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 430 sigstack.ss_flags = 0; 431 sigstack.ss_size = STACK_SIZE; 432 433 /* Use clone to avoid newer glibcs using rseq on new threads */ 434 long ret = syscall_raw(SYS_clone, 435 CLONE_VM | CLONE_FS | CLONE_FILES | 436 CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM | 437 CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID | 438 CLONE_DETACHED, 439 (long) ((char *)(stack) + STACK_SIZE), 440 (long) &parent_pid, 441 (long) &child_pid, 0, 0); 442 443 if (ret < 0) { 444 errno = -ret; 445 perror("clone"); 446 } else if (ret == 0) { 447 thread_sigusr2_self(&sigstack); 448 syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); 449 } 450 451 child_pid = ret; 452 /* Check that thread exited */ 453 do { 454 sched_yield(); 455 ret = syscall_raw(SYS_tkill, child_pid, 0, 0, 0, 0, 0); 456 } while (ret != -ESRCH && ret != -EINVAL); 457 458 ksft_test_result_pass("%s\n", __func__); 459 } 460 461 static void (*pkey_tests[])(void) = { 462 test_sigsegv_handler_with_pkey0_disabled, 463 test_sigsegv_handler_cannot_access_stack, 464 test_sigsegv_handler_with_different_pkey_for_stack, 465 test_pkru_preserved_after_sigusr1, 466 test_pkru_sigreturn 467 }; 468 469 int main(int argc, char *argv[]) 470 { 471 int i; 472 473 ksft_print_header(); 474 ksft_set_plan(ARRAY_SIZE(pkey_tests)); 475 476 for (i = 0; i < ARRAY_SIZE(pkey_tests); i++) 477 (*pkey_tests[i])(); 478 479 ksft_finished(); 480 return 0; 481 } 482