1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * mov_ss_trap.c: Exercise the bizarre side effects of a watchpoint on MOV SS 4 * 5 * This does MOV SS from a watchpointed address followed by various 6 * types of kernel entries. A MOV SS that hits a watchpoint will queue 7 * up a #DB trap but will not actually deliver that trap. The trap 8 * will be delivered after the next instruction instead. The CPU's logic 9 * seems to be: 10 * 11 * - Any fault: drop the pending #DB trap. 12 * - INT $N, INT3, INTO, SYSCALL, SYSENTER: enter the kernel and then 13 * deliver #DB. 14 * - ICEBP: enter the kernel but do not deliver the watchpoint trap 15 * - breakpoint: only one #DB is delivered (phew!) 16 * 17 * There are plenty of ways for a kernel to handle this incorrectly. This 18 * test tries to exercise all the cases. 19 * 20 * This should mostly cover CVE-2018-1087 and CVE-2018-8897. 21 */ 22 #define _GNU_SOURCE 23 24 #include <stdlib.h> 25 #include <sys/ptrace.h> 26 #include <sys/types.h> 27 #include <sys/wait.h> 28 #include <sys/user.h> 29 #include <sys/syscall.h> 30 #include <unistd.h> 31 #include <errno.h> 32 #include <stddef.h> 33 #include <stdio.h> 34 #include <err.h> 35 #include <string.h> 36 #include <setjmp.h> 37 #include <sys/prctl.h> 38 39 #define X86_EFLAGS_RF (1UL << 16) 40 41 #if __x86_64__ 42 # define REG_IP REG_RIP 43 #else 44 # define REG_IP REG_EIP 45 #endif 46 47 unsigned short ss; 48 extern unsigned char breakpoint_insn[]; 49 sigjmp_buf jmpbuf; 50 51 static void enable_watchpoint(void) 52 { 53 pid_t parent = getpid(); 54 int status; 55 56 pid_t child = fork(); 57 if (child < 0) 58 err(1, "fork"); 59 60 if (child) { 61 if (waitpid(child, &status, 0) != child) 62 err(1, "waitpid for child"); 63 } else { 64 unsigned long dr0, dr1, dr7; 65 66 dr0 = (unsigned long)&ss; 67 dr1 = (unsigned long)breakpoint_insn; 68 dr7 = ((1UL << 1) | /* G0 */ 69 (3UL << 16) | /* RW0 = read or write */ 70 (1UL << 18) | /* LEN0 = 2 bytes */ 71 (1UL << 3)); /* G1, RW1 = insn */ 72 73 if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) != 0) 74 err(1, "PTRACE_ATTACH"); 75 76 if (waitpid(parent, &status, 0) != parent) 77 err(1, "waitpid for child"); 78 79 if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[0]), dr0) != 0) 80 err(1, "PTRACE_POKEUSER DR0"); 81 82 if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[1]), dr1) != 0) 83 err(1, "PTRACE_POKEUSER DR1"); 84 85 if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[7]), dr7) != 0) 86 err(1, "PTRACE_POKEUSER DR7"); 87 88 printf("\tDR0 = %lx, DR1 = %lx, DR7 = %lx\n", dr0, dr1, dr7); 89 90 if (ptrace(PTRACE_DETACH, parent, NULL, NULL) != 0) 91 err(1, "PTRACE_DETACH"); 92 93 exit(0); 94 } 95 } 96 97 static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), 98 int flags) 99 { 100 struct sigaction sa; 101 memset(&sa, 0, sizeof(sa)); 102 sa.sa_sigaction = handler; 103 sa.sa_flags = SA_SIGINFO | flags; 104 sigemptyset(&sa.sa_mask); 105 if (sigaction(sig, &sa, 0)) 106 err(1, "sigaction"); 107 } 108 109 static char const * const signames[] = { 110 [SIGSEGV] = "SIGSEGV", 111 [SIGBUS] = "SIBGUS", 112 [SIGTRAP] = "SIGTRAP", 113 [SIGILL] = "SIGILL", 114 }; 115 116 static void sigtrap(int sig, siginfo_t *si, void *ctx_void) 117 { 118 ucontext_t *ctx = ctx_void; 119 120 printf("\tGot SIGTRAP with RIP=%lx, EFLAGS.RF=%d\n", 121 (unsigned long)ctx->uc_mcontext.gregs[REG_IP], 122 !!(ctx->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_RF)); 123 } 124 125 static void handle_and_return(int sig, siginfo_t *si, void *ctx_void) 126 { 127 ucontext_t *ctx = ctx_void; 128 129 printf("\tGot %s with RIP=%lx\n", signames[sig], 130 (unsigned long)ctx->uc_mcontext.gregs[REG_IP]); 131 } 132 133 static void handle_and_longjmp(int sig, siginfo_t *si, void *ctx_void) 134 { 135 ucontext_t *ctx = ctx_void; 136 137 printf("\tGot %s with RIP=%lx\n", signames[sig], 138 (unsigned long)ctx->uc_mcontext.gregs[REG_IP]); 139 140 siglongjmp(jmpbuf, 1); 141 } 142 143 int main() 144 { 145 unsigned long nr; 146 147 asm volatile ("mov %%ss, %[ss]" : [ss] "=m" (ss)); 148 printf("\tSS = 0x%hx, &SS = 0x%p\n", ss, &ss); 149 150 if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) == 0) 151 printf("\tPR_SET_PTRACER_ANY succeeded\n"); 152 153 printf("\tSet up a watchpoint\n"); 154 sethandler(SIGTRAP, sigtrap, 0); 155 enable_watchpoint(); 156 157 printf("[RUN]\tRead from watched memory (should get SIGTRAP)\n"); 158 asm volatile ("mov %[ss], %[tmp]" : [tmp] "=r" (nr) : [ss] "m" (ss)); 159 160 printf("[RUN]\tMOV SS; INT3\n"); 161 asm volatile ("mov %[ss], %%ss; int3" :: [ss] "m" (ss)); 162 163 printf("[RUN]\tMOV SS; INT 3\n"); 164 asm volatile ("mov %[ss], %%ss; .byte 0xcd, 0x3" :: [ss] "m" (ss)); 165 166 printf("[RUN]\tMOV SS; CS CS INT3\n"); 167 asm volatile ("mov %[ss], %%ss; .byte 0x2e, 0x2e; int3" :: [ss] "m" (ss)); 168 169 printf("[RUN]\tMOV SS; CSx14 INT3\n"); 170 asm volatile ("mov %[ss], %%ss; .fill 14,1,0x2e; int3" :: [ss] "m" (ss)); 171 172 printf("[RUN]\tMOV SS; INT 4\n"); 173 sethandler(SIGSEGV, handle_and_return, SA_RESETHAND); 174 asm volatile ("mov %[ss], %%ss; int $4" :: [ss] "m" (ss)); 175 176 #ifdef __i386__ 177 printf("[RUN]\tMOV SS; INTO\n"); 178 sethandler(SIGSEGV, handle_and_return, SA_RESETHAND); 179 nr = -1; 180 asm volatile ("add $1, %[tmp]; mov %[ss], %%ss; into" 181 : [tmp] "+r" (nr) : [ss] "m" (ss)); 182 #endif 183 184 if (sigsetjmp(jmpbuf, 1) == 0) { 185 printf("[RUN]\tMOV SS; ICEBP\n"); 186 187 /* Some emulators (e.g. QEMU TCG) don't emulate ICEBP. */ 188 sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND); 189 190 asm volatile ("mov %[ss], %%ss; .byte 0xf1" :: [ss] "m" (ss)); 191 } 192 193 if (sigsetjmp(jmpbuf, 1) == 0) { 194 printf("[RUN]\tMOV SS; CLI\n"); 195 sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); 196 asm volatile ("mov %[ss], %%ss; cli" :: [ss] "m" (ss)); 197 } 198 199 if (sigsetjmp(jmpbuf, 1) == 0) { 200 printf("[RUN]\tMOV SS; #PF\n"); 201 sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); 202 asm volatile ("mov %[ss], %%ss; mov (-1), %[tmp]" 203 : [tmp] "=r" (nr) : [ss] "m" (ss)); 204 } 205 206 /* 207 * INT $1: if #DB has DPL=3 and there isn't special handling, 208 * then the kernel will die. 209 */ 210 if (sigsetjmp(jmpbuf, 1) == 0) { 211 printf("[RUN]\tMOV SS; INT 1\n"); 212 sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); 213 asm volatile ("mov %[ss], %%ss; int $1" :: [ss] "m" (ss)); 214 } 215 216 #ifdef __x86_64__ 217 /* 218 * In principle, we should test 32-bit SYSCALL as well, but 219 * the calling convention is so unpredictable that it's 220 * not obviously worth the effort. 221 */ 222 if (sigsetjmp(jmpbuf, 1) == 0) { 223 printf("[RUN]\tMOV SS; SYSCALL\n"); 224 sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND); 225 nr = SYS_getpid; 226 /* 227 * Toggle the high bit of RSP to make it noncanonical to 228 * strengthen this test on non-SMAP systems. 229 */ 230 asm volatile ("btc $63, %%rsp\n\t" 231 "mov %[ss], %%ss; syscall\n\t" 232 "btc $63, %%rsp" 233 : "+a" (nr) : [ss] "m" (ss) 234 : "rcx" 235 #ifdef __x86_64__ 236 , "r11" 237 #endif 238 ); 239 } 240 #endif 241 242 printf("[RUN]\tMOV SS; breakpointed NOP\n"); 243 asm volatile ("mov %[ss], %%ss; breakpoint_insn: nop" :: [ss] "m" (ss)); 244 245 /* 246 * Invoking SYSENTER directly breaks all the rules. Just handle 247 * the SIGSEGV. 248 */ 249 if (sigsetjmp(jmpbuf, 1) == 0) { 250 printf("[RUN]\tMOV SS; SYSENTER\n"); 251 stack_t stack = { 252 .ss_sp = malloc(sizeof(char) * SIGSTKSZ), 253 .ss_size = SIGSTKSZ, 254 }; 255 if (sigaltstack(&stack, NULL) != 0) 256 err(1, "sigaltstack"); 257 sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND | SA_ONSTACK); 258 nr = SYS_getpid; 259 free(stack.ss_sp); 260 /* Clear EBP first to make sure we segfault cleanly. */ 261 asm volatile ("xorl %%ebp, %%ebp; mov %[ss], %%ss; SYSENTER" : "+a" (nr) 262 : [ss] "m" (ss) : "flags", "rcx" 263 #ifdef __x86_64__ 264 , "r11" 265 #endif 266 ); 267 268 /* We're unreachable here. SYSENTER forgets RIP. */ 269 } 270 271 if (sigsetjmp(jmpbuf, 1) == 0) { 272 printf("[RUN]\tMOV SS; INT $0x80\n"); 273 sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); 274 nr = 20; /* compat getpid */ 275 asm volatile ("mov %[ss], %%ss; int $0x80" 276 : "+a" (nr) : [ss] "m" (ss) 277 : "flags" 278 #ifdef __x86_64__ 279 , "r8", "r9", "r10", "r11" 280 #endif 281 ); 282 } 283 284 printf("[OK]\tI aten't dead\n"); 285 return 0; 286 } 287