xref: /linux/tools/testing/selftests/x86/test_shadow_stack.c (revision 001821b0e79716c4e17c71d8e053a23599a7a508)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * This program test's basic kernel shadow stack support. It enables shadow
4  * stack manual via the arch_prctl(), instead of relying on glibc. It's
5  * Makefile doesn't compile with shadow stack support, so it doesn't rely on
6  * any particular glibc. As a result it can't do any operations that require
7  * special glibc shadow stack support (longjmp(), swapcontext(), etc). Just
8  * stick to the basics and hope the compiler doesn't do anything strange.
9  */
10 
11 #define _GNU_SOURCE
12 
13 #include <sys/syscall.h>
14 #include <asm/mman.h>
15 #include <sys/mman.h>
16 #include <sys/stat.h>
17 #include <sys/wait.h>
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <errno.h>
24 #include <stdbool.h>
25 #include <x86intrin.h>
26 #include <asm/prctl.h>
27 #include <sys/prctl.h>
28 #include <stdint.h>
29 #include <signal.h>
30 #include <pthread.h>
31 #include <sys/ioctl.h>
32 #include <linux/userfaultfd.h>
33 #include <setjmp.h>
34 #include <sys/ptrace.h>
35 #include <sys/signal.h>
36 #include <linux/elf.h>
37 
38 /*
39  * Define the ABI defines if needed, so people can run the tests
40  * without building the headers.
41  */
42 #ifndef __NR_map_shadow_stack
43 #define __NR_map_shadow_stack	453
44 
45 #define SHADOW_STACK_SET_TOKEN	(1ULL << 0)
46 
47 #define ARCH_SHSTK_ENABLE	0x5001
48 #define ARCH_SHSTK_DISABLE	0x5002
49 #define ARCH_SHSTK_LOCK		0x5003
50 #define ARCH_SHSTK_UNLOCK	0x5004
51 #define ARCH_SHSTK_STATUS	0x5005
52 
53 #define ARCH_SHSTK_SHSTK	(1ULL <<  0)
54 #define ARCH_SHSTK_WRSS		(1ULL <<  1)
55 
56 #define NT_X86_SHSTK	0x204
57 #endif
58 
59 #define SS_SIZE 0x200000
60 #define PAGE_SIZE 0x1000
61 
62 #if (__GNUC__ < 8) || (__GNUC__ == 8 && __GNUC_MINOR__ < 5)
63 int main(int argc, char *argv[])
64 {
65 	printf("[SKIP]\tCompiler does not support CET.\n");
66 	return 0;
67 }
68 #else
69 void write_shstk(unsigned long *addr, unsigned long val)
70 {
71 	asm volatile("wrssq %[val], (%[addr])\n"
72 		     : "=m" (addr)
73 		     : [addr] "r" (addr), [val] "r" (val));
74 }
75 
76 static inline unsigned long __attribute__((always_inline)) get_ssp(void)
77 {
78 	unsigned long ret = 0;
79 
80 	asm volatile("xor %0, %0; rdsspq %0" : "=r" (ret));
81 	return ret;
82 }
83 
84 /*
85  * For use in inline enablement of shadow stack.
86  *
87  * The program can't return from the point where shadow stack gets enabled
88  * because there will be no address on the shadow stack. So it can't use
89  * syscall() for enablement, since it is a function.
90  *
91  * Based on code from nolibc.h. Keep a copy here because this can't pull in all
92  * of nolibc.h.
93  */
94 #define ARCH_PRCTL(arg1, arg2)					\
95 ({								\
96 	long _ret;						\
97 	register long _num  asm("eax") = __NR_arch_prctl;	\
98 	register long _arg1 asm("rdi") = (long)(arg1);		\
99 	register long _arg2 asm("rsi") = (long)(arg2);		\
100 								\
101 	asm volatile (						\
102 		"syscall\n"					\
103 		: "=a"(_ret)					\
104 		: "r"(_arg1), "r"(_arg2),			\
105 		  "0"(_num)					\
106 		: "rcx", "r11", "memory", "cc"			\
107 	);							\
108 	_ret;							\
109 })
110 
111 void *create_shstk(void *addr)
112 {
113 	return (void *)syscall(__NR_map_shadow_stack, addr, SS_SIZE, SHADOW_STACK_SET_TOKEN);
114 }
115 
116 void *create_normal_mem(void *addr)
117 {
118 	return mmap(addr, SS_SIZE, PROT_READ | PROT_WRITE,
119 		    MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
120 }
121 
122 void free_shstk(void *shstk)
123 {
124 	munmap(shstk, SS_SIZE);
125 }
126 
127 int reset_shstk(void *shstk)
128 {
129 	return madvise(shstk, SS_SIZE, MADV_DONTNEED);
130 }
131 
132 void try_shstk(unsigned long new_ssp)
133 {
134 	unsigned long ssp;
135 
136 	printf("[INFO]\tnew_ssp = %lx, *new_ssp = %lx\n",
137 	       new_ssp, *((unsigned long *)new_ssp));
138 
139 	ssp = get_ssp();
140 	printf("[INFO]\tchanging ssp from %lx to %lx\n", ssp, new_ssp);
141 
142 	asm volatile("rstorssp (%0)\n":: "r" (new_ssp));
143 	asm volatile("saveprevssp");
144 	printf("[INFO]\tssp is now %lx\n", get_ssp());
145 
146 	/* Switch back to original shadow stack */
147 	ssp -= 8;
148 	asm volatile("rstorssp (%0)\n":: "r" (ssp));
149 	asm volatile("saveprevssp");
150 }
151 
152 int test_shstk_pivot(void)
153 {
154 	void *shstk = create_shstk(0);
155 
156 	if (shstk == MAP_FAILED) {
157 		printf("[FAIL]\tError creating shadow stack: %d\n", errno);
158 		return 1;
159 	}
160 	try_shstk((unsigned long)shstk + SS_SIZE - 8);
161 	free_shstk(shstk);
162 
163 	printf("[OK]\tShadow stack pivot\n");
164 	return 0;
165 }
166 
167 int test_shstk_faults(void)
168 {
169 	unsigned long *shstk = create_shstk(0);
170 
171 	/* Read shadow stack, test if it's zero to not get read optimized out */
172 	if (*shstk != 0)
173 		goto err;
174 
175 	/* Wrss memory that was already read. */
176 	write_shstk(shstk, 1);
177 	if (*shstk != 1)
178 		goto err;
179 
180 	/* Page out memory, so we can wrss it again. */
181 	if (reset_shstk((void *)shstk))
182 		goto err;
183 
184 	write_shstk(shstk, 1);
185 	if (*shstk != 1)
186 		goto err;
187 
188 	printf("[OK]\tShadow stack faults\n");
189 	return 0;
190 
191 err:
192 	return 1;
193 }
194 
195 unsigned long saved_ssp;
196 unsigned long saved_ssp_val;
197 volatile bool segv_triggered;
198 
199 void __attribute__((noinline)) violate_ss(void)
200 {
201 	saved_ssp = get_ssp();
202 	saved_ssp_val = *(unsigned long *)saved_ssp;
203 
204 	/* Corrupt shadow stack */
205 	printf("[INFO]\tCorrupting shadow stack\n");
206 	write_shstk((void *)saved_ssp, 0);
207 }
208 
209 void segv_handler(int signum, siginfo_t *si, void *uc)
210 {
211 	printf("[INFO]\tGenerated shadow stack violation successfully\n");
212 
213 	segv_triggered = true;
214 
215 	/* Fix shadow stack */
216 	write_shstk((void *)saved_ssp, saved_ssp_val);
217 }
218 
219 int test_shstk_violation(void)
220 {
221 	struct sigaction sa = {};
222 
223 	sa.sa_sigaction = segv_handler;
224 	sa.sa_flags = SA_SIGINFO;
225 	if (sigaction(SIGSEGV, &sa, NULL))
226 		return 1;
227 
228 	segv_triggered = false;
229 
230 	/* Make sure segv_triggered is set before violate_ss() */
231 	asm volatile("" : : : "memory");
232 
233 	violate_ss();
234 
235 	signal(SIGSEGV, SIG_DFL);
236 
237 	printf("[OK]\tShadow stack violation test\n");
238 
239 	return !segv_triggered;
240 }
241 
242 /* Gup test state */
243 #define MAGIC_VAL 0x12345678
244 bool is_shstk_access;
245 void *shstk_ptr;
246 int fd;
247 
248 void reset_test_shstk(void *addr)
249 {
250 	if (shstk_ptr)
251 		free_shstk(shstk_ptr);
252 	shstk_ptr = create_shstk(addr);
253 }
254 
255 void test_access_fix_handler(int signum, siginfo_t *si, void *uc)
256 {
257 	printf("[INFO]\tViolation from %s\n", is_shstk_access ? "shstk access" : "normal write");
258 
259 	segv_triggered = true;
260 
261 	/* Fix shadow stack */
262 	if (is_shstk_access) {
263 		reset_test_shstk(shstk_ptr);
264 		return;
265 	}
266 
267 	free_shstk(shstk_ptr);
268 	create_normal_mem(shstk_ptr);
269 }
270 
271 bool test_shstk_access(void *ptr)
272 {
273 	is_shstk_access = true;
274 	segv_triggered = false;
275 	write_shstk(ptr, MAGIC_VAL);
276 
277 	asm volatile("" : : : "memory");
278 
279 	return segv_triggered;
280 }
281 
282 bool test_write_access(void *ptr)
283 {
284 	is_shstk_access = false;
285 	segv_triggered = false;
286 	*(unsigned long *)ptr = MAGIC_VAL;
287 
288 	asm volatile("" : : : "memory");
289 
290 	return segv_triggered;
291 }
292 
293 bool gup_write(void *ptr)
294 {
295 	unsigned long val;
296 
297 	lseek(fd, (unsigned long)ptr, SEEK_SET);
298 	if (write(fd, &val, sizeof(val)) < 0)
299 		return 1;
300 
301 	return 0;
302 }
303 
304 bool gup_read(void *ptr)
305 {
306 	unsigned long val;
307 
308 	lseek(fd, (unsigned long)ptr, SEEK_SET);
309 	if (read(fd, &val, sizeof(val)) < 0)
310 		return 1;
311 
312 	return 0;
313 }
314 
315 int test_gup(void)
316 {
317 	struct sigaction sa = {};
318 	int status;
319 	pid_t pid;
320 
321 	sa.sa_sigaction = test_access_fix_handler;
322 	sa.sa_flags = SA_SIGINFO;
323 	if (sigaction(SIGSEGV, &sa, NULL))
324 		return 1;
325 
326 	segv_triggered = false;
327 
328 	fd = open("/proc/self/mem", O_RDWR);
329 	if (fd == -1)
330 		return 1;
331 
332 	reset_test_shstk(0);
333 	if (gup_read(shstk_ptr))
334 		return 1;
335 	if (test_shstk_access(shstk_ptr))
336 		return 1;
337 	printf("[INFO]\tGup read -> shstk access success\n");
338 
339 	reset_test_shstk(0);
340 	if (gup_write(shstk_ptr))
341 		return 1;
342 	if (test_shstk_access(shstk_ptr))
343 		return 1;
344 	printf("[INFO]\tGup write -> shstk access success\n");
345 
346 	reset_test_shstk(0);
347 	if (gup_read(shstk_ptr))
348 		return 1;
349 	if (!test_write_access(shstk_ptr))
350 		return 1;
351 	printf("[INFO]\tGup read -> write access success\n");
352 
353 	reset_test_shstk(0);
354 	if (gup_write(shstk_ptr))
355 		return 1;
356 	if (!test_write_access(shstk_ptr))
357 		return 1;
358 	printf("[INFO]\tGup write -> write access success\n");
359 
360 	close(fd);
361 
362 	/* COW/gup test */
363 	reset_test_shstk(0);
364 	pid = fork();
365 	if (!pid) {
366 		fd = open("/proc/self/mem", O_RDWR);
367 		if (fd == -1)
368 			exit(1);
369 
370 		if (gup_write(shstk_ptr)) {
371 			close(fd);
372 			exit(1);
373 		}
374 		close(fd);
375 		exit(0);
376 	}
377 	waitpid(pid, &status, 0);
378 	if (WEXITSTATUS(status)) {
379 		printf("[FAIL]\tWrite in child failed\n");
380 		return 1;
381 	}
382 	if (*(unsigned long *)shstk_ptr == MAGIC_VAL) {
383 		printf("[FAIL]\tWrite in child wrote through to shared memory\n");
384 		return 1;
385 	}
386 
387 	printf("[INFO]\tCow gup write -> write access success\n");
388 
389 	free_shstk(shstk_ptr);
390 
391 	signal(SIGSEGV, SIG_DFL);
392 
393 	printf("[OK]\tShadow gup test\n");
394 
395 	return 0;
396 }
397 
398 int test_mprotect(void)
399 {
400 	struct sigaction sa = {};
401 
402 	sa.sa_sigaction = test_access_fix_handler;
403 	sa.sa_flags = SA_SIGINFO;
404 	if (sigaction(SIGSEGV, &sa, NULL))
405 		return 1;
406 
407 	segv_triggered = false;
408 
409 	/* mprotect a shadow stack as read only */
410 	reset_test_shstk(0);
411 	if (mprotect(shstk_ptr, SS_SIZE, PROT_READ) < 0) {
412 		printf("[FAIL]\tmprotect(PROT_READ) failed\n");
413 		return 1;
414 	}
415 
416 	/* try to wrss it and fail */
417 	if (!test_shstk_access(shstk_ptr)) {
418 		printf("[FAIL]\tShadow stack access to read-only memory succeeded\n");
419 		return 1;
420 	}
421 
422 	/*
423 	 * The shadow stack was reset above to resolve the fault, make the new one
424 	 * read-only.
425 	 */
426 	if (mprotect(shstk_ptr, SS_SIZE, PROT_READ) < 0) {
427 		printf("[FAIL]\tmprotect(PROT_READ) failed\n");
428 		return 1;
429 	}
430 
431 	/* then back to writable */
432 	if (mprotect(shstk_ptr, SS_SIZE, PROT_WRITE | PROT_READ) < 0) {
433 		printf("[FAIL]\tmprotect(PROT_WRITE) failed\n");
434 		return 1;
435 	}
436 
437 	/* then wrss to it and succeed */
438 	if (test_shstk_access(shstk_ptr)) {
439 		printf("[FAIL]\tShadow stack access to mprotect() writable memory failed\n");
440 		return 1;
441 	}
442 
443 	free_shstk(shstk_ptr);
444 
445 	signal(SIGSEGV, SIG_DFL);
446 
447 	printf("[OK]\tmprotect() test\n");
448 
449 	return 0;
450 }
451 
452 char zero[4096];
453 
454 static void *uffd_thread(void *arg)
455 {
456 	struct uffdio_copy req;
457 	int uffd = *(int *)arg;
458 	struct uffd_msg msg;
459 	int ret;
460 
461 	while (1) {
462 		ret = read(uffd, &msg, sizeof(msg));
463 		if (ret > 0)
464 			break;
465 		else if (errno == EAGAIN)
466 			continue;
467 		return (void *)1;
468 	}
469 
470 	req.dst = msg.arg.pagefault.address;
471 	req.src = (__u64)zero;
472 	req.len = 4096;
473 	req.mode = 0;
474 
475 	if (ioctl(uffd, UFFDIO_COPY, &req))
476 		return (void *)1;
477 
478 	return (void *)0;
479 }
480 
481 int test_userfaultfd(void)
482 {
483 	struct uffdio_register uffdio_register;
484 	struct uffdio_api uffdio_api;
485 	struct sigaction sa = {};
486 	pthread_t thread;
487 	void *res;
488 	int uffd;
489 
490 	sa.sa_sigaction = test_access_fix_handler;
491 	sa.sa_flags = SA_SIGINFO;
492 	if (sigaction(SIGSEGV, &sa, NULL))
493 		return 1;
494 
495 	uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
496 	if (uffd < 0) {
497 		printf("[SKIP]\tUserfaultfd unavailable.\n");
498 		return 0;
499 	}
500 
501 	reset_test_shstk(0);
502 
503 	uffdio_api.api = UFFD_API;
504 	uffdio_api.features = 0;
505 	if (ioctl(uffd, UFFDIO_API, &uffdio_api))
506 		goto err;
507 
508 	uffdio_register.range.start = (__u64)shstk_ptr;
509 	uffdio_register.range.len = 4096;
510 	uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
511 	if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register))
512 		goto err;
513 
514 	if (pthread_create(&thread, NULL, &uffd_thread, &uffd))
515 		goto err;
516 
517 	reset_shstk(shstk_ptr);
518 	test_shstk_access(shstk_ptr);
519 
520 	if (pthread_join(thread, &res))
521 		goto err;
522 
523 	if (test_shstk_access(shstk_ptr))
524 		goto err;
525 
526 	free_shstk(shstk_ptr);
527 
528 	signal(SIGSEGV, SIG_DFL);
529 
530 	if (!res)
531 		printf("[OK]\tUserfaultfd test\n");
532 	return !!res;
533 err:
534 	free_shstk(shstk_ptr);
535 	close(uffd);
536 	signal(SIGSEGV, SIG_DFL);
537 	return 1;
538 }
539 
540 /* Simple linked list for keeping track of mappings in test_guard_gap() */
541 struct node {
542 	struct node *next;
543 	void *mapping;
544 };
545 
546 /*
547  * This tests whether mmap will place other mappings in a shadow stack's guard
548  * gap. The steps are:
549  *   1. Finds an empty place by mapping and unmapping something.
550  *   2. Map a shadow stack in the middle of the known empty area.
551  *   3. Map a bunch of PAGE_SIZE mappings. These will use the search down
552  *      direction, filling any gaps until it encounters the shadow stack's
553  *      guard gap.
554  *   4. When a mapping lands below the shadow stack from step 2, then all
555  *      of the above gaps are filled. The search down algorithm will have
556  *      looked at the shadow stack gaps.
557  *   5. See if it landed in the gap.
558  */
559 int test_guard_gap_other_gaps(void)
560 {
561 	void *free_area, *shstk, *test_map = (void *)0xFFFFFFFFFFFFFFFF;
562 	struct node *head = NULL, *cur;
563 
564 	free_area = mmap(0, SS_SIZE * 3, PROT_READ | PROT_WRITE,
565 			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
566 	munmap(free_area, SS_SIZE * 3);
567 
568 	shstk = create_shstk(free_area + SS_SIZE);
569 	if (shstk == MAP_FAILED)
570 		return 1;
571 
572 	while (test_map > shstk) {
573 		test_map = mmap(0, PAGE_SIZE, PROT_READ | PROT_WRITE,
574 				MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
575 		if (test_map == MAP_FAILED)
576 			return 1;
577 		cur = malloc(sizeof(*cur));
578 		cur->mapping = test_map;
579 
580 		cur->next = head;
581 		head = cur;
582 	}
583 
584 	while (head) {
585 		cur = head;
586 		head = cur->next;
587 		munmap(cur->mapping, PAGE_SIZE);
588 		free(cur);
589 	}
590 
591 	free_shstk(shstk);
592 
593 	if (shstk - test_map - PAGE_SIZE != PAGE_SIZE)
594 		return 1;
595 
596 	printf("[OK]\tGuard gap test, other mapping's gaps\n");
597 
598 	return 0;
599 }
600 
601 /* Tests respecting the guard gap of the mapping getting placed */
602 int test_guard_gap_new_mappings_gaps(void)
603 {
604 	void *free_area, *shstk_start, *test_map = (void *)0xFFFFFFFFFFFFFFFF;
605 	struct node *head = NULL, *cur;
606 	int ret = 0;
607 
608 	free_area = mmap(0, PAGE_SIZE * 4, PROT_READ | PROT_WRITE,
609 			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
610 	munmap(free_area, PAGE_SIZE * 4);
611 
612 	/* Test letting map_shadow_stack find a free space */
613 	shstk_start = mmap(free_area, PAGE_SIZE, PROT_READ | PROT_WRITE,
614 			   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
615 	if (shstk_start == MAP_FAILED || shstk_start != free_area)
616 		return 1;
617 
618 	while (test_map > shstk_start) {
619 		test_map = (void *)syscall(__NR_map_shadow_stack, 0, PAGE_SIZE, 0);
620 		if (test_map == MAP_FAILED) {
621 			printf("[INFO]\tmap_shadow_stack MAP_FAILED\n");
622 			ret = 1;
623 			break;
624 		}
625 
626 		cur = malloc(sizeof(*cur));
627 		cur->mapping = test_map;
628 
629 		cur->next = head;
630 		head = cur;
631 
632 		if (test_map == free_area + PAGE_SIZE) {
633 			printf("[INFO]\tNew mapping has other mapping in guard gap!\n");
634 			ret = 1;
635 			break;
636 		}
637 	}
638 
639 	while (head) {
640 		cur = head;
641 		head = cur->next;
642 		munmap(cur->mapping, PAGE_SIZE);
643 		free(cur);
644 	}
645 
646 	munmap(shstk_start, PAGE_SIZE);
647 
648 	if (!ret)
649 		printf("[OK]\tGuard gap test, placement mapping's gaps\n");
650 
651 	return ret;
652 }
653 
654 /*
655  * Too complicated to pull it out of the 32 bit header, but also get the
656  * 64 bit one needed above. Just define a copy here.
657  */
658 #define __NR_compat_sigaction 67
659 
660 /*
661  * Call 32 bit signal handler to get 32 bit signals ABI. Make sure
662  * to push the registers that will get clobbered.
663  */
664 int sigaction32(int signum, const struct sigaction *restrict act,
665 		struct sigaction *restrict oldact)
666 {
667 	register long syscall_reg asm("eax") = __NR_compat_sigaction;
668 	register long signum_reg asm("ebx") = signum;
669 	register long act_reg asm("ecx") = (long)act;
670 	register long oldact_reg asm("edx") = (long)oldact;
671 	int ret = 0;
672 
673 	asm volatile ("int $0x80;"
674 		      : "=a"(ret), "=m"(oldact)
675 		      : "r"(syscall_reg), "r"(signum_reg), "r"(act_reg),
676 			"r"(oldact_reg)
677 		      : "r8", "r9", "r10", "r11"
678 		     );
679 
680 	return ret;
681 }
682 
683 sigjmp_buf jmp_buffer;
684 
685 void segv_gp_handler(int signum, siginfo_t *si, void *uc)
686 {
687 	segv_triggered = true;
688 
689 	/*
690 	 * To work with old glibc, this can't rely on siglongjmp working with
691 	 * shadow stack enabled, so disable shadow stack before siglongjmp().
692 	 */
693 	ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK);
694 	siglongjmp(jmp_buffer, -1);
695 }
696 
697 /*
698  * Transition to 32 bit mode and check that a #GP triggers a segfault.
699  */
700 int test_32bit(void)
701 {
702 	struct sigaction sa = {};
703 	struct sigaction *sa32;
704 
705 	/* Create sigaction in 32 bit address range */
706 	sa32 = mmap(0, 4096, PROT_READ | PROT_WRITE,
707 		    MAP_32BIT | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
708 	sa32->sa_flags = SA_SIGINFO;
709 
710 	sa.sa_sigaction = segv_gp_handler;
711 	sa.sa_flags = SA_SIGINFO;
712 	if (sigaction(SIGSEGV, &sa, NULL))
713 		return 1;
714 
715 
716 	segv_triggered = false;
717 
718 	/* Make sure segv_triggered is set before triggering the #GP */
719 	asm volatile("" : : : "memory");
720 
721 	/*
722 	 * Set handler to somewhere in 32 bit address space
723 	 */
724 	sa32->sa_handler = (void *)sa32;
725 	if (sigaction32(SIGUSR1, sa32, NULL))
726 		return 1;
727 
728 	if (!sigsetjmp(jmp_buffer, 1))
729 		raise(SIGUSR1);
730 
731 	if (segv_triggered)
732 		printf("[OK]\t32 bit test\n");
733 
734 	return !segv_triggered;
735 }
736 
737 void segv_handler_ptrace(int signum, siginfo_t *si, void *uc)
738 {
739 	/* The SSP adjustment caused a segfault. */
740 	exit(0);
741 }
742 
743 int test_ptrace(void)
744 {
745 	unsigned long saved_ssp, ssp = 0;
746 	struct sigaction sa= {};
747 	struct iovec iov;
748 	int status;
749 	int pid;
750 
751 	iov.iov_base = &ssp;
752 	iov.iov_len = sizeof(ssp);
753 
754 	pid = fork();
755 	if (!pid) {
756 		ssp = get_ssp();
757 
758 		sa.sa_sigaction = segv_handler_ptrace;
759 		sa.sa_flags = SA_SIGINFO;
760 		if (sigaction(SIGSEGV, &sa, NULL))
761 			return 1;
762 
763 		ptrace(PTRACE_TRACEME, NULL, NULL, NULL);
764 		/*
765 		 * The parent will tweak the SSP and return from this function
766 		 * will #CP.
767 		 */
768 		raise(SIGTRAP);
769 
770 		exit(1);
771 	}
772 
773 	while (waitpid(pid, &status, 0) != -1 && WSTOPSIG(status) != SIGTRAP);
774 
775 	if (ptrace(PTRACE_GETREGSET, pid, NT_X86_SHSTK, &iov)) {
776 		printf("[INFO]\tFailed to PTRACE_GETREGS\n");
777 		goto out_kill;
778 	}
779 
780 	if (!ssp) {
781 		printf("[INFO]\tPtrace child SSP was 0\n");
782 		goto out_kill;
783 	}
784 
785 	saved_ssp = ssp;
786 
787 	iov.iov_len = 0;
788 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
789 		printf("[INFO]\tToo small size accepted via PTRACE_SETREGS\n");
790 		goto out_kill;
791 	}
792 
793 	iov.iov_len = sizeof(ssp) + 1;
794 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
795 		printf("[INFO]\tToo large size accepted via PTRACE_SETREGS\n");
796 		goto out_kill;
797 	}
798 
799 	ssp += 1;
800 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
801 		printf("[INFO]\tUnaligned SSP written via PTRACE_SETREGS\n");
802 		goto out_kill;
803 	}
804 
805 	ssp = 0xFFFFFFFFFFFF0000;
806 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
807 		printf("[INFO]\tKernel range SSP written via PTRACE_SETREGS\n");
808 		goto out_kill;
809 	}
810 
811 	/*
812 	 * Tweak the SSP so the child with #CP when it resumes and returns
813 	 * from raise()
814 	 */
815 	ssp = saved_ssp + 8;
816 	iov.iov_len = sizeof(ssp);
817 	if (ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
818 		printf("[INFO]\tFailed to PTRACE_SETREGS\n");
819 		goto out_kill;
820 	}
821 
822 	if (ptrace(PTRACE_DETACH, pid, NULL, NULL)) {
823 		printf("[INFO]\tFailed to PTRACE_DETACH\n");
824 		goto out_kill;
825 	}
826 
827 	waitpid(pid, &status, 0);
828 	if (WEXITSTATUS(status))
829 		return 1;
830 
831 	printf("[OK]\tPtrace test\n");
832 	return 0;
833 
834 out_kill:
835 	kill(pid, SIGKILL);
836 	return 1;
837 }
838 
839 int main(int argc, char *argv[])
840 {
841 	int ret = 0;
842 
843 	if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK)) {
844 		printf("[SKIP]\tCould not enable Shadow stack\n");
845 		return 1;
846 	}
847 
848 	if (ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK)) {
849 		ret = 1;
850 		printf("[FAIL]\tDisabling shadow stack failed\n");
851 	}
852 
853 	if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK)) {
854 		printf("[SKIP]\tCould not re-enable Shadow stack\n");
855 		return 1;
856 	}
857 
858 	if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_WRSS)) {
859 		printf("[SKIP]\tCould not enable WRSS\n");
860 		ret = 1;
861 		goto out;
862 	}
863 
864 	/* Should have succeeded if here, but this is a test, so double check. */
865 	if (!get_ssp()) {
866 		printf("[FAIL]\tShadow stack disabled\n");
867 		return 1;
868 	}
869 
870 	if (test_shstk_pivot()) {
871 		ret = 1;
872 		printf("[FAIL]\tShadow stack pivot\n");
873 		goto out;
874 	}
875 
876 	if (test_shstk_faults()) {
877 		ret = 1;
878 		printf("[FAIL]\tShadow stack fault test\n");
879 		goto out;
880 	}
881 
882 	if (test_shstk_violation()) {
883 		ret = 1;
884 		printf("[FAIL]\tShadow stack violation test\n");
885 		goto out;
886 	}
887 
888 	if (test_gup()) {
889 		ret = 1;
890 		printf("[FAIL]\tShadow shadow stack gup\n");
891 		goto out;
892 	}
893 
894 	if (test_mprotect()) {
895 		ret = 1;
896 		printf("[FAIL]\tShadow shadow mprotect test\n");
897 		goto out;
898 	}
899 
900 	if (test_userfaultfd()) {
901 		ret = 1;
902 		printf("[FAIL]\tUserfaultfd test\n");
903 		goto out;
904 	}
905 
906 	if (test_guard_gap_other_gaps()) {
907 		ret = 1;
908 		printf("[FAIL]\tGuard gap test, other mappings' gaps\n");
909 		goto out;
910 	}
911 
912 	if (test_guard_gap_new_mappings_gaps()) {
913 		ret = 1;
914 		printf("[FAIL]\tGuard gap test, placement mapping's gaps\n");
915 		goto out;
916 	}
917 
918 	if (test_ptrace()) {
919 		ret = 1;
920 		printf("[FAIL]\tptrace test\n");
921 	}
922 
923 	if (test_32bit()) {
924 		ret = 1;
925 		printf("[FAIL]\t32 bit test\n");
926 		goto out;
927 	}
928 
929 	return ret;
930 
931 out:
932 	/*
933 	 * Disable shadow stack before the function returns, or there will be a
934 	 * shadow stack violation.
935 	 */
936 	if (ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK)) {
937 		ret = 1;
938 		printf("[FAIL]\tDisabling shadow stack failed\n");
939 	}
940 
941 	return ret;
942 }
943 #endif
944