1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * This program test's basic kernel shadow stack support. It enables shadow
4 * stack manual via the arch_prctl(), instead of relying on glibc. It's
5 * Makefile doesn't compile with shadow stack support, so it doesn't rely on
6 * any particular glibc. As a result it can't do any operations that require
7 * special glibc shadow stack support (longjmp(), swapcontext(), etc). Just
8 * stick to the basics and hope the compiler doesn't do anything strange.
9 */
10
11 #define _GNU_SOURCE
12
13 #include <sys/syscall.h>
14 #include <asm/mman.h>
15 #include <sys/mman.h>
16 #include <sys/stat.h>
17 #include <sys/wait.h>
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <errno.h>
24 #include <stdbool.h>
25 #include <x86intrin.h>
26 #include <asm/prctl.h>
27 #include <sys/prctl.h>
28 #include <stdint.h>
29 #include <signal.h>
30 #include <pthread.h>
31 #include <sys/ioctl.h>
32 #include <linux/userfaultfd.h>
33 #include <setjmp.h>
34 #include <sys/ptrace.h>
35 #include <sys/signal.h>
36 #include <linux/elf.h>
37 #include <linux/perf_event.h>
38
39 /*
40 * Define the ABI defines if needed, so people can run the tests
41 * without building the headers.
42 */
43 #ifndef __NR_map_shadow_stack
44 #define __NR_map_shadow_stack 453
45
46 #define SHADOW_STACK_SET_TOKEN (1ULL << 0)
47
48 #define ARCH_SHSTK_ENABLE 0x5001
49 #define ARCH_SHSTK_DISABLE 0x5002
50 #define ARCH_SHSTK_LOCK 0x5003
51 #define ARCH_SHSTK_UNLOCK 0x5004
52 #define ARCH_SHSTK_STATUS 0x5005
53
54 #define ARCH_SHSTK_SHSTK (1ULL << 0)
55 #define ARCH_SHSTK_WRSS (1ULL << 1)
56
57 #define NT_X86_SHSTK 0x204
58 #endif
59
60 #define SS_SIZE 0x200000
61 #define PAGE_SIZE 0x1000
62
63 #if (__GNUC__ < 8) || (__GNUC__ == 8 && __GNUC_MINOR__ < 5)
main(int argc,char * argv[])64 int main(int argc, char *argv[])
65 {
66 printf("[SKIP]\tCompiler does not support CET.\n");
67 return 0;
68 }
69 #else
write_shstk(unsigned long * addr,unsigned long val)70 void write_shstk(unsigned long *addr, unsigned long val)
71 {
72 asm volatile("wrssq %[val], (%[addr])\n"
73 : "=m" (addr)
74 : [addr] "r" (addr), [val] "r" (val));
75 }
76
get_ssp(void)77 static inline unsigned long __attribute__((always_inline)) get_ssp(void)
78 {
79 unsigned long ret = 0;
80
81 asm volatile("xor %0, %0; rdsspq %0" : "=r" (ret));
82 return ret;
83 }
84
85 /*
86 * For use in inline enablement of shadow stack.
87 *
88 * The program can't return from the point where shadow stack gets enabled
89 * because there will be no address on the shadow stack. So it can't use
90 * syscall() for enablement, since it is a function.
91 *
92 * Based on code from nolibc.h. Keep a copy here because this can't pull in all
93 * of nolibc.h.
94 */
95 #define ARCH_PRCTL(arg1, arg2) \
96 ({ \
97 long _ret; \
98 register long _num asm("eax") = __NR_arch_prctl; \
99 register long _arg1 asm("rdi") = (long)(arg1); \
100 register long _arg2 asm("rsi") = (long)(arg2); \
101 \
102 asm volatile ( \
103 "syscall\n" \
104 : "=a"(_ret) \
105 : "r"(_arg1), "r"(_arg2), \
106 "0"(_num) \
107 : "rcx", "r11", "memory", "cc" \
108 ); \
109 _ret; \
110 })
111
create_shstk(void * addr)112 void *create_shstk(void *addr)
113 {
114 return (void *)syscall(__NR_map_shadow_stack, addr, SS_SIZE, SHADOW_STACK_SET_TOKEN);
115 }
116
create_normal_mem(void * addr)117 void *create_normal_mem(void *addr)
118 {
119 return mmap(addr, SS_SIZE, PROT_READ | PROT_WRITE,
120 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
121 }
122
free_shstk(void * shstk)123 void free_shstk(void *shstk)
124 {
125 munmap(shstk, SS_SIZE);
126 }
127
reset_shstk(void * shstk)128 int reset_shstk(void *shstk)
129 {
130 return madvise(shstk, SS_SIZE, MADV_DONTNEED);
131 }
132
try_shstk(unsigned long new_ssp)133 void try_shstk(unsigned long new_ssp)
134 {
135 unsigned long ssp;
136
137 printf("[INFO]\tnew_ssp = %lx, *new_ssp = %lx\n",
138 new_ssp, *((unsigned long *)new_ssp));
139
140 ssp = get_ssp();
141 printf("[INFO]\tchanging ssp from %lx to %lx\n", ssp, new_ssp);
142
143 asm volatile("rstorssp (%0)\n":: "r" (new_ssp));
144 asm volatile("saveprevssp");
145 printf("[INFO]\tssp is now %lx\n", get_ssp());
146
147 /* Switch back to original shadow stack */
148 ssp -= 8;
149 asm volatile("rstorssp (%0)\n":: "r" (ssp));
150 asm volatile("saveprevssp");
151 }
152
test_shstk_pivot(void)153 int test_shstk_pivot(void)
154 {
155 void *shstk = create_shstk(0);
156
157 if (shstk == MAP_FAILED) {
158 printf("[FAIL]\tError creating shadow stack: %d\n", errno);
159 return 1;
160 }
161 try_shstk((unsigned long)shstk + SS_SIZE - 8);
162 free_shstk(shstk);
163
164 printf("[OK]\tShadow stack pivot\n");
165 return 0;
166 }
167
test_shstk_faults(void)168 int test_shstk_faults(void)
169 {
170 unsigned long *shstk = create_shstk(0);
171
172 /* Read shadow stack, test if it's zero to not get read optimized out */
173 if (*shstk != 0)
174 goto err;
175
176 /* Wrss memory that was already read. */
177 write_shstk(shstk, 1);
178 if (*shstk != 1)
179 goto err;
180
181 /* Page out memory, so we can wrss it again. */
182 if (reset_shstk((void *)shstk))
183 goto err;
184
185 write_shstk(shstk, 1);
186 if (*shstk != 1)
187 goto err;
188
189 printf("[OK]\tShadow stack faults\n");
190 return 0;
191
192 err:
193 return 1;
194 }
195
196 unsigned long saved_ssp;
197 unsigned long saved_ssp_val;
198 volatile bool segv_triggered;
199
violate_ss(void)200 void __attribute__((noinline)) violate_ss(void)
201 {
202 saved_ssp = get_ssp();
203 saved_ssp_val = *(unsigned long *)saved_ssp;
204
205 /* Corrupt shadow stack */
206 printf("[INFO]\tCorrupting shadow stack\n");
207 write_shstk((void *)saved_ssp, 0);
208 }
209
segv_handler(int signum,siginfo_t * si,void * uc)210 void segv_handler(int signum, siginfo_t *si, void *uc)
211 {
212 printf("[INFO]\tGenerated shadow stack violation successfully\n");
213
214 segv_triggered = true;
215
216 /* Fix shadow stack */
217 write_shstk((void *)saved_ssp, saved_ssp_val);
218 }
219
test_shstk_violation(void)220 int test_shstk_violation(void)
221 {
222 struct sigaction sa = {};
223
224 sa.sa_sigaction = segv_handler;
225 sa.sa_flags = SA_SIGINFO;
226 if (sigaction(SIGSEGV, &sa, NULL))
227 return 1;
228
229 segv_triggered = false;
230
231 /* Make sure segv_triggered is set before violate_ss() */
232 asm volatile("" : : : "memory");
233
234 violate_ss();
235
236 signal(SIGSEGV, SIG_DFL);
237
238 printf("[OK]\tShadow stack violation test\n");
239
240 return !segv_triggered;
241 }
242
243 /* Gup test state */
244 #define MAGIC_VAL 0x12345678
245 bool is_shstk_access;
246 void *shstk_ptr;
247 int fd;
248
reset_test_shstk(void * addr)249 void reset_test_shstk(void *addr)
250 {
251 if (shstk_ptr)
252 free_shstk(shstk_ptr);
253 shstk_ptr = create_shstk(addr);
254 }
255
test_access_fix_handler(int signum,siginfo_t * si,void * uc)256 void test_access_fix_handler(int signum, siginfo_t *si, void *uc)
257 {
258 printf("[INFO]\tViolation from %s\n", is_shstk_access ? "shstk access" : "normal write");
259
260 segv_triggered = true;
261
262 /* Fix shadow stack */
263 if (is_shstk_access) {
264 reset_test_shstk(shstk_ptr);
265 return;
266 }
267
268 free_shstk(shstk_ptr);
269 create_normal_mem(shstk_ptr);
270 }
271
test_shstk_access(void * ptr)272 bool test_shstk_access(void *ptr)
273 {
274 is_shstk_access = true;
275 segv_triggered = false;
276 write_shstk(ptr, MAGIC_VAL);
277
278 asm volatile("" : : : "memory");
279
280 return segv_triggered;
281 }
282
test_write_access(void * ptr)283 bool test_write_access(void *ptr)
284 {
285 is_shstk_access = false;
286 segv_triggered = false;
287 *(unsigned long *)ptr = MAGIC_VAL;
288
289 asm volatile("" : : : "memory");
290
291 return segv_triggered;
292 }
293
gup_write(void * ptr)294 bool gup_write(void *ptr)
295 {
296 unsigned long val;
297
298 lseek(fd, (unsigned long)ptr, SEEK_SET);
299 if (write(fd, &val, sizeof(val)) < 0)
300 return 1;
301
302 return 0;
303 }
304
gup_read(void * ptr)305 bool gup_read(void *ptr)
306 {
307 unsigned long val;
308
309 lseek(fd, (unsigned long)ptr, SEEK_SET);
310 if (read(fd, &val, sizeof(val)) < 0)
311 return 1;
312
313 return 0;
314 }
315
test_gup(void)316 int test_gup(void)
317 {
318 struct sigaction sa = {};
319 int status;
320 pid_t pid;
321
322 sa.sa_sigaction = test_access_fix_handler;
323 sa.sa_flags = SA_SIGINFO;
324 if (sigaction(SIGSEGV, &sa, NULL))
325 return 1;
326
327 segv_triggered = false;
328
329 fd = open("/proc/self/mem", O_RDWR);
330 if (fd == -1)
331 return 1;
332
333 reset_test_shstk(0);
334 if (gup_read(shstk_ptr))
335 return 1;
336 if (test_shstk_access(shstk_ptr))
337 return 1;
338 printf("[INFO]\tGup read -> shstk access success\n");
339
340 reset_test_shstk(0);
341 if (gup_write(shstk_ptr))
342 return 1;
343 if (test_shstk_access(shstk_ptr))
344 return 1;
345 printf("[INFO]\tGup write -> shstk access success\n");
346
347 reset_test_shstk(0);
348 if (gup_read(shstk_ptr))
349 return 1;
350 if (!test_write_access(shstk_ptr))
351 return 1;
352 printf("[INFO]\tGup read -> write access success\n");
353
354 reset_test_shstk(0);
355 if (gup_write(shstk_ptr))
356 return 1;
357 if (!test_write_access(shstk_ptr))
358 return 1;
359 printf("[INFO]\tGup write -> write access success\n");
360
361 close(fd);
362
363 /* COW/gup test */
364 reset_test_shstk(0);
365 pid = fork();
366 if (!pid) {
367 fd = open("/proc/self/mem", O_RDWR);
368 if (fd == -1)
369 exit(1);
370
371 if (gup_write(shstk_ptr)) {
372 close(fd);
373 exit(1);
374 }
375 close(fd);
376 exit(0);
377 }
378 waitpid(pid, &status, 0);
379 if (WEXITSTATUS(status)) {
380 printf("[FAIL]\tWrite in child failed\n");
381 return 1;
382 }
383 if (*(unsigned long *)shstk_ptr == MAGIC_VAL) {
384 printf("[FAIL]\tWrite in child wrote through to shared memory\n");
385 return 1;
386 }
387
388 printf("[INFO]\tCow gup write -> write access success\n");
389
390 free_shstk(shstk_ptr);
391
392 signal(SIGSEGV, SIG_DFL);
393
394 printf("[OK]\tShadow gup test\n");
395
396 return 0;
397 }
398
test_mprotect(void)399 int test_mprotect(void)
400 {
401 struct sigaction sa = {};
402
403 sa.sa_sigaction = test_access_fix_handler;
404 sa.sa_flags = SA_SIGINFO;
405 if (sigaction(SIGSEGV, &sa, NULL))
406 return 1;
407
408 segv_triggered = false;
409
410 /* mprotect a shadow stack as read only */
411 reset_test_shstk(0);
412 if (mprotect(shstk_ptr, SS_SIZE, PROT_READ) < 0) {
413 printf("[FAIL]\tmprotect(PROT_READ) failed\n");
414 return 1;
415 }
416
417 /* try to wrss it and fail */
418 if (!test_shstk_access(shstk_ptr)) {
419 printf("[FAIL]\tShadow stack access to read-only memory succeeded\n");
420 return 1;
421 }
422
423 /*
424 * The shadow stack was reset above to resolve the fault, make the new one
425 * read-only.
426 */
427 if (mprotect(shstk_ptr, SS_SIZE, PROT_READ) < 0) {
428 printf("[FAIL]\tmprotect(PROT_READ) failed\n");
429 return 1;
430 }
431
432 /* then back to writable */
433 if (mprotect(shstk_ptr, SS_SIZE, PROT_WRITE | PROT_READ) < 0) {
434 printf("[FAIL]\tmprotect(PROT_WRITE) failed\n");
435 return 1;
436 }
437
438 /* then wrss to it and succeed */
439 if (test_shstk_access(shstk_ptr)) {
440 printf("[FAIL]\tShadow stack access to mprotect() writable memory failed\n");
441 return 1;
442 }
443
444 free_shstk(shstk_ptr);
445
446 signal(SIGSEGV, SIG_DFL);
447
448 printf("[OK]\tmprotect() test\n");
449
450 return 0;
451 }
452
453 char zero[4096];
454
uffd_thread(void * arg)455 static void *uffd_thread(void *arg)
456 {
457 struct uffdio_copy req;
458 int uffd = *(int *)arg;
459 struct uffd_msg msg;
460 int ret;
461
462 while (1) {
463 ret = read(uffd, &msg, sizeof(msg));
464 if (ret > 0)
465 break;
466 else if (errno == EAGAIN)
467 continue;
468 return (void *)1;
469 }
470
471 req.dst = msg.arg.pagefault.address;
472 req.src = (__u64)zero;
473 req.len = 4096;
474 req.mode = 0;
475
476 if (ioctl(uffd, UFFDIO_COPY, &req))
477 return (void *)1;
478
479 return (void *)0;
480 }
481
test_userfaultfd(void)482 int test_userfaultfd(void)
483 {
484 struct uffdio_register uffdio_register;
485 struct uffdio_api uffdio_api;
486 struct sigaction sa = {};
487 pthread_t thread;
488 void *res;
489 int uffd;
490
491 sa.sa_sigaction = test_access_fix_handler;
492 sa.sa_flags = SA_SIGINFO;
493 if (sigaction(SIGSEGV, &sa, NULL))
494 return 1;
495
496 uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
497 if (uffd < 0) {
498 printf("[SKIP]\tUserfaultfd unavailable.\n");
499 return 0;
500 }
501
502 reset_test_shstk(0);
503
504 uffdio_api.api = UFFD_API;
505 uffdio_api.features = 0;
506 if (ioctl(uffd, UFFDIO_API, &uffdio_api))
507 goto err;
508
509 uffdio_register.range.start = (__u64)shstk_ptr;
510 uffdio_register.range.len = 4096;
511 uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
512 if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register))
513 goto err;
514
515 if (pthread_create(&thread, NULL, &uffd_thread, &uffd))
516 goto err;
517
518 reset_shstk(shstk_ptr);
519 test_shstk_access(shstk_ptr);
520
521 if (pthread_join(thread, &res))
522 goto err;
523
524 if (test_shstk_access(shstk_ptr))
525 goto err;
526
527 free_shstk(shstk_ptr);
528
529 signal(SIGSEGV, SIG_DFL);
530
531 if (!res)
532 printf("[OK]\tUserfaultfd test\n");
533 return !!res;
534 err:
535 free_shstk(shstk_ptr);
536 close(uffd);
537 signal(SIGSEGV, SIG_DFL);
538 return 1;
539 }
540
541 /* Simple linked list for keeping track of mappings in test_guard_gap() */
542 struct node {
543 struct node *next;
544 void *mapping;
545 };
546
547 /*
548 * This tests whether mmap will place other mappings in a shadow stack's guard
549 * gap. The steps are:
550 * 1. Finds an empty place by mapping and unmapping something.
551 * 2. Map a shadow stack in the middle of the known empty area.
552 * 3. Map a bunch of PAGE_SIZE mappings. These will use the search down
553 * direction, filling any gaps until it encounters the shadow stack's
554 * guard gap.
555 * 4. When a mapping lands below the shadow stack from step 2, then all
556 * of the above gaps are filled. The search down algorithm will have
557 * looked at the shadow stack gaps.
558 * 5. See if it landed in the gap.
559 */
test_guard_gap_other_gaps(void)560 int test_guard_gap_other_gaps(void)
561 {
562 void *free_area, *shstk, *test_map = (void *)0xFFFFFFFFFFFFFFFF;
563 struct node *head = NULL, *cur;
564
565 free_area = mmap(0, SS_SIZE * 3, PROT_READ | PROT_WRITE,
566 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
567 munmap(free_area, SS_SIZE * 3);
568
569 shstk = create_shstk(free_area + SS_SIZE);
570 if (shstk == MAP_FAILED)
571 return 1;
572
573 while (test_map > shstk) {
574 test_map = mmap(0, PAGE_SIZE, PROT_READ | PROT_WRITE,
575 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
576 if (test_map == MAP_FAILED)
577 return 1;
578 cur = malloc(sizeof(*cur));
579 cur->mapping = test_map;
580
581 cur->next = head;
582 head = cur;
583 }
584
585 while (head) {
586 cur = head;
587 head = cur->next;
588 munmap(cur->mapping, PAGE_SIZE);
589 free(cur);
590 }
591
592 free_shstk(shstk);
593
594 if (shstk - test_map - PAGE_SIZE != PAGE_SIZE)
595 return 1;
596
597 printf("[OK]\tGuard gap test, other mapping's gaps\n");
598
599 return 0;
600 }
601
602 /* Tests respecting the guard gap of the mapping getting placed */
test_guard_gap_new_mappings_gaps(void)603 int test_guard_gap_new_mappings_gaps(void)
604 {
605 void *free_area, *shstk_start, *test_map = (void *)0xFFFFFFFFFFFFFFFF;
606 struct node *head = NULL, *cur;
607 int ret = 0;
608
609 free_area = mmap(0, PAGE_SIZE * 4, PROT_READ | PROT_WRITE,
610 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
611 munmap(free_area, PAGE_SIZE * 4);
612
613 /* Test letting map_shadow_stack find a free space */
614 shstk_start = mmap(free_area, PAGE_SIZE, PROT_READ | PROT_WRITE,
615 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
616 if (shstk_start == MAP_FAILED || shstk_start != free_area)
617 return 1;
618
619 while (test_map > shstk_start) {
620 test_map = (void *)syscall(__NR_map_shadow_stack, 0, PAGE_SIZE, 0);
621 if (test_map == MAP_FAILED) {
622 printf("[INFO]\tmap_shadow_stack MAP_FAILED\n");
623 ret = 1;
624 break;
625 }
626
627 cur = malloc(sizeof(*cur));
628 cur->mapping = test_map;
629
630 cur->next = head;
631 head = cur;
632
633 if (test_map == free_area + PAGE_SIZE) {
634 printf("[INFO]\tNew mapping has other mapping in guard gap!\n");
635 ret = 1;
636 break;
637 }
638 }
639
640 while (head) {
641 cur = head;
642 head = cur->next;
643 munmap(cur->mapping, PAGE_SIZE);
644 free(cur);
645 }
646
647 munmap(shstk_start, PAGE_SIZE);
648
649 if (!ret)
650 printf("[OK]\tGuard gap test, placement mapping's gaps\n");
651
652 return ret;
653 }
654
655 /*
656 * Too complicated to pull it out of the 32 bit header, but also get the
657 * 64 bit one needed above. Just define a copy here.
658 */
659 #define __NR_compat_sigaction 67
660
661 /*
662 * Call 32 bit signal handler to get 32 bit signals ABI. Make sure
663 * to push the registers that will get clobbered.
664 */
sigaction32(int signum,const struct sigaction * restrict act,struct sigaction * restrict oldact)665 int sigaction32(int signum, const struct sigaction *restrict act,
666 struct sigaction *restrict oldact)
667 {
668 register long syscall_reg asm("eax") = __NR_compat_sigaction;
669 register long signum_reg asm("ebx") = signum;
670 register long act_reg asm("ecx") = (long)act;
671 register long oldact_reg asm("edx") = (long)oldact;
672 int ret = 0;
673
674 asm volatile ("int $0x80;"
675 : "=a"(ret), "=m"(oldact)
676 : "r"(syscall_reg), "r"(signum_reg), "r"(act_reg),
677 "r"(oldact_reg)
678 : "r8", "r9", "r10", "r11"
679 );
680
681 return ret;
682 }
683
684 sigjmp_buf jmp_buffer;
685
segv_gp_handler(int signum,siginfo_t * si,void * uc)686 void segv_gp_handler(int signum, siginfo_t *si, void *uc)
687 {
688 segv_triggered = true;
689
690 /*
691 * To work with old glibc, this can't rely on siglongjmp working with
692 * shadow stack enabled, so disable shadow stack before siglongjmp().
693 */
694 ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK);
695 siglongjmp(jmp_buffer, -1);
696 }
697
698 /*
699 * Transition to 32 bit mode and check that a #GP triggers a segfault.
700 */
test_32bit(void)701 int test_32bit(void)
702 {
703 struct sigaction sa = {};
704 struct sigaction *sa32;
705
706 /* Create sigaction in 32 bit address range */
707 sa32 = mmap(0, 4096, PROT_READ | PROT_WRITE,
708 MAP_32BIT | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
709 sa32->sa_flags = SA_SIGINFO;
710
711 sa.sa_sigaction = segv_gp_handler;
712 sa.sa_flags = SA_SIGINFO;
713 if (sigaction(SIGSEGV, &sa, NULL))
714 return 1;
715
716
717 segv_triggered = false;
718
719 /* Make sure segv_triggered is set before triggering the #GP */
720 asm volatile("" : : : "memory");
721
722 /*
723 * Set handler to somewhere in 32 bit address space
724 */
725 sa32->sa_handler = (void *)sa32;
726 if (sigaction32(SIGUSR1, sa32, NULL))
727 return 1;
728
729 if (!sigsetjmp(jmp_buffer, 1))
730 raise(SIGUSR1);
731
732 if (segv_triggered)
733 printf("[OK]\t32 bit test\n");
734
735 return !segv_triggered;
736 }
737
parse_uint_from_file(const char * file,const char * fmt)738 static int parse_uint_from_file(const char *file, const char *fmt)
739 {
740 int err, ret;
741 FILE *f;
742
743 f = fopen(file, "re");
744 if (!f) {
745 err = -errno;
746 printf("failed to open '%s': %d\n", file, err);
747 return err;
748 }
749 err = fscanf(f, fmt, &ret);
750 if (err != 1) {
751 err = err == EOF ? -EIO : -errno;
752 printf("failed to parse '%s': %d\n", file, err);
753 fclose(f);
754 return err;
755 }
756 fclose(f);
757 return ret;
758 }
759
determine_uprobe_perf_type(void)760 static int determine_uprobe_perf_type(void)
761 {
762 const char *file = "/sys/bus/event_source/devices/uprobe/type";
763
764 return parse_uint_from_file(file, "%d\n");
765 }
766
determine_uprobe_retprobe_bit(void)767 static int determine_uprobe_retprobe_bit(void)
768 {
769 const char *file = "/sys/bus/event_source/devices/uprobe/format/retprobe";
770
771 return parse_uint_from_file(file, "config:%d\n");
772 }
773
get_uprobe_offset(const void * addr)774 static ssize_t get_uprobe_offset(const void *addr)
775 {
776 size_t start, end, base;
777 char buf[256];
778 bool found = false;
779 FILE *f;
780
781 f = fopen("/proc/self/maps", "r");
782 if (!f)
783 return -errno;
784
785 while (fscanf(f, "%zx-%zx %s %zx %*[^\n]\n", &start, &end, buf, &base) == 4) {
786 if (buf[2] == 'x' && (uintptr_t)addr >= start && (uintptr_t)addr < end) {
787 found = true;
788 break;
789 }
790 }
791
792 fclose(f);
793
794 if (!found)
795 return -ESRCH;
796
797 return (uintptr_t)addr - start + base;
798 }
799
uretprobe_trigger(void)800 static __attribute__((noinline)) void uretprobe_trigger(void)
801 {
802 asm volatile ("");
803 }
804
805 /*
806 * This test setups return uprobe, which is sensitive to shadow stack
807 * (crashes without extra fix). After executing the uretprobe we fail
808 * the test if we receive SIGSEGV, no crash means we're good.
809 *
810 * Helper functions above borrowed from bpf selftests.
811 */
test_uretprobe(void)812 static int test_uretprobe(void)
813 {
814 const size_t attr_sz = sizeof(struct perf_event_attr);
815 const char *file = "/proc/self/exe";
816 int bit, fd = 0, type, err = 1;
817 struct perf_event_attr attr;
818 struct sigaction sa = {};
819 ssize_t offset;
820
821 type = determine_uprobe_perf_type();
822 if (type < 0) {
823 if (type == -ENOENT)
824 printf("[SKIP]\tUretprobe test, uprobes are not available\n");
825 return 0;
826 }
827
828 offset = get_uprobe_offset(uretprobe_trigger);
829 if (offset < 0)
830 return 1;
831
832 bit = determine_uprobe_retprobe_bit();
833 if (bit < 0)
834 return 1;
835
836 sa.sa_sigaction = segv_gp_handler;
837 sa.sa_flags = SA_SIGINFO;
838 if (sigaction(SIGSEGV, &sa, NULL))
839 return 1;
840
841 /* Setup return uprobe through perf event interface. */
842 memset(&attr, 0, attr_sz);
843 attr.size = attr_sz;
844 attr.type = type;
845 attr.config = 1 << bit;
846 attr.config1 = (__u64) (unsigned long) file;
847 attr.config2 = offset;
848
849 fd = syscall(__NR_perf_event_open, &attr, 0 /* pid */, -1 /* cpu */,
850 -1 /* group_fd */, PERF_FLAG_FD_CLOEXEC);
851 if (fd < 0)
852 goto out;
853
854 if (sigsetjmp(jmp_buffer, 1))
855 goto out;
856
857 ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK);
858
859 /*
860 * This either segfaults and goes through sigsetjmp above
861 * or succeeds and we're good.
862 */
863 uretprobe_trigger();
864
865 printf("[OK]\tUretprobe test\n");
866 err = 0;
867
868 out:
869 ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK);
870 signal(SIGSEGV, SIG_DFL);
871 if (fd)
872 close(fd);
873 return err;
874 }
875
segv_handler_ptrace(int signum,siginfo_t * si,void * uc)876 void segv_handler_ptrace(int signum, siginfo_t *si, void *uc)
877 {
878 /* The SSP adjustment caused a segfault. */
879 exit(0);
880 }
881
test_ptrace(void)882 int test_ptrace(void)
883 {
884 unsigned long saved_ssp, ssp = 0;
885 struct sigaction sa= {};
886 struct iovec iov;
887 int status;
888 int pid;
889
890 iov.iov_base = &ssp;
891 iov.iov_len = sizeof(ssp);
892
893 pid = fork();
894 if (!pid) {
895 ssp = get_ssp();
896
897 sa.sa_sigaction = segv_handler_ptrace;
898 sa.sa_flags = SA_SIGINFO;
899 if (sigaction(SIGSEGV, &sa, NULL))
900 return 1;
901
902 ptrace(PTRACE_TRACEME, NULL, NULL, NULL);
903 /*
904 * The parent will tweak the SSP and return from this function
905 * will #CP.
906 */
907 raise(SIGTRAP);
908
909 exit(1);
910 }
911
912 while (waitpid(pid, &status, 0) != -1 && WSTOPSIG(status) != SIGTRAP);
913
914 if (ptrace(PTRACE_GETREGSET, pid, NT_X86_SHSTK, &iov)) {
915 printf("[INFO]\tFailed to PTRACE_GETREGS\n");
916 goto out_kill;
917 }
918
919 if (!ssp) {
920 printf("[INFO]\tPtrace child SSP was 0\n");
921 goto out_kill;
922 }
923
924 saved_ssp = ssp;
925
926 iov.iov_len = 0;
927 if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
928 printf("[INFO]\tToo small size accepted via PTRACE_SETREGS\n");
929 goto out_kill;
930 }
931
932 iov.iov_len = sizeof(ssp) + 1;
933 if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
934 printf("[INFO]\tToo large size accepted via PTRACE_SETREGS\n");
935 goto out_kill;
936 }
937
938 ssp += 1;
939 if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
940 printf("[INFO]\tUnaligned SSP written via PTRACE_SETREGS\n");
941 goto out_kill;
942 }
943
944 ssp = 0xFFFFFFFFFFFF0000;
945 if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
946 printf("[INFO]\tKernel range SSP written via PTRACE_SETREGS\n");
947 goto out_kill;
948 }
949
950 /*
951 * Tweak the SSP so the child with #CP when it resumes and returns
952 * from raise()
953 */
954 ssp = saved_ssp + 8;
955 iov.iov_len = sizeof(ssp);
956 if (ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
957 printf("[INFO]\tFailed to PTRACE_SETREGS\n");
958 goto out_kill;
959 }
960
961 if (ptrace(PTRACE_DETACH, pid, NULL, NULL)) {
962 printf("[INFO]\tFailed to PTRACE_DETACH\n");
963 goto out_kill;
964 }
965
966 waitpid(pid, &status, 0);
967 if (WEXITSTATUS(status))
968 return 1;
969
970 printf("[OK]\tPtrace test\n");
971 return 0;
972
973 out_kill:
974 kill(pid, SIGKILL);
975 return 1;
976 }
977
main(int argc,char * argv[])978 int main(int argc, char *argv[])
979 {
980 int ret = 0;
981
982 if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK)) {
983 printf("[SKIP]\tCould not enable Shadow stack\n");
984 return 1;
985 }
986
987 if (ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK)) {
988 ret = 1;
989 printf("[FAIL]\tDisabling shadow stack failed\n");
990 }
991
992 if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK)) {
993 printf("[SKIP]\tCould not re-enable Shadow stack\n");
994 return 1;
995 }
996
997 if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_WRSS)) {
998 printf("[SKIP]\tCould not enable WRSS\n");
999 ret = 1;
1000 goto out;
1001 }
1002
1003 /* Should have succeeded if here, but this is a test, so double check. */
1004 if (!get_ssp()) {
1005 printf("[FAIL]\tShadow stack disabled\n");
1006 return 1;
1007 }
1008
1009 if (test_shstk_pivot()) {
1010 ret = 1;
1011 printf("[FAIL]\tShadow stack pivot\n");
1012 goto out;
1013 }
1014
1015 if (test_shstk_faults()) {
1016 ret = 1;
1017 printf("[FAIL]\tShadow stack fault test\n");
1018 goto out;
1019 }
1020
1021 if (test_shstk_violation()) {
1022 ret = 1;
1023 printf("[FAIL]\tShadow stack violation test\n");
1024 goto out;
1025 }
1026
1027 if (test_gup()) {
1028 ret = 1;
1029 printf("[FAIL]\tShadow shadow stack gup\n");
1030 goto out;
1031 }
1032
1033 if (test_mprotect()) {
1034 ret = 1;
1035 printf("[FAIL]\tShadow shadow mprotect test\n");
1036 goto out;
1037 }
1038
1039 if (test_userfaultfd()) {
1040 ret = 1;
1041 printf("[FAIL]\tUserfaultfd test\n");
1042 goto out;
1043 }
1044
1045 if (test_guard_gap_other_gaps()) {
1046 ret = 1;
1047 printf("[FAIL]\tGuard gap test, other mappings' gaps\n");
1048 goto out;
1049 }
1050
1051 if (test_guard_gap_new_mappings_gaps()) {
1052 ret = 1;
1053 printf("[FAIL]\tGuard gap test, placement mapping's gaps\n");
1054 goto out;
1055 }
1056
1057 if (test_ptrace()) {
1058 ret = 1;
1059 printf("[FAIL]\tptrace test\n");
1060 }
1061
1062 if (test_32bit()) {
1063 ret = 1;
1064 printf("[FAIL]\t32 bit test\n");
1065 goto out;
1066 }
1067
1068 if (test_uretprobe()) {
1069 ret = 1;
1070 printf("[FAIL]\turetprobe test\n");
1071 goto out;
1072 }
1073
1074 return ret;
1075
1076 out:
1077 /*
1078 * Disable shadow stack before the function returns, or there will be a
1079 * shadow stack violation.
1080 */
1081 if (ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK)) {
1082 ret = 1;
1083 printf("[FAIL]\tDisabling shadow stack failed\n");
1084 }
1085
1086 return ret;
1087 }
1088 #endif
1089