xref: /linux/tools/testing/selftests/x86/test_shadow_stack.c (revision c8faf11cd192214e231626c3ee973a35d8fc33f2)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * This program test's basic kernel shadow stack support. It enables shadow
4  * stack manual via the arch_prctl(), instead of relying on glibc. It's
5  * Makefile doesn't compile with shadow stack support, so it doesn't rely on
6  * any particular glibc. As a result it can't do any operations that require
7  * special glibc shadow stack support (longjmp(), swapcontext(), etc). Just
8  * stick to the basics and hope the compiler doesn't do anything strange.
9  */
10 
11 #define _GNU_SOURCE
12 
13 #include <sys/syscall.h>
14 #include <asm/mman.h>
15 #include <sys/mman.h>
16 #include <sys/stat.h>
17 #include <sys/wait.h>
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <errno.h>
24 #include <stdbool.h>
25 #include <x86intrin.h>
26 #include <asm/prctl.h>
27 #include <sys/prctl.h>
28 #include <stdint.h>
29 #include <signal.h>
30 #include <pthread.h>
31 #include <sys/ioctl.h>
32 #include <linux/userfaultfd.h>
33 #include <setjmp.h>
34 #include <sys/ptrace.h>
35 #include <sys/signal.h>
36 #include <linux/elf.h>
37 #include <linux/perf_event.h>
38 
39 /*
40  * Define the ABI defines if needed, so people can run the tests
41  * without building the headers.
42  */
43 #ifndef __NR_map_shadow_stack
44 #define __NR_map_shadow_stack	453
45 
46 #define SHADOW_STACK_SET_TOKEN	(1ULL << 0)
47 
48 #define ARCH_SHSTK_ENABLE	0x5001
49 #define ARCH_SHSTK_DISABLE	0x5002
50 #define ARCH_SHSTK_LOCK		0x5003
51 #define ARCH_SHSTK_UNLOCK	0x5004
52 #define ARCH_SHSTK_STATUS	0x5005
53 
54 #define ARCH_SHSTK_SHSTK	(1ULL <<  0)
55 #define ARCH_SHSTK_WRSS		(1ULL <<  1)
56 
57 #define NT_X86_SHSTK	0x204
58 #endif
59 
60 #define SS_SIZE 0x200000
61 #define PAGE_SIZE 0x1000
62 
63 #if (__GNUC__ < 8) || (__GNUC__ == 8 && __GNUC_MINOR__ < 5)
64 int main(int argc, char *argv[])
65 {
66 	printf("[SKIP]\tCompiler does not support CET.\n");
67 	return 0;
68 }
69 #else
70 void write_shstk(unsigned long *addr, unsigned long val)
71 {
72 	asm volatile("wrssq %[val], (%[addr])\n"
73 		     : "=m" (addr)
74 		     : [addr] "r" (addr), [val] "r" (val));
75 }
76 
77 static inline unsigned long __attribute__((always_inline)) get_ssp(void)
78 {
79 	unsigned long ret = 0;
80 
81 	asm volatile("xor %0, %0; rdsspq %0" : "=r" (ret));
82 	return ret;
83 }
84 
85 /*
86  * For use in inline enablement of shadow stack.
87  *
88  * The program can't return from the point where shadow stack gets enabled
89  * because there will be no address on the shadow stack. So it can't use
90  * syscall() for enablement, since it is a function.
91  *
92  * Based on code from nolibc.h. Keep a copy here because this can't pull in all
93  * of nolibc.h.
94  */
95 #define ARCH_PRCTL(arg1, arg2)					\
96 ({								\
97 	long _ret;						\
98 	register long _num  asm("eax") = __NR_arch_prctl;	\
99 	register long _arg1 asm("rdi") = (long)(arg1);		\
100 	register long _arg2 asm("rsi") = (long)(arg2);		\
101 								\
102 	asm volatile (						\
103 		"syscall\n"					\
104 		: "=a"(_ret)					\
105 		: "r"(_arg1), "r"(_arg2),			\
106 		  "0"(_num)					\
107 		: "rcx", "r11", "memory", "cc"			\
108 	);							\
109 	_ret;							\
110 })
111 
112 void *create_shstk(void *addr)
113 {
114 	return (void *)syscall(__NR_map_shadow_stack, addr, SS_SIZE, SHADOW_STACK_SET_TOKEN);
115 }
116 
117 void *create_normal_mem(void *addr)
118 {
119 	return mmap(addr, SS_SIZE, PROT_READ | PROT_WRITE,
120 		    MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
121 }
122 
123 void free_shstk(void *shstk)
124 {
125 	munmap(shstk, SS_SIZE);
126 }
127 
128 int reset_shstk(void *shstk)
129 {
130 	return madvise(shstk, SS_SIZE, MADV_DONTNEED);
131 }
132 
133 void try_shstk(unsigned long new_ssp)
134 {
135 	unsigned long ssp;
136 
137 	printf("[INFO]\tnew_ssp = %lx, *new_ssp = %lx\n",
138 	       new_ssp, *((unsigned long *)new_ssp));
139 
140 	ssp = get_ssp();
141 	printf("[INFO]\tchanging ssp from %lx to %lx\n", ssp, new_ssp);
142 
143 	asm volatile("rstorssp (%0)\n":: "r" (new_ssp));
144 	asm volatile("saveprevssp");
145 	printf("[INFO]\tssp is now %lx\n", get_ssp());
146 
147 	/* Switch back to original shadow stack */
148 	ssp -= 8;
149 	asm volatile("rstorssp (%0)\n":: "r" (ssp));
150 	asm volatile("saveprevssp");
151 }
152 
153 int test_shstk_pivot(void)
154 {
155 	void *shstk = create_shstk(0);
156 
157 	if (shstk == MAP_FAILED) {
158 		printf("[FAIL]\tError creating shadow stack: %d\n", errno);
159 		return 1;
160 	}
161 	try_shstk((unsigned long)shstk + SS_SIZE - 8);
162 	free_shstk(shstk);
163 
164 	printf("[OK]\tShadow stack pivot\n");
165 	return 0;
166 }
167 
168 int test_shstk_faults(void)
169 {
170 	unsigned long *shstk = create_shstk(0);
171 
172 	/* Read shadow stack, test if it's zero to not get read optimized out */
173 	if (*shstk != 0)
174 		goto err;
175 
176 	/* Wrss memory that was already read. */
177 	write_shstk(shstk, 1);
178 	if (*shstk != 1)
179 		goto err;
180 
181 	/* Page out memory, so we can wrss it again. */
182 	if (reset_shstk((void *)shstk))
183 		goto err;
184 
185 	write_shstk(shstk, 1);
186 	if (*shstk != 1)
187 		goto err;
188 
189 	printf("[OK]\tShadow stack faults\n");
190 	return 0;
191 
192 err:
193 	return 1;
194 }
195 
196 unsigned long saved_ssp;
197 unsigned long saved_ssp_val;
198 volatile bool segv_triggered;
199 
200 void __attribute__((noinline)) violate_ss(void)
201 {
202 	saved_ssp = get_ssp();
203 	saved_ssp_val = *(unsigned long *)saved_ssp;
204 
205 	/* Corrupt shadow stack */
206 	printf("[INFO]\tCorrupting shadow stack\n");
207 	write_shstk((void *)saved_ssp, 0);
208 }
209 
210 void segv_handler(int signum, siginfo_t *si, void *uc)
211 {
212 	printf("[INFO]\tGenerated shadow stack violation successfully\n");
213 
214 	segv_triggered = true;
215 
216 	/* Fix shadow stack */
217 	write_shstk((void *)saved_ssp, saved_ssp_val);
218 }
219 
220 int test_shstk_violation(void)
221 {
222 	struct sigaction sa = {};
223 
224 	sa.sa_sigaction = segv_handler;
225 	sa.sa_flags = SA_SIGINFO;
226 	if (sigaction(SIGSEGV, &sa, NULL))
227 		return 1;
228 
229 	segv_triggered = false;
230 
231 	/* Make sure segv_triggered is set before violate_ss() */
232 	asm volatile("" : : : "memory");
233 
234 	violate_ss();
235 
236 	signal(SIGSEGV, SIG_DFL);
237 
238 	printf("[OK]\tShadow stack violation test\n");
239 
240 	return !segv_triggered;
241 }
242 
243 /* Gup test state */
244 #define MAGIC_VAL 0x12345678
245 bool is_shstk_access;
246 void *shstk_ptr;
247 int fd;
248 
249 void reset_test_shstk(void *addr)
250 {
251 	if (shstk_ptr)
252 		free_shstk(shstk_ptr);
253 	shstk_ptr = create_shstk(addr);
254 }
255 
256 void test_access_fix_handler(int signum, siginfo_t *si, void *uc)
257 {
258 	printf("[INFO]\tViolation from %s\n", is_shstk_access ? "shstk access" : "normal write");
259 
260 	segv_triggered = true;
261 
262 	/* Fix shadow stack */
263 	if (is_shstk_access) {
264 		reset_test_shstk(shstk_ptr);
265 		return;
266 	}
267 
268 	free_shstk(shstk_ptr);
269 	create_normal_mem(shstk_ptr);
270 }
271 
272 bool test_shstk_access(void *ptr)
273 {
274 	is_shstk_access = true;
275 	segv_triggered = false;
276 	write_shstk(ptr, MAGIC_VAL);
277 
278 	asm volatile("" : : : "memory");
279 
280 	return segv_triggered;
281 }
282 
283 bool test_write_access(void *ptr)
284 {
285 	is_shstk_access = false;
286 	segv_triggered = false;
287 	*(unsigned long *)ptr = MAGIC_VAL;
288 
289 	asm volatile("" : : : "memory");
290 
291 	return segv_triggered;
292 }
293 
294 bool gup_write(void *ptr)
295 {
296 	unsigned long val;
297 
298 	lseek(fd, (unsigned long)ptr, SEEK_SET);
299 	if (write(fd, &val, sizeof(val)) < 0)
300 		return 1;
301 
302 	return 0;
303 }
304 
305 bool gup_read(void *ptr)
306 {
307 	unsigned long val;
308 
309 	lseek(fd, (unsigned long)ptr, SEEK_SET);
310 	if (read(fd, &val, sizeof(val)) < 0)
311 		return 1;
312 
313 	return 0;
314 }
315 
316 int test_gup(void)
317 {
318 	struct sigaction sa = {};
319 	int status;
320 	pid_t pid;
321 
322 	sa.sa_sigaction = test_access_fix_handler;
323 	sa.sa_flags = SA_SIGINFO;
324 	if (sigaction(SIGSEGV, &sa, NULL))
325 		return 1;
326 
327 	segv_triggered = false;
328 
329 	fd = open("/proc/self/mem", O_RDWR);
330 	if (fd == -1)
331 		return 1;
332 
333 	reset_test_shstk(0);
334 	if (gup_read(shstk_ptr))
335 		return 1;
336 	if (test_shstk_access(shstk_ptr))
337 		return 1;
338 	printf("[INFO]\tGup read -> shstk access success\n");
339 
340 	reset_test_shstk(0);
341 	if (gup_write(shstk_ptr))
342 		return 1;
343 	if (test_shstk_access(shstk_ptr))
344 		return 1;
345 	printf("[INFO]\tGup write -> shstk access success\n");
346 
347 	reset_test_shstk(0);
348 	if (gup_read(shstk_ptr))
349 		return 1;
350 	if (!test_write_access(shstk_ptr))
351 		return 1;
352 	printf("[INFO]\tGup read -> write access success\n");
353 
354 	reset_test_shstk(0);
355 	if (gup_write(shstk_ptr))
356 		return 1;
357 	if (!test_write_access(shstk_ptr))
358 		return 1;
359 	printf("[INFO]\tGup write -> write access success\n");
360 
361 	close(fd);
362 
363 	/* COW/gup test */
364 	reset_test_shstk(0);
365 	pid = fork();
366 	if (!pid) {
367 		fd = open("/proc/self/mem", O_RDWR);
368 		if (fd == -1)
369 			exit(1);
370 
371 		if (gup_write(shstk_ptr)) {
372 			close(fd);
373 			exit(1);
374 		}
375 		close(fd);
376 		exit(0);
377 	}
378 	waitpid(pid, &status, 0);
379 	if (WEXITSTATUS(status)) {
380 		printf("[FAIL]\tWrite in child failed\n");
381 		return 1;
382 	}
383 	if (*(unsigned long *)shstk_ptr == MAGIC_VAL) {
384 		printf("[FAIL]\tWrite in child wrote through to shared memory\n");
385 		return 1;
386 	}
387 
388 	printf("[INFO]\tCow gup write -> write access success\n");
389 
390 	free_shstk(shstk_ptr);
391 
392 	signal(SIGSEGV, SIG_DFL);
393 
394 	printf("[OK]\tShadow gup test\n");
395 
396 	return 0;
397 }
398 
399 int test_mprotect(void)
400 {
401 	struct sigaction sa = {};
402 
403 	sa.sa_sigaction = test_access_fix_handler;
404 	sa.sa_flags = SA_SIGINFO;
405 	if (sigaction(SIGSEGV, &sa, NULL))
406 		return 1;
407 
408 	segv_triggered = false;
409 
410 	/* mprotect a shadow stack as read only */
411 	reset_test_shstk(0);
412 	if (mprotect(shstk_ptr, SS_SIZE, PROT_READ) < 0) {
413 		printf("[FAIL]\tmprotect(PROT_READ) failed\n");
414 		return 1;
415 	}
416 
417 	/* try to wrss it and fail */
418 	if (!test_shstk_access(shstk_ptr)) {
419 		printf("[FAIL]\tShadow stack access to read-only memory succeeded\n");
420 		return 1;
421 	}
422 
423 	/*
424 	 * The shadow stack was reset above to resolve the fault, make the new one
425 	 * read-only.
426 	 */
427 	if (mprotect(shstk_ptr, SS_SIZE, PROT_READ) < 0) {
428 		printf("[FAIL]\tmprotect(PROT_READ) failed\n");
429 		return 1;
430 	}
431 
432 	/* then back to writable */
433 	if (mprotect(shstk_ptr, SS_SIZE, PROT_WRITE | PROT_READ) < 0) {
434 		printf("[FAIL]\tmprotect(PROT_WRITE) failed\n");
435 		return 1;
436 	}
437 
438 	/* then wrss to it and succeed */
439 	if (test_shstk_access(shstk_ptr)) {
440 		printf("[FAIL]\tShadow stack access to mprotect() writable memory failed\n");
441 		return 1;
442 	}
443 
444 	free_shstk(shstk_ptr);
445 
446 	signal(SIGSEGV, SIG_DFL);
447 
448 	printf("[OK]\tmprotect() test\n");
449 
450 	return 0;
451 }
452 
453 char zero[4096];
454 
455 static void *uffd_thread(void *arg)
456 {
457 	struct uffdio_copy req;
458 	int uffd = *(int *)arg;
459 	struct uffd_msg msg;
460 	int ret;
461 
462 	while (1) {
463 		ret = read(uffd, &msg, sizeof(msg));
464 		if (ret > 0)
465 			break;
466 		else if (errno == EAGAIN)
467 			continue;
468 		return (void *)1;
469 	}
470 
471 	req.dst = msg.arg.pagefault.address;
472 	req.src = (__u64)zero;
473 	req.len = 4096;
474 	req.mode = 0;
475 
476 	if (ioctl(uffd, UFFDIO_COPY, &req))
477 		return (void *)1;
478 
479 	return (void *)0;
480 }
481 
482 int test_userfaultfd(void)
483 {
484 	struct uffdio_register uffdio_register;
485 	struct uffdio_api uffdio_api;
486 	struct sigaction sa = {};
487 	pthread_t thread;
488 	void *res;
489 	int uffd;
490 
491 	sa.sa_sigaction = test_access_fix_handler;
492 	sa.sa_flags = SA_SIGINFO;
493 	if (sigaction(SIGSEGV, &sa, NULL))
494 		return 1;
495 
496 	uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
497 	if (uffd < 0) {
498 		printf("[SKIP]\tUserfaultfd unavailable.\n");
499 		return 0;
500 	}
501 
502 	reset_test_shstk(0);
503 
504 	uffdio_api.api = UFFD_API;
505 	uffdio_api.features = 0;
506 	if (ioctl(uffd, UFFDIO_API, &uffdio_api))
507 		goto err;
508 
509 	uffdio_register.range.start = (__u64)shstk_ptr;
510 	uffdio_register.range.len = 4096;
511 	uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
512 	if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register))
513 		goto err;
514 
515 	if (pthread_create(&thread, NULL, &uffd_thread, &uffd))
516 		goto err;
517 
518 	reset_shstk(shstk_ptr);
519 	test_shstk_access(shstk_ptr);
520 
521 	if (pthread_join(thread, &res))
522 		goto err;
523 
524 	if (test_shstk_access(shstk_ptr))
525 		goto err;
526 
527 	free_shstk(shstk_ptr);
528 
529 	signal(SIGSEGV, SIG_DFL);
530 
531 	if (!res)
532 		printf("[OK]\tUserfaultfd test\n");
533 	return !!res;
534 err:
535 	free_shstk(shstk_ptr);
536 	close(uffd);
537 	signal(SIGSEGV, SIG_DFL);
538 	return 1;
539 }
540 
541 /* Simple linked list for keeping track of mappings in test_guard_gap() */
542 struct node {
543 	struct node *next;
544 	void *mapping;
545 };
546 
547 /*
548  * This tests whether mmap will place other mappings in a shadow stack's guard
549  * gap. The steps are:
550  *   1. Finds an empty place by mapping and unmapping something.
551  *   2. Map a shadow stack in the middle of the known empty area.
552  *   3. Map a bunch of PAGE_SIZE mappings. These will use the search down
553  *      direction, filling any gaps until it encounters the shadow stack's
554  *      guard gap.
555  *   4. When a mapping lands below the shadow stack from step 2, then all
556  *      of the above gaps are filled. The search down algorithm will have
557  *      looked at the shadow stack gaps.
558  *   5. See if it landed in the gap.
559  */
560 int test_guard_gap_other_gaps(void)
561 {
562 	void *free_area, *shstk, *test_map = (void *)0xFFFFFFFFFFFFFFFF;
563 	struct node *head = NULL, *cur;
564 
565 	free_area = mmap(0, SS_SIZE * 3, PROT_READ | PROT_WRITE,
566 			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
567 	munmap(free_area, SS_SIZE * 3);
568 
569 	shstk = create_shstk(free_area + SS_SIZE);
570 	if (shstk == MAP_FAILED)
571 		return 1;
572 
573 	while (test_map > shstk) {
574 		test_map = mmap(0, PAGE_SIZE, PROT_READ | PROT_WRITE,
575 				MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
576 		if (test_map == MAP_FAILED)
577 			return 1;
578 		cur = malloc(sizeof(*cur));
579 		cur->mapping = test_map;
580 
581 		cur->next = head;
582 		head = cur;
583 	}
584 
585 	while (head) {
586 		cur = head;
587 		head = cur->next;
588 		munmap(cur->mapping, PAGE_SIZE);
589 		free(cur);
590 	}
591 
592 	free_shstk(shstk);
593 
594 	if (shstk - test_map - PAGE_SIZE != PAGE_SIZE)
595 		return 1;
596 
597 	printf("[OK]\tGuard gap test, other mapping's gaps\n");
598 
599 	return 0;
600 }
601 
602 /* Tests respecting the guard gap of the mapping getting placed */
603 int test_guard_gap_new_mappings_gaps(void)
604 {
605 	void *free_area, *shstk_start, *test_map = (void *)0xFFFFFFFFFFFFFFFF;
606 	struct node *head = NULL, *cur;
607 	int ret = 0;
608 
609 	free_area = mmap(0, PAGE_SIZE * 4, PROT_READ | PROT_WRITE,
610 			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
611 	munmap(free_area, PAGE_SIZE * 4);
612 
613 	/* Test letting map_shadow_stack find a free space */
614 	shstk_start = mmap(free_area, PAGE_SIZE, PROT_READ | PROT_WRITE,
615 			   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
616 	if (shstk_start == MAP_FAILED || shstk_start != free_area)
617 		return 1;
618 
619 	while (test_map > shstk_start) {
620 		test_map = (void *)syscall(__NR_map_shadow_stack, 0, PAGE_SIZE, 0);
621 		if (test_map == MAP_FAILED) {
622 			printf("[INFO]\tmap_shadow_stack MAP_FAILED\n");
623 			ret = 1;
624 			break;
625 		}
626 
627 		cur = malloc(sizeof(*cur));
628 		cur->mapping = test_map;
629 
630 		cur->next = head;
631 		head = cur;
632 
633 		if (test_map == free_area + PAGE_SIZE) {
634 			printf("[INFO]\tNew mapping has other mapping in guard gap!\n");
635 			ret = 1;
636 			break;
637 		}
638 	}
639 
640 	while (head) {
641 		cur = head;
642 		head = cur->next;
643 		munmap(cur->mapping, PAGE_SIZE);
644 		free(cur);
645 	}
646 
647 	munmap(shstk_start, PAGE_SIZE);
648 
649 	if (!ret)
650 		printf("[OK]\tGuard gap test, placement mapping's gaps\n");
651 
652 	return ret;
653 }
654 
655 /*
656  * Too complicated to pull it out of the 32 bit header, but also get the
657  * 64 bit one needed above. Just define a copy here.
658  */
659 #define __NR_compat_sigaction 67
660 
661 /*
662  * Call 32 bit signal handler to get 32 bit signals ABI. Make sure
663  * to push the registers that will get clobbered.
664  */
665 int sigaction32(int signum, const struct sigaction *restrict act,
666 		struct sigaction *restrict oldact)
667 {
668 	register long syscall_reg asm("eax") = __NR_compat_sigaction;
669 	register long signum_reg asm("ebx") = signum;
670 	register long act_reg asm("ecx") = (long)act;
671 	register long oldact_reg asm("edx") = (long)oldact;
672 	int ret = 0;
673 
674 	asm volatile ("int $0x80;"
675 		      : "=a"(ret), "=m"(oldact)
676 		      : "r"(syscall_reg), "r"(signum_reg), "r"(act_reg),
677 			"r"(oldact_reg)
678 		      : "r8", "r9", "r10", "r11"
679 		     );
680 
681 	return ret;
682 }
683 
684 sigjmp_buf jmp_buffer;
685 
686 void segv_gp_handler(int signum, siginfo_t *si, void *uc)
687 {
688 	segv_triggered = true;
689 
690 	/*
691 	 * To work with old glibc, this can't rely on siglongjmp working with
692 	 * shadow stack enabled, so disable shadow stack before siglongjmp().
693 	 */
694 	ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK);
695 	siglongjmp(jmp_buffer, -1);
696 }
697 
698 /*
699  * Transition to 32 bit mode and check that a #GP triggers a segfault.
700  */
701 int test_32bit(void)
702 {
703 	struct sigaction sa = {};
704 	struct sigaction *sa32;
705 
706 	/* Create sigaction in 32 bit address range */
707 	sa32 = mmap(0, 4096, PROT_READ | PROT_WRITE,
708 		    MAP_32BIT | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
709 	sa32->sa_flags = SA_SIGINFO;
710 
711 	sa.sa_sigaction = segv_gp_handler;
712 	sa.sa_flags = SA_SIGINFO;
713 	if (sigaction(SIGSEGV, &sa, NULL))
714 		return 1;
715 
716 
717 	segv_triggered = false;
718 
719 	/* Make sure segv_triggered is set before triggering the #GP */
720 	asm volatile("" : : : "memory");
721 
722 	/*
723 	 * Set handler to somewhere in 32 bit address space
724 	 */
725 	sa32->sa_handler = (void *)sa32;
726 	if (sigaction32(SIGUSR1, sa32, NULL))
727 		return 1;
728 
729 	if (!sigsetjmp(jmp_buffer, 1))
730 		raise(SIGUSR1);
731 
732 	if (segv_triggered)
733 		printf("[OK]\t32 bit test\n");
734 
735 	return !segv_triggered;
736 }
737 
738 static int parse_uint_from_file(const char *file, const char *fmt)
739 {
740 	int err, ret;
741 	FILE *f;
742 
743 	f = fopen(file, "re");
744 	if (!f) {
745 		err = -errno;
746 		printf("failed to open '%s': %d\n", file, err);
747 		return err;
748 	}
749 	err = fscanf(f, fmt, &ret);
750 	if (err != 1) {
751 		err = err == EOF ? -EIO : -errno;
752 		printf("failed to parse '%s': %d\n", file, err);
753 		fclose(f);
754 		return err;
755 	}
756 	fclose(f);
757 	return ret;
758 }
759 
760 static int determine_uprobe_perf_type(void)
761 {
762 	const char *file = "/sys/bus/event_source/devices/uprobe/type";
763 
764 	return parse_uint_from_file(file, "%d\n");
765 }
766 
767 static int determine_uprobe_retprobe_bit(void)
768 {
769 	const char *file = "/sys/bus/event_source/devices/uprobe/format/retprobe";
770 
771 	return parse_uint_from_file(file, "config:%d\n");
772 }
773 
774 static ssize_t get_uprobe_offset(const void *addr)
775 {
776 	size_t start, end, base;
777 	char buf[256];
778 	bool found = false;
779 	FILE *f;
780 
781 	f = fopen("/proc/self/maps", "r");
782 	if (!f)
783 		return -errno;
784 
785 	while (fscanf(f, "%zx-%zx %s %zx %*[^\n]\n", &start, &end, buf, &base) == 4) {
786 		if (buf[2] == 'x' && (uintptr_t)addr >= start && (uintptr_t)addr < end) {
787 			found = true;
788 			break;
789 		}
790 	}
791 
792 	fclose(f);
793 
794 	if (!found)
795 		return -ESRCH;
796 
797 	return (uintptr_t)addr - start + base;
798 }
799 
800 static __attribute__((noinline)) void uretprobe_trigger(void)
801 {
802 	asm volatile ("");
803 }
804 
805 /*
806  * This test setups return uprobe, which is sensitive to shadow stack
807  * (crashes without extra fix). After executing the uretprobe we fail
808  * the test if we receive SIGSEGV, no crash means we're good.
809  *
810  * Helper functions above borrowed from bpf selftests.
811  */
812 static int test_uretprobe(void)
813 {
814 	const size_t attr_sz = sizeof(struct perf_event_attr);
815 	const char *file = "/proc/self/exe";
816 	int bit, fd = 0, type, err = 1;
817 	struct perf_event_attr attr;
818 	struct sigaction sa = {};
819 	ssize_t offset;
820 
821 	type = determine_uprobe_perf_type();
822 	if (type < 0) {
823 		if (type == -ENOENT)
824 			printf("[SKIP]\tUretprobe test, uprobes are not available\n");
825 		return 0;
826 	}
827 
828 	offset = get_uprobe_offset(uretprobe_trigger);
829 	if (offset < 0)
830 		return 1;
831 
832 	bit = determine_uprobe_retprobe_bit();
833 	if (bit < 0)
834 		return 1;
835 
836 	sa.sa_sigaction = segv_gp_handler;
837 	sa.sa_flags = SA_SIGINFO;
838 	if (sigaction(SIGSEGV, &sa, NULL))
839 		return 1;
840 
841 	/* Setup return uprobe through perf event interface. */
842 	memset(&attr, 0, attr_sz);
843 	attr.size = attr_sz;
844 	attr.type = type;
845 	attr.config = 1 << bit;
846 	attr.config1 = (__u64) (unsigned long) file;
847 	attr.config2 = offset;
848 
849 	fd = syscall(__NR_perf_event_open, &attr, 0 /* pid */, -1 /* cpu */,
850 		     -1 /* group_fd */, PERF_FLAG_FD_CLOEXEC);
851 	if (fd < 0)
852 		goto out;
853 
854 	if (sigsetjmp(jmp_buffer, 1))
855 		goto out;
856 
857 	ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK);
858 
859 	/*
860 	 * This either segfaults and goes through sigsetjmp above
861 	 * or succeeds and we're good.
862 	 */
863 	uretprobe_trigger();
864 
865 	printf("[OK]\tUretprobe test\n");
866 	err = 0;
867 
868 out:
869 	ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK);
870 	signal(SIGSEGV, SIG_DFL);
871 	if (fd)
872 		close(fd);
873 	return err;
874 }
875 
876 void segv_handler_ptrace(int signum, siginfo_t *si, void *uc)
877 {
878 	/* The SSP adjustment caused a segfault. */
879 	exit(0);
880 }
881 
882 int test_ptrace(void)
883 {
884 	unsigned long saved_ssp, ssp = 0;
885 	struct sigaction sa= {};
886 	struct iovec iov;
887 	int status;
888 	int pid;
889 
890 	iov.iov_base = &ssp;
891 	iov.iov_len = sizeof(ssp);
892 
893 	pid = fork();
894 	if (!pid) {
895 		ssp = get_ssp();
896 
897 		sa.sa_sigaction = segv_handler_ptrace;
898 		sa.sa_flags = SA_SIGINFO;
899 		if (sigaction(SIGSEGV, &sa, NULL))
900 			return 1;
901 
902 		ptrace(PTRACE_TRACEME, NULL, NULL, NULL);
903 		/*
904 		 * The parent will tweak the SSP and return from this function
905 		 * will #CP.
906 		 */
907 		raise(SIGTRAP);
908 
909 		exit(1);
910 	}
911 
912 	while (waitpid(pid, &status, 0) != -1 && WSTOPSIG(status) != SIGTRAP);
913 
914 	if (ptrace(PTRACE_GETREGSET, pid, NT_X86_SHSTK, &iov)) {
915 		printf("[INFO]\tFailed to PTRACE_GETREGS\n");
916 		goto out_kill;
917 	}
918 
919 	if (!ssp) {
920 		printf("[INFO]\tPtrace child SSP was 0\n");
921 		goto out_kill;
922 	}
923 
924 	saved_ssp = ssp;
925 
926 	iov.iov_len = 0;
927 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
928 		printf("[INFO]\tToo small size accepted via PTRACE_SETREGS\n");
929 		goto out_kill;
930 	}
931 
932 	iov.iov_len = sizeof(ssp) + 1;
933 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
934 		printf("[INFO]\tToo large size accepted via PTRACE_SETREGS\n");
935 		goto out_kill;
936 	}
937 
938 	ssp += 1;
939 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
940 		printf("[INFO]\tUnaligned SSP written via PTRACE_SETREGS\n");
941 		goto out_kill;
942 	}
943 
944 	ssp = 0xFFFFFFFFFFFF0000;
945 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
946 		printf("[INFO]\tKernel range SSP written via PTRACE_SETREGS\n");
947 		goto out_kill;
948 	}
949 
950 	/*
951 	 * Tweak the SSP so the child with #CP when it resumes and returns
952 	 * from raise()
953 	 */
954 	ssp = saved_ssp + 8;
955 	iov.iov_len = sizeof(ssp);
956 	if (ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
957 		printf("[INFO]\tFailed to PTRACE_SETREGS\n");
958 		goto out_kill;
959 	}
960 
961 	if (ptrace(PTRACE_DETACH, pid, NULL, NULL)) {
962 		printf("[INFO]\tFailed to PTRACE_DETACH\n");
963 		goto out_kill;
964 	}
965 
966 	waitpid(pid, &status, 0);
967 	if (WEXITSTATUS(status))
968 		return 1;
969 
970 	printf("[OK]\tPtrace test\n");
971 	return 0;
972 
973 out_kill:
974 	kill(pid, SIGKILL);
975 	return 1;
976 }
977 
978 int main(int argc, char *argv[])
979 {
980 	int ret = 0;
981 
982 	if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK)) {
983 		printf("[SKIP]\tCould not enable Shadow stack\n");
984 		return 1;
985 	}
986 
987 	if (ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK)) {
988 		ret = 1;
989 		printf("[FAIL]\tDisabling shadow stack failed\n");
990 	}
991 
992 	if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK)) {
993 		printf("[SKIP]\tCould not re-enable Shadow stack\n");
994 		return 1;
995 	}
996 
997 	if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_WRSS)) {
998 		printf("[SKIP]\tCould not enable WRSS\n");
999 		ret = 1;
1000 		goto out;
1001 	}
1002 
1003 	/* Should have succeeded if here, but this is a test, so double check. */
1004 	if (!get_ssp()) {
1005 		printf("[FAIL]\tShadow stack disabled\n");
1006 		return 1;
1007 	}
1008 
1009 	if (test_shstk_pivot()) {
1010 		ret = 1;
1011 		printf("[FAIL]\tShadow stack pivot\n");
1012 		goto out;
1013 	}
1014 
1015 	if (test_shstk_faults()) {
1016 		ret = 1;
1017 		printf("[FAIL]\tShadow stack fault test\n");
1018 		goto out;
1019 	}
1020 
1021 	if (test_shstk_violation()) {
1022 		ret = 1;
1023 		printf("[FAIL]\tShadow stack violation test\n");
1024 		goto out;
1025 	}
1026 
1027 	if (test_gup()) {
1028 		ret = 1;
1029 		printf("[FAIL]\tShadow shadow stack gup\n");
1030 		goto out;
1031 	}
1032 
1033 	if (test_mprotect()) {
1034 		ret = 1;
1035 		printf("[FAIL]\tShadow shadow mprotect test\n");
1036 		goto out;
1037 	}
1038 
1039 	if (test_userfaultfd()) {
1040 		ret = 1;
1041 		printf("[FAIL]\tUserfaultfd test\n");
1042 		goto out;
1043 	}
1044 
1045 	if (test_guard_gap_other_gaps()) {
1046 		ret = 1;
1047 		printf("[FAIL]\tGuard gap test, other mappings' gaps\n");
1048 		goto out;
1049 	}
1050 
1051 	if (test_guard_gap_new_mappings_gaps()) {
1052 		ret = 1;
1053 		printf("[FAIL]\tGuard gap test, placement mapping's gaps\n");
1054 		goto out;
1055 	}
1056 
1057 	if (test_ptrace()) {
1058 		ret = 1;
1059 		printf("[FAIL]\tptrace test\n");
1060 	}
1061 
1062 	if (test_32bit()) {
1063 		ret = 1;
1064 		printf("[FAIL]\t32 bit test\n");
1065 		goto out;
1066 	}
1067 
1068 	if (test_uretprobe()) {
1069 		ret = 1;
1070 		printf("[FAIL]\turetprobe test\n");
1071 		goto out;
1072 	}
1073 
1074 	return ret;
1075 
1076 out:
1077 	/*
1078 	 * Disable shadow stack before the function returns, or there will be a
1079 	 * shadow stack violation.
1080 	 */
1081 	if (ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK)) {
1082 		ret = 1;
1083 		printf("[FAIL]\tDisabling shadow stack failed\n");
1084 	}
1085 
1086 	return ret;
1087 }
1088 #endif
1089