* [PATCH] selftests/x86: Add a syscall_arg_fault_64 test for negative GSBASE
@ 2020-05-27 23:02 Andy Lutomirski
2020-06-22 17:01 ` [tip: x86/fsgsbase] " tip-bot2 for Andy Lutomirski
0 siblings, 1 reply; 2+ messages in thread
From: Andy Lutomirski @ 2020-05-27 23:02 UTC (permalink / raw)
To: X86 ML, LKML; +Cc: Andy Lutomirski
If the kernel erroneously allows WRGSBASE and user code writes a
negative value, paranoid_entry will get confused. Check for this by
writing a negative value to GSBASE and doing SYSENTER with TF set.
A successful run looks like:
[RUN] SYSENTER with TF, invalid state, and GSBASE < 0
[SKIP] Illegal instruction
A failed run causes a kernel hang, and I believe it's because we
double-fault and then get a never ending series of page faults and,
when we exhaust the double fault stack we double fault again,
starting the process over.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
.../testing/selftests/x86/syscall_arg_fault.c | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/tools/testing/selftests/x86/syscall_arg_fault.c b/tools/testing/selftests/x86/syscall_arg_fault.c
index bc0ecc2e862e..62fba40866d5 100644
--- a/tools/testing/selftests/x86/syscall_arg_fault.c
+++ b/tools/testing/selftests/x86/syscall_arg_fault.c
@@ -72,6 +72,7 @@ static void sigsegv_or_sigbus(int sig, siginfo_t *info, void *ctx_void)
if (ax != -EFAULT && ax != -ENOSYS) {
printf("[FAIL]\tAX had the wrong value: 0x%lx\n",
(unsigned long)ax);
+ printf("\tIP = 0x%lx\n", (unsigned long)ctx->uc_mcontext.gregs[REG_IP]);
n_errs++;
} else {
printf("[OK]\tSeems okay\n");
@@ -226,5 +227,30 @@ int main()
}
set_eflags(get_eflags() & ~X86_EFLAGS_TF);
+#ifdef __x86_64__
+ printf("[RUN]\tSYSENTER with TF, invalid state, and GSBASE < 0\n");
+
+ if (sigsetjmp(jmpbuf, 1) == 0) {
+ sigtrap_consecutive_syscalls = 0;
+
+ asm volatile ("wrgsbase %%rax\n\t"
+ :: "a" (0xffffffffffff0000UL));
+
+ set_eflags(get_eflags() | X86_EFLAGS_TF);
+ asm volatile (
+ "movl $-1, %%eax\n\t"
+ "movl $-1, %%ebx\n\t"
+ "movl $-1, %%ecx\n\t"
+ "movl $-1, %%edx\n\t"
+ "movl $-1, %%esi\n\t"
+ "movl $-1, %%edi\n\t"
+ "movl $-1, %%ebp\n\t"
+ "movl $-1, %%esp\n\t"
+ "sysenter"
+ : : : "memory", "flags");
+ }
+ set_eflags(get_eflags() & ~X86_EFLAGS_TF);
+#endif
+
return 0;
}
--
2.25.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [tip: x86/fsgsbase] selftests/x86: Add a syscall_arg_fault_64 test for negative GSBASE
2020-05-27 23:02 [PATCH] selftests/x86: Add a syscall_arg_fault_64 test for negative GSBASE Andy Lutomirski
@ 2020-06-22 17:01 ` tip-bot2 for Andy Lutomirski
0 siblings, 0 replies; 2+ messages in thread
From: tip-bot2 for Andy Lutomirski @ 2020-06-22 17:01 UTC (permalink / raw)
To: linux-tip-commits; +Cc: Andy Lutomirski, Borislav Petkov, x86, LKML
The following commit has been merged into the x86/fsgsbase branch of tip:
Commit-ID: a5d25e01c8146ad8846da4760422e12242fceafe
Gitweb: https://git.kernel.org/tip/a5d25e01c8146ad8846da4760422e12242fceafe
Author: Andy Lutomirski <luto@kernel.org>
AuthorDate: Wed, 27 May 2020 16:02:36 -07:00
Committer: Borislav Petkov <bp@suse.de>
CommitterDate: Mon, 22 Jun 2020 18:56:36 +02:00
selftests/x86: Add a syscall_arg_fault_64 test for negative GSBASE
If the kernel erroneously allows WRGSBASE and user code writes a
negative value, paranoid_entry will get confused. Check for this by
writing a negative value to GSBASE and doing SYSENTER with TF set. A
successful run looks like:
[RUN] SYSENTER with TF, invalid state, and GSBASE < 0
[SKIP] Illegal instruction
A failed run causes a kernel hang, and I believe it's because we
double-fault and then get a never ending series of page faults and,
when we exhaust the double fault stack we double fault again,
starting the process over.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/f4f71efc91b9eae5e3dae21c9aee1c70cf5f370e.1590620529.git.luto@kernel.org
---
tools/testing/selftests/x86/syscall_arg_fault.c | 26 ++++++++++++++++-
1 file changed, 26 insertions(+)
diff --git a/tools/testing/selftests/x86/syscall_arg_fault.c b/tools/testing/selftests/x86/syscall_arg_fault.c
index bc0ecc2..62fba40 100644
--- a/tools/testing/selftests/x86/syscall_arg_fault.c
+++ b/tools/testing/selftests/x86/syscall_arg_fault.c
@@ -72,6 +72,7 @@ static void sigsegv_or_sigbus(int sig, siginfo_t *info, void *ctx_void)
if (ax != -EFAULT && ax != -ENOSYS) {
printf("[FAIL]\tAX had the wrong value: 0x%lx\n",
(unsigned long)ax);
+ printf("\tIP = 0x%lx\n", (unsigned long)ctx->uc_mcontext.gregs[REG_IP]);
n_errs++;
} else {
printf("[OK]\tSeems okay\n");
@@ -226,5 +227,30 @@ int main()
}
set_eflags(get_eflags() & ~X86_EFLAGS_TF);
+#ifdef __x86_64__
+ printf("[RUN]\tSYSENTER with TF, invalid state, and GSBASE < 0\n");
+
+ if (sigsetjmp(jmpbuf, 1) == 0) {
+ sigtrap_consecutive_syscalls = 0;
+
+ asm volatile ("wrgsbase %%rax\n\t"
+ :: "a" (0xffffffffffff0000UL));
+
+ set_eflags(get_eflags() | X86_EFLAGS_TF);
+ asm volatile (
+ "movl $-1, %%eax\n\t"
+ "movl $-1, %%ebx\n\t"
+ "movl $-1, %%ecx\n\t"
+ "movl $-1, %%edx\n\t"
+ "movl $-1, %%esi\n\t"
+ "movl $-1, %%edi\n\t"
+ "movl $-1, %%ebp\n\t"
+ "movl $-1, %%esp\n\t"
+ "sysenter"
+ : : : "memory", "flags");
+ }
+ set_eflags(get_eflags() & ~X86_EFLAGS_TF);
+#endif
+
return 0;
}
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-06-22 17:01 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-27 23:02 [PATCH] selftests/x86: Add a syscall_arg_fault_64 test for negative GSBASE Andy Lutomirski
2020-06-22 17:01 ` [tip: x86/fsgsbase] " tip-bot2 for Andy Lutomirski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).