Date: Thu, 21 May 2020 16:02:50 -0700
From: Kees Cook To: Yu-cheng Yu Cc: x86@kernel.org, "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Borislav Petkov , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , "Ravi V. Shankar" , Vedvyas Shanbhogue , Dave Martin , Weijiang Yang Subject: Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test Message-ID: <202005211550.AF0E83BB@keescook> References: <20200521211720.20236-1-yu-cheng.yu@intel.com> <20200521211720.20236-6-yu-cheng.yu@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200521211720.20236-6-yu-cheng.yu@intel.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 21, 2020 at 02:17:20PM -0700, Yu-cheng Yu wrote: > Introduce a quick test to verify shadow stack and IBT are working. Cool! :) I'd love to see either more of a commit log or more comments in the test code itself. I had to spend a bit of time trying to understand how the test was working. (i.e. using ucontext to "reset", using segv handler to catch some of them, etc.) I have not yet figured out why you need to send USR1/USR2 for two of them instead of direct calls? More notes below... > > Signed-off-by: Yu-cheng Yu > --- > tools/testing/selftests/x86/Makefile | 2 +- > tools/testing/selftests/x86/cet_quick_test.c | 128 +++++++++++++++++++ > 2 files changed, 129 insertions(+), 1 deletion(-) > create mode 100644 tools/testing/selftests/x86/cet_quick_test.c > > diff --git a/tools/testing/selftests/x86/Makefile b/tools/testing/selftests/x86/Makefile > index f1bf5ab87160..26e68272117a 100644 
> --- a/tools/testing/selftests/x86/Makefile > +++ b/tools/testing/selftests/x86/Makefile > @@ -14,7 +14,7 @@ CAN_BUILD_CET := $(shell ./check_cc.sh $(CC) trivial_program.c -fcf-protection) > TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \ > check_initial_reg_state sigreturn iopl ioperm \ > protection_keys test_vdso test_vsyscall mov_ss_trap \ > - syscall_arg_fault > + syscall_arg_fault cet_quick_test > TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \ > test_FCMOV test_FCOMI test_FISTTP \ > vdso_restorer > diff --git a/tools/testing/selftests/x86/cet_quick_test.c b/tools/testing/selftests/x86/cet_quick_test.c > new file mode 100644 > index 000000000000..e84bbbcfd26f > --- /dev/null > +++ b/tools/testing/selftests/x86/cet_quick_test.c 
> @@ -0,0 +1,128 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* Quick tests to verify Shadow Stack and IBT are working */ > + > +#include > +#include > +#include > +#include > +#include > + > +ucontext_t ucp; > +int result[4] = {-1, -1, -1, -1}; I think you likely want three states: no signal, failed, and okay. Perhaps -1 for "no signal" like you have above, zero for failed, and 1 for okay. > +int test_id; > + > +void stack_hacked(unsigned long x) > +{ > + result[test_id] = -1; So this is set to 0: "I absolutely bypassed the protection". > + test_id++; > + setcontext(&ucp); > +} > + > +#pragma GCC push_options > +#pragma GCC optimize ("O0") Can you avoid compiler-specific pragmas? (Or verify that Clang also behaves correctly here?) Maybe it's better to just build the entire file with -O0 in the Makefile? > +void ibt_violation(void) > +{ > +#ifdef __i386__ > + asm volatile("lea 1f, %eax"); > + asm volatile("jmp *%eax"); > +#else > + asm volatile("lea 1f, %rax"); > + asm volatile("jmp *%rax"); > +#endif > + asm volatile("1:"); > + result[test_id] = -1; Set to 0, and if the segv doesn't see it, we know for sure it failed. > + test_id++; > + setcontext(&ucp); > +} > + > +void shstk_violation(void) > +{ > +#ifdef __i386__ > + unsigned long x = 0; > + > + ((unsigned long *)&x)[2] = (unsigned long)stack_hacked; > +#else > + unsigned long long x = 0; > + > + ((unsigned long long *)&x)[2] = (unsigned long)stack_hacked; > +#endif > +} > +#pragma GCC pop_options > + > +void segv_handler(int signum, siginfo_t *si, void *uc) > +{ Does anything in siginfo_t indicate which kind of failure you're detecting? It'd be nice to verify test_id matches the failure mode being tested. 
> + result[test_id] = 0; > + test_id++; > + setcontext(&ucp); > +} > + > +void user1_handler(int signum, siginfo_t *si, void *uc) > +{ > + shstk_violation(); > +} > + > +void user2_handler(int signum, siginfo_t *si, void *uc) > +{ > + ibt_violation(); > +} > + > +int main(int argc, char *argv[]) > +{ > + struct sigaction sa; > + int r; > + > + r = sigemptyset(&sa.sa_mask); > + if (r) > + return -1; > + > + sa.sa_flags = SA_SIGINFO; > + > + /* > + * Control protection fault handler > + */ > + sa.sa_sigaction = segv_handler; > + r = sigaction(SIGSEGV, &sa, NULL); > + if (r) > + return -1; > + > + /* > + * Handler to test Shadow stack > + */ > + sa.sa_sigaction = user1_handler; > + r = sigaction(SIGUSR1, &sa, NULL); > + if (r) > + return -1; > + > + /* > + * Handler to test IBT > + */ > + sa.sa_sigaction = user2_handler; > + r = sigaction(SIGUSR2, &sa, NULL); > + if (r) > + return -1; > + > + test_id = 0; > + r = getcontext(&ucp); > + if (r) > + return -1; > + > + if (test_id == 0) > + shstk_violation(); > + else if (test_id == 1) > + ibt_violation(); > + else if (test_id == 2) > + raise(SIGUSR1); > + else if (test_id == 3) > + raise(SIGUSR2); > + > + r = 0; > + printf("[%s]\tShadow stack\n", result[0] ? "FAIL":"OK"); Then these are result[0] == -1 ? "untested" : (result[0] ? "OK" : "FAIL")) > + r += result[0]; > + printf("[%s]\tIBT\n", result[1] ? "FAIL":"OK"); > + r += result[1]; > + printf("[%s]\tShadow stack in signal\n", result[2] ? "FAIL":"OK"); > + r += result[2]; > + printf("[%s]\tIBT in signal\n", result[3] ? "FAIL":"OK"); > + r += result[3]; > + return r; > +} > -- > 2.21.0 > -- Kees Cook
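Review bot: In the Makefile hunk, cet_quick_test is appended to TARGETS_C_BOTHBITS unconditionally, even though the hunk's context line shows a CAN_BUILD_CET probe for -fcf-protection, and nothing in this hunk ties the new target to that probe. Built by a toolchain that lacks the option, the binary would carry no CET markup, no control-protection fault would be delivered, and every case would print FAIL because result[] stays at -1. Consider adding the target only when CAN_BUILD_CET is 1, or having the test report itself as skipped when CET is not active.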
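Review bot: In shstk_violation() in cet_quick_test.c, the return-address overwrite depends on an undocumented frame layout: `((unsigned long *)&x)[2] = (unsigned long)stack_hacked;` assumes the saved return address sits exactly two words above the local x. That holds only when a frame pointer is saved directly above x with no canary or padding in between, which is presumably why the O0 pragma is there. With a different compiler or flag set the store can land elsewhere, the function returns normally, no SIGSEGV arrives, and main() falls through to the printf calls with result[] still at -1, reporting FAIL for a case that never exercised the shadow stack. Locating the slot from __builtin_frame_address(0), which both GCC and Clang provide, and adding a comment that states the layout assumption would make the intent checkable and the test less fragile.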