bugs.c 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * This is for all the tests related to logic bugs (e.g. bad dereferences,
  4. * bad alignment, bad loops, bad locking, bad scheduling, deep stacks, and
  5. * lockups) along with other things that don't fit well into existing LKDTM
  6. * test source files.
  7. */
  8. #include "lkdtm.h"
  9. #include <linux/cpu.h>
  10. #include <linux/list.h>
  11. #include <linux/hrtimer.h>
  12. #include <linux/sched.h>
  13. #include <linux/sched/signal.h>
  14. #include <linux/sched/task_stack.h>
  15. #include <linux/slab.h>
  16. #include <linux/stop_machine.h>
  17. #include <linux/uaccess.h>
  18. #if IS_ENABLED(CONFIG_X86_32) && !IS_ENABLED(CONFIG_UML)
  19. #include <asm/desc.h>
  20. #endif
  21. struct lkdtm_list {
  22. struct list_head node;
  23. };
  24. /*
  25. * Make sure our attempts to over run the kernel stack doesn't trigger
  26. * a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
  27. * recurse past the end of THREAD_SIZE by default.
  28. */
  29. #if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
  30. #define REC_STACK_SIZE (_AC(CONFIG_FRAME_WARN, UL) / 2)
  31. #else
  32. #define REC_STACK_SIZE (THREAD_SIZE / 8UL)
  33. #endif
  34. #define REC_NUM_DEFAULT ((THREAD_SIZE / REC_STACK_SIZE) * 2)
  35. static int recur_count = REC_NUM_DEFAULT;
  36. static DEFINE_SPINLOCK(lock_me_up);
  37. /*
  38. * Make sure compiler does not optimize this function or stack frame away:
  39. * - function marked noinline
  40. * - stack variables are marked volatile
  41. * - stack variables are written (memset()) and read (buf[..] passed as arg)
  42. * - function may have external effects (memzero_explicit())
  43. * - no tail recursion possible
  44. */
  45. static int noinline recursive_loop(int remaining)
  46. {
  47. volatile char buf[REC_STACK_SIZE];
  48. volatile int ret;
  49. memset((void *)buf, remaining & 0xFF, sizeof(buf));
  50. if (!remaining)
  51. ret = 0;
  52. else
  53. ret = recursive_loop((int)buf[remaining % sizeof(buf)] - 1);
  54. memzero_explicit((void *)buf, sizeof(buf));
  55. return ret;
  56. }
  57. /* If the depth is negative, use the default, otherwise keep parameter. */
  58. void __init lkdtm_bugs_init(int *recur_param)
  59. {
  60. if (*recur_param < 0)
  61. *recur_param = recur_count;
  62. else
  63. recur_count = *recur_param;
  64. }
  65. static void lkdtm_PANIC(void)
  66. {
  67. panic("dumptest");
  68. }
  69. static int panic_stop_irqoff_fn(void *arg)
  70. {
  71. atomic_t *v = arg;
  72. /*
  73. * As stop_machine() disables interrupts, all CPUs within this function
  74. * have interrupts disabled and cannot take a regular IPI.
  75. *
  76. * The last CPU which enters here will trigger a panic, and as all CPUs
  77. * cannot take a regular IPI, we'll only be able to stop secondaries if
  78. * smp_send_stop() or crash_smp_send_stop() uses an NMI.
  79. */
  80. if (atomic_inc_return(v) == num_online_cpus())
  81. panic("panic stop irqoff test");
  82. for (;;)
  83. cpu_relax();
  84. }
  85. static void lkdtm_PANIC_STOP_IRQOFF(void)
  86. {
  87. atomic_t v = ATOMIC_INIT(0);
  88. stop_machine(panic_stop_irqoff_fn, &v, cpu_online_mask);
  89. }
  90. static bool wait_for_panic;
  91. static enum hrtimer_restart panic_in_hardirq(struct hrtimer *timer)
  92. {
  93. panic("from hard IRQ context");
  94. wait_for_panic = false;
  95. return HRTIMER_NORESTART;
  96. }
  97. static void lkdtm_PANIC_IN_HARDIRQ(void)
  98. {
  99. struct hrtimer timer;
  100. wait_for_panic = true;
  101. hrtimer_setup_on_stack(&timer, panic_in_hardirq,
  102. CLOCK_MONOTONIC, HRTIMER_MODE_REL_HARD);
  103. hrtimer_start(&timer, us_to_ktime(100), HRTIMER_MODE_REL_HARD);
  104. while (READ_ONCE(wait_for_panic))
  105. cpu_relax();
  106. hrtimer_cancel(&timer);
  107. }
  108. static void lkdtm_BUG(void)
  109. {
  110. BUG();
  111. }
  112. static bool wait_for_bug;
  113. static enum hrtimer_restart bug_in_hardirq(struct hrtimer *timer)
  114. {
  115. BUG();
  116. wait_for_bug = false;
  117. return HRTIMER_NORESTART;
  118. }
  119. static void lkdtm_BUG_IN_HARDIRQ(void)
  120. {
  121. struct hrtimer timer;
  122. wait_for_bug = true;
  123. hrtimer_setup_on_stack(&timer, bug_in_hardirq,
  124. CLOCK_MONOTONIC, HRTIMER_MODE_REL_HARD);
  125. hrtimer_start(&timer, us_to_ktime(100), HRTIMER_MODE_REL_HARD);
  126. while (READ_ONCE(wait_for_bug))
  127. cpu_relax();
  128. hrtimer_cancel(&timer);
  129. }
  130. static int warn_counter;
  131. static void lkdtm_WARNING(void)
  132. {
  133. WARN_ON(++warn_counter);
  134. }
  135. static void lkdtm_WARNING_MESSAGE(void)
  136. {
  137. WARN(1, "Warning message trigger count: %d\n", ++warn_counter);
  138. }
  139. static void lkdtm_EXCEPTION(void)
  140. {
  141. *((volatile int *) 0) = 0;
  142. }
  143. static void lkdtm_LOOP(void)
  144. {
  145. for (;;)
  146. ;
  147. }
  148. static void lkdtm_EXHAUST_STACK(void)
  149. {
  150. pr_info("Calling function with %lu frame size to depth %d ...\n",
  151. REC_STACK_SIZE, recur_count);
  152. recursive_loop(recur_count);
  153. pr_info("FAIL: survived without exhausting stack?!\n");
  154. }
  155. static noinline void __lkdtm_CORRUPT_STACK(void *stack)
  156. {
  157. memset(stack, '\xff', 64);
  158. }
  159. /* This should trip the stack canary, not corrupt the return address. */
  160. static noinline void lkdtm_CORRUPT_STACK(void)
  161. {
  162. /* Use default char array length that triggers stack protection. */
  163. char data[8] __aligned(sizeof(void *));
  164. pr_info("Corrupting stack containing char array ...\n");
  165. __lkdtm_CORRUPT_STACK((void *)&data);
  166. }
  167. /* Same as above but will only get a canary with -fstack-protector-strong */
  168. static noinline void lkdtm_CORRUPT_STACK_STRONG(void)
  169. {
  170. union {
  171. unsigned short shorts[4];
  172. unsigned long *ptr;
  173. } data __aligned(sizeof(void *));
  174. pr_info("Corrupting stack containing union ...\n");
  175. __lkdtm_CORRUPT_STACK((void *)&data);
  176. }
  177. static pid_t stack_pid;
  178. static unsigned long stack_addr;
  179. static void lkdtm_REPORT_STACK(void)
  180. {
  181. volatile uintptr_t magic;
  182. pid_t pid = task_pid_nr(current);
  183. if (pid != stack_pid) {
  184. pr_info("Starting stack offset tracking for pid %d\n", pid);
  185. stack_pid = pid;
  186. stack_addr = (uintptr_t)&magic;
  187. }
  188. pr_info("Stack offset: %d\n", (int)(stack_addr - (uintptr_t)&magic));
  189. }
  190. static pid_t stack_canary_pid;
  191. static unsigned long stack_canary;
  192. static unsigned long stack_canary_offset;
  193. static noinline void __lkdtm_REPORT_STACK_CANARY(void *stack)
  194. {
  195. int i = 0;
  196. pid_t pid = task_pid_nr(current);
  197. unsigned long *canary = (unsigned long *)stack;
  198. unsigned long current_offset = 0, init_offset = 0;
  199. /* Do our best to find the canary in a 16 word window ... */
  200. for (i = 1; i < 16; i++) {
  201. canary = (unsigned long *)stack + i;
  202. #ifdef CONFIG_STACKPROTECTOR
  203. if (*canary == current->stack_canary)
  204. current_offset = i;
  205. if (*canary == init_task.stack_canary)
  206. init_offset = i;
  207. #endif
  208. }
  209. if (current_offset == 0) {
  210. /*
  211. * If the canary doesn't match what's in the task_struct,
  212. * we're either using a global canary or the stack frame
  213. * layout changed.
  214. */
  215. if (init_offset != 0) {
  216. pr_err("FAIL: global stack canary found at offset %ld (canary for pid %d matches init_task's)!\n",
  217. init_offset, pid);
  218. } else {
  219. pr_warn("FAIL: did not correctly locate stack canary :(\n");
  220. pr_expected_config(CONFIG_STACKPROTECTOR);
  221. }
  222. return;
  223. } else if (init_offset != 0) {
  224. pr_warn("WARNING: found both current and init_task canaries nearby?!\n");
  225. }
  226. canary = (unsigned long *)stack + current_offset;
  227. if (stack_canary_pid == 0) {
  228. stack_canary = *canary;
  229. stack_canary_pid = pid;
  230. stack_canary_offset = current_offset;
  231. pr_info("Recorded stack canary for pid %d at offset %ld\n",
  232. stack_canary_pid, stack_canary_offset);
  233. } else if (pid == stack_canary_pid) {
  234. pr_warn("ERROR: saw pid %d again -- please use a new pid\n", pid);
  235. } else {
  236. if (current_offset != stack_canary_offset) {
  237. pr_warn("ERROR: canary offset changed from %ld to %ld!?\n",
  238. stack_canary_offset, current_offset);
  239. return;
  240. }
  241. if (*canary == stack_canary) {
  242. pr_warn("FAIL: canary identical for pid %d and pid %d at offset %ld!\n",
  243. stack_canary_pid, pid, current_offset);
  244. } else {
  245. pr_info("ok: stack canaries differ between pid %d and pid %d at offset %ld.\n",
  246. stack_canary_pid, pid, current_offset);
  247. /* Reset the test. */
  248. stack_canary_pid = 0;
  249. }
  250. }
  251. }
  252. static void lkdtm_REPORT_STACK_CANARY(void)
  253. {
  254. /* Use default char array length that triggers stack protection. */
  255. char data[8] __aligned(sizeof(void *)) = { };
  256. __lkdtm_REPORT_STACK_CANARY((void *)&data);
  257. }
  258. static void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void)
  259. {
  260. static u8 data[5] __attribute__((aligned(4))) = {1, 2, 3, 4, 5};
  261. u32 *p;
  262. u32 val = 0x12345678;
  263. p = (u32 *)(data + 1);
  264. if (*p == 0)
  265. val = 0x87654321;
  266. *p = val;
  267. if (IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
  268. pr_err("XFAIL: arch has CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS\n");
  269. }
  270. static void lkdtm_SOFTLOCKUP(void)
  271. {
  272. preempt_disable();
  273. for (;;)
  274. cpu_relax();
  275. }
  276. static void lkdtm_HARDLOCKUP(void)
  277. {
  278. local_irq_disable();
  279. for (;;)
  280. cpu_relax();
  281. }
  282. static void __lkdtm_SMP_CALL_LOCKUP(void *unused)
  283. {
  284. for (;;)
  285. cpu_relax();
  286. }
  287. static void lkdtm_SMP_CALL_LOCKUP(void)
  288. {
  289. unsigned int cpu, target;
  290. cpus_read_lock();
  291. cpu = get_cpu();
  292. target = cpumask_any_but(cpu_online_mask, cpu);
  293. if (target >= nr_cpu_ids) {
  294. pr_err("FAIL: no other online CPUs\n");
  295. goto out_put_cpus;
  296. }
  297. smp_call_function_single(target, __lkdtm_SMP_CALL_LOCKUP, NULL, 1);
  298. pr_err("FAIL: did not hang\n");
  299. out_put_cpus:
  300. put_cpu();
  301. cpus_read_unlock();
  302. }
  303. static void lkdtm_SPINLOCKUP(void)
  304. {
  305. /* Must be called twice to trigger. */
  306. spin_lock(&lock_me_up);
  307. /* Let sparse know we intended to exit holding the lock. */
  308. __release(&lock_me_up);
  309. }
  310. static void __noreturn lkdtm_HUNG_TASK(void)
  311. {
  312. set_current_state(TASK_UNINTERRUPTIBLE);
  313. schedule();
  314. BUG();
  315. }
  316. static volatile unsigned int huge = INT_MAX - 2;
  317. static volatile unsigned int ignored;
  318. static void lkdtm_OVERFLOW_SIGNED(void)
  319. {
  320. int value;
  321. value = huge;
  322. pr_info("Normal signed addition ...\n");
  323. value += 1;
  324. ignored = value;
  325. pr_info("Overflowing signed addition ...\n");
  326. value += 4;
  327. ignored = value;
  328. }
  329. static void lkdtm_OVERFLOW_UNSIGNED(void)
  330. {
  331. unsigned int value;
  332. value = huge;
  333. pr_info("Normal unsigned addition ...\n");
  334. value += 1;
  335. ignored = value;
  336. pr_info("Overflowing unsigned addition ...\n");
  337. value += 4;
  338. ignored = value;
  339. }
  340. /* Intentionally using unannotated flex array definition. */
  341. struct array_bounds_flex_array {
  342. int one;
  343. int two;
  344. char data[];
  345. };
  346. struct array_bounds {
  347. int one;
  348. int two;
  349. char data[8];
  350. int three;
  351. };
  352. static void lkdtm_ARRAY_BOUNDS(void)
  353. {
  354. struct array_bounds_flex_array *not_checked;
  355. struct array_bounds *checked;
  356. volatile int i;
  357. not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL);
  358. checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL);
  359. if (!not_checked || !checked) {
  360. kfree(not_checked);
  361. kfree(checked);
  362. return;
  363. }
  364. pr_info("Array access within bounds ...\n");
  365. /* For both, touch all bytes in the actual member size. */
  366. for (i = 0; i < sizeof(checked->data); i++)
  367. checked->data[i] = 'A';
  368. /*
  369. * For the uninstrumented flex array member, also touch 1 byte
  370. * beyond to verify it is correctly uninstrumented.
  371. */
  372. for (i = 0; i < 2; i++)
  373. not_checked->data[i] = 'A';
  374. pr_info("Array access beyond bounds ...\n");
  375. for (i = 0; i < sizeof(checked->data) + 1; i++)
  376. checked->data[i] = 'B';
  377. kfree(not_checked);
  378. kfree(checked);
  379. pr_err("FAIL: survived array bounds overflow!\n");
  380. if (IS_ENABLED(CONFIG_UBSAN_BOUNDS))
  381. pr_expected_config(CONFIG_UBSAN_TRAP);
  382. else
  383. pr_expected_config(CONFIG_UBSAN_BOUNDS);
  384. }
  385. struct lkdtm_cb_fam {
  386. unsigned long flags;
  387. int count;
  388. int array[] __counted_by(count);
  389. };
  390. static volatile int element_count = 4;
  391. static void lkdtm_FAM_BOUNDS(void)
  392. {
  393. struct lkdtm_cb_fam *inst;
  394. inst = kzalloc_flex(*inst, array, element_count + 1);
  395. if (!inst) {
  396. pr_err("FAIL: could not allocate test struct!\n");
  397. return;
  398. }
  399. inst->count = element_count;
  400. pr_info("Array access within bounds ...\n");
  401. inst->array[1] = element_count;
  402. ignored = inst->array[1];
  403. pr_info("Array access beyond bounds ...\n");
  404. inst->array[element_count] = element_count;
  405. ignored = inst->array[element_count];
  406. kfree(inst);
  407. pr_err("FAIL: survived access of invalid flexible array member index!\n");
  408. if (!IS_ENABLED(CONFIG_CC_HAS_COUNTED_BY))
  409. pr_warn("This is expected since this %s was built with a compiler that does not support __counted_by\n",
  410. lkdtm_kernel_info);
  411. else if (IS_ENABLED(CONFIG_UBSAN_BOUNDS))
  412. pr_expected_config(CONFIG_UBSAN_TRAP);
  413. else
  414. pr_expected_config(CONFIG_UBSAN_BOUNDS);
  415. }
  416. struct lkdtm_extra {
  417. short a, b;
  418. u16 sixteen;
  419. u32 bigger;
  420. u64 biggest;
  421. };
  422. struct lkdtm_cb_ptr {
  423. int a, b, c;
  424. int nr_extra;
  425. char *buf __counted_by_ptr(len);
  426. size_t len;
  427. struct lkdtm_extra *extra __counted_by_ptr(nr_extra);
  428. };
  429. static noinline void check_ptr_len(struct lkdtm_cb_ptr *p, size_t len)
  430. {
  431. if (__member_size(p->buf) != len)
  432. pr_err("FAIL: could not determine size of inst->buf: %zu\n",
  433. __member_size(p->buf));
  434. else
  435. pr_info("good: inst->buf length is %zu\n", len);
  436. }
  437. static void lkdtm_PTR_BOUNDS(void)
  438. {
  439. struct lkdtm_cb_ptr *inst;
  440. inst = kzalloc_obj(*inst);
  441. if (!inst) {
  442. pr_err("FAIL: could not allocate struct lkdtm_cb_ptr!\n");
  443. return;
  444. }
  445. inst->buf = kzalloc(element_count, GFP_KERNEL);
  446. if (!inst->buf) {
  447. pr_err("FAIL: could not allocate inst->buf!\n");
  448. return;
  449. }
  450. inst->len = element_count;
  451. /* Double element_count */
  452. inst->extra = kzalloc_objs(*inst->extra, element_count * 2);
  453. inst->nr_extra = element_count * 2;
  454. pr_info("Pointer access within bounds ...\n");
  455. check_ptr_len(inst, 4);
  456. /* All 4 bytes */
  457. inst->buf[0] = 'A';
  458. inst->buf[1] = 'B';
  459. inst->buf[2] = 'C';
  460. inst->buf[3] = 'D';
  461. /* Halfway into the array */
  462. inst->extra[element_count].biggest = 0x1000;
  463. pr_info("Pointer access beyond bounds ...\n");
  464. ignored = inst->extra[inst->nr_extra].b;
  465. kfree(inst->extra);
  466. kfree(inst->buf);
  467. kfree(inst);
  468. pr_err("FAIL: survived access of invalid pointer member offset!\n");
  469. if (!IS_ENABLED(CONFIG_CC_HAS_COUNTED_BY_PTR))
  470. pr_warn("This is expected since this %s was built with a compiler that does not support __counted_by_ptr\n",
  471. lkdtm_kernel_info);
  472. else if (IS_ENABLED(CONFIG_UBSAN_BOUNDS))
  473. pr_expected_config(CONFIG_UBSAN_TRAP);
  474. else
  475. pr_expected_config(CONFIG_UBSAN_BOUNDS);
  476. }
  477. static void lkdtm_CORRUPT_LIST_ADD(void)
  478. {
  479. /*
  480. * Initially, an empty list via LIST_HEAD:
  481. * test_head.next = &test_head
  482. * test_head.prev = &test_head
  483. */
  484. LIST_HEAD(test_head);
  485. struct lkdtm_list good, bad;
  486. void *target[2] = { };
  487. void *redirection = &target;
  488. pr_info("attempting good list addition\n");
  489. /*
  490. * Adding to the list performs these actions:
  491. * test_head.next->prev = &good.node
  492. * good.node.next = test_head.next
  493. * good.node.prev = test_head
  494. * test_head.next = good.node
  495. */
  496. list_add(&good.node, &test_head);
  497. pr_info("attempting corrupted list addition\n");
  498. /*
  499. * In simulating this "write what where" primitive, the "what" is
  500. * the address of &bad.node, and the "where" is the address held
  501. * by "redirection".
  502. */
  503. test_head.next = redirection;
  504. list_add(&bad.node, &test_head);
  505. if (target[0] == NULL && target[1] == NULL)
  506. pr_err("Overwrite did not happen, but no BUG?!\n");
  507. else {
  508. pr_err("list_add() corruption not detected!\n");
  509. pr_expected_config(CONFIG_LIST_HARDENED);
  510. }
  511. }
  512. static void lkdtm_CORRUPT_LIST_DEL(void)
  513. {
  514. LIST_HEAD(test_head);
  515. struct lkdtm_list item;
  516. void *target[2] = { };
  517. void *redirection = &target;
  518. list_add(&item.node, &test_head);
  519. pr_info("attempting good list removal\n");
  520. list_del(&item.node);
  521. pr_info("attempting corrupted list removal\n");
  522. list_add(&item.node, &test_head);
  523. /* As with the list_add() test above, this corrupts "next". */
  524. item.node.next = redirection;
  525. list_del(&item.node);
  526. if (target[0] == NULL && target[1] == NULL)
  527. pr_err("Overwrite did not happen, but no BUG?!\n");
  528. else {
  529. pr_err("list_del() corruption not detected!\n");
  530. pr_expected_config(CONFIG_LIST_HARDENED);
  531. }
  532. }
  533. /* Test that VMAP_STACK is actually allocating with a leading guard page */
  534. static void lkdtm_STACK_GUARD_PAGE_LEADING(void)
  535. {
  536. const unsigned char *stack = task_stack_page(current);
  537. const unsigned char *ptr = stack - 1;
  538. volatile unsigned char byte;
  539. pr_info("attempting bad read from page below current stack\n");
  540. byte = *ptr;
  541. pr_err("FAIL: accessed page before stack! (byte: %x)\n", byte);
  542. }
  543. /* Test that VMAP_STACK is actually allocating with a trailing guard page */
  544. static void lkdtm_STACK_GUARD_PAGE_TRAILING(void)
  545. {
  546. const unsigned char *stack = task_stack_page(current);
  547. const unsigned char *ptr = stack + THREAD_SIZE;
  548. volatile unsigned char byte;
  549. pr_info("attempting bad read from page above current stack\n");
  550. byte = *ptr;
  551. pr_err("FAIL: accessed page after stack! (byte: %x)\n", byte);
  552. }
  553. static void lkdtm_UNSET_SMEP(void)
  554. {
  555. #if IS_ENABLED(CONFIG_X86_64) && !IS_ENABLED(CONFIG_UML)
  556. #define MOV_CR4_DEPTH 64
  557. void (*direct_write_cr4)(unsigned long val);
  558. unsigned char *insn;
  559. unsigned long cr4;
  560. int i;
  561. cr4 = native_read_cr4();
  562. if ((cr4 & X86_CR4_SMEP) != X86_CR4_SMEP) {
  563. pr_err("FAIL: SMEP not in use\n");
  564. return;
  565. }
  566. cr4 &= ~(X86_CR4_SMEP);
  567. pr_info("trying to clear SMEP normally\n");
  568. native_write_cr4(cr4);
  569. if (cr4 == native_read_cr4()) {
  570. pr_err("FAIL: pinning SMEP failed!\n");
  571. cr4 |= X86_CR4_SMEP;
  572. pr_info("restoring SMEP\n");
  573. native_write_cr4(cr4);
  574. return;
  575. }
  576. pr_info("ok: SMEP did not get cleared\n");
  577. /*
  578. * To test the post-write pinning verification we need to call
  579. * directly into the middle of native_write_cr4() where the
  580. * cr4 write happens, skipping any pinning. This searches for
  581. * the cr4 writing instruction.
  582. */
  583. insn = (unsigned char *)native_write_cr4;
  584. OPTIMIZER_HIDE_VAR(insn);
  585. for (i = 0; i < MOV_CR4_DEPTH; i++) {
  586. /* mov %rdi, %cr4 */
  587. if (insn[i] == 0x0f && insn[i+1] == 0x22 && insn[i+2] == 0xe7)
  588. break;
  589. /* mov %rdi,%rax; mov %rax, %cr4 */
  590. if (insn[i] == 0x48 && insn[i+1] == 0x89 &&
  591. insn[i+2] == 0xf8 && insn[i+3] == 0x0f &&
  592. insn[i+4] == 0x22 && insn[i+5] == 0xe0)
  593. break;
  594. }
  595. if (i >= MOV_CR4_DEPTH) {
  596. pr_info("ok: cannot locate cr4 writing call gadget\n");
  597. return;
  598. }
  599. direct_write_cr4 = (void *)(insn + i);
  600. pr_info("trying to clear SMEP with call gadget\n");
  601. direct_write_cr4(cr4);
  602. if (native_read_cr4() & X86_CR4_SMEP) {
  603. pr_info("ok: SMEP removal was reverted\n");
  604. } else {
  605. pr_err("FAIL: cleared SMEP not detected!\n");
  606. cr4 |= X86_CR4_SMEP;
  607. pr_info("restoring SMEP\n");
  608. native_write_cr4(cr4);
  609. }
  610. #else
  611. pr_err("XFAIL: this test is x86_64-only\n");
  612. #endif
  613. }
  614. static void lkdtm_DOUBLE_FAULT(void)
  615. {
  616. #if IS_ENABLED(CONFIG_X86_32) && !IS_ENABLED(CONFIG_UML)
  617. /*
  618. * Trigger #DF by setting the stack limit to zero. This clobbers
  619. * a GDT TLS slot, which is okay because the current task will die
  620. * anyway due to the double fault.
  621. */
  622. struct desc_struct d = {
  623. .type = 3, /* expand-up, writable, accessed data */
  624. .p = 1, /* present */
  625. .d = 1, /* 32-bit */
  626. .g = 0, /* limit in bytes */
  627. .s = 1, /* not system */
  628. };
  629. local_irq_disable();
  630. write_gdt_entry(get_cpu_gdt_rw(smp_processor_id()),
  631. GDT_ENTRY_TLS_MIN, &d, DESCTYPE_S);
  632. /*
  633. * Put our zero-limit segment in SS and then trigger a fault. The
  634. * 4-byte access to (%esp) will fault with #SS, and the attempt to
  635. * deliver the fault will recursively cause #SS and result in #DF.
  636. * This whole process happens while NMIs and MCEs are blocked by the
  637. * MOV SS window. This is nice because an NMI with an invalid SS
  638. * would also double-fault, resulting in the NMI or MCE being lost.
  639. */
  640. asm volatile ("movw %0, %%ss; addl $0, (%%esp)" ::
  641. "r" ((unsigned short)(GDT_ENTRY_TLS_MIN << 3)));
  642. pr_err("FAIL: tried to double fault but didn't die\n");
  643. #else
  644. pr_err("XFAIL: this test is ia32-only\n");
  645. #endif
  646. }
  647. #ifdef CONFIG_ARM64
  648. static noinline void change_pac_parameters(void)
  649. {
  650. if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) {
  651. /* Reset the keys of current task */
  652. ptrauth_thread_init_kernel(current);
  653. ptrauth_thread_switch_kernel(current);
  654. }
  655. }
  656. #endif
  657. static noinline void lkdtm_CORRUPT_PAC(void)
  658. {
  659. #ifdef CONFIG_ARM64
  660. #define CORRUPT_PAC_ITERATE 10
  661. int i;
  662. if (!IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL))
  663. pr_err("FAIL: kernel not built with CONFIG_ARM64_PTR_AUTH_KERNEL\n");
  664. if (!system_supports_address_auth()) {
  665. pr_err("FAIL: CPU lacks pointer authentication feature\n");
  666. return;
  667. }
  668. pr_info("changing PAC parameters to force function return failure...\n");
  669. /*
  670. * PAC is a hash value computed from input keys, return address and
  671. * stack pointer. As pac has fewer bits so there is a chance of
  672. * collision, so iterate few times to reduce the collision probability.
  673. */
  674. for (i = 0; i < CORRUPT_PAC_ITERATE; i++)
  675. change_pac_parameters();
  676. pr_err("FAIL: survived PAC changes! Kernel may be unstable from here\n");
  677. #else
  678. pr_err("XFAIL: this test is arm64-only\n");
  679. #endif
  680. }
  681. static struct crashtype crashtypes[] = {
  682. CRASHTYPE(PANIC),
  683. CRASHTYPE(PANIC_STOP_IRQOFF),
  684. CRASHTYPE(PANIC_IN_HARDIRQ),
  685. CRASHTYPE(BUG),
  686. CRASHTYPE(BUG_IN_HARDIRQ),
  687. CRASHTYPE(WARNING),
  688. CRASHTYPE(WARNING_MESSAGE),
  689. CRASHTYPE(EXCEPTION),
  690. CRASHTYPE(LOOP),
  691. CRASHTYPE(EXHAUST_STACK),
  692. CRASHTYPE(CORRUPT_STACK),
  693. CRASHTYPE(CORRUPT_STACK_STRONG),
  694. CRASHTYPE(REPORT_STACK),
  695. CRASHTYPE(REPORT_STACK_CANARY),
  696. CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
  697. CRASHTYPE(SOFTLOCKUP),
  698. CRASHTYPE(HARDLOCKUP),
  699. CRASHTYPE(SMP_CALL_LOCKUP),
  700. CRASHTYPE(SPINLOCKUP),
  701. CRASHTYPE(HUNG_TASK),
  702. CRASHTYPE(OVERFLOW_SIGNED),
  703. CRASHTYPE(OVERFLOW_UNSIGNED),
  704. CRASHTYPE(ARRAY_BOUNDS),
  705. CRASHTYPE(FAM_BOUNDS),
  706. CRASHTYPE(PTR_BOUNDS),
  707. CRASHTYPE(CORRUPT_LIST_ADD),
  708. CRASHTYPE(CORRUPT_LIST_DEL),
  709. CRASHTYPE(STACK_GUARD_PAGE_LEADING),
  710. CRASHTYPE(STACK_GUARD_PAGE_TRAILING),
  711. CRASHTYPE(UNSET_SMEP),
  712. CRASHTYPE(DOUBLE_FAULT),
  713. CRASHTYPE(CORRUPT_PAC),
  714. };
  715. struct crashtype_category bugs_crashtypes = {
  716. .crashtypes = crashtypes,
  717. .len = ARRAY_SIZE(crashtypes),
  718. };