| /* |
| * sigreturn.c - tests that x86 avoids Intel SYSRET pitfalls |
| * Copyright (c) 2014-2016 Andrew Lutomirski |
| * |
| * This program is free software; you can redistribute it and/or modify |
| * it under the terms and conditions of the GNU General Public License, |
| * version 2, as published by the Free Software Foundation. |
| * |
| * This program is distributed in the hope it will be useful, but |
| * WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| * General Public License for more details. |
| */ |
| |
| #define _GNU_SOURCE |
| |
| #include <stdlib.h> |
| #include <unistd.h> |
| #include <stdio.h> |
| #include <string.h> |
| #include <inttypes.h> |
| #include <sys/signal.h> |
| #include <sys/ucontext.h> |
| #include <sys/syscall.h> |
| #include <err.h> |
| #include <stddef.h> |
| #include <stdbool.h> |
| #include <setjmp.h> |
| #include <sys/user.h> |
| #include <sys/mman.h> |
| #include <assert.h> |
| |
| |
| asm ( |
| ".pushsection \".text\", \"ax\"\n\t" |
| ".balign 4096\n\t" |
| "test_page: .globl test_page\n\t" |
| ".fill 4094,1,0xcc\n\t" |
| "test_syscall_insn:\n\t" |
| "syscall\n\t" |
| ".ifne . - test_page - 4096\n\t" |
| ".error \"test page is not one page long\"\n\t" |
| ".endif\n\t" |
| ".popsection" |
| ); |
| |
| extern const char test_page[]; |
| static void const *current_test_page_addr = test_page; |
| |
| static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), |
| int flags) |
| { |
| struct sigaction sa; |
| memset(&sa, 0, sizeof(sa)); |
| sa.sa_sigaction = handler; |
| sa.sa_flags = SA_SIGINFO | flags; |
| sigemptyset(&sa.sa_mask); |
| if (sigaction(sig, &sa, 0)) |
| err(1, "sigaction"); |
| } |
| |
| static void clearhandler(int sig) |
| { |
| struct sigaction sa; |
| memset(&sa, 0, sizeof(sa)); |
| sa.sa_handler = SIG_DFL; |
| sigemptyset(&sa.sa_mask); |
| if (sigaction(sig, &sa, 0)) |
| err(1, "sigaction"); |
| } |
| |
| /* State used by our signal handlers. */ |
| static gregset_t initial_regs; |
| |
| static volatile unsigned long rip; |
| |
| static void sigsegv_for_sigreturn_test(int sig, siginfo_t *info, void *ctx_void) |
| { |
| ucontext_t *ctx = (ucontext_t*)ctx_void; |
| |
| if (rip != ctx->uc_mcontext.gregs[REG_RIP]) { |
| printf("[FAIL]\tRequested RIP=0x%lx but got RIP=0x%lx\n", |
| rip, (unsigned long)ctx->uc_mcontext.gregs[REG_RIP]); |
| fflush(stdout); |
| _exit(1); |
| } |
| |
| memcpy(&ctx->uc_mcontext.gregs, &initial_regs, sizeof(gregset_t)); |
| |
| printf("[OK]\tGot SIGSEGV at RIP=0x%lx\n", rip); |
| } |
| |
| static void sigusr1(int sig, siginfo_t *info, void *ctx_void) |
| { |
| ucontext_t *ctx = (ucontext_t*)ctx_void; |
| |
| memcpy(&initial_regs, &ctx->uc_mcontext.gregs, sizeof(gregset_t)); |
| |
| /* Set IP and CX to match so that SYSRET can happen. */ |
| ctx->uc_mcontext.gregs[REG_RIP] = rip; |
| ctx->uc_mcontext.gregs[REG_RCX] = rip; |
| |
| /* R11 and EFLAGS should already match. */ |
| assert(ctx->uc_mcontext.gregs[REG_EFL] == |
| ctx->uc_mcontext.gregs[REG_R11]); |
| |
| sethandler(SIGSEGV, sigsegv_for_sigreturn_test, SA_RESETHAND); |
| |
| return; |
| } |
| |
| static void test_sigreturn_to(unsigned long ip) |
| { |
| rip = ip; |
| printf("[RUN]\tsigreturn to 0x%lx\n", ip); |
| raise(SIGUSR1); |
| } |
| |
| static jmp_buf jmpbuf; |
| |
| static void sigsegv_for_fallthrough(int sig, siginfo_t *info, void *ctx_void) |
| { |
| ucontext_t *ctx = (ucontext_t*)ctx_void; |
| |
| if (rip != ctx->uc_mcontext.gregs[REG_RIP]) { |
| printf("[FAIL]\tExpected SIGSEGV at 0x%lx but got RIP=0x%lx\n", |
| rip, (unsigned long)ctx->uc_mcontext.gregs[REG_RIP]); |
| fflush(stdout); |
| _exit(1); |
| } |
| |
| siglongjmp(jmpbuf, 1); |
| } |
| |
| static void test_syscall_fallthrough_to(unsigned long ip) |
| { |
| void *new_address = (void *)(ip - 4096); |
| void *ret; |
| |
| printf("[RUN]\tTrying a SYSCALL that falls through to 0x%lx\n", ip); |
| |
| ret = mremap((void *)current_test_page_addr, 4096, 4096, |
| MREMAP_MAYMOVE | MREMAP_FIXED, new_address); |
| if (ret == MAP_FAILED) { |
| if (ip <= (1UL << 47) - PAGE_SIZE) { |
| err(1, "mremap to %p", new_address); |
| } else { |
| printf("[OK]\tmremap to %p failed\n", new_address); |
| return; |
| } |
| } |
| |
| if (ret != new_address) |
| errx(1, "mremap malfunctioned: asked for %p but got %p\n", |
| new_address, ret); |
| |
| current_test_page_addr = new_address; |
| rip = ip; |
| |
| if (sigsetjmp(jmpbuf, 1) == 0) { |
| asm volatile ("call *%[syscall_insn]" :: "a" (SYS_getpid), |
| [syscall_insn] "rm" (ip - 2)); |
| errx(1, "[FAIL]\tSyscall trampoline returned"); |
| } |
| |
| printf("[OK]\tWe survived\n"); |
| } |
| |
| int main() |
| { |
| /* |
| * When the kernel returns from a slow-path syscall, it will |
| * detect whether SYSRET is appropriate. If it incorrectly |
| * thinks that SYSRET is appropriate when RIP is noncanonical, |
| * it'll crash on Intel CPUs. |
| */ |
| sethandler(SIGUSR1, sigusr1, 0); |
| for (int i = 47; i < 64; i++) |
| test_sigreturn_to(1UL<<i); |
| |
| clearhandler(SIGUSR1); |
| |
| sethandler(SIGSEGV, sigsegv_for_fallthrough, 0); |
| |
| /* One extra test to check that we didn't screw up the mremap logic. */ |
| test_syscall_fallthrough_to((1UL << 47) - 2*PAGE_SIZE); |
| |
| /* These are the interesting cases. */ |
| for (int i = 47; i < 64; i++) { |
| test_syscall_fallthrough_to((1UL<<i) - PAGE_SIZE); |
| test_syscall_fallthrough_to(1UL<<i); |
| } |
| |
| return 0; |
| } |