Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Fri, 2020-05-22 at 10:36 -0700, Kees Cook wrote: > On Fri, May 22, 2020 at 07:27:11PM +0200, Peter Zijlstra wrote: > > On Fri, May 22, 2020 at 10:22:51AM -0700, Kees Cook wrote: > > > > > But yes, I think getting a copy of asm.h would be nice here. I don't > > > think the WRITE_ONCE() is needed in this particular case. Hmm. > > > > Paranoia on my end because I had no clue wth he wanted with his -O0 > > magic gunk. > > Heh, yes, which is why I asked for many more comments. ;) I *think* it > was entirely to control the stack (and ssp) behavior (i.e. don't inline, > don't elide unused stack variables, etc). Yes, that was the reason. Yu-cheng
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Fri, May 22, 2020 at 07:27:11PM +0200, Peter Zijlstra wrote: > On Fri, May 22, 2020 at 10:22:51AM -0700, Kees Cook wrote: > > > But yes, I think getting a copy of asm.h would be nice here. I don't > > think the WRITE_ONCE() is needed in this particular case. Hmm. > > Paranoia on my end because I had no clue wth he wanted with his -O0 > magic gunk. Heh, yes, which is why I asked for many more comments. ;) I *think* it was entirely to control the stack (and ssp) behavior (i.e. don't inline, don't elide unused stack variables, etc). -- Kees Cook
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Fri, May 22, 2020 at 10:22:51AM -0700, Kees Cook wrote: > But yes, I think getting a copy of asm.h would be nice here. I don't > think the WRITE_ONCE() is needed in this particular case. Hmm. Paranoia on my end because I had no clue wth he wanted with his -O0 magic gunk.
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Fri, May 22, 2020 at 11:28:48AM +0200, Peter Zijlstra wrote:
> Get asm/asm.h into userspace and then write something like:
Yeah, selftests is going to start suffering from the same "tools/ header
duplication" problem. I've also had cases (see the logic in the Makefile
in selftests/x86) where selftests is duplicating existing Kconfig and
Makefile logic ("can I build this way?")
But yes, I think getting a copy of asm.h would be nice here. I don't
think the WRITE_ONCE() is needed in this particular case. Hmm.
--
Kees Cook
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Fri, 2020-05-22 at 11:28 +0200, Peter Zijlstra wrote:
> On Thu, May 21, 2020 at 02:17:20PM -0700, Yu-cheng Yu wrote:
>
> > +#pragma GCC push_options
> > +#pragma GCC optimize ("O0")
> > +void ibt_violation(void)
> > +{
> > +#ifdef __i386__
> > + asm volatile("lea 1f, %eax");
> > + asm volatile("jmp *%eax");
> > +#else
> > + asm volatile("lea 1f, %rax");
> > + asm volatile("jmp *%rax");
> > +#endif
> > + asm volatile("1:");
> > + result[test_id] = -1;
> > + test_id++;
> > + setcontext(&ucp);
> > +}
> > +
> > +void shstk_violation(void)
> > +{
> > +#ifdef __i386__
> > + unsigned long x = 0;
> > +
> > + ((unsigned long *)&x)[2] = (unsigned long)stack_hacked;
> > +#else
> > + unsigned long long x = 0;
> > +
> > + ((unsigned long long *)&x)[2] = (unsigned long)stack_hacked;
> > +#endif
> > +}
> > +#pragma GCC pop_options
>
> This is absolutely atrocious.
>
> The #pragma like Kees already said just need to go. Also, there's
> absolutely no clue what so ever what it attempts to achieve.
>
> The __i386__ ifdeffery is horrible crap. Splitting an asm with #ifdef
> like that is also horrible crap.
>
> This is not how you write code.
>
> Get asm/asm.h into userspace and then write something like:
>
>
> void ibt_violation(void)
> {
> asm volatile("lea 1f, %" _ASM_AX "\n\t"
>"jmp *%" _ASM_AX "\n\t"
>"1:\n\t" ::: "a");
>
> WRITE_ONCE(result[test_id], -1);
> WRITE_ONCE(test_id, test_id+1);
>
> setcontext(&ucp);
> }
>
> void shstk_violation(void)
> {
> unsigned long x = 0;
>
> WRITE_ONCE(x[2], stack_hacked);
> }
Thanks! I will change it.
Yu-cheng
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Thu, May 21, 2020 at 02:17:20PM -0700, Yu-cheng Yu wrote:
> +#pragma GCC push_options
> +#pragma GCC optimize ("O0")
> +void ibt_violation(void)
> +{
> +#ifdef __i386__
> + asm volatile("lea 1f, %eax");
> + asm volatile("jmp *%eax");
> +#else
> + asm volatile("lea 1f, %rax");
> + asm volatile("jmp *%rax");
> +#endif
> + asm volatile("1:");
> + result[test_id] = -1;
> + test_id++;
> + setcontext(&ucp);
> +}
> +
> +void shstk_violation(void)
> +{
> +#ifdef __i386__
> + unsigned long x = 0;
> +
> + ((unsigned long *)&x)[2] = (unsigned long)stack_hacked;
> +#else
> + unsigned long long x = 0;
> +
> + ((unsigned long long *)&x)[2] = (unsigned long)stack_hacked;
> +#endif
> +}
> +#pragma GCC pop_options
This is absolutely atrocious.
The #pragma like Kees already said just need to go. Also, there's
absolutely no clue what so ever what it attempts to achieve.
The __i386__ ifdeffery is horrible crap. Splitting an asm with #ifdef
like that is also horrible crap.
This is not how you write code.
Get asm/asm.h into userspace and then write something like:
void ibt_violation(void)
{
asm volatile("lea 1f, %" _ASM_AX "\n\t"
"jmp *%" _ASM_AX "\n\t"
"1:\n\t" ::: "a");
WRITE_ONCE(result[test_id], -1);
WRITE_ONCE(test_id, test_id+1);
setcontext(&ucp);
}
void shstk_violation(void)
{
unsigned long x = 0;
WRITE_ONCE(x[2], stack_hacked);
}
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Thu, 2020-05-21 at 16:02 -0700, Kees Cook wrote:
> On Thu, May 21, 2020 at 02:17:20PM -0700, Yu-cheng Yu wrote:
> > Introduce a quick test to verify shadow stack and IBT are working.
>
> Cool! :)
>
> I'd love to see either more of a commit log or more comments in the test
> code itself. I had to spend a bit of time trying to understand how the
> test was working. (i.e. using ucontext to "reset", using segv handler to
> catch some of them, etc.) I have not yet figured out why you need to
> send USR1/USR2 for two of them instead of direct calls?
Yes, I will work on it.
[...]
> > +
> > +#pragma GCC push_options
> > +#pragma GCC optimize ("O0")
>
> Can you avoid compiler-specific pragmas? (Or verify that Clang also
> behaves correctly here?) Maybe it's better to just build the entire file
> with -O0 in the Makefile?
This file is compiled using -O2 in the makefile. I will see if other ways are
possible.
[...]
> > +
> > +void segv_handler(int signum, siginfo_t *si, void *uc)
> > +{
>
> Does anything in siginfo_t indicate which kind of failure you're
> detecting? It'd be nice to verify test_id matches the failure mode being
> tested.
Yes, there is an si_code for control-protection fault.
I will fix this.
Agree with your other comments.
Thanks,
Yu-cheng
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Thu, May 21, 2020 at 02:17:20PM -0700, Yu-cheng Yu wrote:
> Introduce a quick test to verify shadow stack and IBT are working.
Cool! :)
I'd love to see either more of a commit log or more comments in the test
code itself. I had to spend a bit of time trying to understand how the
test was working. (i.e. using ucontext to "reset", using segv handler to
catch some of them, etc.) I have not yet figured out why you need to
send USR1/USR2 for two of them instead of direct calls?
More notes below...
>
> Signed-off-by: Yu-cheng Yu
> ---
> tools/testing/selftests/x86/Makefile | 2 +-
> tools/testing/selftests/x86/cet_quick_test.c | 128 +++
> 2 files changed, 129 insertions(+), 1 deletion(-)
> create mode 100644 tools/testing/selftests/x86/cet_quick_test.c
>
> diff --git a/tools/testing/selftests/x86/Makefile
> b/tools/testing/selftests/x86/Makefile
> index f1bf5ab87160..26e68272117a 100644
> --- a/tools/testing/selftests/x86/Makefile
> +++ b/tools/testing/selftests/x86/Makefile
> @@ -14,7 +14,7 @@ CAN_BUILD_CET := $(shell ./check_cc.sh $(CC)
> trivial_program.c -fcf-protection)
> TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt
> test_mremap_vdso \
> check_initial_reg_state sigreturn iopl ioperm \
> protection_keys test_vdso test_vsyscall mov_ss_trap \
> - syscall_arg_fault
> + syscall_arg_fault cet_quick_test
> TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \
> test_FCMOV test_FCOMI test_FISTTP \
> vdso_restorer
> diff --git a/tools/testing/selftests/x86/cet_quick_test.c
> b/tools/testing/selftests/x86/cet_quick_test.c
> new file mode 100644
> index ..e84bbbcfd26f
> --- /dev/null
> +++ b/tools/testing/selftests/x86/cet_quick_test.c
> @@ -0,0 +1,128 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/* Quick tests to verify Shadow Stack and IBT are working */
> +
> +#include
> +#include
> +#include
> +#include
> +#include
> +
> +ucontext_t ucp;
> +int result[4] = {-1, -1, -1, -1};
I think you likely want three states: no signal, failed, and okay.
Perhaps -1 for "no signal" like you have above, zero for failed, and 1
for okay.
> +int test_id;
> +
> +void stack_hacked(unsigned long x)
> +{
> + result[test_id] = -1;
So this is set to 0: "I absolutely bypassed the protection".
> + test_id++;
> + setcontext(&ucp);
> +}
> +
> +#pragma GCC push_options
> +#pragma GCC optimize ("O0")
Can you avoid compiler-specific pragmas? (Or verify that Clang also
behaves correctly here?) Maybe it's better to just build the entire file
with -O0 in the Makefile?
> +void ibt_violation(void)
> +{
> +#ifdef __i386__
> + asm volatile("lea 1f, %eax");
> + asm volatile("jmp *%eax");
> +#else
> + asm volatile("lea 1f, %rax");
> + asm volatile("jmp *%rax");
> +#endif
> + asm volatile("1:");
> + result[test_id] = -1;
Set to 0, and if the segv doesn't see it, we know for sure it failed.
> + test_id++;
> + setcontext(&ucp);
> +}
> +
> +void shstk_violation(void)
> +{
> +#ifdef __i386__
> + unsigned long x = 0;
> +
> + ((unsigned long *)&x)[2] = (unsigned long)stack_hacked;
> +#else
> + unsigned long long x = 0;
> +
> + ((unsigned long long *)&x)[2] = (unsigned long)stack_hacked;
> +#endif
> +}
> +#pragma GCC pop_options
> +
> +void segv_handler(int signum, siginfo_t *si, void *uc)
> +{
Does anything in siginfo_t indicate which kind of failure you're
detecting? It'd be nice to verify test_id matches the failure mode being
tested.
> + result[test_id] = 0;
> + test_id++;
> + setcontext(&ucp);
> +}
> +
> +void user1_handler(int signum, siginfo_t *si, void *uc)
> +{
> + shstk_violation();
> +}
> +
> +void user2_handler(int signum, siginfo_t *si, void *uc)
> +{
> + ibt_violation();
> +}
> +
> +int main(int argc, char *argv[])
> +{
> + struct sigaction sa;
> + int r;
> +
> + r = sigemptyset(&sa.sa_mask);
> + if (r)
> + return -1;
> +
> + sa.sa_flags = SA_SIGINFO;
> +
> + /*
> + * Control protection fault handler
> + */
> + sa.sa_sigaction = segv_handler;
> + r = sigaction(SIGSEGV, &sa, NULL);
> + if (r)
> + return -1;
> +
> + /*
> + * Handler to test Shadow stack
> + */
> + sa.sa_sigaction = user1_handler;
> + r = sigaction(SIGUSR1, &sa, NULL);
> + if (r)
> + return -1;
> +
> + /*
> + * Handler to test IBT
> + */
> + sa.sa_sigaction = user2_handler;
> + r = sigaction(SIGUSR2, &sa, NULL);
> + if (r)
> + return -1;
> +
> + test_id = 0;
> + r = getcontext(&ucp);
> + if (r)
> + return -1;
> +
> + if (test_id == 0)
> + shstk_violation();
> + else if (test_id == 1)
> + ibt_violation();
> + else if (test_id == 2)
> + raise(SIGUSR1);
>
