Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Fri, 2020-05-22 at 10:36 -0700, Kees Cook wrote: > On Fri, May 22, 2020 at 07:27:11PM +0200, Peter Zijlstra wrote: > > On Fri, May 22, 2020 at 10:22:51AM -0700, Kees Cook wrote: > > > > > But yes, I think getting a copy of asm.h would be nice here. I don't > > > think the WRITE_ONCE() is needed in this particular case. Hmm. > > > > Paranoia on my end because I had no clue wth he wanted with his -O0 > > magic gunk. > > Heh, yes, which is why I asked for many more comments. ;) I *think* it > was entirely to control the stack (and ssp) behavior (i.e. don't inline, > don't elide unused stack variables, etc). Yes, that was the reason. Yu-cheng
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Fri, May 22, 2020 at 07:27:11PM +0200, Peter Zijlstra wrote: > On Fri, May 22, 2020 at 10:22:51AM -0700, Kees Cook wrote: > > > But yes, I think getting a copy of asm.h would be nice here. I don't > > think the WRITE_ONCE() is needed in this particular case. Hmm. > > Paranoia on my end because I had no clue wth he wanted with his -O0 > magic gunk. Heh, yes, which is why I asked for many more comments. ;) I *think* it was entirely to control the stack (and ssp) behavior (i.e. don't inline, don't elide unused stack variables, etc). -- Kees Cook
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Fri, May 22, 2020 at 10:22:51AM -0700, Kees Cook wrote: > But yes, I think getting a copy of asm.h would be nice here. I don't > think the WRITE_ONCE() is needed in this particular case. Hmm. Paranoia on my end because I had no clue wth he wanted with his -O0 magic gunk.
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Fri, May 22, 2020 at 11:28:48AM +0200, Peter Zijlstra wrote: > Get asm/asm.h into userspace and then write something like: Yeah, selftests is going to start suffering from the same "tools/ header duplication" problem. I've also had cases (see the logic in the Makefile in selftests/x86) where selftests is duplicating existing Kconfig and Makefile logic ("can I build this way?") But yes, I think getting a copy of asm.h would be nice here. I don't think the WRITE_ONCE() is needed in this particular case. Hmm. -- Kees Cook
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Fri, 2020-05-22 at 11:28 +0200, Peter Zijlstra wrote: > On Thu, May 21, 2020 at 02:17:20PM -0700, Yu-cheng Yu wrote: > > > +#pragma GCC push_options > > +#pragma GCC optimize ("O0") > > +void ibt_violation(void) > > +{ > > +#ifdef __i386__ > > + asm volatile("lea 1f, %eax"); > > + asm volatile("jmp *%eax"); > > +#else > > + asm volatile("lea 1f, %rax"); > > + asm volatile("jmp *%rax"); > > +#endif > > + asm volatile("1:"); > > + result[test_id] = -1; > > + test_id++; > > + setcontext(&ucp); > > +} > > + > > +void shstk_violation(void) > > +{ > > +#ifdef __i386__ > > + unsigned long x = 0; > > + > > + ((unsigned long *)&x)[2] = (unsigned long)stack_hacked; > > +#else > > + unsigned long long x = 0; > > + > > + ((unsigned long long *)&x)[2] = (unsigned long)stack_hacked; > > +#endif > > +} > > +#pragma GCC pop_options > > This is absolutely atrocious. > > The #pragma like Kees already said just need to go. Also, there's > absolutely no clue what so ever what it attempts to achieve. > > The __i386__ ifdeffery is horrible crap. Splitting an asm with #ifdef > like that is also horrible crap. > > This is not how you write code. > > Get asm/asm.h into userspace and then write something like: > > > void ibt_violation(void) > { > asm volatile("lea 1f, %" _ASM_AX "\n\t" >"jmp *%" _ASM_AX "\n\t" >"1:\n\t" ::: "a"); > > WRITE_ONCE(result[test_id], -1); > WRITE_ONCE(test_id, test_id+1); > > setcontext(&ucp); > } > > void shstk_violation(void) > { > unsigned long x = 0; > > WRITE_ONCE(x[2], stack_hacked); > } Thanks! I will change it. Yu-cheng
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Thu, May 21, 2020 at 02:17:20PM -0700, Yu-cheng Yu wrote: > +#pragma GCC push_options > +#pragma GCC optimize ("O0") > +void ibt_violation(void) > +{ > +#ifdef __i386__ > + asm volatile("lea 1f, %eax"); > + asm volatile("jmp *%eax"); > +#else > + asm volatile("lea 1f, %rax"); > + asm volatile("jmp *%rax"); > +#endif > + asm volatile("1:"); > + result[test_id] = -1; > + test_id++; > + setcontext(&ucp); > +} > + > +void shstk_violation(void) > +{ > +#ifdef __i386__ > + unsigned long x = 0; > + > + ((unsigned long *)&x)[2] = (unsigned long)stack_hacked; > +#else > + unsigned long long x = 0; > + > + ((unsigned long long *)&x)[2] = (unsigned long)stack_hacked; > +#endif > +} > +#pragma GCC pop_options This is absolutely atrocious. The #pragma like Kees already said just need to go. Also, there's absolutely no clue what so ever what it attempts to achieve. The __i386__ ifdeffery is horrible crap. Splitting an asm with #ifdef like that is also horrible crap. This is not how you write code. Get asm/asm.h into userspace and then write something like: void ibt_violation(void) { asm volatile("lea 1f, %" _ASM_AX "\n\t" "jmp *%" _ASM_AX "\n\t" "1:\n\t" ::: "a"); WRITE_ONCE(result[test_id], -1); WRITE_ONCE(test_id, test_id+1); setcontext(&ucp); } void shstk_violation(void) { unsigned long x = 0; WRITE_ONCE(x[2], stack_hacked); }
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Thu, 2020-05-21 at 16:02 -0700, Kees Cook wrote: > On Thu, May 21, 2020 at 02:17:20PM -0700, Yu-cheng Yu wrote: > > Introduce a quick test to verify shadow stack and IBT are working. > > Cool! :) > > I'd love to see either more of a commit log or more comments in the test > code itself. I had to spend a bit of time trying to understand how the > test was working. (i.e. using ucontext to "reset", using segv handler to > catch some of them, etc.) I have not yet figured out why you need to > send USR1/USR2 for two of them instead of direct calls? Yes, I will work on it. [...] > > + > > +#pragma GCC push_options > > +#pragma GCC optimize ("O0") > > Can you avoid compiler-specific pragmas? (Or verify that Clang also > behaves correctly here?) Maybe it's better to just build the entire file > with -O0 in the Makefile? This file is compiled using -O2 in the makefile. I will see if other ways are possible. [...] > > + > > +void segv_handler(int signum, siginfo_t *si, void *uc) > > +{ > > Does anything in siginfo_t indicate which kind of failure you're > detecting? It'd be nice to verify test_id matches the failure mode being > tested. Yes, there is an si_code for control-protection fault. I will fix this. Agree with your other comments. Thanks, Yu-cheng
Re: [RFC PATCH 5/5] selftest/x86: Add CET quick test
On Thu, May 21, 2020 at 02:17:20PM -0700, Yu-cheng Yu wrote: > Introduce a quick test to verify shadow stack and IBT are working. Cool! :) I'd love to see either more of a commit log or more comments in the test code itself. I had to spend a bit of time trying to understand how the test was working. (i.e. using ucontext to "reset", using segv handler to catch some of them, etc.) I have not yet figured out why you need to send USR1/USR2 for two of them instead of direct calls? More notes below... > > Signed-off-by: Yu-cheng Yu > --- > tools/testing/selftests/x86/Makefile | 2 +- > tools/testing/selftests/x86/cet_quick_test.c | 128 +++ > 2 files changed, 129 insertions(+), 1 deletion(-) > create mode 100644 tools/testing/selftests/x86/cet_quick_test.c > > diff --git a/tools/testing/selftests/x86/Makefile > b/tools/testing/selftests/x86/Makefile > index f1bf5ab87160..26e68272117a 100644 > --- a/tools/testing/selftests/x86/Makefile > +++ b/tools/testing/selftests/x86/Makefile > @@ -14,7 +14,7 @@ CAN_BUILD_CET := $(shell ./check_cc.sh $(CC) > trivial_program.c -fcf-protection) > TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt > test_mremap_vdso \ > check_initial_reg_state sigreturn iopl ioperm \ > protection_keys test_vdso test_vsyscall mov_ss_trap \ > - syscall_arg_fault > + syscall_arg_fault cet_quick_test > TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \ > test_FCMOV test_FCOMI test_FISTTP \ > vdso_restorer > diff --git a/tools/testing/selftests/x86/cet_quick_test.c > b/tools/testing/selftests/x86/cet_quick_test.c > new file mode 100644 > index ..e84bbbcfd26f > --- /dev/null > +++ b/tools/testing/selftests/x86/cet_quick_test.c > @@ -0,0 +1,128 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* Quick tests to verify Shadow Stack and IBT are working */ > + > +#include > +#include > +#include > +#include > +#include > + > +ucontext_t ucp; > +int result[4] = {-1, -1, -1, -1}; I think you likely want three states: no signal, failed, and okay. Perhaps -1 for "no signal" like you have above, zero for failed, and 1 for okay. > +int test_id; > + > +void stack_hacked(unsigned long x) > +{ > + result[test_id] = -1; So this is set to 0: "I absolutely bypassed the protection". > + test_id++; > + setcontext(&ucp); > +} > + > +#pragma GCC push_options > +#pragma GCC optimize ("O0") Can you avoid compiler-specific pragmas? (Or verify that Clang also behaves correctly here?) Maybe it's better to just build the entire file with -O0 in the Makefile? > +void ibt_violation(void) > +{ > +#ifdef __i386__ > + asm volatile("lea 1f, %eax"); > + asm volatile("jmp *%eax"); > +#else > + asm volatile("lea 1f, %rax"); > + asm volatile("jmp *%rax"); > +#endif > + asm volatile("1:"); > + result[test_id] = -1; Set to 0, and if the segv doesn't see it, we know for sure it failed. > + test_id++; > + setcontext(&ucp); > +} > + > +void shstk_violation(void) > +{ > +#ifdef __i386__ > + unsigned long x = 0; > + > + ((unsigned long *)&x)[2] = (unsigned long)stack_hacked; > +#else > + unsigned long long x = 0; > + > + ((unsigned long long *)&x)[2] = (unsigned long)stack_hacked; > +#endif > +} > +#pragma GCC pop_options > + > +void segv_handler(int signum, siginfo_t *si, void *uc) > +{ Does anything in siginfo_t indicate which kind of failure you're detecting? It'd be nice to verify test_id matches the failure mode being tested. > + result[test_id] = 0; > + test_id++; > + setcontext(&ucp); > +} > + > +void user1_handler(int signum, siginfo_t *si, void *uc) > +{ > + shstk_violation(); > +} > + > +void user2_handler(int signum, siginfo_t *si, void *uc) > +{ > + ibt_violation(); > +} > + > +int main(int argc, char *argv[]) > +{ > + struct sigaction sa; > + int r; > + > + r = sigemptyset(&sa.sa_mask); > + if (r) > + return -1; > + > + sa.sa_flags = SA_SIGINFO; > + > + /* > + * Control protection fault handler > + */ > + sa.sa_sigaction = segv_handler; > + r = sigaction(SIGSEGV, &sa, NULL); > + if (r) > + return -1; > + > + /* > + * Handler to test Shadow stack > + */ > + sa.sa_sigaction = user1_handler; > + r = sigaction(SIGUSR1, &sa, NULL); > + if (r) > + return -1; > + > + /* > + * Handler to test IBT > + */ > + sa.sa_sigaction = user2_handler; > + r = sigaction(SIGUSR2, &sa, NULL); > + if (r) > + return -1; > + > + test_id = 0; > + r = getcontext(&ucp); > + if (r) > + return -1; > + > + if (test_id == 0) > + shstk_violation(); > + else if (test_id == 1) > + ibt_violation(); > + else if (test_id == 2) > + raise(SIGUSR1); >