1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * entry_from_vm86.c - tests kernel entries from vm86 mode
4 * Copyright (c) 2014-2015 Andrew Lutomirski
5 *
6 * This exercises a few paths that need to special-case vm86 mode.
7 */
8
9#define _GNU_SOURCE
10
11#include <assert.h>
12#include <stdlib.h>
13#include <sys/syscall.h>
14#include <sys/signal.h>
15#include <sys/ucontext.h>
16#include <unistd.h>
17#include <stdio.h>
18#include <string.h>
19#include <inttypes.h>
20#include <sys/mman.h>
21#include <err.h>
22#include <stddef.h>
23#include <stdbool.h>
24#include <errno.h>
25#include <sys/vm86.h>
26
27static unsigned long load_addr = 0x10000;
28static int nerrs = 0;
29
30static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
31 int flags)
32{
33 struct sigaction sa;
34 memset(&sa, 0, sizeof(sa));
35 sa.sa_sigaction = handler;
36 sa.sa_flags = SA_SIGINFO | flags;
37 sigemptyset(&sa.sa_mask);
38 if (sigaction(sig, &sa, 0))
39 err(1, "sigaction");
40}
41
42static void clearhandler(int sig)
43{
44 struct sigaction sa;
45 memset(&sa, 0, sizeof(sa));
46 sa.sa_handler = SIG_DFL;
47 sigemptyset(&sa.sa_mask);
48 if (sigaction(sig, &sa, 0))
49 err(1, "sigaction");
50}
51
52static sig_atomic_t got_signal;
53
54static void sighandler(int sig, siginfo_t *info, void *ctx_void)
55{
56 ucontext_t *ctx = (ucontext_t*)ctx_void;
57
58 if (ctx->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_VM ||
59 (ctx->uc_mcontext.gregs[REG_CS] & 3) != 3) {
60 printf("[FAIL]\tSignal frame should not reflect vm86 mode\n");
61 nerrs++;
62 }
63
64 const char *signame;
65 if (sig == SIGSEGV)
66 signame = "SIGSEGV";
67 else if (sig == SIGILL)
68 signame = "SIGILL";
69 else
70 signame = "unexpected signal";
71
72 printf("[INFO]\t%s: FLAGS = 0x%lx, CS = 0x%hx\n", signame,
73 (unsigned long)ctx->uc_mcontext.gregs[REG_EFL],
74 (unsigned short)ctx->uc_mcontext.gregs[REG_CS]);
75
76 got_signal = 1;
77}
78
79asm (
80 ".pushsection .rodata\n\t"
81 ".type vmcode_bound, @object\n\t"
82 "vmcode:\n\t"
83 "vmcode_bound:\n\t"
84 ".code16\n\t"
85 "bound %ax, (2048)\n\t"
86 "int3\n\t"
87 "vmcode_sysenter:\n\t"
88 "sysenter\n\t"
89 "vmcode_syscall:\n\t"
90 "syscall\n\t"
91 "vmcode_sti:\n\t"
92 "sti\n\t"
93 "vmcode_int3:\n\t"
94 "int3\n\t"
95 "vmcode_int80:\n\t"
96 "int $0x80\n\t"
97 "vmcode_popf_hlt:\n\t"
98 "push %ax\n\t"
99 "popf\n\t"
100 "hlt\n\t"
101 "vmcode_umip:\n\t"
102 /* addressing via displacements */
103 "smsw (2052)\n\t"
104 "sidt (2054)\n\t"
105 "sgdt (2060)\n\t"
106 /* addressing via registers */
107 "mov $2066, %bx\n\t"
108 "smsw (%bx)\n\t"
109 "mov $2068, %bx\n\t"
110 "sidt (%bx)\n\t"
111 "mov $2074, %bx\n\t"
112 "sgdt (%bx)\n\t"
113 /* register operands, only for smsw */
114 "smsw %ax\n\t"
115 "mov %ax, (2080)\n\t"
116 "int3\n\t"
117 "vmcode_umip_str:\n\t"
118 "str %eax\n\t"
119 "vmcode_umip_sldt:\n\t"
120 "sldt %eax\n\t"
121 "int3\n\t"
122 ".size vmcode, . - vmcode\n\t"
123 "end_vmcode:\n\t"
124 ".code32\n\t"
125 ".popsection"
126 );
127
128extern unsigned char vmcode[], end_vmcode[];
129extern unsigned char vmcode_bound[], vmcode_sysenter[], vmcode_syscall[],
130 vmcode_sti[], vmcode_int3[], vmcode_int80[], vmcode_popf_hlt[],
131 vmcode_umip[], vmcode_umip_str[], vmcode_umip_sldt[];
132
133/* Returns false if the test was skipped. */
134static bool do_test(struct vm86plus_struct *v86, unsigned long eip,
135 unsigned int rettype, unsigned int retarg,
136 const char *text)
137{
138 long ret;
139
140 printf("[RUN]\t%s from vm86 mode\n", text);
141 v86->regs.eip = eip;
142 ret = vm86(VM86_ENTER, v86);
143
144 if (ret == -1 && (errno == ENOSYS || errno == EPERM)) {
145 printf("[SKIP]\tvm86 %s\n",
146 errno == ENOSYS ? "not supported" : "not allowed");
147 return false;
148 }
149
150 if (VM86_TYPE(ret) == VM86_INTx) {
151 char trapname[32];
152 int trapno = VM86_ARG(ret);
153 if (trapno == 13)
154 strcpy(trapname, "GP");
155 else if (trapno == 5)
156 strcpy(trapname, "BR");
157 else if (trapno == 14)
158 strcpy(trapname, "PF");
159 else
160 sprintf(trapname, "%d", trapno);
161
162 printf("[INFO]\tExited vm86 mode due to #%s\n", trapname);
163 } else if (VM86_TYPE(ret) == VM86_UNKNOWN) {
164 printf("[INFO]\tExited vm86 mode due to unhandled GP fault\n");
165 } else if (VM86_TYPE(ret) == VM86_TRAP) {
166 printf("[INFO]\tExited vm86 mode due to a trap (arg=%ld)\n",
167 VM86_ARG(ret));
168 } else if (VM86_TYPE(ret) == VM86_SIGNAL) {
169 printf("[INFO]\tExited vm86 mode due to a signal\n");
170 } else if (VM86_TYPE(ret) == VM86_STI) {
171 printf("[INFO]\tExited vm86 mode due to STI\n");
172 } else {
173 printf("[INFO]\tExited vm86 mode due to type %ld, arg %ld\n",
174 VM86_TYPE(ret), VM86_ARG(ret));
175 }
176
177 if (rettype == -1 ||
178 (VM86_TYPE(ret) == rettype && VM86_ARG(ret) == retarg)) {
179 printf("[OK]\tReturned correctly\n");
180 } else {
181 printf("[FAIL]\tIncorrect return reason (started at eip = 0x%lx, ended at eip = 0x%lx)\n", eip, v86->regs.eip);
182 nerrs++;
183 }
184
185 return true;
186}
187
188void do_umip_tests(struct vm86plus_struct *vm86, unsigned char *test_mem)
189{
190 struct table_desc {
191 unsigned short limit;
192 unsigned long base;
193 } __attribute__((packed));
194
195 /* Initialize variables with arbitrary values */
196 struct table_desc gdt1 = { .base = 0x3c3c3c3c, .limit = 0x9999 };
197 struct table_desc gdt2 = { .base = 0x1a1a1a1a, .limit = 0xaeae };
198 struct table_desc idt1 = { .base = 0x7b7b7b7b, .limit = 0xf1f1 };
199 struct table_desc idt2 = { .base = 0x89898989, .limit = 0x1313 };
200 unsigned short msw1 = 0x1414, msw2 = 0x2525, msw3 = 3737;
201
202 /* UMIP -- exit with INT3 unless kernel emulation did not trap #GP */
203 do_test(vm86, vmcode_umip - vmcode, VM86_TRAP, 3, "UMIP tests");
204
205 /* Results from displacement-only addressing */
206 msw1 = *(unsigned short *)(test_mem + 2052);
207 memcpy(&idt1, test_mem + 2054, sizeof(idt1));
208 memcpy(&gdt1, test_mem + 2060, sizeof(gdt1));
209
210 /* Results from register-indirect addressing */
211 msw2 = *(unsigned short *)(test_mem + 2066);
212 memcpy(&idt2, test_mem + 2068, sizeof(idt2));
213 memcpy(&gdt2, test_mem + 2074, sizeof(gdt2));
214
215 /* Results when using register operands */
216 msw3 = *(unsigned short *)(test_mem + 2080);
217
218 printf("[INFO]\tResult from SMSW:[0x%04x]\n", msw1);
219 printf("[INFO]\tResult from SIDT: limit[0x%04x]base[0x%08lx]\n",
220 idt1.limit, idt1.base);
221 printf("[INFO]\tResult from SGDT: limit[0x%04x]base[0x%08lx]\n",
222 gdt1.limit, gdt1.base);
223
224 if (msw1 != msw2 || msw1 != msw3)
225 printf("[FAIL]\tAll the results of SMSW should be the same.\n");
226 else
227 printf("[PASS]\tAll the results from SMSW are identical.\n");
228
229 if (memcmp(&gdt1, &gdt2, sizeof(gdt1)))
230 printf("[FAIL]\tAll the results of SGDT should be the same.\n");
231 else
232 printf("[PASS]\tAll the results from SGDT are identical.\n");
233
234 if (memcmp(&idt1, &idt2, sizeof(idt1)))
235 printf("[FAIL]\tAll the results of SIDT should be the same.\n");
236 else
237 printf("[PASS]\tAll the results from SIDT are identical.\n");
238
239 sethandler(sig: SIGILL, handler: sighandler, flags: 0);
240 do_test(vm86, vmcode_umip_str - vmcode, VM86_SIGNAL, 0,
241 "STR instruction");
242 clearhandler(sig: SIGILL);
243
244 sethandler(sig: SIGILL, handler: sighandler, flags: 0);
245 do_test(vm86, vmcode_umip_sldt - vmcode, VM86_SIGNAL, 0,
246 "SLDT instruction");
247 clearhandler(sig: SIGILL);
248}
249
250int main(void)
251{
252 struct vm86plus_struct v86;
253 unsigned char *addr = mmap((void *)load_addr, 4096,
254 PROT_READ | PROT_WRITE | PROT_EXEC,
255 MAP_ANONYMOUS | MAP_PRIVATE, -1,0);
256 if (addr != (unsigned char *)load_addr)
257 err(1, "mmap");
258
259 memcpy(addr, vmcode, end_vmcode - vmcode);
260 addr[2048] = 2;
261 addr[2050] = 3;
262
263 memset(&v86, 0, sizeof(v86));
264
265 v86.regs.cs = load_addr / 16;
266 v86.regs.ss = load_addr / 16;
267 v86.regs.ds = load_addr / 16;
268 v86.regs.es = load_addr / 16;
269
270 /* Use the end of the page as our stack. */
271 v86.regs.esp = 4096;
272
273 assert((v86.regs.cs & 3) == 0); /* Looks like RPL = 0 */
274
275 /* #BR -- should deliver SIG??? */
276 do_test(&v86, vmcode_bound - vmcode, VM86_INTx, 5, "#BR");
277
278 /*
279 * SYSENTER -- should cause #GP or #UD depending on CPU.
280 * Expected return type -1 means that we shouldn't validate
281 * the vm86 return value. This will avoid problems on non-SEP
282 * CPUs.
283 */
284 sethandler(SIGILL, sighandler, 0);
285 do_test(&v86, vmcode_sysenter - vmcode, -1, 0, "SYSENTER");
286 clearhandler(SIGILL);
287
288 /*
289 * SYSCALL would be a disaster in VM86 mode. Fortunately,
290 * there is no kernel that both enables SYSCALL and sets
291 * EFER.SCE, so it's #UD on all systems. But vm86 is
292 * buggy (or has a "feature"), so the SIGILL will actually
293 * be delivered.
294 */
295 sethandler(SIGILL, sighandler, 0);
296 do_test(&v86, vmcode_syscall - vmcode, VM86_SIGNAL, 0, "SYSCALL");
297 clearhandler(SIGILL);
298
299 /* STI with VIP set */
300 v86.regs.eflags |= X86_EFLAGS_VIP;
301 v86.regs.eflags &= ~X86_EFLAGS_IF;
302 do_test(&v86, vmcode_sti - vmcode, VM86_STI, 0, "STI with VIP set");
303
304 /* POPF with VIP set but IF clear: should not trap */
305 v86.regs.eflags = X86_EFLAGS_VIP;
306 v86.regs.eax = 0;
307 do_test(&v86, vmcode_popf_hlt - vmcode, VM86_UNKNOWN, 0, "POPF with VIP set and IF clear");
308
309 /* POPF with VIP set and IF set: should trap */
310 v86.regs.eflags = X86_EFLAGS_VIP;
311 v86.regs.eax = X86_EFLAGS_IF;
312 do_test(&v86, vmcode_popf_hlt - vmcode, VM86_STI, 0, "POPF with VIP and IF set");
313
314 /* POPF with VIP clear and IF set: should not trap */
315 v86.regs.eflags = 0;
316 v86.regs.eax = X86_EFLAGS_IF;
317 do_test(&v86, vmcode_popf_hlt - vmcode, VM86_UNKNOWN, 0, "POPF with VIP clear and IF set");
318
319 v86.regs.eflags = 0;
320
321 /* INT3 -- should cause #BP */
322 do_test(&v86, vmcode_int3 - vmcode, VM86_TRAP, 3, "INT3");
323
324 /* INT80 -- should exit with "INTx 0x80" */
325 v86.regs.eax = (unsigned int)-1;
326 do_test(&v86, vmcode_int80 - vmcode, VM86_INTx, 0x80, "int80");
327
328 /* UMIP -- should exit with INTx 0x80 unless UMIP was not disabled */
329 do_umip_tests(vm86: &v86, test_mem: addr);
330
331 /* Execute a null pointer */
332 v86.regs.cs = 0;
333 v86.regs.ss = 0;
334 sethandler(SIGSEGV, sighandler, 0);
335 got_signal = 0;
336 if (do_test(&v86, 0, VM86_SIGNAL, 0, "Execute null pointer") &&
337 !got_signal) {
338 printf("[FAIL]\tDid not receive SIGSEGV\n");
339 nerrs++;
340 }
341 clearhandler(SIGSEGV);
342
343 /* Make sure nothing explodes if we fork. */
344 if (fork() == 0)
345 return 0;
346
347 return (nerrs == 0 ? 0 : 1);
348}
349

source code of linux/tools/testing/selftests/x86/entry_from_vm86.c