1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * iopl.c - Test case for a Linux on Xen 64-bit bug |
4 | * Copyright (c) 2015 Andrew Lutomirski |
5 | */ |
6 | |
7 | #define _GNU_SOURCE |
8 | #include <err.h> |
9 | #include <stdio.h> |
10 | #include <stdint.h> |
11 | #include <signal.h> |
12 | #include <setjmp.h> |
13 | #include <stdlib.h> |
14 | #include <string.h> |
15 | #include <errno.h> |
16 | #include <unistd.h> |
17 | #include <sys/types.h> |
18 | #include <sys/wait.h> |
19 | #include <stdbool.h> |
20 | #include <sched.h> |
21 | #include <sys/io.h> |
22 | |
23 | static int nerrs = 0; |
24 | |
25 | static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), |
26 | int flags) |
27 | { |
28 | struct sigaction sa; |
29 | memset(&sa, 0, sizeof(sa)); |
30 | sa.sa_sigaction = handler; |
31 | sa.sa_flags = SA_SIGINFO | flags; |
32 | sigemptyset(&sa.sa_mask); |
33 | if (sigaction(sig, &sa, 0)) |
34 | err(1, "sigaction" ); |
35 | |
36 | } |
37 | |
38 | static void clearhandler(int sig) |
39 | { |
40 | struct sigaction sa; |
41 | memset(&sa, 0, sizeof(sa)); |
42 | sa.sa_handler = SIG_DFL; |
43 | sigemptyset(&sa.sa_mask); |
44 | if (sigaction(sig, &sa, 0)) |
45 | err(1, "sigaction" ); |
46 | } |
47 | |
48 | static jmp_buf jmpbuf; |
49 | |
50 | static void sigsegv(int sig, siginfo_t *si, void *ctx_void) |
51 | { |
52 | siglongjmp(jmpbuf, 1); |
53 | } |
54 | |
55 | static bool try_outb(unsigned short port) |
56 | { |
57 | sethandler(sig: SIGSEGV, handler: sigsegv, flags: SA_RESETHAND); |
58 | if (sigsetjmp(jmpbuf, 1) != 0) { |
59 | return false; |
60 | } else { |
61 | asm volatile ("outb %%al, %w[port]" |
62 | : : [port] "Nd" (port), "a" (0)); |
63 | return true; |
64 | } |
65 | clearhandler(sig: SIGSEGV); |
66 | } |
67 | |
68 | static void expect_ok_outb(unsigned short port) |
69 | { |
70 | if (!try_outb(port)) { |
71 | printf("[FAIL]\toutb to 0x%02hx failed\n" , port); |
72 | exit(1); |
73 | } |
74 | |
75 | printf("[OK]\toutb to 0x%02hx worked\n" , port); |
76 | } |
77 | |
78 | static void expect_gp_outb(unsigned short port) |
79 | { |
80 | if (try_outb(port)) { |
81 | printf("[FAIL]\toutb to 0x%02hx worked\n" , port); |
82 | nerrs++; |
83 | } |
84 | |
85 | printf("[OK]\toutb to 0x%02hx failed\n" , port); |
86 | } |
87 | |
88 | #define RET_FAULTED 0 |
89 | #define RET_FAIL 1 |
90 | #define RET_EMUL 2 |
91 | |
92 | static int try_cli(void) |
93 | { |
94 | unsigned long flags; |
95 | |
96 | sethandler(sig: SIGSEGV, handler: sigsegv, flags: SA_RESETHAND); |
97 | if (sigsetjmp(jmpbuf, 1) != 0) { |
98 | return RET_FAULTED; |
99 | } else { |
100 | asm volatile("cli; pushf; pop %[flags]" |
101 | : [flags] "=rm" (flags)); |
102 | |
103 | /* X86_FLAGS_IF */ |
104 | if (!(flags & (1 << 9))) |
105 | return RET_FAIL; |
106 | else |
107 | return RET_EMUL; |
108 | } |
109 | clearhandler(sig: SIGSEGV); |
110 | } |
111 | |
112 | static int try_sti(bool irqs_off) |
113 | { |
114 | unsigned long flags; |
115 | |
116 | sethandler(sig: SIGSEGV, handler: sigsegv, flags: SA_RESETHAND); |
117 | if (sigsetjmp(jmpbuf, 1) != 0) { |
118 | return RET_FAULTED; |
119 | } else { |
120 | asm volatile("sti; pushf; pop %[flags]" |
121 | : [flags] "=rm" (flags)); |
122 | |
123 | /* X86_FLAGS_IF */ |
124 | if (irqs_off && (flags & (1 << 9))) |
125 | return RET_FAIL; |
126 | else |
127 | return RET_EMUL; |
128 | } |
129 | clearhandler(sig: SIGSEGV); |
130 | } |
131 | |
132 | static void expect_gp_sti(bool irqs_off) |
133 | { |
134 | int ret = try_sti(irqs_off); |
135 | |
136 | switch (ret) { |
137 | case RET_FAULTED: |
138 | printf("[OK]\tSTI faulted\n" ); |
139 | break; |
140 | case RET_EMUL: |
141 | printf("[OK]\tSTI NOPped\n" ); |
142 | break; |
143 | default: |
144 | printf("[FAIL]\tSTI worked\n" ); |
145 | nerrs++; |
146 | } |
147 | } |
148 | |
149 | /* |
150 | * Returns whether it managed to disable interrupts. |
151 | */ |
152 | static bool test_cli(void) |
153 | { |
154 | int ret = try_cli(); |
155 | |
156 | switch (ret) { |
157 | case RET_FAULTED: |
158 | printf("[OK]\tCLI faulted\n" ); |
159 | break; |
160 | case RET_EMUL: |
161 | printf("[OK]\tCLI NOPped\n" ); |
162 | break; |
163 | default: |
164 | printf("[FAIL]\tCLI worked\n" ); |
165 | nerrs++; |
166 | return true; |
167 | } |
168 | |
169 | return false; |
170 | } |
171 | |
172 | int main(void) |
173 | { |
174 | cpu_set_t cpuset; |
175 | |
176 | CPU_ZERO(&cpuset); |
177 | CPU_SET(0, &cpuset); |
178 | if (sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0) |
179 | err(1, "sched_setaffinity to CPU 0" ); |
180 | |
181 | /* Probe for iopl support. Note that iopl(0) works even as nonroot. */ |
182 | switch(iopl(3)) { |
183 | case 0: |
184 | break; |
185 | case -ENOSYS: |
186 | printf("[OK]\tiopl() nor supported\n" ); |
187 | return 0; |
188 | default: |
189 | printf("[OK]\tiopl(3) failed (%d) -- try running as root\n" , |
190 | errno); |
191 | return 0; |
192 | } |
193 | |
194 | /* Make sure that CLI/STI are blocked even with IOPL level 3 */ |
195 | expect_gp_sti(test_cli()); |
196 | expect_ok_outb(port: 0x80); |
197 | |
198 | /* Establish an I/O bitmap to test the restore */ |
199 | if (ioperm(0x80, 1, 1) != 0) |
200 | err(1, "ioperm(0x80, 1, 1) failed\n" ); |
201 | |
202 | /* Restore our original state prior to starting the fork test. */ |
203 | if (iopl(0) != 0) |
204 | err(1, "iopl(0)" ); |
205 | |
206 | /* |
207 | * Verify that IOPL emulation is disabled and the I/O bitmap still |
208 | * works. |
209 | */ |
210 | expect_ok_outb(port: 0x80); |
211 | expect_gp_outb(port: 0xed); |
212 | /* Drop the I/O bitmap */ |
213 | if (ioperm(0x80, 1, 0) != 0) |
214 | err(1, "ioperm(0x80, 1, 0) failed\n" ); |
215 | |
216 | pid_t child = fork(); |
217 | if (child == -1) |
218 | err(1, "fork" ); |
219 | |
220 | if (child == 0) { |
221 | printf("\tchild: set IOPL to 3\n" ); |
222 | if (iopl(3) != 0) |
223 | err(1, "iopl" ); |
224 | |
225 | printf("[RUN]\tchild: write to 0x80\n" ); |
226 | asm volatile ("outb %%al, $0x80" : : "a" (0)); |
227 | |
228 | return 0; |
229 | } else { |
230 | int status; |
231 | if (waitpid(child, &status, 0) != child || |
232 | !WIFEXITED(status)) { |
233 | printf("[FAIL]\tChild died\n" ); |
234 | nerrs++; |
235 | } else if (WEXITSTATUS(status) != 0) { |
236 | printf("[FAIL]\tChild failed\n" ); |
237 | nerrs++; |
238 | } else { |
239 | printf("[OK]\tChild succeeded\n" ); |
240 | } |
241 | } |
242 | |
243 | printf("[RUN]\tparent: write to 0x80 (should fail)\n" ); |
244 | |
245 | expect_gp_outb(port: 0x80); |
246 | expect_gp_sti(test_cli()); |
247 | |
248 | /* Test the capability checks. */ |
249 | printf("\tiopl(3)\n" ); |
250 | if (iopl(3) != 0) |
251 | err(1, "iopl(3)" ); |
252 | |
253 | printf("\tDrop privileges\n" ); |
254 | if (setresuid(1, 1, 1) != 0) { |
255 | printf("[WARN]\tDropping privileges failed\n" ); |
256 | goto done; |
257 | } |
258 | |
259 | printf("[RUN]\tiopl(3) unprivileged but with IOPL==3\n" ); |
260 | if (iopl(3) != 0) { |
261 | printf("[FAIL]\tiopl(3) should work if iopl is already 3 even if unprivileged\n" ); |
262 | nerrs++; |
263 | } |
264 | |
265 | printf("[RUN]\tiopl(0) unprivileged\n" ); |
266 | if (iopl(0) != 0) { |
267 | printf("[FAIL]\tiopl(0) should work if iopl is already 3 even if unprivileged\n" ); |
268 | nerrs++; |
269 | } |
270 | |
271 | printf("[RUN]\tiopl(3) unprivileged\n" ); |
272 | if (iopl(3) == 0) { |
273 | printf("[FAIL]\tiopl(3) should fail if when unprivileged if iopl==0\n" ); |
274 | nerrs++; |
275 | } else { |
276 | printf("[OK]\tFailed as expected\n" ); |
277 | } |
278 | |
279 | done: |
280 | return nerrs ? 1 : 0; |
281 | } |
282 | |