| 1 | /* SPDX-License-Identifier: GPL-2.0 */ |
|---|
| 2 | /* |
|---|
| 3 | * mov_ss_trap.c: Exercise the bizarre side effects of a watchpoint on MOV SS |
|---|
| 4 | * |
|---|
| 5 | * This does MOV SS from a watchpointed address followed by various |
|---|
| 6 | * types of kernel entries. A MOV SS that hits a watchpoint will queue |
|---|
| 7 | * up a #DB trap but will not actually deliver that trap. The trap |
|---|
| 8 | * will be delivered after the next instruction instead. The CPU's logic |
|---|
| 9 | * seems to be: |
|---|
| 10 | * |
|---|
| 11 | * - Any fault: drop the pending #DB trap. |
|---|
| 12 | * - INT $N, INT3, INTO, SYSCALL, SYSENTER: enter the kernel and then |
|---|
| 13 | * deliver #DB. |
|---|
| 14 | * - ICEBP: enter the kernel but do not deliver the watchpoint trap |
|---|
| 15 | * - breakpoint: only one #DB is delivered (phew!) |
|---|
| 16 | * |
|---|
| 17 | * There are plenty of ways for a kernel to handle this incorrectly. This |
|---|
| 18 | * test tries to exercise all the cases. |
|---|
| 19 | * |
|---|
| 20 | * This should mostly cover CVE-2018-1087 and CVE-2018-8897. |
|---|
| 21 | */ |
|---|
| 22 | #define _GNU_SOURCE |
|---|
| 23 | |
|---|
| 24 | #include <stdlib.h> |
|---|
| 25 | #include <sys/ptrace.h> |
|---|
| 26 | #include <sys/types.h> |
|---|
| 27 | #include <sys/wait.h> |
|---|
| 28 | #include <sys/user.h> |
|---|
| 29 | #include <sys/syscall.h> |
|---|
| 30 | #include <unistd.h> |
|---|
| 31 | #include <errno.h> |
|---|
| 32 | #include <stddef.h> |
|---|
| 33 | #include <stdio.h> |
|---|
| 34 | #include <err.h> |
|---|
| 35 | #include <string.h> |
|---|
| 36 | #include <setjmp.h> |
|---|
| 37 | #include <sys/prctl.h> |
|---|
| 38 | |
|---|
| 39 | #define X86_EFLAGS_RF (1UL << 16) |
|---|
| 40 | |
|---|
| 41 | #if __x86_64__ |
|---|
| 42 | # define REG_IP REG_RIP |
|---|
| 43 | #else |
|---|
| 44 | # define REG_IP REG_EIP |
|---|
| 45 | #endif |
|---|
| 46 | |
|---|
| 47 | unsigned short ss; |
|---|
| 48 | extern unsigned char breakpoint_insn[]; |
|---|
| 49 | sigjmp_buf jmpbuf; |
|---|
| 50 | |
|---|
| 51 | static void enable_watchpoint(void) |
|---|
| 52 | { |
|---|
| 53 | pid_t parent = getpid(); |
|---|
| 54 | int status; |
|---|
| 55 | |
|---|
| 56 | pid_t child = fork(); |
|---|
| 57 | if (child < 0) |
|---|
| 58 | err(1, "fork" ); |
|---|
| 59 | |
|---|
| 60 | if (child) { |
|---|
| 61 | if (waitpid(child, &status, 0) != child) |
|---|
| 62 | err(1, "waitpid for child" ); |
|---|
| 63 | } else { |
|---|
| 64 | unsigned long dr0, dr1, dr7; |
|---|
| 65 | |
|---|
| 66 | dr0 = (unsigned long)&ss; |
|---|
| 67 | dr1 = (unsigned long)breakpoint_insn; |
|---|
| 68 | dr7 = ((1UL << 1) | /* G0 */ |
|---|
| 69 | (3UL << 16) | /* RW0 = read or write */ |
|---|
| 70 | (1UL << 18) | /* LEN0 = 2 bytes */ |
|---|
| 71 | (1UL << 3)); /* G1, RW1 = insn */ |
|---|
| 72 | |
|---|
| 73 | if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) != 0) |
|---|
| 74 | err(1, "PTRACE_ATTACH" ); |
|---|
| 75 | |
|---|
| 76 | if (waitpid(parent, &status, 0) != parent) |
|---|
| 77 | err(1, "waitpid for child" ); |
|---|
| 78 | |
|---|
| 79 | if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[0]), dr0) != 0) |
|---|
| 80 | err(1, "PTRACE_POKEUSER DR0" ); |
|---|
| 81 | |
|---|
| 82 | if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[1]), dr1) != 0) |
|---|
| 83 | err(1, "PTRACE_POKEUSER DR1" ); |
|---|
| 84 | |
|---|
| 85 | if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[7]), dr7) != 0) |
|---|
| 86 | err(1, "PTRACE_POKEUSER DR7" ); |
|---|
| 87 | |
|---|
| 88 | printf("\tDR0 = %lx, DR1 = %lx, DR7 = %lx\n" , dr0, dr1, dr7); |
|---|
| 89 | |
|---|
| 90 | if (ptrace(PTRACE_DETACH, parent, NULL, NULL) != 0) |
|---|
| 91 | err(1, "PTRACE_DETACH" ); |
|---|
| 92 | |
|---|
| 93 | exit(0); |
|---|
| 94 | } |
|---|
| 95 | } |
|---|
| 96 | |
|---|
| 97 | static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), |
|---|
| 98 | int flags) |
|---|
| 99 | { |
|---|
| 100 | struct sigaction sa; |
|---|
| 101 | memset(&sa, 0, sizeof(sa)); |
|---|
| 102 | sa.sa_sigaction = handler; |
|---|
| 103 | sa.sa_flags = SA_SIGINFO | flags; |
|---|
| 104 | sigemptyset(&sa.sa_mask); |
|---|
| 105 | if (sigaction(sig, &sa, 0)) |
|---|
| 106 | err(1, "sigaction" ); |
|---|
| 107 | } |
|---|
| 108 | |
|---|
| 109 | static char const * const signames[] = { |
|---|
| 110 | [SIGSEGV] = "SIGSEGV" , |
|---|
| 111 | [SIGBUS] = "SIBGUS" , |
|---|
| 112 | [SIGTRAP] = "SIGTRAP" , |
|---|
| 113 | [SIGILL] = "SIGILL" , |
|---|
| 114 | }; |
|---|
| 115 | |
|---|
| 116 | static void sigtrap(int sig, siginfo_t *si, void *ctx_void) |
|---|
| 117 | { |
|---|
| 118 | ucontext_t *ctx = ctx_void; |
|---|
| 119 | |
|---|
| 120 | printf("\tGot SIGTRAP with RIP=%lx, EFLAGS.RF=%d\n" , |
|---|
| 121 | (unsigned long)ctx->uc_mcontext.gregs[REG_IP], |
|---|
| 122 | !!(ctx->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_RF)); |
|---|
| 123 | } |
|---|
| 124 | |
|---|
| 125 | static void handle_and_return(int sig, siginfo_t *si, void *ctx_void) |
|---|
| 126 | { |
|---|
| 127 | ucontext_t *ctx = ctx_void; |
|---|
| 128 | |
|---|
| 129 | printf("\tGot %s with RIP=%lx\n" , signames[sig], |
|---|
| 130 | (unsigned long)ctx->uc_mcontext.gregs[REG_IP]); |
|---|
| 131 | } |
|---|
| 132 | |
|---|
| 133 | static void handle_and_longjmp(int sig, siginfo_t *si, void *ctx_void) |
|---|
| 134 | { |
|---|
| 135 | ucontext_t *ctx = ctx_void; |
|---|
| 136 | |
|---|
| 137 | printf("\tGot %s with RIP=%lx\n" , signames[sig], |
|---|
| 138 | (unsigned long)ctx->uc_mcontext.gregs[REG_IP]); |
|---|
| 139 | |
|---|
| 140 | siglongjmp(jmpbuf, 1); |
|---|
| 141 | } |
|---|
| 142 | |
|---|
| 143 | int main() |
|---|
| 144 | { |
|---|
| 145 | unsigned long nr; |
|---|
| 146 | |
|---|
| 147 | asm volatile ("mov %%ss, %[ss]" : [ss] "=m" (ss)); |
|---|
| 148 | printf("\tSS = 0x%hx, &SS = 0x%p\n" , ss, &ss); |
|---|
| 149 | |
|---|
| 150 | if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) == 0) |
|---|
| 151 | printf("\tPR_SET_PTRACER_ANY succeeded\n" ); |
|---|
| 152 | |
|---|
| 153 | printf("\tSet up a watchpoint\n" ); |
|---|
| 154 | sethandler(SIGTRAP, sigtrap, 0); |
|---|
| 155 | enable_watchpoint(); |
|---|
| 156 | |
|---|
| 157 | printf("[RUN]\tRead from watched memory (should get SIGTRAP)\n" ); |
|---|
| 158 | asm volatile ("mov %[ss], %[tmp]" : [tmp] "=r" (nr) : [ss] "m" (ss)); |
|---|
| 159 | |
|---|
| 160 | printf("[RUN]\tMOV SS; INT3\n" ); |
|---|
| 161 | asm volatile ("mov %[ss], %%ss; int3" :: [ss] "m" (ss)); |
|---|
| 162 | |
|---|
| 163 | printf("[RUN]\tMOV SS; INT 3\n" ); |
|---|
| 164 | asm volatile ("mov %[ss], %%ss; .byte 0xcd, 0x3" :: [ss] "m" (ss)); |
|---|
| 165 | |
|---|
| 166 | printf("[RUN]\tMOV SS; CS CS INT3\n" ); |
|---|
| 167 | asm volatile ("mov %[ss], %%ss; .byte 0x2e, 0x2e; int3" :: [ss] "m" (ss)); |
|---|
| 168 | |
|---|
| 169 | printf("[RUN]\tMOV SS; CSx14 INT3\n" ); |
|---|
| 170 | asm volatile ("mov %[ss], %%ss; .fill 14,1,0x2e; int3" :: [ss] "m" (ss)); |
|---|
| 171 | |
|---|
| 172 | printf("[RUN]\tMOV SS; INT 4\n" ); |
|---|
| 173 | sethandler(SIGSEGV, handle_and_return, SA_RESETHAND); |
|---|
| 174 | asm volatile ("mov %[ss], %%ss; int $4" :: [ss] "m" (ss)); |
|---|
| 175 | |
|---|
| 176 | #ifdef __i386__ |
|---|
| 177 | printf("[RUN]\tMOV SS; INTO\n" ); |
|---|
| 178 | sethandler(SIGSEGV, handle_and_return, SA_RESETHAND); |
|---|
| 179 | nr = -1; |
|---|
| 180 | asm volatile ("add $1, %[tmp]; mov %[ss], %%ss; into" |
|---|
| 181 | : [tmp] "+r" (nr) : [ss] "m" (ss)); |
|---|
| 182 | #endif |
|---|
| 183 | |
|---|
| 184 | if (sigsetjmp(jmpbuf, 1) == 0) { |
|---|
| 185 | printf("[RUN]\tMOV SS; ICEBP\n" ); |
|---|
| 186 | |
|---|
| 187 | /* Some emulators (e.g. QEMU TCG) don't emulate ICEBP. */ |
|---|
| 188 | sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND); |
|---|
| 189 | |
|---|
| 190 | asm volatile ("mov %[ss], %%ss; .byte 0xf1" :: [ss] "m" (ss)); |
|---|
| 191 | } |
|---|
| 192 | |
|---|
| 193 | if (sigsetjmp(jmpbuf, 1) == 0) { |
|---|
| 194 | printf("[RUN]\tMOV SS; CLI\n" ); |
|---|
| 195 | sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); |
|---|
| 196 | asm volatile ("mov %[ss], %%ss; cli" :: [ss] "m" (ss)); |
|---|
| 197 | } |
|---|
| 198 | |
|---|
| 199 | if (sigsetjmp(jmpbuf, 1) == 0) { |
|---|
| 200 | printf("[RUN]\tMOV SS; #PF\n" ); |
|---|
| 201 | sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); |
|---|
| 202 | asm volatile ("mov %[ss], %%ss; mov (-1), %[tmp]" |
|---|
| 203 | : [tmp] "=r" (nr) : [ss] "m" (ss)); |
|---|
| 204 | } |
|---|
| 205 | |
|---|
| 206 | /* |
|---|
| 207 | * INT $1: if #DB has DPL=3 and there isn't special handling, |
|---|
| 208 | * then the kernel will die. |
|---|
| 209 | */ |
|---|
| 210 | if (sigsetjmp(jmpbuf, 1) == 0) { |
|---|
| 211 | printf("[RUN]\tMOV SS; INT 1\n" ); |
|---|
| 212 | sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); |
|---|
| 213 | asm volatile ("mov %[ss], %%ss; int $1" :: [ss] "m" (ss)); |
|---|
| 214 | } |
|---|
| 215 | |
|---|
| 216 | #ifdef __x86_64__ |
|---|
| 217 | /* |
|---|
| 218 | * In principle, we should test 32-bit SYSCALL as well, but |
|---|
| 219 | * the calling convention is so unpredictable that it's |
|---|
| 220 | * not obviously worth the effort. |
|---|
| 221 | */ |
|---|
| 222 | if (sigsetjmp(jmpbuf, 1) == 0) { |
|---|
| 223 | printf("[RUN]\tMOV SS; SYSCALL\n" ); |
|---|
| 224 | sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND); |
|---|
| 225 | nr = SYS_getpid; |
|---|
| 226 | /* |
|---|
| 227 | * Toggle the high bit of RSP to make it noncanonical to |
|---|
| 228 | * strengthen this test on non-SMAP systems. |
|---|
| 229 | */ |
|---|
| 230 | asm volatile ("btc $63, %%rsp\n\t" |
|---|
| 231 | "mov %[ss], %%ss; syscall\n\t" |
|---|
| 232 | "btc $63, %%rsp" |
|---|
| 233 | : "+a" (nr) : [ss] "m" (ss) |
|---|
| 234 | : "rcx" |
|---|
| 235 | #ifdef __x86_64__ |
|---|
| 236 | , "r11" |
|---|
| 237 | #endif |
|---|
| 238 | ); |
|---|
| 239 | } |
|---|
| 240 | #endif |
|---|
| 241 | |
|---|
| 242 | printf("[RUN]\tMOV SS; breakpointed NOP\n" ); |
|---|
| 243 | asm volatile ("mov %[ss], %%ss; breakpoint_insn: nop" :: [ss] "m" (ss)); |
|---|
| 244 | |
|---|
| 245 | /* |
|---|
| 246 | * Invoking SYSENTER directly breaks all the rules. Just handle |
|---|
| 247 | * the SIGSEGV. |
|---|
| 248 | */ |
|---|
| 249 | if (sigsetjmp(jmpbuf, 1) == 0) { |
|---|
| 250 | printf("[RUN]\tMOV SS; SYSENTER\n" ); |
|---|
| 251 | stack_t stack = { |
|---|
| 252 | .ss_sp = malloc(sizeof(char) * SIGSTKSZ), |
|---|
| 253 | .ss_size = SIGSTKSZ, |
|---|
| 254 | }; |
|---|
| 255 | if (sigaltstack(&stack, NULL) != 0) |
|---|
| 256 | err(1, "sigaltstack" ); |
|---|
| 257 | sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND | SA_ONSTACK); |
|---|
| 258 | nr = SYS_getpid; |
|---|
| 259 | free(stack.ss_sp); |
|---|
| 260 | /* Clear EBP first to make sure we segfault cleanly. */ |
|---|
| 261 | asm volatile ("xorl %%ebp, %%ebp; mov %[ss], %%ss; SYSENTER" : "+a" (nr) |
|---|
| 262 | : [ss] "m" (ss) : "flags" , "rcx" |
|---|
| 263 | #ifdef __x86_64__ |
|---|
| 264 | , "r11" |
|---|
| 265 | #endif |
|---|
| 266 | ); |
|---|
| 267 | |
|---|
| 268 | /* We're unreachable here. SYSENTER forgets RIP. */ |
|---|
| 269 | } |
|---|
| 270 | |
|---|
| 271 | if (sigsetjmp(jmpbuf, 1) == 0) { |
|---|
| 272 | printf("[RUN]\tMOV SS; INT $0x80\n" ); |
|---|
| 273 | sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND); |
|---|
| 274 | nr = 20; /* compat getpid */ |
|---|
| 275 | asm volatile ("mov %[ss], %%ss; int $0x80" |
|---|
| 276 | : "+a" (nr) : [ss] "m" (ss) |
|---|
| 277 | : "flags" |
|---|
| 278 | #ifdef __x86_64__ |
|---|
| 279 | , "r8" , "r9" , "r10" , "r11" |
|---|
| 280 | #endif |
|---|
| 281 | ); |
|---|
| 282 | } |
|---|
| 283 | |
|---|
| 284 | printf("[OK]\tI aten't dead\n" ); |
|---|
| 285 | return 0; |
|---|
| 286 | } |
|---|
| 287 | |
|---|
