xref: /openbmc/linux/drivers/misc/lkdtm/bugs.c (revision dc6a81c3)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * This is for all the tests related to logic bugs (e.g. bad dereferences,
4  * bad alignment, bad loops, bad locking, bad scheduling, deep stacks, and
5  * lockups) along with other things that don't fit well into existing LKDTM
6  * test source files.
7  */
8 #include "lkdtm.h"
9 #include <linux/list.h>
10 #include <linux/sched.h>
11 #include <linux/sched/signal.h>
12 #include <linux/sched/task_stack.h>
13 #include <linux/uaccess.h>
14 
15 #ifdef CONFIG_X86_32
16 #include <asm/desc.h>
17 #endif
18 
19 struct lkdtm_list {
20 	struct list_head node;
21 };
22 
23 /*
24  * Make sure our attempts to over run the kernel stack doesn't trigger
25  * a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
26  * recurse past the end of THREAD_SIZE by default.
27  */
28 #if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
29 #define REC_STACK_SIZE (_AC(CONFIG_FRAME_WARN, UL) / 2)
30 #else
31 #define REC_STACK_SIZE (THREAD_SIZE / 8)
32 #endif
33 #define REC_NUM_DEFAULT ((THREAD_SIZE / REC_STACK_SIZE) * 2)
34 
35 static int recur_count = REC_NUM_DEFAULT;
36 
37 static DEFINE_SPINLOCK(lock_me_up);
38 
39 /*
40  * Make sure compiler does not optimize this function or stack frame away:
41  * - function marked noinline
42  * - stack variables are marked volatile
43  * - stack variables are written (memset()) and read (pr_info())
44  * - function has external effects (pr_info())
45  * */
46 static int noinline recursive_loop(int remaining)
47 {
48 	volatile char buf[REC_STACK_SIZE];
49 
50 	memset((void *)buf, remaining & 0xFF, sizeof(buf));
51 	pr_info("loop %d/%d ...\n", (int)buf[remaining % sizeof(buf)],
52 		recur_count);
53 	if (!remaining)
54 		return 0;
55 	else
56 		return recursive_loop(remaining - 1);
57 }
58 
59 /* If the depth is negative, use the default, otherwise keep parameter. */
60 void __init lkdtm_bugs_init(int *recur_param)
61 {
62 	if (*recur_param < 0)
63 		*recur_param = recur_count;
64 	else
65 		recur_count = *recur_param;
66 }
67 
68 void lkdtm_PANIC(void)
69 {
70 	panic("dumptest");
71 }
72 
73 void lkdtm_BUG(void)
74 {
75 	BUG();
76 }
77 
78 static int warn_counter;
79 
80 void lkdtm_WARNING(void)
81 {
82 	WARN_ON(++warn_counter);
83 }
84 
85 void lkdtm_WARNING_MESSAGE(void)
86 {
87 	WARN(1, "Warning message trigger count: %d\n", ++warn_counter);
88 }
89 
90 void lkdtm_EXCEPTION(void)
91 {
92 	*((volatile int *) 0) = 0;
93 }
94 
95 void lkdtm_LOOP(void)
96 {
97 	for (;;)
98 		;
99 }
100 
101 void lkdtm_EXHAUST_STACK(void)
102 {
103 	pr_info("Calling function with %lu frame size to depth %d ...\n",
104 		REC_STACK_SIZE, recur_count);
105 	recursive_loop(recur_count);
106 	pr_info("FAIL: survived without exhausting stack?!\n");
107 }
108 
109 static noinline void __lkdtm_CORRUPT_STACK(void *stack)
110 {
111 	memset(stack, '\xff', 64);
112 }
113 
114 /* This should trip the stack canary, not corrupt the return address. */
115 noinline void lkdtm_CORRUPT_STACK(void)
116 {
117 	/* Use default char array length that triggers stack protection. */
118 	char data[8] __aligned(sizeof(void *));
119 
120 	__lkdtm_CORRUPT_STACK(&data);
121 
122 	pr_info("Corrupted stack containing char array ...\n");
123 }
124 
125 /* Same as above but will only get a canary with -fstack-protector-strong */
126 noinline void lkdtm_CORRUPT_STACK_STRONG(void)
127 {
128 	union {
129 		unsigned short shorts[4];
130 		unsigned long *ptr;
131 	} data __aligned(sizeof(void *));
132 
133 	__lkdtm_CORRUPT_STACK(&data);
134 
135 	pr_info("Corrupted stack containing union ...\n");
136 }
137 
138 void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void)
139 {
140 	static u8 data[5] __attribute__((aligned(4))) = {1, 2, 3, 4, 5};
141 	u32 *p;
142 	u32 val = 0x12345678;
143 
144 	p = (u32 *)(data + 1);
145 	if (*p == 0)
146 		val = 0x87654321;
147 	*p = val;
148 }
149 
150 void lkdtm_SOFTLOCKUP(void)
151 {
152 	preempt_disable();
153 	for (;;)
154 		cpu_relax();
155 }
156 
157 void lkdtm_HARDLOCKUP(void)
158 {
159 	local_irq_disable();
160 	for (;;)
161 		cpu_relax();
162 }
163 
164 void lkdtm_SPINLOCKUP(void)
165 {
166 	/* Must be called twice to trigger. */
167 	spin_lock(&lock_me_up);
168 	/* Let sparse know we intended to exit holding the lock. */
169 	__release(&lock_me_up);
170 }
171 
172 void lkdtm_HUNG_TASK(void)
173 {
174 	set_current_state(TASK_UNINTERRUPTIBLE);
175 	schedule();
176 }
177 
178 void lkdtm_CORRUPT_LIST_ADD(void)
179 {
180 	/*
181 	 * Initially, an empty list via LIST_HEAD:
182 	 *	test_head.next = &test_head
183 	 *	test_head.prev = &test_head
184 	 */
185 	LIST_HEAD(test_head);
186 	struct lkdtm_list good, bad;
187 	void *target[2] = { };
188 	void *redirection = &target;
189 
190 	pr_info("attempting good list addition\n");
191 
192 	/*
193 	 * Adding to the list performs these actions:
194 	 *	test_head.next->prev = &good.node
195 	 *	good.node.next = test_head.next
196 	 *	good.node.prev = test_head
197 	 *	test_head.next = good.node
198 	 */
199 	list_add(&good.node, &test_head);
200 
201 	pr_info("attempting corrupted list addition\n");
202 	/*
203 	 * In simulating this "write what where" primitive, the "what" is
204 	 * the address of &bad.node, and the "where" is the address held
205 	 * by "redirection".
206 	 */
207 	test_head.next = redirection;
208 	list_add(&bad.node, &test_head);
209 
210 	if (target[0] == NULL && target[1] == NULL)
211 		pr_err("Overwrite did not happen, but no BUG?!\n");
212 	else
213 		pr_err("list_add() corruption not detected!\n");
214 }
215 
216 void lkdtm_CORRUPT_LIST_DEL(void)
217 {
218 	LIST_HEAD(test_head);
219 	struct lkdtm_list item;
220 	void *target[2] = { };
221 	void *redirection = &target;
222 
223 	list_add(&item.node, &test_head);
224 
225 	pr_info("attempting good list removal\n");
226 	list_del(&item.node);
227 
228 	pr_info("attempting corrupted list removal\n");
229 	list_add(&item.node, &test_head);
230 
231 	/* As with the list_add() test above, this corrupts "next". */
232 	item.node.next = redirection;
233 	list_del(&item.node);
234 
235 	if (target[0] == NULL && target[1] == NULL)
236 		pr_err("Overwrite did not happen, but no BUG?!\n");
237 	else
238 		pr_err("list_del() corruption not detected!\n");
239 }
240 
241 /* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */
242 void lkdtm_CORRUPT_USER_DS(void)
243 {
244 	pr_info("setting bad task size limit\n");
245 	set_fs(KERNEL_DS);
246 
247 	/* Make sure we do not keep running with a KERNEL_DS! */
248 	force_sig(SIGKILL);
249 }
250 
251 /* Test that VMAP_STACK is actually allocating with a leading guard page */
252 void lkdtm_STACK_GUARD_PAGE_LEADING(void)
253 {
254 	const unsigned char *stack = task_stack_page(current);
255 	const unsigned char *ptr = stack - 1;
256 	volatile unsigned char byte;
257 
258 	pr_info("attempting bad read from page below current stack\n");
259 
260 	byte = *ptr;
261 
262 	pr_err("FAIL: accessed page before stack!\n");
263 }
264 
265 /* Test that VMAP_STACK is actually allocating with a trailing guard page */
266 void lkdtm_STACK_GUARD_PAGE_TRAILING(void)
267 {
268 	const unsigned char *stack = task_stack_page(current);
269 	const unsigned char *ptr = stack + THREAD_SIZE;
270 	volatile unsigned char byte;
271 
272 	pr_info("attempting bad read from page above current stack\n");
273 
274 	byte = *ptr;
275 
276 	pr_err("FAIL: accessed page after stack!\n");
277 }
278 
279 void lkdtm_UNSET_SMEP(void)
280 {
281 #if IS_ENABLED(CONFIG_X86_64) && !IS_ENABLED(CONFIG_UML)
282 #define MOV_CR4_DEPTH	64
283 	void (*direct_write_cr4)(unsigned long val);
284 	unsigned char *insn;
285 	unsigned long cr4;
286 	int i;
287 
288 	cr4 = native_read_cr4();
289 
290 	if ((cr4 & X86_CR4_SMEP) != X86_CR4_SMEP) {
291 		pr_err("FAIL: SMEP not in use\n");
292 		return;
293 	}
294 	cr4 &= ~(X86_CR4_SMEP);
295 
296 	pr_info("trying to clear SMEP normally\n");
297 	native_write_cr4(cr4);
298 	if (cr4 == native_read_cr4()) {
299 		pr_err("FAIL: pinning SMEP failed!\n");
300 		cr4 |= X86_CR4_SMEP;
301 		pr_info("restoring SMEP\n");
302 		native_write_cr4(cr4);
303 		return;
304 	}
305 	pr_info("ok: SMEP did not get cleared\n");
306 
307 	/*
308 	 * To test the post-write pinning verification we need to call
309 	 * directly into the middle of native_write_cr4() where the
310 	 * cr4 write happens, skipping any pinning. This searches for
311 	 * the cr4 writing instruction.
312 	 */
313 	insn = (unsigned char *)native_write_cr4;
314 	for (i = 0; i < MOV_CR4_DEPTH; i++) {
315 		/* mov %rdi, %cr4 */
316 		if (insn[i] == 0x0f && insn[i+1] == 0x22 && insn[i+2] == 0xe7)
317 			break;
318 		/* mov %rdi,%rax; mov %rax, %cr4 */
319 		if (insn[i]   == 0x48 && insn[i+1] == 0x89 &&
320 		    insn[i+2] == 0xf8 && insn[i+3] == 0x0f &&
321 		    insn[i+4] == 0x22 && insn[i+5] == 0xe0)
322 			break;
323 	}
324 	if (i >= MOV_CR4_DEPTH) {
325 		pr_info("ok: cannot locate cr4 writing call gadget\n");
326 		return;
327 	}
328 	direct_write_cr4 = (void *)(insn + i);
329 
330 	pr_info("trying to clear SMEP with call gadget\n");
331 	direct_write_cr4(cr4);
332 	if (native_read_cr4() & X86_CR4_SMEP) {
333 		pr_info("ok: SMEP removal was reverted\n");
334 	} else {
335 		pr_err("FAIL: cleared SMEP not detected!\n");
336 		cr4 |= X86_CR4_SMEP;
337 		pr_info("restoring SMEP\n");
338 		native_write_cr4(cr4);
339 	}
340 #else
341 	pr_err("XFAIL: this test is x86_64-only\n");
342 #endif
343 }
344 
345 void lkdtm_DOUBLE_FAULT(void)
346 {
347 #ifdef CONFIG_X86_32
348 	/*
349 	 * Trigger #DF by setting the stack limit to zero.  This clobbers
350 	 * a GDT TLS slot, which is okay because the current task will die
351 	 * anyway due to the double fault.
352 	 */
353 	struct desc_struct d = {
354 		.type = 3,	/* expand-up, writable, accessed data */
355 		.p = 1,		/* present */
356 		.d = 1,		/* 32-bit */
357 		.g = 0,		/* limit in bytes */
358 		.s = 1,		/* not system */
359 	};
360 
361 	local_irq_disable();
362 	write_gdt_entry(get_cpu_gdt_rw(smp_processor_id()),
363 			GDT_ENTRY_TLS_MIN, &d, DESCTYPE_S);
364 
365 	/*
366 	 * Put our zero-limit segment in SS and then trigger a fault.  The
367 	 * 4-byte access to (%esp) will fault with #SS, and the attempt to
368 	 * deliver the fault will recursively cause #SS and result in #DF.
369 	 * This whole process happens while NMIs and MCEs are blocked by the
370 	 * MOV SS window.  This is nice because an NMI with an invalid SS
371 	 * would also double-fault, resulting in the NMI or MCE being lost.
372 	 */
373 	asm volatile ("movw %0, %%ss; addl $0, (%%esp)" ::
374 		      "r" ((unsigned short)(GDT_ENTRY_TLS_MIN << 3)));
375 
376 	pr_err("FAIL: tried to double fault but didn't die\n");
377 #else
378 	pr_err("XFAIL: this test is ia32-only\n");
379 #endif
380 }
381