xref: /openbmc/linux/drivers/misc/lkdtm/stackleak.c (revision 7ae5c03a)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * This code tests that the current task stack is properly erased (filled
4  * with STACKLEAK_POISON).
5  *
6  * Authors:
7  *   Alexander Popov <alex.popov@linux.com>
8  *   Tycho Andersen <tycho@tycho.ws>
9  */
10 
11 #include "lkdtm.h"
12 #include <linux/stackleak.h>
13 
14 #if defined(CONFIG_GCC_PLUGIN_STACKLEAK)
15 /*
16  * Check that stackleak tracks the lowest stack pointer and erases the stack
17  * below this as expected.
18  *
19  * To prevent the lowest stack pointer changing during the test, IRQs are
20  * masked and instrumentation of this function is disabled. We assume that the
21  * compiler will create a fixed-size stack frame for this function.
22  *
23  * Any non-inlined function may make further use of the stack, altering the
24  * lowest stack pointer and/or clobbering poison values. To avoid spurious
25  * failures we must avoid printing until the end of the test or have already
26  * encountered a failure condition.
27  */
28 static void noinstr check_stackleak_irqoff(void)
29 {
30 	const unsigned long task_stack_base = (unsigned long)task_stack_page(current);
31 	const unsigned long task_stack_low = stackleak_task_low_bound(current);
32 	const unsigned long task_stack_high = stackleak_task_high_bound(current);
33 	const unsigned long current_sp = current_stack_pointer;
34 	const unsigned long lowest_sp = current->lowest_stack;
35 	unsigned long untracked_high;
36 	unsigned long poison_high, poison_low;
37 	bool test_failed = false;
38 
39 	/*
40 	 * Check that the current and lowest recorded stack pointer values fall
41 	 * within the expected task stack boundaries. These tests should never
42 	 * fail unless the boundaries are incorrect or we're clobbering the
43 	 * STACK_END_MAGIC, and in either casee something is seriously wrong.
44 	 */
45 	if (current_sp < task_stack_low || current_sp >= task_stack_high) {
46 		pr_err("FAIL: current_stack_pointer (0x%lx) outside of task stack bounds [0x%lx..0x%lx]\n",
47 		       current_sp, task_stack_low, task_stack_high - 1);
48 		test_failed = true;
49 		goto out;
50 	}
51 	if (lowest_sp < task_stack_low || lowest_sp >= task_stack_high) {
52 		pr_err("FAIL: current->lowest_stack (0x%lx) outside of task stack bounds [0x%lx..0x%lx]\n",
53 		       lowest_sp, task_stack_low, task_stack_high - 1);
54 		test_failed = true;
55 		goto out;
56 	}
57 
58 	/*
59 	 * Depending on what has run prior to this test, the lowest recorded
60 	 * stack pointer could be above or below the current stack pointer.
61 	 * Start from the lowest of the two.
62 	 *
63 	 * Poison values are naturally-aligned unsigned longs. As the current
64 	 * stack pointer might not be sufficiently aligned, we must align
65 	 * downwards to find the lowest known stack pointer value. This is the
66 	 * high boundary for a portion of the stack which may have been used
67 	 * without being tracked, and has to be scanned for poison.
68 	 */
69 	untracked_high = min(current_sp, lowest_sp);
70 	untracked_high = ALIGN_DOWN(untracked_high, sizeof(unsigned long));
71 
72 	/*
73 	 * Find the top of the poison in the same way as the erasing code.
74 	 */
75 	poison_high = stackleak_find_top_of_poison(task_stack_low, untracked_high);
76 
77 	/*
78 	 * Check whether the poisoned portion of the stack (if any) consists
79 	 * entirely of poison. This verifies the entries that
80 	 * stackleak_find_top_of_poison() should have checked.
81 	 */
82 	poison_low = poison_high;
83 	while (poison_low > task_stack_low) {
84 		poison_low -= sizeof(unsigned long);
85 
86 		if (*(unsigned long *)poison_low == STACKLEAK_POISON)
87 			continue;
88 
89 		pr_err("FAIL: non-poison value %lu bytes below poison boundary: 0x%lx\n",
90 		       poison_high - poison_low, *(unsigned long *)poison_low);
91 		test_failed = true;
92 	}
93 
94 	pr_info("stackleak stack usage:\n"
95 		"  high offset: %lu bytes\n"
96 		"  current:     %lu bytes\n"
97 		"  lowest:      %lu bytes\n"
98 		"  tracked:     %lu bytes\n"
99 		"  untracked:   %lu bytes\n"
100 		"  poisoned:    %lu bytes\n"
101 		"  low offset:  %lu bytes\n",
102 		task_stack_base + THREAD_SIZE - task_stack_high,
103 		task_stack_high - current_sp,
104 		task_stack_high - lowest_sp,
105 		task_stack_high - untracked_high,
106 		untracked_high - poison_high,
107 		poison_high - task_stack_low,
108 		task_stack_low - task_stack_base);
109 
110 out:
111 	if (test_failed) {
112 		pr_err("FAIL: the thread stack is NOT properly erased!\n");
113 	} else {
114 		pr_info("OK: the rest of the thread stack is properly erased\n");
115 	}
116 }
117 
118 static void lkdtm_STACKLEAK_ERASING(void)
119 {
120 	unsigned long flags;
121 
122 	local_irq_save(flags);
123 	check_stackleak_irqoff();
124 	local_irq_restore(flags);
125 }
126 #else /* defined(CONFIG_GCC_PLUGIN_STACKLEAK) */
127 static void lkdtm_STACKLEAK_ERASING(void)
128 {
129 	if (IS_ENABLED(CONFIG_HAVE_ARCH_STACKLEAK)) {
130 		pr_err("XFAIL: stackleak is not enabled (CONFIG_GCC_PLUGIN_STACKLEAK=n)\n");
131 	} else {
132 		pr_err("XFAIL: stackleak is not supported on this arch (HAVE_ARCH_STACKLEAK=n)\n");
133 	}
134 }
135 #endif /* defined(CONFIG_GCC_PLUGIN_STACKLEAK) */
136 
137 static struct crashtype crashtypes[] = {
138 	CRASHTYPE(STACKLEAK_ERASING),
139 };
140 
141 struct crashtype_category stackleak_crashtypes = {
142 	.crashtypes = crashtypes,
143 	.len	    = ARRAY_SIZE(crashtypes),
144 };
145