1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * This code tests that the current task stack is properly erased (filled 4 * with STACKLEAK_POISON). 5 * 6 * Authors: 7 * Alexander Popov <alex.popov@linux.com> 8 * Tycho Andersen <tycho@tycho.ws> 9 */ 10 11 #include "lkdtm.h" 12 #include <linux/stackleak.h> 13 14 #if defined(CONFIG_GCC_PLUGIN_STACKLEAK) 15 /* 16 * Check that stackleak tracks the lowest stack pointer and erases the stack 17 * below this as expected. 18 * 19 * To prevent the lowest stack pointer changing during the test, IRQs are 20 * masked and instrumentation of this function is disabled. We assume that the 21 * compiler will create a fixed-size stack frame for this function. 22 * 23 * Any non-inlined function may make further use of the stack, altering the 24 * lowest stack pointer and/or clobbering poison values. To avoid spurious 25 * failures we must avoid printing until the end of the test or have already 26 * encountered a failure condition. 27 */ 28 static void noinstr check_stackleak_irqoff(void) 29 { 30 const unsigned long task_stack_base = (unsigned long)task_stack_page(current); 31 const unsigned long task_stack_low = stackleak_task_low_bound(current); 32 const unsigned long task_stack_high = stackleak_task_high_bound(current); 33 const unsigned long current_sp = current_stack_pointer; 34 const unsigned long lowest_sp = current->lowest_stack; 35 unsigned long untracked_high; 36 unsigned long poison_high, poison_low; 37 bool test_failed = false; 38 39 /* 40 * Check that the current and lowest recorded stack pointer values fall 41 * within the expected task stack boundaries. These tests should never 42 * fail unless the boundaries are incorrect or we're clobbering the 43 * STACK_END_MAGIC, and in either casee something is seriously wrong. 44 */ 45 if (current_sp < task_stack_low || current_sp >= task_stack_high) { 46 pr_err("FAIL: current_stack_pointer (0x%lx) outside of task stack bounds [0x%lx..0x%lx]\n", 47 current_sp, task_stack_low, task_stack_high - 1); 48 test_failed = true; 49 goto out; 50 } 51 if (lowest_sp < task_stack_low || lowest_sp >= task_stack_high) { 52 pr_err("FAIL: current->lowest_stack (0x%lx) outside of task stack bounds [0x%lx..0x%lx]\n", 53 lowest_sp, task_stack_low, task_stack_high - 1); 54 test_failed = true; 55 goto out; 56 } 57 58 /* 59 * Depending on what has run prior to this test, the lowest recorded 60 * stack pointer could be above or below the current stack pointer. 61 * Start from the lowest of the two. 62 * 63 * Poison values are naturally-aligned unsigned longs. As the current 64 * stack pointer might not be sufficiently aligned, we must align 65 * downwards to find the lowest known stack pointer value. This is the 66 * high boundary for a portion of the stack which may have been used 67 * without being tracked, and has to be scanned for poison. 68 */ 69 untracked_high = min(current_sp, lowest_sp); 70 untracked_high = ALIGN_DOWN(untracked_high, sizeof(unsigned long)); 71 72 /* 73 * Find the top of the poison in the same way as the erasing code. 74 */ 75 poison_high = stackleak_find_top_of_poison(task_stack_low, untracked_high); 76 77 /* 78 * Check whether the poisoned portion of the stack (if any) consists 79 * entirely of poison. This verifies the entries that 80 * stackleak_find_top_of_poison() should have checked. 81 */ 82 poison_low = poison_high; 83 while (poison_low > task_stack_low) { 84 poison_low -= sizeof(unsigned long); 85 86 if (*(unsigned long *)poison_low == STACKLEAK_POISON) 87 continue; 88 89 pr_err("FAIL: non-poison value %lu bytes below poison boundary: 0x%lx\n", 90 poison_high - poison_low, *(unsigned long *)poison_low); 91 test_failed = true; 92 } 93 94 pr_info("stackleak stack usage:\n" 95 " high offset: %lu bytes\n" 96 " current: %lu bytes\n" 97 " lowest: %lu bytes\n" 98 " tracked: %lu bytes\n" 99 " untracked: %lu bytes\n" 100 " poisoned: %lu bytes\n" 101 " low offset: %lu bytes\n", 102 task_stack_base + THREAD_SIZE - task_stack_high, 103 task_stack_high - current_sp, 104 task_stack_high - lowest_sp, 105 task_stack_high - untracked_high, 106 untracked_high - poison_high, 107 poison_high - task_stack_low, 108 task_stack_low - task_stack_base); 109 110 out: 111 if (test_failed) { 112 pr_err("FAIL: the thread stack is NOT properly erased!\n"); 113 } else { 114 pr_info("OK: the rest of the thread stack is properly erased\n"); 115 } 116 } 117 118 static void lkdtm_STACKLEAK_ERASING(void) 119 { 120 unsigned long flags; 121 122 local_irq_save(flags); 123 check_stackleak_irqoff(); 124 local_irq_restore(flags); 125 } 126 #else /* defined(CONFIG_GCC_PLUGIN_STACKLEAK) */ 127 static void lkdtm_STACKLEAK_ERASING(void) 128 { 129 if (IS_ENABLED(CONFIG_HAVE_ARCH_STACKLEAK)) { 130 pr_err("XFAIL: stackleak is not enabled (CONFIG_GCC_PLUGIN_STACKLEAK=n)\n"); 131 } else { 132 pr_err("XFAIL: stackleak is not supported on this arch (HAVE_ARCH_STACKLEAK=n)\n"); 133 } 134 } 135 #endif /* defined(CONFIG_GCC_PLUGIN_STACKLEAK) */ 136 137 static struct crashtype crashtypes[] = { 138 CRASHTYPE(STACKLEAK_ERASING), 139 }; 140 141 struct crashtype_category stackleak_crashtypes = { 142 .crashtypes = crashtypes, 143 .len = ARRAY_SIZE(crashtypes), 144 }; 145