1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * ldt_gdt.c - Test cases for LDT and GDT access
4  * Copyright (c) 2015 Andrew Lutomirski
5  */
6 
7 #define _GNU_SOURCE
8 #include <err.h>
9 #include <stdio.h>
10 #include <stdint.h>
11 #include <signal.h>
12 #include <setjmp.h>
13 #include <stdlib.h>
14 #include <string.h>
15 #include <errno.h>
16 #include <unistd.h>
17 #include <sys/syscall.h>
18 #include <asm/ldt.h>
19 #include <sys/types.h>
20 #include <sys/wait.h>
21 #include <stdbool.h>
22 #include <pthread.h>
23 #include <sched.h>
24 #include <linux/futex.h>
25 #include <sys/mman.h>
26 #include <asm/prctl.h>
27 #include <sys/prctl.h>
28 
29 #define AR_ACCESSED		(1<<8)
30 
31 #define AR_TYPE_RODATA		(0 * (1<<9))
32 #define AR_TYPE_RWDATA		(1 * (1<<9))
33 #define AR_TYPE_RODATA_EXPDOWN	(2 * (1<<9))
34 #define AR_TYPE_RWDATA_EXPDOWN	(3 * (1<<9))
35 #define AR_TYPE_XOCODE		(4 * (1<<9))
36 #define AR_TYPE_XRCODE		(5 * (1<<9))
37 #define AR_TYPE_XOCODE_CONF	(6 * (1<<9))
38 #define AR_TYPE_XRCODE_CONF	(7 * (1<<9))
39 
40 #define AR_DPL3			(3 * (1<<13))
41 
42 #define AR_S			(1 << 12)
43 #define AR_P			(1 << 15)
44 #define AR_AVL			(1 << 20)
45 #define AR_L			(1 << 21)
46 #define AR_DB			(1 << 22)
47 #define AR_G			(1 << 23)
48 
49 #ifdef __x86_64__
50 # define INT80_CLOBBERS "r8", "r9", "r10", "r11"
51 #else
52 # define INT80_CLOBBERS
53 #endif
54 
55 static int nerrs;
56 
57 /* Points to an array of 1024 ints, each holding its own index. */
58 static const unsigned int *counter_page;
59 static struct user_desc *low_user_desc;
60 static struct user_desc *low_user_desc_clear;  /* Use to delete GDT entry */
61 static int gdt_entry_num;
62 
63 static void check_invalid_segment(uint16_t index, int ldt)
64 {
65 	uint32_t has_limit = 0, has_ar = 0, limit, ar;
66 	uint32_t selector = (index << 3) | (ldt << 2) | 3;
67 
68 	asm ("lsl %[selector], %[limit]\n\t"
69 	     "jnz 1f\n\t"
70 	     "movl $1, %[has_limit]\n\t"
71 	     "1:"
72 	     : [limit] "=r" (limit), [has_limit] "+rm" (has_limit)
73 	     : [selector] "r" (selector));
74 	asm ("larl %[selector], %[ar]\n\t"
75 	     "jnz 1f\n\t"
76 	     "movl $1, %[has_ar]\n\t"
77 	     "1:"
78 	     : [ar] "=r" (ar), [has_ar] "+rm" (has_ar)
79 	     : [selector] "r" (selector));
80 
81 	if (has_limit || has_ar) {
82 		printf("[FAIL]\t%s entry %hu is valid but should be invalid\n",
83 		       (ldt ? "LDT" : "GDT"), index);
84 		nerrs++;
85 	} else {
86 		printf("[OK]\t%s entry %hu is invalid\n",
87 		       (ldt ? "LDT" : "GDT"), index);
88 	}
89 }
90 
91 static void check_valid_segment(uint16_t index, int ldt,
92 				uint32_t expected_ar, uint32_t expected_limit,
93 				bool verbose)
94 {
95 	uint32_t has_limit = 0, has_ar = 0, limit, ar;
96 	uint32_t selector = (index << 3) | (ldt << 2) | 3;
97 
98 	asm ("lsl %[selector], %[limit]\n\t"
99 	     "jnz 1f\n\t"
100 	     "movl $1, %[has_limit]\n\t"
101 	     "1:"
102 	     : [limit] "=r" (limit), [has_limit] "+rm" (has_limit)
103 	     : [selector] "r" (selector));
104 	asm ("larl %[selector], %[ar]\n\t"
105 	     "jnz 1f\n\t"
106 	     "movl $1, %[has_ar]\n\t"
107 	     "1:"
108 	     : [ar] "=r" (ar), [has_ar] "+rm" (has_ar)
109 	     : [selector] "r" (selector));
110 
111 	if (!has_limit || !has_ar) {
112 		printf("[FAIL]\t%s entry %hu is invalid but should be valid\n",
113 		       (ldt ? "LDT" : "GDT"), index);
114 		nerrs++;
115 		return;
116 	}
117 
118 	/* The SDM says "bits 19:16 are undefined".  Thanks. */
119 	ar &= ~0xF0000;
120 
121 	/*
122 	 * NB: Different Linux versions do different things with the
123 	 * accessed bit in set_thread_area().
124 	 */
125 	if (ar != expected_ar && ar != (expected_ar | AR_ACCESSED)) {
126 		printf("[FAIL]\t%s entry %hu has AR 0x%08X but expected 0x%08X\n",
127 		       (ldt ? "LDT" : "GDT"), index, ar, expected_ar);
128 		nerrs++;
129 	} else if (limit != expected_limit) {
130 		printf("[FAIL]\t%s entry %hu has limit 0x%08X but expected 0x%08X\n",
131 		       (ldt ? "LDT" : "GDT"), index, limit, expected_limit);
132 		nerrs++;
133 	} else if (verbose) {
134 		printf("[OK]\t%s entry %hu has AR 0x%08X and limit 0x%08X\n",
135 		       (ldt ? "LDT" : "GDT"), index, ar, limit);
136 	}
137 }
138 
139 static bool install_valid_mode(const struct user_desc *d, uint32_t ar,
140 			       bool oldmode, bool ldt)
141 {
142 	struct user_desc desc = *d;
143 	int ret;
144 
145 	if (!ldt) {
146 #ifndef __i386__
147 		/* No point testing set_thread_area in a 64-bit build */
148 		return false;
149 #endif
150 		if (!gdt_entry_num)
151 			return false;
152 		desc.entry_number = gdt_entry_num;
153 
154 		ret = syscall(SYS_set_thread_area, &desc);
155 	} else {
156 		ret = syscall(SYS_modify_ldt, oldmode ? 1 : 0x11,
157 			      &desc, sizeof(desc));
158 
159 		if (ret < -1)
160 			errno = -ret;
161 
162 		if (ret != 0 && errno == ENOSYS) {
163 			printf("[OK]\tmodify_ldt returned -ENOSYS\n");
164 			return false;
165 		}
166 	}
167 
168 	if (ret == 0) {
169 		uint32_t limit = desc.limit;
170 		if (desc.limit_in_pages)
171 			limit = (limit << 12) + 4095;
172 		check_valid_segment(desc.entry_number, ldt, ar, limit, true);
173 		return true;
174 	} else {
175 		if (desc.seg_32bit) {
176 			printf("[FAIL]\tUnexpected %s failure %d\n",
177 			       ldt ? "modify_ldt" : "set_thread_area",
178 			       errno);
179 			nerrs++;
180 			return false;
181 		} else {
182 			printf("[OK]\t%s rejected 16 bit segment\n",
183 			       ldt ? "modify_ldt" : "set_thread_area");
184 			return false;
185 		}
186 	}
187 }
188 
189 static bool install_valid(const struct user_desc *desc, uint32_t ar)
190 {
191 	bool ret = install_valid_mode(desc, ar, false, true);
192 
193 	if (desc->contents <= 1 && desc->seg_32bit &&
194 	    !desc->seg_not_present) {
195 		/* Should work in the GDT, too. */
196 		install_valid_mode(desc, ar, false, false);
197 	}
198 
199 	return ret;
200 }
201 
202 static void install_invalid(const struct user_desc *desc, bool oldmode)
203 {
204 	int ret = syscall(SYS_modify_ldt, oldmode ? 1 : 0x11,
205 			  desc, sizeof(*desc));
206 	if (ret < -1)
207 		errno = -ret;
208 	if (ret == 0) {
209 		check_invalid_segment(desc->entry_number, 1);
210 	} else if (errno == ENOSYS) {
211 		printf("[OK]\tmodify_ldt returned -ENOSYS\n");
212 	} else {
213 		if (desc->seg_32bit) {
214 			printf("[FAIL]\tUnexpected modify_ldt failure %d\n",
215 			       errno);
216 			nerrs++;
217 		} else {
218 			printf("[OK]\tmodify_ldt rejected 16 bit segment\n");
219 		}
220 	}
221 }
222 
223 static int safe_modify_ldt(int func, struct user_desc *ptr,
224 			   unsigned long bytecount)
225 {
226 	int ret = syscall(SYS_modify_ldt, 0x11, ptr, bytecount);
227 	if (ret < -1)
228 		errno = -ret;
229 	return ret;
230 }
231 
232 static void fail_install(struct user_desc *desc)
233 {
234 	if (safe_modify_ldt(0x11, desc, sizeof(*desc)) == 0) {
235 		printf("[FAIL]\tmodify_ldt accepted a bad descriptor\n");
236 		nerrs++;
237 	} else if (errno == ENOSYS) {
238 		printf("[OK]\tmodify_ldt returned -ENOSYS\n");
239 	} else {
240 		printf("[OK]\tmodify_ldt failure %d\n", errno);
241 	}
242 }
243 
244 static void do_simple_tests(void)
245 {
246 	struct user_desc desc = {
247 		.entry_number    = 0,
248 		.base_addr       = 0,
249 		.limit           = 10,
250 		.seg_32bit       = 1,
251 		.contents        = 2, /* Code, not conforming */
252 		.read_exec_only  = 0,
253 		.limit_in_pages  = 0,
254 		.seg_not_present = 0,
255 		.useable         = 0
256 	};
257 	install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE | AR_S | AR_P | AR_DB);
258 
259 	desc.limit_in_pages = 1;
260 	install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
261 		      AR_S | AR_P | AR_DB | AR_G);
262 
263 	check_invalid_segment(1, 1);
264 
265 	desc.entry_number = 2;
266 	install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
267 		      AR_S | AR_P | AR_DB | AR_G);
268 
269 	check_invalid_segment(1, 1);
270 
271 	desc.base_addr = 0xf0000000;
272 	install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
273 		      AR_S | AR_P | AR_DB | AR_G);
274 
275 	desc.useable = 1;
276 	install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
277 		      AR_S | AR_P | AR_DB | AR_G | AR_AVL);
278 
279 	desc.seg_not_present = 1;
280 	install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
281 		      AR_S | AR_DB | AR_G | AR_AVL);
282 
283 	desc.seg_32bit = 0;
284 	install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
285 		      AR_S | AR_G | AR_AVL);
286 
287 	desc.seg_32bit = 1;
288 	desc.contents = 0;
289 	install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA |
290 		      AR_S | AR_DB | AR_G | AR_AVL);
291 
292 	desc.read_exec_only = 1;
293 	install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA |
294 		      AR_S | AR_DB | AR_G | AR_AVL);
295 
296 	desc.contents = 1;
297 	install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA_EXPDOWN |
298 		      AR_S | AR_DB | AR_G | AR_AVL);
299 
300 	desc.read_exec_only = 0;
301 	desc.limit_in_pages = 0;
302 	install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA_EXPDOWN |
303 		      AR_S | AR_DB | AR_AVL);
304 
305 	desc.contents = 3;
306 	install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE_CONF |
307 		      AR_S | AR_DB | AR_AVL);
308 
309 	desc.read_exec_only = 1;
310 	install_valid(&desc, AR_DPL3 | AR_TYPE_XOCODE_CONF |
311 		      AR_S | AR_DB | AR_AVL);
312 
313 	desc.read_exec_only = 0;
314 	desc.contents = 2;
315 	install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
316 		      AR_S | AR_DB | AR_AVL);
317 
318 	desc.read_exec_only = 1;
319 
320 #ifdef __x86_64__
321 	desc.lm = 1;
322 	install_valid(&desc, AR_DPL3 | AR_TYPE_XOCODE |
323 		      AR_S | AR_DB | AR_AVL);
324 	desc.lm = 0;
325 #endif
326 
327 	bool entry1_okay = install_valid(&desc, AR_DPL3 | AR_TYPE_XOCODE |
328 					 AR_S | AR_DB | AR_AVL);
329 
330 	if (entry1_okay) {
331 		printf("[RUN]\tTest fork\n");
332 		pid_t child = fork();
333 		if (child == 0) {
334 			nerrs = 0;
335 			check_valid_segment(desc.entry_number, 1,
336 					    AR_DPL3 | AR_TYPE_XOCODE |
337 					    AR_S | AR_DB | AR_AVL, desc.limit,
338 					    true);
339 			check_invalid_segment(1, 1);
340 			exit(nerrs ? 1 : 0);
341 		} else {
342 			int status;
343 			if (waitpid(child, &status, 0) != child ||
344 			    !WIFEXITED(status)) {
345 				printf("[FAIL]\tChild died\n");
346 				nerrs++;
347 			} else if (WEXITSTATUS(status) != 0) {
348 				printf("[FAIL]\tChild failed\n");
349 				nerrs++;
350 			} else {
351 				printf("[OK]\tChild succeeded\n");
352 			}
353 		}
354 
355 		printf("[RUN]\tTest size\n");
356 		int i;
357 		for (i = 0; i < 8192; i++) {
358 			desc.entry_number = i;
359 			desc.limit = i;
360 			if (safe_modify_ldt(0x11, &desc, sizeof(desc)) != 0) {
361 				printf("[FAIL]\tFailed to install entry %d\n", i);
362 				nerrs++;
363 				break;
364 			}
365 		}
366 		for (int j = 0; j < i; j++) {
367 			check_valid_segment(j, 1, AR_DPL3 | AR_TYPE_XOCODE |
368 					    AR_S | AR_DB | AR_AVL, j, false);
369 		}
370 		printf("[DONE]\tSize test\n");
371 	} else {
372 		printf("[SKIP]\tSkipping fork and size tests because we have no LDT\n");
373 	}
374 
375 	/* Test entry_number too high. */
376 	desc.entry_number = 8192;
377 	fail_install(&desc);
378 
379 	/* Test deletion and actions mistakeable for deletion. */
380 	memset(&desc, 0, sizeof(desc));
381 	install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P);
382 
383 	desc.seg_not_present = 1;
384 	install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S);
385 
386 	desc.seg_not_present = 0;
387 	desc.read_exec_only = 1;
388 	install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA | AR_S | AR_P);
389 
390 	desc.read_exec_only = 0;
391 	desc.seg_not_present = 1;
392 	install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S);
393 
394 	desc.read_exec_only = 1;
395 	desc.limit = 1;
396 	install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA | AR_S);
397 
398 	desc.limit = 0;
399 	desc.base_addr = 1;
400 	install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA | AR_S);
401 
402 	desc.base_addr = 0;
403 	install_invalid(&desc, false);
404 
405 	desc.seg_not_present = 0;
406 	desc.seg_32bit = 1;
407 	desc.read_exec_only = 0;
408 	desc.limit = 0xfffff;
409 
410 	install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P | AR_DB);
411 
412 	desc.limit_in_pages = 1;
413 
414 	install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P | AR_DB | AR_G);
415 	desc.read_exec_only = 1;
416 	install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA | AR_S | AR_P | AR_DB | AR_G);
417 	desc.contents = 1;
418 	desc.read_exec_only = 0;
419 	install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA_EXPDOWN | AR_S | AR_P | AR_DB | AR_G);
420 	desc.read_exec_only = 1;
421 	install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA_EXPDOWN | AR_S | AR_P | AR_DB | AR_G);
422 
423 	desc.limit = 0;
424 	install_invalid(&desc, true);
425 }
426 
427 /*
428  * 0: thread is idle
429  * 1: thread armed
430  * 2: thread should clear LDT entry 0
431  * 3: thread should exit
432  */
433 static volatile unsigned int ftx;
434 
435 static void *threadproc(void *ctx)
436 {
437 	cpu_set_t cpuset;
438 	CPU_ZERO(&cpuset);
439 	CPU_SET(1, &cpuset);
440 	if (sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0)
441 		err(1, "sched_setaffinity to CPU 1");	/* should never fail */
442 
443 	while (1) {
444 		syscall(SYS_futex, &ftx, FUTEX_WAIT, 0, NULL, NULL, 0);
445 		while (ftx != 2) {
446 			if (ftx >= 3)
447 				return NULL;
448 		}
449 
450 		/* clear LDT entry 0 */
451 		const struct user_desc desc = {};
452 		if (syscall(SYS_modify_ldt, 1, &desc, sizeof(desc)) != 0)
453 			err(1, "modify_ldt");
454 
455 		/* If ftx == 2, set it to zero.  If ftx == 100, quit. */
456 		unsigned int x = -2;
457 		asm volatile ("lock xaddl %[x], %[ftx]" :
458 			      [x] "+r" (x), [ftx] "+m" (ftx));
459 		if (x != 2)
460 			return NULL;
461 	}
462 }
463 
464 #ifdef __i386__
465 
466 #ifndef SA_RESTORE
467 #define SA_RESTORER 0x04000000
468 #endif
469 
470 /*
471  * The UAPI header calls this 'struct sigaction', which conflicts with
472  * glibc.  Sigh.
473  */
474 struct fake_ksigaction {
475 	void *handler;  /* the real type is nasty */
476 	unsigned long sa_flags;
477 	void (*sa_restorer)(void);
478 	unsigned char sigset[8];
479 };
480 
481 static void fix_sa_restorer(int sig)
482 {
483 	struct fake_ksigaction ksa;
484 
485 	if (syscall(SYS_rt_sigaction, sig, NULL, &ksa, 8) == 0) {
486 		/*
487 		 * glibc has a nasty bug: it sometimes writes garbage to
488 		 * sa_restorer.  This interacts quite badly with anything
489 		 * that fiddles with SS because it can trigger legacy
490 		 * stack switching.  Patch it up.  See:
491 		 *
492 		 * https://sourceware.org/bugzilla/show_bug.cgi?id=21269
493 		 */
494 		if (!(ksa.sa_flags & SA_RESTORER) && ksa.sa_restorer) {
495 			ksa.sa_restorer = NULL;
496 			if (syscall(SYS_rt_sigaction, sig, &ksa, NULL,
497 				    sizeof(ksa.sigset)) != 0)
498 				err(1, "rt_sigaction");
499 		}
500 	}
501 }
502 #else
503 static void fix_sa_restorer(int sig)
504 {
505 	/* 64-bit glibc works fine. */
506 }
507 #endif
508 
509 static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
510 		       int flags)
511 {
512 	struct sigaction sa;
513 	memset(&sa, 0, sizeof(sa));
514 	sa.sa_sigaction = handler;
515 	sa.sa_flags = SA_SIGINFO | flags;
516 	sigemptyset(&sa.sa_mask);
517 	if (sigaction(sig, &sa, 0))
518 		err(1, "sigaction");
519 
520 	fix_sa_restorer(sig);
521 }
522 
523 static jmp_buf jmpbuf;
524 
525 static void sigsegv(int sig, siginfo_t *info, void *ctx_void)
526 {
527 	siglongjmp(jmpbuf, 1);
528 }
529 
530 static void do_multicpu_tests(void)
531 {
532 	cpu_set_t cpuset;
533 	pthread_t thread;
534 	int failures = 0, iters = 5, i;
535 	unsigned short orig_ss;
536 
537 	CPU_ZERO(&cpuset);
538 	CPU_SET(1, &cpuset);
539 	if (sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0) {
540 		printf("[SKIP]\tCannot set affinity to CPU 1\n");
541 		return;
542 	}
543 
544 	CPU_ZERO(&cpuset);
545 	CPU_SET(0, &cpuset);
546 	if (sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0) {
547 		printf("[SKIP]\tCannot set affinity to CPU 0\n");
548 		return;
549 	}
550 
551 	sethandler(SIGSEGV, sigsegv, 0);
552 #ifdef __i386__
553 	/* True 32-bit kernels send SIGILL instead of SIGSEGV on IRET faults. */
554 	sethandler(SIGILL, sigsegv, 0);
555 #endif
556 
557 	printf("[RUN]\tCross-CPU LDT invalidation\n");
558 
559 	if (pthread_create(&thread, 0, threadproc, 0) != 0)
560 		err(1, "pthread_create");
561 
562 	asm volatile ("mov %%ss, %0" : "=rm" (orig_ss));
563 
564 	for (i = 0; i < 5; i++) {
565 		if (sigsetjmp(jmpbuf, 1) != 0)
566 			continue;
567 
568 		/* Make sure the thread is ready after the last test. */
569 		while (ftx != 0)
570 			;
571 
572 		struct user_desc desc = {
573 			.entry_number    = 0,
574 			.base_addr       = 0,
575 			.limit           = 0xfffff,
576 			.seg_32bit       = 1,
577 			.contents        = 0, /* Data */
578 			.read_exec_only  = 0,
579 			.limit_in_pages  = 1,
580 			.seg_not_present = 0,
581 			.useable         = 0
582 		};
583 
584 		if (safe_modify_ldt(0x11, &desc, sizeof(desc)) != 0) {
585 			if (errno != ENOSYS)
586 				err(1, "modify_ldt");
587 			printf("[SKIP]\tmodify_ldt unavailable\n");
588 			break;
589 		}
590 
591 		/* Arm the thread. */
592 		ftx = 1;
593 		syscall(SYS_futex, &ftx, FUTEX_WAKE, 0, NULL, NULL, 0);
594 
595 		asm volatile ("mov %0, %%ss" : : "r" (0x7));
596 
597 		/* Go! */
598 		ftx = 2;
599 
600 		while (ftx != 0)
601 			;
602 
603 		/*
604 		 * On success, modify_ldt will segfault us synchronously,
605 		 * and we'll escape via siglongjmp.
606 		 */
607 
608 		failures++;
609 		asm volatile ("mov %0, %%ss" : : "rm" (orig_ss));
610 	};
611 
612 	ftx = 100;  /* Kill the thread. */
613 	syscall(SYS_futex, &ftx, FUTEX_WAKE, 0, NULL, NULL, 0);
614 
615 	if (pthread_join(thread, NULL) != 0)
616 		err(1, "pthread_join");
617 
618 	if (failures) {
619 		printf("[FAIL]\t%d of %d iterations failed\n", failures, iters);
620 		nerrs++;
621 	} else {
622 		printf("[OK]\tAll %d iterations succeeded\n", iters);
623 	}
624 }
625 
626 static int finish_exec_test(void)
627 {
628 	/*
629 	 * Older kernel versions did inherit the LDT on exec() which is
630 	 * wrong because exec() starts from a clean state.
631 	 */
632 	check_invalid_segment(0, 1);
633 
634 	return nerrs ? 1 : 0;
635 }
636 
637 static void do_exec_test(void)
638 {
639 	printf("[RUN]\tTest exec\n");
640 
641 	struct user_desc desc = {
642 		.entry_number    = 0,
643 		.base_addr       = 0,
644 		.limit           = 42,
645 		.seg_32bit       = 1,
646 		.contents        = 2, /* Code, not conforming */
647 		.read_exec_only  = 0,
648 		.limit_in_pages  = 0,
649 		.seg_not_present = 0,
650 		.useable         = 0
651 	};
652 	install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE | AR_S | AR_P | AR_DB);
653 
654 	pid_t child = fork();
655 	if (child == 0) {
656 		execl("/proc/self/exe", "ldt_gdt_test_exec", NULL);
657 		printf("[FAIL]\tCould not exec self\n");
658 		exit(1);	/* exec failed */
659 	} else {
660 		int status;
661 		if (waitpid(child, &status, 0) != child ||
662 		    !WIFEXITED(status)) {
663 			printf("[FAIL]\tChild died\n");
664 			nerrs++;
665 		} else if (WEXITSTATUS(status) != 0) {
666 			printf("[FAIL]\tChild failed\n");
667 			nerrs++;
668 		} else {
669 			printf("[OK]\tChild succeeded\n");
670 		}
671 	}
672 }
673 
674 static void setup_counter_page(void)
675 {
676 	unsigned int *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
677 			 MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
678 	if (page == MAP_FAILED)
679 		err(1, "mmap");
680 
681 	for (int i = 0; i < 1024; i++)
682 		page[i] = i;
683 	counter_page = page;
684 }
685 
686 static int invoke_set_thread_area(void)
687 {
688 	int ret;
689 	asm volatile ("int $0x80"
690 		      : "=a" (ret), "+m" (low_user_desc) :
691 			"a" (243), "b" (low_user_desc)
692 		      : INT80_CLOBBERS);
693 	return ret;
694 }
695 
696 static void setup_low_user_desc(void)
697 {
698 	low_user_desc = mmap(NULL, 2 * sizeof(struct user_desc),
699 			     PROT_READ | PROT_WRITE,
700 			     MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
701 	if (low_user_desc == MAP_FAILED)
702 		err(1, "mmap");
703 
704 	low_user_desc->entry_number	= -1;
705 	low_user_desc->base_addr	= (unsigned long)&counter_page[1];
706 	low_user_desc->limit		= 0xfffff;
707 	low_user_desc->seg_32bit	= 1;
708 	low_user_desc->contents		= 0; /* Data, grow-up*/
709 	low_user_desc->read_exec_only	= 0;
710 	low_user_desc->limit_in_pages	= 1;
711 	low_user_desc->seg_not_present	= 0;
712 	low_user_desc->useable		= 0;
713 
714 	if (invoke_set_thread_area() == 0) {
715 		gdt_entry_num = low_user_desc->entry_number;
716 		printf("[NOTE]\tset_thread_area is available; will use GDT index %d\n", gdt_entry_num);
717 	} else {
718 		printf("[NOTE]\tset_thread_area is unavailable\n");
719 	}
720 
721 	low_user_desc_clear = low_user_desc + 1;
722 	low_user_desc_clear->entry_number = gdt_entry_num;
723 	low_user_desc_clear->read_exec_only = 1;
724 	low_user_desc_clear->seg_not_present = 1;
725 }
726 
727 static void test_gdt_invalidation(void)
728 {
729 	if (!gdt_entry_num)
730 		return;	/* 64-bit only system -- we can't use set_thread_area */
731 
732 	unsigned short prev_sel;
733 	unsigned short sel;
734 	unsigned int eax;
735 	const char *result;
736 #ifdef __x86_64__
737 	unsigned long saved_base;
738 	unsigned long new_base;
739 #endif
740 
741 	/* Test DS */
742 	invoke_set_thread_area();
743 	eax = 243;
744 	sel = (gdt_entry_num << 3) | 3;
745 	asm volatile ("movw %%ds, %[prev_sel]\n\t"
746 		      "movw %[sel], %%ds\n\t"
747 #ifdef __i386__
748 		      "pushl %%ebx\n\t"
749 #endif
750 		      "movl %[arg1], %%ebx\n\t"
751 		      "int $0x80\n\t"	/* Should invalidate ds */
752 #ifdef __i386__
753 		      "popl %%ebx\n\t"
754 #endif
755 		      "movw %%ds, %[sel]\n\t"
756 		      "movw %[prev_sel], %%ds"
757 		      : [prev_sel] "=&r" (prev_sel), [sel] "+r" (sel),
758 			"+a" (eax)
759 		      : "m" (low_user_desc_clear),
760 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
761 		      : INT80_CLOBBERS);
762 
763 	if (sel != 0) {
764 		result = "FAIL";
765 		nerrs++;
766 	} else {
767 		result = "OK";
768 	}
769 	printf("[%s]\tInvalidate DS with set_thread_area: new DS = 0x%hx\n",
770 	       result, sel);
771 
772 	/* Test ES */
773 	invoke_set_thread_area();
774 	eax = 243;
775 	sel = (gdt_entry_num << 3) | 3;
776 	asm volatile ("movw %%es, %[prev_sel]\n\t"
777 		      "movw %[sel], %%es\n\t"
778 #ifdef __i386__
779 		      "pushl %%ebx\n\t"
780 #endif
781 		      "movl %[arg1], %%ebx\n\t"
782 		      "int $0x80\n\t"	/* Should invalidate es */
783 #ifdef __i386__
784 		      "popl %%ebx\n\t"
785 #endif
786 		      "movw %%es, %[sel]\n\t"
787 		      "movw %[prev_sel], %%es"
788 		      : [prev_sel] "=&r" (prev_sel), [sel] "+r" (sel),
789 			"+a" (eax)
790 		      : "m" (low_user_desc_clear),
791 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
792 		      : INT80_CLOBBERS);
793 
794 	if (sel != 0) {
795 		result = "FAIL";
796 		nerrs++;
797 	} else {
798 		result = "OK";
799 	}
800 	printf("[%s]\tInvalidate ES with set_thread_area: new ES = 0x%hx\n",
801 	       result, sel);
802 
803 	/* Test FS */
804 	invoke_set_thread_area();
805 	eax = 243;
806 	sel = (gdt_entry_num << 3) | 3;
807 #ifdef __x86_64__
808 	syscall(SYS_arch_prctl, ARCH_GET_FS, &saved_base);
809 #endif
810 	asm volatile ("movw %%fs, %[prev_sel]\n\t"
811 		      "movw %[sel], %%fs\n\t"
812 #ifdef __i386__
813 		      "pushl %%ebx\n\t"
814 #endif
815 		      "movl %[arg1], %%ebx\n\t"
816 		      "int $0x80\n\t"	/* Should invalidate fs */
817 #ifdef __i386__
818 		      "popl %%ebx\n\t"
819 #endif
820 		      "movw %%fs, %[sel]\n\t"
821 		      : [prev_sel] "=&r" (prev_sel), [sel] "+r" (sel),
822 			"+a" (eax)
823 		      : "m" (low_user_desc_clear),
824 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
825 		      : INT80_CLOBBERS);
826 
827 #ifdef __x86_64__
828 	syscall(SYS_arch_prctl, ARCH_GET_FS, &new_base);
829 #endif
830 
831 	/* Restore FS/BASE for glibc */
832 	asm volatile ("movw %[prev_sel], %%fs" : : [prev_sel] "rm" (prev_sel));
833 #ifdef __x86_64__
834 	if (saved_base)
835 		syscall(SYS_arch_prctl, ARCH_SET_FS, saved_base);
836 #endif
837 
838 	if (sel != 0) {
839 		result = "FAIL";
840 		nerrs++;
841 	} else {
842 		result = "OK";
843 	}
844 	printf("[%s]\tInvalidate FS with set_thread_area: new FS = 0x%hx\n",
845 	       result, sel);
846 
847 #ifdef __x86_64__
848 	if (sel == 0 && new_base != 0) {
849 		nerrs++;
850 		printf("[FAIL]\tNew FSBASE was 0x%lx\n", new_base);
851 	} else {
852 		printf("[OK]\tNew FSBASE was zero\n");
853 	}
854 #endif
855 
856 	/* Test GS */
857 	invoke_set_thread_area();
858 	eax = 243;
859 	sel = (gdt_entry_num << 3) | 3;
860 #ifdef __x86_64__
861 	syscall(SYS_arch_prctl, ARCH_GET_GS, &saved_base);
862 #endif
863 	asm volatile ("movw %%gs, %[prev_sel]\n\t"
864 		      "movw %[sel], %%gs\n\t"
865 #ifdef __i386__
866 		      "pushl %%ebx\n\t"
867 #endif
868 		      "movl %[arg1], %%ebx\n\t"
869 		      "int $0x80\n\t"	/* Should invalidate gs */
870 #ifdef __i386__
871 		      "popl %%ebx\n\t"
872 #endif
873 		      "movw %%gs, %[sel]\n\t"
874 		      : [prev_sel] "=&r" (prev_sel), [sel] "+r" (sel),
875 			"+a" (eax)
876 		      : "m" (low_user_desc_clear),
877 			[arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
878 		      : INT80_CLOBBERS);
879 
880 #ifdef __x86_64__
881 	syscall(SYS_arch_prctl, ARCH_GET_GS, &new_base);
882 #endif
883 
884 	/* Restore GS/BASE for glibc */
885 	asm volatile ("movw %[prev_sel], %%gs" : : [prev_sel] "rm" (prev_sel));
886 #ifdef __x86_64__
887 	if (saved_base)
888 		syscall(SYS_arch_prctl, ARCH_SET_GS, saved_base);
889 #endif
890 
891 	if (sel != 0) {
892 		result = "FAIL";
893 		nerrs++;
894 	} else {
895 		result = "OK";
896 	}
897 	printf("[%s]\tInvalidate GS with set_thread_area: new GS = 0x%hx\n",
898 	       result, sel);
899 
900 #ifdef __x86_64__
901 	if (sel == 0 && new_base != 0) {
902 		nerrs++;
903 		printf("[FAIL]\tNew GSBASE was 0x%lx\n", new_base);
904 	} else {
905 		printf("[OK]\tNew GSBASE was zero\n");
906 	}
907 #endif
908 }
909 
910 int main(int argc, char **argv)
911 {
912 	if (argc == 1 && !strcmp(argv[0], "ldt_gdt_test_exec"))
913 		return finish_exec_test();
914 
915 	setup_counter_page();
916 	setup_low_user_desc();
917 
918 	do_simple_tests();
919 
920 	do_multicpu_tests();
921 
922 	do_exec_test();
923 
924 	test_gdt_invalidation();
925 
926 	return nerrs ? 1 : 0;
927 }
928