1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * This program test's basic kernel shadow stack support. It enables shadow
4  * stack manual via the arch_prctl(), instead of relying on glibc. It's
5  * Makefile doesn't compile with shadow stack support, so it doesn't rely on
6  * any particular glibc. As a result it can't do any operations that require
7  * special glibc shadow stack support (longjmp(), swapcontext(), etc). Just
8  * stick to the basics and hope the compiler doesn't do anything strange.
9  */
10 
11 #define _GNU_SOURCE
12 
13 #include <sys/syscall.h>
14 #include <asm/mman.h>
15 #include <sys/mman.h>
16 #include <sys/stat.h>
17 #include <sys/wait.h>
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <errno.h>
24 #include <stdbool.h>
25 #include <x86intrin.h>
26 #include <asm/prctl.h>
27 #include <sys/prctl.h>
28 #include <stdint.h>
29 #include <signal.h>
30 #include <pthread.h>
31 #include <sys/ioctl.h>
32 #include <linux/userfaultfd.h>
33 #include <setjmp.h>
34 #include <sys/ptrace.h>
35 #include <sys/signal.h>
36 #include <linux/elf.h>
37 
38 /*
39  * Define the ABI defines if needed, so people can run the tests
40  * without building the headers.
41  */
42 #ifndef __NR_map_shadow_stack
43 #define __NR_map_shadow_stack	453
44 
45 #define SHADOW_STACK_SET_TOKEN	(1ULL << 0)
46 
47 #define ARCH_SHSTK_ENABLE	0x5001
48 #define ARCH_SHSTK_DISABLE	0x5002
49 #define ARCH_SHSTK_LOCK		0x5003
50 #define ARCH_SHSTK_UNLOCK	0x5004
51 #define ARCH_SHSTK_STATUS	0x5005
52 
53 #define ARCH_SHSTK_SHSTK	(1ULL <<  0)
54 #define ARCH_SHSTK_WRSS		(1ULL <<  1)
55 
56 #define NT_X86_SHSTK	0x204
57 #endif
58 
59 #define SS_SIZE 0x200000
60 #define PAGE_SIZE 0x1000
61 
62 #if (__GNUC__ < 8) || (__GNUC__ == 8 && __GNUC_MINOR__ < 5)
63 int main(int argc, char *argv[])
64 {
65 	printf("[SKIP]\tCompiler does not support CET.\n");
66 	return 0;
67 }
68 #else
69 void write_shstk(unsigned long *addr, unsigned long val)
70 {
71 	asm volatile("wrssq %[val], (%[addr])\n"
72 		     : "=m" (addr)
73 		     : [addr] "r" (addr), [val] "r" (val));
74 }
75 
76 static inline unsigned long __attribute__((always_inline)) get_ssp(void)
77 {
78 	unsigned long ret = 0;
79 
80 	asm volatile("xor %0, %0; rdsspq %0" : "=r" (ret));
81 	return ret;
82 }
83 
84 /*
85  * For use in inline enablement of shadow stack.
86  *
87  * The program can't return from the point where shadow stack gets enabled
88  * because there will be no address on the shadow stack. So it can't use
89  * syscall() for enablement, since it is a function.
90  *
91  * Based on code from nolibc.h. Keep a copy here because this can't pull in all
92  * of nolibc.h.
93  */
94 #define ARCH_PRCTL(arg1, arg2)					\
95 ({								\
96 	long _ret;						\
97 	register long _num  asm("eax") = __NR_arch_prctl;	\
98 	register long _arg1 asm("rdi") = (long)(arg1);		\
99 	register long _arg2 asm("rsi") = (long)(arg2);		\
100 								\
101 	asm volatile (						\
102 		"syscall\n"					\
103 		: "=a"(_ret)					\
104 		: "r"(_arg1), "r"(_arg2),			\
105 		  "0"(_num)					\
106 		: "rcx", "r11", "memory", "cc"			\
107 	);							\
108 	_ret;							\
109 })
110 
111 void *create_shstk(void *addr)
112 {
113 	return (void *)syscall(__NR_map_shadow_stack, addr, SS_SIZE, SHADOW_STACK_SET_TOKEN);
114 }
115 
116 void *create_normal_mem(void *addr)
117 {
118 	return mmap(addr, SS_SIZE, PROT_READ | PROT_WRITE,
119 		    MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
120 }
121 
122 void free_shstk(void *shstk)
123 {
124 	munmap(shstk, SS_SIZE);
125 }
126 
127 int reset_shstk(void *shstk)
128 {
129 	return madvise(shstk, SS_SIZE, MADV_DONTNEED);
130 }
131 
132 void try_shstk(unsigned long new_ssp)
133 {
134 	unsigned long ssp;
135 
136 	printf("[INFO]\tnew_ssp = %lx, *new_ssp = %lx\n",
137 	       new_ssp, *((unsigned long *)new_ssp));
138 
139 	ssp = get_ssp();
140 	printf("[INFO]\tchanging ssp from %lx to %lx\n", ssp, new_ssp);
141 
142 	asm volatile("rstorssp (%0)\n":: "r" (new_ssp));
143 	asm volatile("saveprevssp");
144 	printf("[INFO]\tssp is now %lx\n", get_ssp());
145 
146 	/* Switch back to original shadow stack */
147 	ssp -= 8;
148 	asm volatile("rstorssp (%0)\n":: "r" (ssp));
149 	asm volatile("saveprevssp");
150 }
151 
152 int test_shstk_pivot(void)
153 {
154 	void *shstk = create_shstk(0);
155 
156 	if (shstk == MAP_FAILED) {
157 		printf("[FAIL]\tError creating shadow stack: %d\n", errno);
158 		return 1;
159 	}
160 	try_shstk((unsigned long)shstk + SS_SIZE - 8);
161 	free_shstk(shstk);
162 
163 	printf("[OK]\tShadow stack pivot\n");
164 	return 0;
165 }
166 
167 int test_shstk_faults(void)
168 {
169 	unsigned long *shstk = create_shstk(0);
170 
171 	/* Read shadow stack, test if it's zero to not get read optimized out */
172 	if (*shstk != 0)
173 		goto err;
174 
175 	/* Wrss memory that was already read. */
176 	write_shstk(shstk, 1);
177 	if (*shstk != 1)
178 		goto err;
179 
180 	/* Page out memory, so we can wrss it again. */
181 	if (reset_shstk((void *)shstk))
182 		goto err;
183 
184 	write_shstk(shstk, 1);
185 	if (*shstk != 1)
186 		goto err;
187 
188 	printf("[OK]\tShadow stack faults\n");
189 	return 0;
190 
191 err:
192 	return 1;
193 }
194 
195 unsigned long saved_ssp;
196 unsigned long saved_ssp_val;
197 volatile bool segv_triggered;
198 
199 void __attribute__((noinline)) violate_ss(void)
200 {
201 	saved_ssp = get_ssp();
202 	saved_ssp_val = *(unsigned long *)saved_ssp;
203 
204 	/* Corrupt shadow stack */
205 	printf("[INFO]\tCorrupting shadow stack\n");
206 	write_shstk((void *)saved_ssp, 0);
207 }
208 
209 void segv_handler(int signum, siginfo_t *si, void *uc)
210 {
211 	printf("[INFO]\tGenerated shadow stack violation successfully\n");
212 
213 	segv_triggered = true;
214 
215 	/* Fix shadow stack */
216 	write_shstk((void *)saved_ssp, saved_ssp_val);
217 }
218 
219 int test_shstk_violation(void)
220 {
221 	struct sigaction sa = {};
222 
223 	sa.sa_sigaction = segv_handler;
224 	sa.sa_flags = SA_SIGINFO;
225 	if (sigaction(SIGSEGV, &sa, NULL))
226 		return 1;
227 
228 	segv_triggered = false;
229 
230 	/* Make sure segv_triggered is set before violate_ss() */
231 	asm volatile("" : : : "memory");
232 
233 	violate_ss();
234 
235 	signal(SIGSEGV, SIG_DFL);
236 
237 	printf("[OK]\tShadow stack violation test\n");
238 
239 	return !segv_triggered;
240 }
241 
242 /* Gup test state */
243 #define MAGIC_VAL 0x12345678
244 bool is_shstk_access;
245 void *shstk_ptr;
246 int fd;
247 
248 void reset_test_shstk(void *addr)
249 {
250 	if (shstk_ptr)
251 		free_shstk(shstk_ptr);
252 	shstk_ptr = create_shstk(addr);
253 }
254 
255 void test_access_fix_handler(int signum, siginfo_t *si, void *uc)
256 {
257 	printf("[INFO]\tViolation from %s\n", is_shstk_access ? "shstk access" : "normal write");
258 
259 	segv_triggered = true;
260 
261 	/* Fix shadow stack */
262 	if (is_shstk_access) {
263 		reset_test_shstk(shstk_ptr);
264 		return;
265 	}
266 
267 	free_shstk(shstk_ptr);
268 	create_normal_mem(shstk_ptr);
269 }
270 
271 bool test_shstk_access(void *ptr)
272 {
273 	is_shstk_access = true;
274 	segv_triggered = false;
275 	write_shstk(ptr, MAGIC_VAL);
276 
277 	asm volatile("" : : : "memory");
278 
279 	return segv_triggered;
280 }
281 
282 bool test_write_access(void *ptr)
283 {
284 	is_shstk_access = false;
285 	segv_triggered = false;
286 	*(unsigned long *)ptr = MAGIC_VAL;
287 
288 	asm volatile("" : : : "memory");
289 
290 	return segv_triggered;
291 }
292 
293 bool gup_write(void *ptr)
294 {
295 	unsigned long val;
296 
297 	lseek(fd, (unsigned long)ptr, SEEK_SET);
298 	if (write(fd, &val, sizeof(val)) < 0)
299 		return 1;
300 
301 	return 0;
302 }
303 
304 bool gup_read(void *ptr)
305 {
306 	unsigned long val;
307 
308 	lseek(fd, (unsigned long)ptr, SEEK_SET);
309 	if (read(fd, &val, sizeof(val)) < 0)
310 		return 1;
311 
312 	return 0;
313 }
314 
315 int test_gup(void)
316 {
317 	struct sigaction sa = {};
318 	int status;
319 	pid_t pid;
320 
321 	sa.sa_sigaction = test_access_fix_handler;
322 	sa.sa_flags = SA_SIGINFO;
323 	if (sigaction(SIGSEGV, &sa, NULL))
324 		return 1;
325 
326 	segv_triggered = false;
327 
328 	fd = open("/proc/self/mem", O_RDWR);
329 	if (fd == -1)
330 		return 1;
331 
332 	reset_test_shstk(0);
333 	if (gup_read(shstk_ptr))
334 		return 1;
335 	if (test_shstk_access(shstk_ptr))
336 		return 1;
337 	printf("[INFO]\tGup read -> shstk access success\n");
338 
339 	reset_test_shstk(0);
340 	if (gup_write(shstk_ptr))
341 		return 1;
342 	if (test_shstk_access(shstk_ptr))
343 		return 1;
344 	printf("[INFO]\tGup write -> shstk access success\n");
345 
346 	reset_test_shstk(0);
347 	if (gup_read(shstk_ptr))
348 		return 1;
349 	if (!test_write_access(shstk_ptr))
350 		return 1;
351 	printf("[INFO]\tGup read -> write access success\n");
352 
353 	reset_test_shstk(0);
354 	if (gup_write(shstk_ptr))
355 		return 1;
356 	if (!test_write_access(shstk_ptr))
357 		return 1;
358 	printf("[INFO]\tGup write -> write access success\n");
359 
360 	close(fd);
361 
362 	/* COW/gup test */
363 	reset_test_shstk(0);
364 	pid = fork();
365 	if (!pid) {
366 		fd = open("/proc/self/mem", O_RDWR);
367 		if (fd == -1)
368 			exit(1);
369 
370 		if (gup_write(shstk_ptr)) {
371 			close(fd);
372 			exit(1);
373 		}
374 		close(fd);
375 		exit(0);
376 	}
377 	waitpid(pid, &status, 0);
378 	if (WEXITSTATUS(status)) {
379 		printf("[FAIL]\tWrite in child failed\n");
380 		return 1;
381 	}
382 	if (*(unsigned long *)shstk_ptr == MAGIC_VAL) {
383 		printf("[FAIL]\tWrite in child wrote through to shared memory\n");
384 		return 1;
385 	}
386 
387 	printf("[INFO]\tCow gup write -> write access success\n");
388 
389 	free_shstk(shstk_ptr);
390 
391 	signal(SIGSEGV, SIG_DFL);
392 
393 	printf("[OK]\tShadow gup test\n");
394 
395 	return 0;
396 }
397 
398 int test_mprotect(void)
399 {
400 	struct sigaction sa = {};
401 
402 	sa.sa_sigaction = test_access_fix_handler;
403 	sa.sa_flags = SA_SIGINFO;
404 	if (sigaction(SIGSEGV, &sa, NULL))
405 		return 1;
406 
407 	segv_triggered = false;
408 
409 	/* mprotect a shadow stack as read only */
410 	reset_test_shstk(0);
411 	if (mprotect(shstk_ptr, SS_SIZE, PROT_READ) < 0) {
412 		printf("[FAIL]\tmprotect(PROT_READ) failed\n");
413 		return 1;
414 	}
415 
416 	/* try to wrss it and fail */
417 	if (!test_shstk_access(shstk_ptr)) {
418 		printf("[FAIL]\tShadow stack access to read-only memory succeeded\n");
419 		return 1;
420 	}
421 
422 	/*
423 	 * The shadow stack was reset above to resolve the fault, make the new one
424 	 * read-only.
425 	 */
426 	if (mprotect(shstk_ptr, SS_SIZE, PROT_READ) < 0) {
427 		printf("[FAIL]\tmprotect(PROT_READ) failed\n");
428 		return 1;
429 	}
430 
431 	/* then back to writable */
432 	if (mprotect(shstk_ptr, SS_SIZE, PROT_WRITE | PROT_READ) < 0) {
433 		printf("[FAIL]\tmprotect(PROT_WRITE) failed\n");
434 		return 1;
435 	}
436 
437 	/* then wrss to it and succeed */
438 	if (test_shstk_access(shstk_ptr)) {
439 		printf("[FAIL]\tShadow stack access to mprotect() writable memory failed\n");
440 		return 1;
441 	}
442 
443 	free_shstk(shstk_ptr);
444 
445 	signal(SIGSEGV, SIG_DFL);
446 
447 	printf("[OK]\tmprotect() test\n");
448 
449 	return 0;
450 }
451 
452 char zero[4096];
453 
454 static void *uffd_thread(void *arg)
455 {
456 	struct uffdio_copy req;
457 	int uffd = *(int *)arg;
458 	struct uffd_msg msg;
459 	int ret;
460 
461 	while (1) {
462 		ret = read(uffd, &msg, sizeof(msg));
463 		if (ret > 0)
464 			break;
465 		else if (errno == EAGAIN)
466 			continue;
467 		return (void *)1;
468 	}
469 
470 	req.dst = msg.arg.pagefault.address;
471 	req.src = (__u64)zero;
472 	req.len = 4096;
473 	req.mode = 0;
474 
475 	if (ioctl(uffd, UFFDIO_COPY, &req))
476 		return (void *)1;
477 
478 	return (void *)0;
479 }
480 
481 int test_userfaultfd(void)
482 {
483 	struct uffdio_register uffdio_register;
484 	struct uffdio_api uffdio_api;
485 	struct sigaction sa = {};
486 	pthread_t thread;
487 	void *res;
488 	int uffd;
489 
490 	sa.sa_sigaction = test_access_fix_handler;
491 	sa.sa_flags = SA_SIGINFO;
492 	if (sigaction(SIGSEGV, &sa, NULL))
493 		return 1;
494 
495 	uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
496 	if (uffd < 0) {
497 		printf("[SKIP]\tUserfaultfd unavailable.\n");
498 		return 0;
499 	}
500 
501 	reset_test_shstk(0);
502 
503 	uffdio_api.api = UFFD_API;
504 	uffdio_api.features = 0;
505 	if (ioctl(uffd, UFFDIO_API, &uffdio_api))
506 		goto err;
507 
508 	uffdio_register.range.start = (__u64)shstk_ptr;
509 	uffdio_register.range.len = 4096;
510 	uffdio_register.mode = UFFDIO_REGISTER_MODE_MISSING;
511 	if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register))
512 		goto err;
513 
514 	if (pthread_create(&thread, NULL, &uffd_thread, &uffd))
515 		goto err;
516 
517 	reset_shstk(shstk_ptr);
518 	test_shstk_access(shstk_ptr);
519 
520 	if (pthread_join(thread, &res))
521 		goto err;
522 
523 	if (test_shstk_access(shstk_ptr))
524 		goto err;
525 
526 	free_shstk(shstk_ptr);
527 
528 	signal(SIGSEGV, SIG_DFL);
529 
530 	if (!res)
531 		printf("[OK]\tUserfaultfd test\n");
532 	return !!res;
533 err:
534 	free_shstk(shstk_ptr);
535 	close(uffd);
536 	signal(SIGSEGV, SIG_DFL);
537 	return 1;
538 }
539 
540 /* Simple linked list for keeping track of mappings in test_guard_gap() */
541 struct node {
542 	struct node *next;
543 	void *mapping;
544 };
545 
546 /*
547  * This tests whether mmap will place other mappings in a shadow stack's guard
548  * gap. The steps are:
549  *   1. Finds an empty place by mapping and unmapping something.
550  *   2. Map a shadow stack in the middle of the known empty area.
551  *   3. Map a bunch of PAGE_SIZE mappings. These will use the search down
552  *      direction, filling any gaps until it encounters the shadow stack's
553  *      guard gap.
554  *   4. When a mapping lands below the shadow stack from step 2, then all
555  *      of the above gaps are filled. The search down algorithm will have
556  *      looked at the shadow stack gaps.
557  *   5. See if it landed in the gap.
558  */
559 int test_guard_gap(void)
560 {
561 	void *free_area, *shstk, *test_map = (void *)0xFFFFFFFFFFFFFFFF;
562 	struct node *head = NULL, *cur;
563 
564 	free_area = mmap(0, SS_SIZE * 3, PROT_READ | PROT_WRITE,
565 			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
566 	munmap(free_area, SS_SIZE * 3);
567 
568 	shstk = create_shstk(free_area + SS_SIZE);
569 	if (shstk == MAP_FAILED)
570 		return 1;
571 
572 	while (test_map > shstk) {
573 		test_map = mmap(0, PAGE_SIZE, PROT_READ | PROT_WRITE,
574 				MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
575 		if (test_map == MAP_FAILED)
576 			return 1;
577 		cur = malloc(sizeof(*cur));
578 		cur->mapping = test_map;
579 
580 		cur->next = head;
581 		head = cur;
582 	}
583 
584 	while (head) {
585 		cur = head;
586 		head = cur->next;
587 		munmap(cur->mapping, PAGE_SIZE);
588 		free(cur);
589 	}
590 
591 	free_shstk(shstk);
592 
593 	if (shstk - test_map - PAGE_SIZE != PAGE_SIZE)
594 		return 1;
595 
596 	printf("[OK]\tGuard gap test\n");
597 
598 	return 0;
599 }
600 
601 /*
602  * Too complicated to pull it out of the 32 bit header, but also get the
603  * 64 bit one needed above. Just define a copy here.
604  */
605 #define __NR_compat_sigaction 67
606 
607 /*
608  * Call 32 bit signal handler to get 32 bit signals ABI. Make sure
609  * to push the registers that will get clobbered.
610  */
611 int sigaction32(int signum, const struct sigaction *restrict act,
612 		struct sigaction *restrict oldact)
613 {
614 	register long syscall_reg asm("eax") = __NR_compat_sigaction;
615 	register long signum_reg asm("ebx") = signum;
616 	register long act_reg asm("ecx") = (long)act;
617 	register long oldact_reg asm("edx") = (long)oldact;
618 	int ret = 0;
619 
620 	asm volatile ("int $0x80;"
621 		      : "=a"(ret), "=m"(oldact)
622 		      : "r"(syscall_reg), "r"(signum_reg), "r"(act_reg),
623 			"r"(oldact_reg)
624 		      : "r8", "r9", "r10", "r11"
625 		     );
626 
627 	return ret;
628 }
629 
630 sigjmp_buf jmp_buffer;
631 
632 void segv_gp_handler(int signum, siginfo_t *si, void *uc)
633 {
634 	segv_triggered = true;
635 
636 	/*
637 	 * To work with old glibc, this can't rely on siglongjmp working with
638 	 * shadow stack enabled, so disable shadow stack before siglongjmp().
639 	 */
640 	ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK);
641 	siglongjmp(jmp_buffer, -1);
642 }
643 
644 /*
645  * Transition to 32 bit mode and check that a #GP triggers a segfault.
646  */
647 int test_32bit(void)
648 {
649 	struct sigaction sa = {};
650 	struct sigaction *sa32;
651 
652 	/* Create sigaction in 32 bit address range */
653 	sa32 = mmap(0, 4096, PROT_READ | PROT_WRITE,
654 		    MAP_32BIT | MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
655 	sa32->sa_flags = SA_SIGINFO;
656 
657 	sa.sa_sigaction = segv_gp_handler;
658 	sa.sa_flags = SA_SIGINFO;
659 	if (sigaction(SIGSEGV, &sa, NULL))
660 		return 1;
661 
662 
663 	segv_triggered = false;
664 
665 	/* Make sure segv_triggered is set before triggering the #GP */
666 	asm volatile("" : : : "memory");
667 
668 	/*
669 	 * Set handler to somewhere in 32 bit address space
670 	 */
671 	sa32->sa_handler = (void *)sa32;
672 	if (sigaction32(SIGUSR1, sa32, NULL))
673 		return 1;
674 
675 	if (!sigsetjmp(jmp_buffer, 1))
676 		raise(SIGUSR1);
677 
678 	if (segv_triggered)
679 		printf("[OK]\t32 bit test\n");
680 
681 	return !segv_triggered;
682 }
683 
684 void segv_handler_ptrace(int signum, siginfo_t *si, void *uc)
685 {
686 	/* The SSP adjustment caused a segfault. */
687 	exit(0);
688 }
689 
690 int test_ptrace(void)
691 {
692 	unsigned long saved_ssp, ssp = 0;
693 	struct sigaction sa= {};
694 	struct iovec iov;
695 	int status;
696 	int pid;
697 
698 	iov.iov_base = &ssp;
699 	iov.iov_len = sizeof(ssp);
700 
701 	pid = fork();
702 	if (!pid) {
703 		ssp = get_ssp();
704 
705 		sa.sa_sigaction = segv_handler_ptrace;
706 		sa.sa_flags = SA_SIGINFO;
707 		if (sigaction(SIGSEGV, &sa, NULL))
708 			return 1;
709 
710 		ptrace(PTRACE_TRACEME, NULL, NULL, NULL);
711 		/*
712 		 * The parent will tweak the SSP and return from this function
713 		 * will #CP.
714 		 */
715 		raise(SIGTRAP);
716 
717 		exit(1);
718 	}
719 
720 	while (waitpid(pid, &status, 0) != -1 && WSTOPSIG(status) != SIGTRAP);
721 
722 	if (ptrace(PTRACE_GETREGSET, pid, NT_X86_SHSTK, &iov)) {
723 		printf("[INFO]\tFailed to PTRACE_GETREGS\n");
724 		goto out_kill;
725 	}
726 
727 	if (!ssp) {
728 		printf("[INFO]\tPtrace child SSP was 0\n");
729 		goto out_kill;
730 	}
731 
732 	saved_ssp = ssp;
733 
734 	iov.iov_len = 0;
735 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
736 		printf("[INFO]\tToo small size accepted via PTRACE_SETREGS\n");
737 		goto out_kill;
738 	}
739 
740 	iov.iov_len = sizeof(ssp) + 1;
741 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
742 		printf("[INFO]\tToo large size accepted via PTRACE_SETREGS\n");
743 		goto out_kill;
744 	}
745 
746 	ssp += 1;
747 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
748 		printf("[INFO]\tUnaligned SSP written via PTRACE_SETREGS\n");
749 		goto out_kill;
750 	}
751 
752 	ssp = 0xFFFFFFFFFFFF0000;
753 	if (!ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
754 		printf("[INFO]\tKernel range SSP written via PTRACE_SETREGS\n");
755 		goto out_kill;
756 	}
757 
758 	/*
759 	 * Tweak the SSP so the child with #CP when it resumes and returns
760 	 * from raise()
761 	 */
762 	ssp = saved_ssp + 8;
763 	iov.iov_len = sizeof(ssp);
764 	if (ptrace(PTRACE_SETREGSET, pid, NT_X86_SHSTK, &iov)) {
765 		printf("[INFO]\tFailed to PTRACE_SETREGS\n");
766 		goto out_kill;
767 	}
768 
769 	if (ptrace(PTRACE_DETACH, pid, NULL, NULL)) {
770 		printf("[INFO]\tFailed to PTRACE_DETACH\n");
771 		goto out_kill;
772 	}
773 
774 	waitpid(pid, &status, 0);
775 	if (WEXITSTATUS(status))
776 		return 1;
777 
778 	printf("[OK]\tPtrace test\n");
779 	return 0;
780 
781 out_kill:
782 	kill(pid, SIGKILL);
783 	return 1;
784 }
785 
786 int main(int argc, char *argv[])
787 {
788 	int ret = 0;
789 
790 	if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK)) {
791 		printf("[SKIP]\tCould not enable Shadow stack\n");
792 		return 1;
793 	}
794 
795 	if (ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK)) {
796 		ret = 1;
797 		printf("[FAIL]\tDisabling shadow stack failed\n");
798 	}
799 
800 	if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK)) {
801 		printf("[SKIP]\tCould not re-enable Shadow stack\n");
802 		return 1;
803 	}
804 
805 	if (ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_WRSS)) {
806 		printf("[SKIP]\tCould not enable WRSS\n");
807 		ret = 1;
808 		goto out;
809 	}
810 
811 	/* Should have succeeded if here, but this is a test, so double check. */
812 	if (!get_ssp()) {
813 		printf("[FAIL]\tShadow stack disabled\n");
814 		return 1;
815 	}
816 
817 	if (test_shstk_pivot()) {
818 		ret = 1;
819 		printf("[FAIL]\tShadow stack pivot\n");
820 		goto out;
821 	}
822 
823 	if (test_shstk_faults()) {
824 		ret = 1;
825 		printf("[FAIL]\tShadow stack fault test\n");
826 		goto out;
827 	}
828 
829 	if (test_shstk_violation()) {
830 		ret = 1;
831 		printf("[FAIL]\tShadow stack violation test\n");
832 		goto out;
833 	}
834 
835 	if (test_gup()) {
836 		ret = 1;
837 		printf("[FAIL]\tShadow shadow stack gup\n");
838 		goto out;
839 	}
840 
841 	if (test_mprotect()) {
842 		ret = 1;
843 		printf("[FAIL]\tShadow shadow mprotect test\n");
844 		goto out;
845 	}
846 
847 	if (test_userfaultfd()) {
848 		ret = 1;
849 		printf("[FAIL]\tUserfaultfd test\n");
850 		goto out;
851 	}
852 
853 	if (test_guard_gap()) {
854 		ret = 1;
855 		printf("[FAIL]\tGuard gap test\n");
856 		goto out;
857 	}
858 
859 	if (test_ptrace()) {
860 		ret = 1;
861 		printf("[FAIL]\tptrace test\n");
862 	}
863 
864 	if (test_32bit()) {
865 		ret = 1;
866 		printf("[FAIL]\t32 bit test\n");
867 		goto out;
868 	}
869 
870 	return ret;
871 
872 out:
873 	/*
874 	 * Disable shadow stack before the function returns, or there will be a
875 	 * shadow stack violation.
876 	 */
877 	if (ARCH_PRCTL(ARCH_SHSTK_DISABLE, ARCH_SHSTK_SHSTK)) {
878 		ret = 1;
879 		printf("[FAIL]\tDisabling shadow stack failed\n");
880 	}
881 
882 	return ret;
883 }
884 #endif
885