x86/CET: Add a setcontext test for CET

Message ID 20180725122255.GD13278@gmail.com
State New
Series
  • x86/CET: Add a setcontext test for CET

Commit Message

H.J. Lu July 25, 2018, 12:22 p.m.
Verify that setcontext works with gaps above and below the newly
allocated shadow stack.

OK for master?

H.J.
---
	* sysdeps/x86/Makefile (tests): Add tst-cet-setcontext-1 if
	CET is enabled.
	(CFLAGS-tst-cet-setcontext-1.c): Add -mshstk.
	* sysdeps/x86/tst-cet-setcontext-1.c: New file.
---
 sysdeps/x86/Makefile               |   5 ++
 sysdeps/x86/tst-cet-setcontext-1.c | 119 +++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
 create mode 100644 sysdeps/x86/tst-cet-setcontext-1.c

-- 
2.17.1

Comments

Carlos O'Donell July 25, 2018, 1:29 p.m. | #1
On 07/25/2018 08:22 AM, H.J. Lu wrote:
> Verify that setcontext works with gaps above and below the newly

> allocated shadow stack.

> 

> OK for master?

> 

> H.J.

> ---

> 	* sysdeps/x86/Makefile (tests): Add tst-cet-setcontext-1 if

> 	CET is enabled.

> 	(CFLAGS-tst-cet-setcontext-1.c): Add -mshstk.

> 	* sysdeps/x86/tst-cet-setcontext-1.c: New file.


OK for 2.28 only if you add a paragraph about exactly how the shadow
stacks are being laid out by the calls and why unmapping ctx3 and ctx4 works
to leave ctx1 with gap above and below.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>


> ---

>  sysdeps/x86/Makefile               |   5 ++

>  sysdeps/x86/tst-cet-setcontext-1.c | 119 +++++++++++++++++++++++++++++

>  2 files changed, 124 insertions(+)

>  create mode 100644 sysdeps/x86/tst-cet-setcontext-1.c

> 

> diff --git a/sysdeps/x86/Makefile b/sysdeps/x86/Makefile

> index 672bb19489..761d396108 100644

> --- a/sysdeps/x86/Makefile

> +++ b/sysdeps/x86/Makefile

> @@ -92,4 +92,9 @@ $(objpfx)check-cet.out: $(..)sysdeps/x86/check-cet.awk \

>  	$(evaluate-test)

>  generated += check-cet.out

>  endif

> +

> +ifeq ($(subdir),stdlib)

> +tests += tst-cet-setcontext-1

> +CFLAGS-tst-cet-setcontext-1.c += -mshstk

> +endif


OK, still within the CET enable block.

>  endif

> diff --git a/sysdeps/x86/tst-cet-setcontext-1.c b/sysdeps/x86/tst-cet-setcontext-1.c

> new file mode 100644

> index 0000000000..08b7f6378e

> --- /dev/null

> +++ b/sysdeps/x86/tst-cet-setcontext-1.c

> @@ -0,0 +1,119 @@

> +/* Check getcontext and setcontext on the context from makecontext

> +   with shadow stack.


OK.

> +   Copyright (C) 2018 Free Software Foundation, Inc.

> +   This file is part of the GNU C Library.

> +

> +   The GNU C Library is free software; you can redistribute it and/or

> +   modify it under the terms of the GNU Lesser General Public

> +   License as published by the Free Software Foundation; either

> +   version 2.1 of the License, or (at your option) any later version.

> +

> +   The GNU C Library is distributed in the hope that it will be useful,

> +   but WITHOUT ANY WARRANTY; without even the implied warranty of

> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

> +   Lesser General Public License for more details.

> +

> +   You should have received a copy of the GNU Lesser General Public

> +   License along with the GNU C Library; if not, see

> +   <http://www.gnu.org/licenses/>.  */

> +

> +#include <stdio.h>

> +#include <stdint.h>

> +#include <stdlib.h>

> +#include <ucontext.h>

> +#include <unistd.h>

> +#include <sys/mman.h>

> +#include <stdatomic.h>

> +#include <x86intrin.h>

> +

> +static ucontext_t ctx[5];


OK, 5 contexts.

> +static atomic_int done;

> +

> +static void

> +__attribute__((noinline, noclone))

> +f2 (void)

> +{

> +  printf ("start f2\n");

> +  done++;


Increment done.

> +  if (setcontext (&ctx[2]) != 0)


Go back to ctx[2].

> +    {

> +      printf ("%s: setcontext: %m\n", __FUNCTION__);

> +      exit (EXIT_FAILURE);

> +    }

> +}

> +

> +static void

> +f1 (void)

> +{

> +  printf ("start f1\n");

> +  if (getcontext (&ctx[2]) != 0)

> +    {

> +      printf ("%s: getcontext: %m\n", __FUNCTION__);

> +      exit (EXIT_FAILURE);

> +    }


OK.

> +  if (done)

> +    exit (EXIT_SUCCESS);


Call exit the second time. Having tested a context get/set
within a context that has gaps above and below it.

> +  f2 ();


Calls f2 first time.

> +}

> +

> +static int

> +do_test (void)

> +{

> +  char st1[32768];


OK, large stack block.

> +  puts ("making contexts");

> +  if (getcontext (&ctx[0]) != 0)


OK, create a context, this makes a new shadow stack.

> +    {

> +      printf ("%s: getcontext: %m\n", __FUNCTION__);

> +      exit (EXIT_FAILURE);

> +    }

> +  if (getcontext (&ctx[1]) != 0)


OK, make another one.

> +    {

> +      printf ("%s: getcontext: %m\n", __FUNCTION__);

> +      exit (EXIT_FAILURE);

> +    }

> +

> +  ctx[3].uc_stack.ss_sp = st1;

> +  ctx[3].uc_stack.ss_size = sizeof st1;

> +  ctx[3].uc_link = &ctx[0];

> +  makecontext (&ctx[3], (void (*) (void)) f1, 0);


This is invalid?

ctx[3] must have been initialized by getcontext.

If the point is to force a shadow stack allocation then we should
add a comment here that we are purposely altering an invalid context
to trigger this work.

> +

> +  ctx[1].uc_stack.ss_sp = st1;

> +  ctx[1].uc_stack.ss_size = sizeof st1;

> +  ctx[1].uc_link = &ctx[0];

> +  makecontext (&ctx[1], (void (*) (void)) f1, 0);


OK, adjust stack for ctx[1].

> +

> +  ctx[4].uc_stack.ss_sp = st1;

> +  ctx[4].uc_stack.ss_size = sizeof st1;

> +  ctx[4].uc_link = &ctx[0];

> +  makecontext (&ctx[4], (void (*) (void)) f1, 0);


Also invalid?

At this point we likely have:

0th - context
3rd - invalid
1st - context (new stack, and f1 function)
4th - invalid

> +

> +  /* Free the unused shadow stacks to create gaps above and below the

> +     shadow stack of CTX1.  */


Needs a big comment explaining the layout and what we are accomplishing here:

> +  if (_get_ssp () != 0)

> +    {

> +      if (ctx[3].__ssp[1] != 0

> +	  && munmap ((void *) (uintptr_t) ctx[3].__ssp[1],

> +		     (size_t) ctx[3].__ssp[2]) != 0)

> +	{

> +	  printf ("%s: munmap: %m\n", __FUNCTION__);

> +	  exit (EXIT_FAILURE);

> +	}

> +

> +      if (ctx[4].__ssp[1] != 0

> +	  && munmap ((void *) (uintptr_t) ctx[4].__ssp[1],

> +		     (size_t) ctx[4].__ssp[2]) != 0)

> +	{

> +	  printf ("%s: munmap: %m\n", __FUNCTION__);

> +	  exit (EXIT_FAILURE);

> +	}

> +    }

> +


0th - context
3rd - invalid (unmapped shadow stack)
1st - context (new stack, and f1 function)
4th - invalid (unmapped shadow stack)

> +  if (setcontext (&ctx[1]) != 0)


OK, jump to f1.

> +    {

> +      printf ("%s: setcontext: %m\n", __FUNCTION__);

> +      exit (EXIT_FAILURE);

> +    }

> +  exit (EXIT_FAILURE);

> +}

> +

> +#include <support/test-driver.c>

>

Patch

diff --git a/sysdeps/x86/Makefile b/sysdeps/x86/Makefile
index 672bb19489..761d396108 100644
--- a/sysdeps/x86/Makefile
+++ b/sysdeps/x86/Makefile
@@ -92,4 +92,9 @@  $(objpfx)check-cet.out: $(..)sysdeps/x86/check-cet.awk \
 	$(evaluate-test)
 generated += check-cet.out
 endif
+
+ifeq ($(subdir),stdlib)
+tests += tst-cet-setcontext-1
+CFLAGS-tst-cet-setcontext-1.c += -mshstk
+endif
 endif
diff --git a/sysdeps/x86/tst-cet-setcontext-1.c b/sysdeps/x86/tst-cet-setcontext-1.c
new file mode 100644
index 0000000000..08b7f6378e
--- /dev/null
+++ b/sysdeps/x86/tst-cet-setcontext-1.c
@@ -0,0 +1,119 @@ 
+/* Check getcontext and setcontext on the context from makecontext
+   with shadow stack.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <ucontext.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <stdatomic.h>
+#include <x86intrin.h>
+
+static ucontext_t ctx[5];
+static atomic_int done;
+
+static void
+__attribute__((noinline, noclone))
+f2 (void)
+{
+  printf ("start f2\n");
+  done++;
+  if (setcontext (&ctx[2]) != 0)
+    {
+      printf ("%s: setcontext: %m\n", __FUNCTION__);
+      exit (EXIT_FAILURE);
+    }
+}
+
+static void
+f1 (void)
+{
+  printf ("start f1\n");
+  if (getcontext (&ctx[2]) != 0)
+    {
+      printf ("%s: getcontext: %m\n", __FUNCTION__);
+      exit (EXIT_FAILURE);
+    }
+  if (done)
+    exit (EXIT_SUCCESS);
+  f2 ();
+}
+
+static int
+do_test (void)
+{
+  char st1[32768];
+  puts ("making contexts");
+  if (getcontext (&ctx[0]) != 0)
+    {
+      printf ("%s: getcontext: %m\n", __FUNCTION__);
+      exit (EXIT_FAILURE);
+    }
+  if (getcontext (&ctx[1]) != 0)
+    {
+      printf ("%s: getcontext: %m\n", __FUNCTION__);
+      exit (EXIT_FAILURE);
+    }
+
+  ctx[3].uc_stack.ss_sp = st1;
+  ctx[3].uc_stack.ss_size = sizeof st1;
+  ctx[3].uc_link = &ctx[0];
+  makecontext (&ctx[3], (void (*) (void)) f1, 0);
+
+  ctx[1].uc_stack.ss_sp = st1;
+  ctx[1].uc_stack.ss_size = sizeof st1;
+  ctx[1].uc_link = &ctx[0];
+  makecontext (&ctx[1], (void (*) (void)) f1, 0);
+
+  ctx[4].uc_stack.ss_sp = st1;
+  ctx[4].uc_stack.ss_size = sizeof st1;
+  ctx[4].uc_link = &ctx[0];
+  makecontext (&ctx[4], (void (*) (void)) f1, 0);
+
+  /* Free the unused shadow stacks to create gaps above and below the
+     shadow stack of CTX1.  */
+  if (_get_ssp () != 0)
+    {
+      if (ctx[3].__ssp[1] != 0
+	  && munmap ((void *) (uintptr_t) ctx[3].__ssp[1],
+		     (size_t) ctx[3].__ssp[2]) != 0)
+	{
+	  printf ("%s: munmap: %m\n", __FUNCTION__);
+	  exit (EXIT_FAILURE);
+	}
+
+      if (ctx[4].__ssp[1] != 0
+	  && munmap ((void *) (uintptr_t) ctx[4].__ssp[1],
+		     (size_t) ctx[4].__ssp[2]) != 0)
+	{
+	  printf ("%s: munmap: %m\n", __FUNCTION__);
+	  exit (EXIT_FAILURE);
+	}
+    }
+
+  if (setcontext (&ctx[1]) != 0)
+    {
+      printf ("%s: setcontext: %m\n", __FUNCTION__);
+      exit (EXIT_FAILURE);
+    }
+  exit (EXIT_FAILURE);
+}
+
+#include <support/test-driver.c>
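Review bot: In do_test, the two `ctx[N].__ssp[1] != 0 && munmap (...)` conditions skip the unmap silently when no shadow-stack base was recorded, so with shadow stacks active (`_get_ssp () != 0`) the test can still reach `exit (EXIT_SUCCESS)` in f1 without ever creating the gaps it is meant to verify. Because this is the regression test for setcontext's shadow-stack handling, a vacuous pass would hide the case it exists to catch. Inside the `_get_ssp () != 0` block I would fail early, e.g. `if (ctx[3].__ssp[1] == 0 || ctx[4].__ssp[1] == 0) { puts ("no shadow stack recorded by makecontext"); exit (EXIT_FAILURE); }`, and then call munmap unconditionally. The test also passes when `_get_ssp ()` returns 0; presumably that is intended for systems without CET, but a `puts` noting that the gap setup was skipped would make it visible in the test log.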