lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <faa82449f058e4d57372dc4e7b5ca2dc091cb454.camel@gmail.com>
Date:   Wed, 17 Aug 2022 16:15:19 +1000
From:   Jordan Niethe <jniethe5@...il.com>
To:     Russell Currey <ruscur@...sell.cc>, linuxppc-dev@...ts.ozlabs.org
Cc:     ajd@...ux.ibm.com, anshuman.khandual@....com,
        nicholas@...ux.ibm.com, npiggin@...il.com,
        aneesh.kumar@...ux.ibm.com, linux-hardening@...r.kernel.org
Subject: Re: [PATCH v4 2/2] selftests/powerpc: Add a test for execute-only
 memory

On Wed, 2022-08-17 at 15:06 +1000, Russell Currey wrote:
> From: Nicholas Miehlbradt <nicholas@...ux.ibm.com>
> 
> This selftest is designed to cover execute-only protections
> on the Radix MMU but will also work with Hash.
> 
> The tests are based on those found in pkey_exec_test with modifications
> to use the generic mprotect() instead of the pkey variants.

Would it make sense to rename pkey_exec_test to exec_test and have this test be apart of that?

> 
> Signed-off-by: Nicholas Miehlbradt <nicholas@...ux.ibm.com>
> Signed-off-by: Russell Currey <ruscur@...sell.cc>
> ---
> v4: new
> 
>  tools/testing/selftests/powerpc/mm/Makefile   |   3 +-
>  .../testing/selftests/powerpc/mm/exec_prot.c  | 231 ++++++++++++++++++
>  2 files changed, 233 insertions(+), 1 deletion(-)
>  create mode 100644 tools/testing/selftests/powerpc/mm/exec_prot.c
> 
> diff --git a/tools/testing/selftests/powerpc/mm/Makefile b/tools/testing/selftests/powerpc/mm/Makefile
> index 27dc09d0bfee..19dd0b2ea397 100644
> --- a/tools/testing/selftests/powerpc/mm/Makefile
> +++ b/tools/testing/selftests/powerpc/mm/Makefile
> @@ -3,7 +3,7 @@ noarg:
>  	$(MAKE) -C ../
>  
>  TEST_GEN_PROGS := hugetlb_vs_thp_test subpage_prot prot_sao segv_errors wild_bctr \
> -		  large_vm_fork_separation bad_accesses pkey_exec_prot \
> +		  large_vm_fork_separation bad_accesses exec_prot pkey_exec_prot \
>  		  pkey_siginfo stack_expansion_signal stack_expansion_ldst \
>  		  large_vm_gpr_corruption
>  TEST_PROGS := stress_code_patching.sh
> @@ -22,6 +22,7 @@ $(OUTPUT)/wild_bctr: CFLAGS += -m64
>  $(OUTPUT)/large_vm_fork_separation: CFLAGS += -m64
>  $(OUTPUT)/large_vm_gpr_corruption: CFLAGS += -m64
>  $(OUTPUT)/bad_accesses: CFLAGS += -m64
> +$(OUTPUT)/exec_prot: CFLAGS += -m64
>  $(OUTPUT)/pkey_exec_prot: CFLAGS += -m64
>  $(OUTPUT)/pkey_siginfo: CFLAGS += -m64
>  
> diff --git a/tools/testing/selftests/powerpc/mm/exec_prot.c b/tools/testing/selftests/powerpc/mm/exec_prot.c
> new file mode 100644
> index 000000000000..db75b2225de1
> --- /dev/null
> +++ b/tools/testing/selftests/powerpc/mm/exec_prot.c
> @@ -0,0 +1,231 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +/*
> + * Copyright 2022, Nicholas Miehlbradt, IBM Corporation
> + * based on pkey_exec_prot.c
> + *
> + * Test if applying execute protection on pages works as expected.
> + */
> +
> +#define _GNU_SOURCE
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <signal.h>
> +
> +#include <unistd.h>
> +#include <sys/mman.h>
> +
> +#include "pkeys.h"
> +
> +
> +#define PPC_INST_NOP	0x60000000
> +#define PPC_INST_TRAP	0x7fe00008
> +#define PPC_INST_BLR	0x4e800020
> +
> +static volatile sig_atomic_t fault_code;
> +static volatile sig_atomic_t remaining_faults;
> +static volatile unsigned int *fault_addr;
> +static unsigned long pgsize, numinsns;
> +static unsigned int *insns;
> +static bool pkeys_supported;
> +
> +static bool is_fault_expected(int fault_code)
> +{
> +	if (fault_code == SEGV_ACCERR)
> +		return true;
> +
> +	/* Assume any pkey error is fine since pkey_exec_prot test covers them */
> +	if (fault_code == SEGV_PKUERR && pkeys_supported)
> +		return true;
> +
> +	return false;
> +}
> +
> +static void trap_handler(int signum, siginfo_t *sinfo, void *ctx)
> +{
> +	/* Check if this fault originated from the expected address */
> +	if (sinfo->si_addr != (void *)fault_addr)
> +		sigsafe_err("got a fault for an unexpected address\n");
> +
> +	_exit(1);
> +}
> +
> +static void segv_handler(int signum, siginfo_t *sinfo, void *ctx)
> +{
> +	fault_code = sinfo->si_code;
> +
> +	/* Check if this fault originated from the expected address */
> +	if (sinfo->si_addr != (void *)fault_addr) {
> +		sigsafe_err("got a fault for an unexpected address\n");
> +		_exit(1);
> +	}
> +
> +	/* Check if too many faults have occurred for a single test case */
> +	if (!remaining_faults) {
> +		sigsafe_err("got too many faults for the same address\n");
> +		_exit(1);
> +	}
> +
> +
> +	/* Restore permissions in order to continue */
> +	if (is_fault_expected(fault_code)) {
> +		if (mprotect(insns, pgsize, PROT_READ | PROT_WRITE | PROT_EXEC)) {
> +			sigsafe_err("failed to set access permissions\n");
> +			_exit(1);
> +		}
> +	} else {
> +		sigsafe_err("got a fault with an unexpected code\n");
> +		_exit(1);
> +	}
> +
> +	remaining_faults--;
> +}
> +
> +static int check_exec_fault(int rights)
> +{
> +	/*
> +	 * Jump to the executable region.
> +	 *
> +	 * The first iteration also checks if the overwrite of the
> +	 * first instruction word from a trap to a no-op succeeded.
> +	 */
> +	fault_code = -1;
> +	remaining_faults = 0;
> +	if (!(rights & PROT_EXEC))
> +		remaining_faults = 1;
> +
> +	FAIL_IF(mprotect(insns, pgsize, rights) != 0);
> +	asm volatile("mtctr	%0; bctrl" : : "r"(insns));
> +
> +	FAIL_IF(remaining_faults != 0);
> +	if (!(rights & PROT_EXEC))
> +		FAIL_IF(!is_fault_expected(fault_code));
> +
> +	return 0;
> +}
> +
> +static int test(void)
> +{
> +	struct sigaction segv_act, trap_act;
> +	int i;
> +
> +	/* Skip the test if the CPU doesn't support Radix */
> +	SKIP_IF(!have_hwcap2(PPC_FEATURE2_ARCH_3_00));
> +
> +	/* Check if pkeys are supported */
> +	pkeys_supported = pkeys_unsupported() == 0;
> +
> +	/* Setup SIGSEGV handler */
> +	segv_act.sa_handler = 0;
> +	segv_act.sa_sigaction = segv_handler;
> +	FAIL_IF(sigprocmask(SIG_SETMASK, 0, &segv_act.sa_mask) != 0);
> +	segv_act.sa_flags = SA_SIGINFO;
> +	segv_act.sa_restorer = 0;
> +	FAIL_IF(sigaction(SIGSEGV, &segv_act, NULL) != 0);
> +
> +	/* Setup SIGTRAP handler */
> +	trap_act.sa_handler = 0;
> +	trap_act.sa_sigaction = trap_handler;
> +	FAIL_IF(sigprocmask(SIG_SETMASK, 0, &trap_act.sa_mask) != 0);
> +	trap_act.sa_flags = SA_SIGINFO;
> +	trap_act.sa_restorer = 0;
> +	FAIL_IF(sigaction(SIGTRAP, &trap_act, NULL) != 0);
> +
> +	/* Setup executable region */
> +	pgsize = getpagesize();
> +	numinsns = pgsize / sizeof(unsigned int);
> +	insns = (unsigned int *)mmap(NULL, pgsize, PROT_READ | PROT_WRITE,
> +				      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
> +	FAIL_IF(insns == MAP_FAILED);
> +
> +	/* Write the instruction words */
> +	for (i = 1; i < numinsns - 1; i++)
> +		insns[i] = PPC_INST_NOP;
> +
> +	/*
> +	 * Set the first instruction as an unconditional trap. If
> +	 * the last write to this address succeeds, this should
> +	 * get overwritten by a no-op.
> +	 */
> +	insns[0] = PPC_INST_TRAP;
> +
> +	/*
> +	 * Later, to jump to the executable region, we use a branch
> +	 * and link instruction (bctrl) which sets the return address
> +	 * automatically in LR. Use that to return back.
> +	 */
> +	insns[numinsns - 1] = PPC_INST_BLR;
> +
> +	/*
> +	 * Pick the first instruction's address from the executable
> +	 * region.
> +	 */
> +	fault_addr = insns;
> +
> +	/*
> +	 * Read an instruction word from the address when the page
> +	 * is execute only. This should generate an access fault.
> +	 */
> +	fault_code = -1;
> +	remaining_faults = 1;
> +	printf("Testing read on --x, should fault...");
> +	FAIL_IF(mprotect(insns, pgsize, PROT_EXEC) != 0);
> +	i = *fault_addr;
> +	FAIL_IF(remaining_faults != 0 || !is_fault_expected(fault_code));
> +	printf("ok!\n");
> +
> +	/*
> +	 * Write an instruction word to the address when the page
> +	 * execute only. This should also generate an access fault.
> +	 */
> +	fault_code = -1;
> +	remaining_faults = 1;
> +	printf("Testing write on --x, should fault...");
> +	FAIL_IF(mprotect(insns, pgsize, PROT_EXEC) != 0);
> +	*fault_addr = PPC_INST_NOP;
> +	FAIL_IF(remaining_faults != 0 || !is_fault_expected(fault_code));
> +	printf("ok!\n");
> +
> +	printf("Testing exec on ---, should fault...");
> +	FAIL_IF(check_exec_fault(PROT_NONE));
> +	printf("ok!\n");
> +
> +	printf("Testing exec on r--, should fault...");
> +	FAIL_IF(check_exec_fault(PROT_READ));
> +	printf("ok!\n");
> +
> +	printf("Testing exec on -w-, should fault...");
> +	FAIL_IF(check_exec_fault(PROT_WRITE));
> +	printf("ok!\n");
> +
> +	printf("Testing exec on rw-, should fault...");
> +	FAIL_IF(check_exec_fault(PROT_READ | PROT_WRITE));
> +	printf("ok!\n");
> +
> +	printf("Testing exec on --x, should succeed...");
> +	FAIL_IF(check_exec_fault(PROT_EXEC));
> +	printf("ok!\n");
> +
> +	printf("Testing exec on r-x, should succeed...");
> +	FAIL_IF(check_exec_fault(PROT_READ | PROT_EXEC));
> +	printf("ok!\n");
> +
> +	printf("Testing exec on -wx, should succeed...");
> +	FAIL_IF(check_exec_fault(PROT_WRITE | PROT_EXEC));
> +	printf("ok!\n");
> +
> +	printf("Testing exec on rwx, should succeed...");
> +	FAIL_IF(check_exec_fault(PROT_READ | PROT_WRITE | PROT_EXEC));
> +	printf("ok!\n");
> +
> +	/* Cleanup */
> +	FAIL_IF(munmap((void *)insns, pgsize));
> +
> +	return 0;
> +}
> +
> +int main(void)
> +{
> +	return test_harness(test, "exec_prot");
> +}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ