| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241203-55c76715e16422ddaf8d7edf@orel>
Date: Tue, 3 Dec 2024 13:55:07 +0100
From: Andrew Jones <ajones@...tanamicro.com>
To: Celeste Liu <uwu@...lacanthus.name>
Cc: Oleg Nesterov <oleg@...hat.com>,
Paul Walmsley <paul.walmsley@...ive.com>, Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>, Eric Biederman <ebiederm@...ssion.com>,
Kees Cook <kees@...nel.org>, Shuah Khan <shuah@...nel.org>, Alexandre Ghiti <alex@...ti.fr>,
"Dmitry V. Levin" <ldv@...ace.io>, Andrea Bolognani <abologna@...hat.com>,
Björn Töpel <bjorn@...nel.org>, Thomas Gleixner <tglx@...utronix.de>, Ron Economos <re@...z.net>,
Charlie Jenkins <charlie@...osinc.com>, Quan Zhou <zhouquan@...as.ac.cn>,
Felix Yan <felixonmars@...hlinux.org>, Ruizhe Pan <c141028@...il.com>,
Shiqi Zhang <shiqi@...c.iscas.ac.cn>, Guo Ren <guoren@...nel.org>, Yao Zi <ziyao@...root.org>,
Han Gao <gaohan@...as.ac.cn>, linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, stable@...r.kernel.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v2 2/2] riscv: selftests: Add a ptrace test to verify
syscall parameter modification
On Tue, Dec 03, 2024 at 05:30:05PM +0800, Celeste Liu wrote:
> From: Charlie Jenkins <charlie@...osinc.com>
>
> This test checks that orig_a0 allows a syscall argument to be modified,
> and that changing a0 does not change the syscall argument.
>
> Cc: stable@...r.kernel.org
> Co-developed-by: Quan Zhou <zhouquan@...as.ac.cn>
> Signed-off-by: Quan Zhou <zhouquan@...as.ac.cn>
> Co-developed-by: Celeste Liu <uwu@...lacanthus.name>
> Signed-off-by: Celeste Liu <uwu@...lacanthus.name>
> Signed-off-by: Charlie Jenkins <charlie@...osinc.com>
> ---
> tools/testing/selftests/riscv/abi/.gitignore | 1 +
> tools/testing/selftests/riscv/abi/Makefile | 5 +-
> tools/testing/selftests/riscv/abi/ptrace.c | 134 +++++++++++++++++++++++++++
> 3 files changed, 139 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/riscv/abi/.gitignore b/tools/testing/selftests/riscv/abi/.gitignore
> index b38358f91c4d2240ae64892871d9ca98bda1ae58..378c605919a3b3d58eec2701eb7af430cfe315d6 100644
> --- a/tools/testing/selftests/riscv/abi/.gitignore
> +++ b/tools/testing/selftests/riscv/abi/.gitignore
> @@ -1 +1,2 @@
> pointer_masking
> +ptrace
> diff --git a/tools/testing/selftests/riscv/abi/Makefile b/tools/testing/selftests/riscv/abi/Makefile
> index ed82ff9c664e7eb3f760cbab81fb957ff72579c5..3f74d059dfdcbce4d45d8ff618781ccea1419061 100644
> --- a/tools/testing/selftests/riscv/abi/Makefile
> +++ b/tools/testing/selftests/riscv/abi/Makefile
> @@ -2,9 +2,12 @@
>
> CFLAGS += -I$(top_srcdir)/tools/include
>
> -TEST_GEN_PROGS := pointer_masking
> +TEST_GEN_PROGS := pointer_masking ptrace
>
> include ../../lib.mk
>
> $(OUTPUT)/pointer_masking: pointer_masking.c
> $(CC) -static -o$@ $(CFLAGS) $(LDFLAGS) $^
> +
> +$(OUTPUT)/ptrace: ptrace.c
> + $(CC) -static -o$@ $(CFLAGS) $(LDFLAGS) $^
> diff --git a/tools/testing/selftests/riscv/abi/ptrace.c b/tools/testing/selftests/riscv/abi/ptrace.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..d192764b428d1f1c442f3957c6fedeb01a48d556
> --- /dev/null
> +++ b/tools/testing/selftests/riscv/abi/ptrace.c
> @@ -0,0 +1,134 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <unistd.h>
> +#include <fcntl.h>
> +#include <signal.h>
> +#include <errno.h>
> +#include <sys/types.h>
> +#include <sys/ptrace.h>
> +#include <sys/stat.h>
> +#include <sys/user.h>
> +#include <sys/wait.h>
> +#include <sys/uio.h>
> +#include <linux/elf.h>
> +#include <linux/unistd.h>
> +#include <asm/ptrace.h>
> +
> +#include "../../kselftest_harness.h"
> +
> +#define ORIG_A0_MODIFY 0x01
> +#define A0_MODIFY 0x02
> +#define A0_OLD 0x03
> +#define A0_NEW 0x04
Shouldn't A0_OLD and A0_NEW set more bits, since 3 and 4 aren't very
unique (we could have those values by accident)? And should we include
setting bits over 31 for 64-bit targets?
> +
> +#define perr_and_exit(fmt, ...) \
> + ({ \
> + char buf[256]; \
> + snprintf(buf, sizeof(buf), "%s:%d:" fmt ": %m\n", \
> + __func__, __LINE__, ##__VA_ARGS__); \
> + perror(buf); \
> + exit(-1); \
> + })
Can we use e.g. ksft_exit_fail_perror() instead? I'd prefer we try to
consolidate testing/selftests/riscv/* tests on a common format for
errors and exit codes and we're already using other kselftest stuff.
> +
> +static inline void resume_and_wait_tracee(pid_t pid, int flag)
> +{
> + int status;
> +
> + if (ptrace(flag, pid, 0, 0))
> + perr_and_exit("failed to resume the tracee %d\n", pid);
> +
> + if (waitpid(pid, &status, 0) != pid)
> + perr_and_exit("failed to wait for the tracee %d\n", pid);
> +}
> +
> +static void ptrace_test(int opt, int *result)
> +{
> + int status;
> + pid_t pid;
> + struct user_regs_struct regs;
> + struct iovec iov = {
> + .iov_base = ®s,
> + .iov_len = sizeof(regs),
> + };
> +
> + unsigned long orig_a0;
> + struct iovec a0_iov = {
> + .iov_base = &orig_a0,
> + .iov_len = sizeof(orig_a0),
> + };
> +
> + pid = fork();
> + if (pid == 0) {
> + /* Mark oneself being traced */
> + long val = ptrace(PTRACE_TRACEME, 0, 0, 0);
> +
> + if (val)
> + perr_and_exit("failed to request for tracer to trace me: %ld\n", val);
> +
> + kill(getpid(), SIGSTOP);
> +
> + /* Perform exit syscall that will be intercepted */
> + exit(A0_OLD);
> + }
> +
> + if (pid < 0)
> + exit(1);
This unexpected error condition deserves a message, so I'd use
ksft_exit_fail_perror() here.
> +
> + if (waitpid(pid, &status, 0) != pid)
> + perr_and_exit("failed to wait for the tracee %d\n", pid);
> +
> + /* Stop at the entry point of the syscall */
> + resume_and_wait_tracee(pid, PTRACE_SYSCALL);
> +
> + /* Check tracee regs before the syscall */
> + if (ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov))
> + perr_and_exit("failed to get tracee registers\n");
> + if (ptrace(PTRACE_GETREGSET, pid, NT_RISCV_ORIG_A0, &a0_iov))
> + perr_and_exit("failed to get tracee registers\n");
> + if (orig_a0 != A0_OLD)
> + perr_and_exit("unexpected orig_a0: 0x%lx\n", orig_a0);
> +
> + /* Modify a0/orig_a0 for the syscall */
> + switch (opt) {
> + case A0_MODIFY:
> + regs.a0 = A0_NEW;
> + break;
> + case ORIG_A0_MODIFY:
> + orig_a0 = A0_NEW;
> + break;
> + }
> +
> + if (ptrace(PTRACE_SETREGSET, pid, NT_RISCV_ORIG_A0, &a0_iov))
> + perr_and_exit("failed to set tracee registers\n");
> +
> + /* Resume the tracee */
> + ptrace(PTRACE_CONT, pid, 0, 0);
> + if (waitpid(pid, &status, 0) != pid)
> + perr_and_exit("failed to wait for the tracee\n");
> +
> + *result = WEXITSTATUS(status);
> +}
> +
> +TEST(ptrace_modify_a0)
> +{
> + int result;
> +
> + ptrace_test(A0_MODIFY, &result);
> +
> + /* The modification of a0 cannot affect the first argument of the syscall */
> + EXPECT_EQ(A0_OLD, result);
What about checking that we actually set regs.a0 to A0_NEW? We'd need
A0_NEW to be more unique than 4, though.
> +}
> +
> +TEST(ptrace_modify_orig_a0)
> +{
> + int result;
> +
> + ptrace_test(ORIG_A0_MODIFY, &result);
> +
> + /* Only modify orig_a0 to change the first argument of the syscall */
If we run ptrace_modify_a0 first then we've already set regs.a0 to A0_NEW
and can't check with this test that we don't set it to A0_NEW. We should
probably have two different test values, one for regs.a0 and one for
orig_a0 and ensure on both tests that we aren't writing both.
> + EXPECT_EQ(A0_NEW, result);
> +}
> +
> +TEST_HARNESS_MAIN
>
> --
> 2.47.0
>
Thanks,
drew
Powered by blists - more mailing lists