lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <50a62291-5ae1-47b0-8f64-a42271820789@coelacanthus.name>
Date: Fri, 20 Dec 2024 05:29:45 +0800
From: Celeste Liu <uwu@...lacanthus.name>
To: Charlie Jenkins <charlie@...osinc.com>,
 Andrew Jones <ajones@...tanamicro.com>
Cc: Oleg Nesterov <oleg@...hat.com>, Paul Walmsley
 <paul.walmsley@...ive.com>, Palmer Dabbelt <palmer@...belt.com>,
 Albert Ou <aou@...s.berkeley.edu>, Eric Biederman <ebiederm@...ssion.com>,
 Kees Cook <kees@...nel.org>, Shuah Khan <shuah@...nel.org>,
 Alexandre Ghiti <alex@...ti.fr>, "Dmitry V. Levin" <ldv@...ace.io>,
 Andrea Bolognani <abologna@...hat.com>, Björn Töpel
 <bjorn@...nel.org>, Thomas Gleixner <tglx@...utronix.de>,
 Ron Economos <re@...z.net>, Quan Zhou <zhouquan@...as.ac.cn>,
 Guo Ren <guoren@...nel.org>, linux-riscv@...ts.infradead.org,
 linux-kernel@...r.kernel.org, linux-mm@...ck.org, stable@...r.kernel.org,
 linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v2 2/2] riscv: selftests: Add a ptrace test to verify
 syscall parameter modification


On 2024-12-20 02:26, Charlie Jenkins wrote:
> On Tue, Dec 03, 2024 at 01:55:07PM +0100, Andrew Jones wrote:
>> On Tue, Dec 03, 2024 at 05:30:05PM +0800, Celeste Liu wrote:
>>> From: Charlie Jenkins <charlie@...osinc.com>
>>>
>>> This test checks that orig_a0 allows a syscall argument to be modified,
>>> and that changing a0 does not change the syscall argument.
>>>
>>> Cc: stable@...r.kernel.org
>>> Co-developed-by: Quan Zhou <zhouquan@...as.ac.cn>
>>> Signed-off-by: Quan Zhou <zhouquan@...as.ac.cn>
>>> Co-developed-by: Celeste Liu <uwu@...lacanthus.name>
>>> Signed-off-by: Celeste Liu <uwu@...lacanthus.name>
>>> Signed-off-by: Charlie Jenkins <charlie@...osinc.com>
>>> ---
>>>  tools/testing/selftests/riscv/abi/.gitignore |   1 +
>>>  tools/testing/selftests/riscv/abi/Makefile   |   5 +-
>>>  tools/testing/selftests/riscv/abi/ptrace.c   | 134 +++++++++++++++++++++++++++
>>>  3 files changed, 139 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/tools/testing/selftests/riscv/abi/.gitignore b/tools/testing/selftests/riscv/abi/.gitignore
>>> index b38358f91c4d2240ae64892871d9ca98bda1ae58..378c605919a3b3d58eec2701eb7af430cfe315d6 100644
>>> --- a/tools/testing/selftests/riscv/abi/.gitignore
>>> +++ b/tools/testing/selftests/riscv/abi/.gitignore
>>> @@ -1 +1,2 @@
>>>  pointer_masking
>>> +ptrace
>>> diff --git a/tools/testing/selftests/riscv/abi/Makefile b/tools/testing/selftests/riscv/abi/Makefile
>>> index ed82ff9c664e7eb3f760cbab81fb957ff72579c5..3f74d059dfdcbce4d45d8ff618781ccea1419061 100644
>>> --- a/tools/testing/selftests/riscv/abi/Makefile
>>> +++ b/tools/testing/selftests/riscv/abi/Makefile
>>> @@ -2,9 +2,12 @@
>>>  
>>>  CFLAGS += -I$(top_srcdir)/tools/include
>>>  
>>> -TEST_GEN_PROGS := pointer_masking
>>> +TEST_GEN_PROGS := pointer_masking ptrace
>>>  
>>>  include ../../lib.mk
>>>  
>>>  $(OUTPUT)/pointer_masking: pointer_masking.c
>>>  	$(CC) -static -o$@ $(CFLAGS) $(LDFLAGS) $^
>>> +
>>> +$(OUTPUT)/ptrace: ptrace.c
>>> +	$(CC) -static -o$@ $(CFLAGS) $(LDFLAGS) $^
>>> diff --git a/tools/testing/selftests/riscv/abi/ptrace.c b/tools/testing/selftests/riscv/abi/ptrace.c
>>> new file mode 100644
>>> index 0000000000000000000000000000000000000000..d192764b428d1f1c442f3957c6fedeb01a48d556
>>> --- /dev/null
>>> +++ b/tools/testing/selftests/riscv/abi/ptrace.c
>>> @@ -0,0 +1,134 @@
>>> +// SPDX-License-Identifier: GPL-2.0-only
>>> +#include <stdio.h>
>>> +#include <stdlib.h>
>>> +#include <string.h>
>>> +#include <unistd.h>
>>> +#include <fcntl.h>
>>> +#include <signal.h>
>>> +#include <errno.h>
>>> +#include <sys/types.h>
>>> +#include <sys/ptrace.h>
>>> +#include <sys/stat.h>
>>> +#include <sys/user.h>
>>> +#include <sys/wait.h>
>>> +#include <sys/uio.h>
>>> +#include <linux/elf.h>
>>> +#include <linux/unistd.h>
>>> +#include <asm/ptrace.h>
>>> +
>>> +#include "../../kselftest_harness.h"
>>> +
>>> +#define ORIG_A0_MODIFY      0x01
>>> +#define A0_MODIFY           0x02
>>> +#define A0_OLD              0x03
>>> +#define A0_NEW              0x04
>>
>> Shouldn't A0_OLD and A0_NEW set more bits, since 3 and 4 aren't very
>> unique (we could have those values by accident)? And should we include
>> setting bits over 31 for 64-bit targets?
>>
>>> +
>>> +#define perr_and_exit(fmt, ...)						\
>>> +	({								\
>>> +		char buf[256];						\
>>> +		snprintf(buf, sizeof(buf), "%s:%d:" fmt ": %m\n",	\
>>> +			__func__, __LINE__, ##__VA_ARGS__);		\
>>> +		perror(buf);						\
>>> +		exit(-1);						\
>>> +	})
>>
>> Can we use e.g. ksft_exit_fail_perror() instead? I'd prefer we try to
>> consolidate testing/selftests/riscv/* tests on a common format for
>> errors and exit codes and we're already using other kselftest stuff.
>>
>>> +
>>> +static inline void resume_and_wait_tracee(pid_t pid, int flag)
>>> +{
>>> +	int status;
>>> +
>>> +	if (ptrace(flag, pid, 0, 0))
>>> +		perr_and_exit("failed to resume the tracee %d\n", pid);
>>> +
>>> +	if (waitpid(pid, &status, 0) != pid)
>>> +		perr_and_exit("failed to wait for the tracee %d\n", pid);
>>> +}
>>> +
>>> +static void ptrace_test(int opt, int *result)
>>> +{
>>> +	int status;
>>> +	pid_t pid;
>>> +	struct user_regs_struct regs;
>>> +	struct iovec iov = {
>>> +		.iov_base = &regs,
>>> +		.iov_len = sizeof(regs),
>>> +	};
>>> +
>>> +	unsigned long orig_a0;
>>> +	struct iovec a0_iov = {
>>> +		.iov_base = &orig_a0,
>>> +		.iov_len = sizeof(orig_a0),
>>> +	};
>>> +
>>> +	pid = fork();
>>> +	if (pid == 0) {
>>> +		/* Mark oneself being traced */
>>> +		long val = ptrace(PTRACE_TRACEME, 0, 0, 0);
>>> +
>>> +		if (val)
>>> +			perr_and_exit("failed to request for tracer to trace me: %ld\n", val);
>>> +
>>> +		kill(getpid(), SIGSTOP);
>>> +
>>> +		/* Perform exit syscall that will be intercepted */
>>> +		exit(A0_OLD);
>>> +	}
>>> +
>>> +	if (pid < 0)
>>> +		exit(1);
>>
>> This unexpected error condition deserves a message, so I'd use
>> ksft_exit_fail_perror() here.
>>
>>> +
>>> +	if (waitpid(pid, &status, 0) != pid)
>>> +		perr_and_exit("failed to wait for the tracee %d\n", pid);
>>> +
>>> +	/* Stop at the entry point of the syscall */
>>> +	resume_and_wait_tracee(pid, PTRACE_SYSCALL);
>>> +
>>> +	/* Check tracee regs before the syscall */
>>> +	if (ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov))
>>> +		perr_and_exit("failed to get tracee registers\n");
>>> +	if (ptrace(PTRACE_GETREGSET, pid, NT_RISCV_ORIG_A0, &a0_iov))
>>> +		perr_and_exit("failed to get tracee registers\n");
>>> +	if (orig_a0 != A0_OLD)
>>> +		perr_and_exit("unexpected orig_a0: 0x%lx\n", orig_a0);
>>> +
>>> +	/* Modify a0/orig_a0 for the syscall */
>>> +	switch (opt) {
>>> +	case A0_MODIFY:
>>> +		regs.a0 = A0_NEW;
>>> +		break;
>>> +	case ORIG_A0_MODIFY:
>>> +		orig_a0 = A0_NEW;
>>> +		break;
>>> +	}
>>> +
>>> +	if (ptrace(PTRACE_SETREGSET, pid, NT_RISCV_ORIG_A0, &a0_iov))
>>> +		perr_and_exit("failed to set tracee registers\n");
>>> +
>>> +	/* Resume the tracee */
>>> +	ptrace(PTRACE_CONT, pid, 0, 0);
>>> +	if (waitpid(pid, &status, 0) != pid)
>>> +		perr_and_exit("failed to wait for the tracee\n");
>>> +
>>> +	*result = WEXITSTATUS(status);
>>> +}
>>> +
>>> +TEST(ptrace_modify_a0)
>>> +{
>>> +	int result;
>>> +
>>> +	ptrace_test(A0_MODIFY, &result);
>>> +
>>> +	/* The modification of a0 cannot affect the first argument of the syscall */
>>> +	EXPECT_EQ(A0_OLD, result);
>>
>> What about checking that we actually set regs.a0 to A0_NEW? We'd need
>> A0_NEW to be more unique than 4, though.
>>
>>> +}
>>> +
>>> +TEST(ptrace_modify_orig_a0)
>>> +{
>>> +	int result;
>>> +
>>> +	ptrace_test(ORIG_A0_MODIFY, &result);
>>> +
>>> +	/* Only modify orig_a0 to change the first argument of the syscall */
>>
>> If we run ptrace_modify_a0 first then we've already set regs.a0 to A0_NEW
>> and can't check with this test that we don't set it to A0_NEW. We should
>> probably have two different test values, one for regs.a0 and one for
>> orig_a0 and ensure on both tests that we aren't writing both.
>>
> 
> Celeste, do you want to fix this up or are you waiting for me to?

Sorry for delay. I was busy with household affairs in the past few weeks.
v3 will be sent tomorrow or the day after tomorrow.

I am deeply sorry for this.

> 
> - Charlie
> 
>>> +	EXPECT_EQ(A0_NEW, result);
>>> +}
>>> +
>>> +TEST_HARNESS_MAIN
>>>
>>> -- 
>>> 2.47.0
>>>
>>
>> Thanks,
>> drew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ