Open Source and information security mailing list archives
 
Message-ID: <20250522025658.1780923-1-zhaomzhao@126.com>
Date: Thu, 22 May 2025 10:56:58 +0800
From: Zhao Mengmeng <zhaomzhao@....com>
To: kees@...nel.org,
	arnd@...db.de,
	gregkh@...uxfoundation.org
Cc: zhaomengmeng@...inos.cn,
	linux-kernel@...r.kernel.org
Subject: [PATCH] lkdtm: Add DOUBLE_FAULT support for x86_64

From: Zhao Mengmeng <zhaomengmeng@...inos.cn>

Add DOUBLE_FAULT support for x86_64 by setting rsp to NULL and
then triggering int3. It is useful for testing the double fault handling
on x86_64.

Tested on a qemu x86_64 VM with linux-next-20250516,
x86_64_defconfig, with the command:

insmod lkdtm.ko cpoint_type=DOUBLE_FAULT cpoint_name=DIRECT

The console log is:

[  137.722286] traps: PANIC: double fault, error_code: 0x0
[  137.722295] Oops: double fault: 0000 [#1] SMP PTI
[  137.722299] CPU: 0 UID: 0 PID: 200 Comm: insmod Not tainted 6.15.0-rc6-next-20250516 #1 PREEMPT(voluntary)
[  137.722301] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[  137.722302] RIP: 0010:lkdtm_DOUBLE_FAULT+0xc/0x20 [lkdtm]
[  137.722309] Code: 1e fa 48 c7 c7 10 8c 20 c0 e9 e0 00 31 c1 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa fa 48 c7 c4 00 00 00 00 <cc> 48 c7 c7 40 8c 20 c0 e9 b7 00 31 c1 00
[  137.722316] RSP: 0018:0000000000000000 EFLAGS: 00010086
[  137.722317] RAX: ffffffffc0000650 RBX: ffffffffc02021c0 RCX: ffffffff82252400
[  137.722331] RDX: ffffffffc0202030 RSI: ffffffffc0202390 RDI: ffffffffc0202390
[  137.722332] RBP: ffffffffc0201500 R08: 4555515f49534353 R09: 51525f4555455551
[  137.722332] R10: ffffffff814f325d R11: 5952544e455f5445 R12: ffffffffc0202390
[  137.722333] R13: ffff888004349330 R14: ffff888005536400 R15: ffff888003e53148
[  137.722335] FS:  00007f07f29d6380(0000) GS:ffff8880fa70a000(0000) knlGS:0000000000000000
[  137.722336] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  137.722337] CR2: fffffffffffffff8 CR3: 00000000044d6000 CR4: 00000000000006f0
[  137.722338] Call Trace:
[  137.722338] Modules linked in: lkdtm(+)
[  137.722341] ---[ end trace 0000000000000000 ]---
[  137.722341] RIP: 0010:lkdtm_DOUBLE_FAULT+0xc/0x20 [lkdtm]
[  137.722345] Code: 1e fa 48 c7 c7 10 8c 20 c0 e9 e0 00 31 c1 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa fa 48 c7 c4 00 00 00 00 <cc> 48 c7 c7 40 8c 20 c0 e9 b7 00 31 c1 00
[  137.722346] RSP: 0018:0000000000000000 EFLAGS: 00010086
[  137.722347] RAX: ffffffffc0000650 RBX: ffffffffc02021c0 RCX: ffffffff82252400
[  137.722347] RDX: ffffffffc0202030 RSI: ffffffffc0202390 RDI: ffffffffc0202390
[  137.722348] RBP: ffffffffc0201500 R08: 4555515f49534353 R09: 51525f4555455551
[  137.722348] R10: ffffffff814f325d R11: 5952544e455f5445 R12: ffffffffc0202390
[  137.722349] R13: ffff888004349330 R14: ffff888005536400 R15: ffff888003e53148
[  137.722350] FS:  00007f07f29d6380(0000) GS:ffff8880fa70a000(0000) knlGS:0000000000000000
[  137.722351] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  137.722351] CR2: fffffffffffffff8 CR3: 00000000044d6000 CR4: 00000000000006f0
[  137.722352] Kernel panic - not syncing: Fatal exception in interrupt
[  137.722457] Kernel Offset: disabled
[  137.745911] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Signed-off-by: Zhao Mengmeng <zhaomengmeng@...inos.cn>
---
 drivers/misc/lkdtm/bugs.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index 376047beea3d..d462c77fc1a2 100644
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -647,9 +647,21 @@ static void lkdtm_DOUBLE_FAULT(void)
 	asm volatile ("movw %0, %%ss; addl $0, (%%esp)" ::
 		      "r" ((unsigned short)(GDT_ENTRY_TLS_MIN << 3)));
 
-	pr_err("FAIL: tried to double fault but didn't die\n");
+	pr_err("FAIL: tried to double fault on x86_32 but didn't die\n");
+#elif IS_ENABLED(CONFIG_X86_64) && !IS_ENABLED(CONFIG_UML)
+	local_irq_disable();
+	/*
+	 * Trigger #DF on x86_64:
+	 * 1. Set RSP to an invalid address (e.g., NULL).
+	 * 2. Execute an instruction that causes a fault (e.g., 'int3' for #BP).
+	 * 3. The CPU attempts to deliver the #BP. This involves pushing an
+	 *    exception frame onto the stack pointed to by RSP.
+	 * 4. Since RSP is invalid, the push operation itself faults (e.g., #PF).
+	 */
+	asm volatile ("movq $0, %%rsp; int3" :: );
+	pr_err("FAIL: tried to double fault on x86_64 but didn't die\n");
 #else
-	pr_err("XFAIL: this test is ia32-only\n");
+	pr_err("XFAIL: this test is x86_64 and x86_32 only\n");
 #endif
 }
 
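Review bot: the comment above `asm volatile ("movq $0, %%rsp; int3" :: );` stops one step short of explaining the double fault. Step 4 describes the #PF raised when the CPU pushes the #BP frame at RSP-8, but a page fault taken while delivering a benign exception like #BP is simply handled as a page fault; the #DF arises because the CPU then tries to push the #PF frame onto the same still-invalid stack and faults a second time. Adding that as a step 5 would make the comment match the log in the changelog, where CR2 is fffffffffffffff8, i.e. RSP-8 with RSP == 0. Two smaller points on the same lines: `local_irq_disable();` is new to this branch and the x86_32 branch does not do it, so a one-line comment on why it is there (presumably so nothing else is delivered onto the invalid stack between `movq $0, %%rsp` and `int3`) would help a later reader, and the XFAIL text "this test is x86_64 and x86_32 only" reads more naturally as "this test is x86-only".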
-- 
2.43.0
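As an added worked example (not code from the patch, the kernel, or the lkdtm selftests), the script below reads the register dump quoted in this mail and checks what the trace says about the mechanism the changelog describes: with RSP == 0 the first word of the 64-bit exception frame (SS) goes to RSP-8, and CR2 in the log is exactly that address, so the stack push itself is what page-faulted. It also locates the `<cc>` marker in the Code: line and decodes the bytes from lkdtm_DOUBLE_FAULT+0 up to the fault, recovering the `cli` (from local_irq_disable()), `mov $0, %rsp` and `int3` sequence the hunk emits. The OOPS string is copied from this mail with timestamps removed; the decoder knows only the few opcodes that appear in this dump and is not a general x86 disassembler.

```python
"""Sanity-check an x86_64 double-fault oops caused by an invalid RSP.

Added example, not part of the lkdtm patch or of any kernel tool: it parses
the register dump quoted in the mail, checks that the first word of the
exception frame (SS at RSP-8) is the address that faulted (CR2), and decodes
the instruction bytes around the fault marker in the Code: line.
"""
import re

MASK64 = (1 << 64) - 1
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

# Register and Code: lines copied from the oops in this mail, timestamps stripped.
OOPS = """\
traps: PANIC: double fault, error_code: 0x0
RIP: 0010:lkdtm_DOUBLE_FAULT+0xc/0x20 [lkdtm]
Code: 1e fa 48 c7 c7 10 8c 20 c0 e9 e0 00 31 c1 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa fa 48 c7 c4 00 00 00 00 <cc> 48 c7 c7 40 8c 20 c0 e9 b7 00 31 c1 00
RSP: 0018:0000000000000000 EFLAGS: 00010086
CR2: fffffffffffffff8 CR3: 00000000044d6000 CR4: 00000000000006f0
"""


def parse_regs(oops):
    """Pull RSP and CR2 out of the dump as integers (RSP carries an 'ss:' prefix)."""
    regs = {}
    for name in ("RSP", "CR2"):
        m = re.search(r"\b%s:\s*(?:[0-9a-f]{4}:)?([0-9a-f]{16})" % name, oops)
        if m is None:
            raise ValueError("register %s not found" % name)
        regs[name.lower()] = int(m.group(1), 16)
    return regs


def parse_rip(oops):
    """Return (symbol, offset) from 'RIP: 0010:sym+0xoff/0xsize'."""
    m = re.search(r"\bRIP: [0-9a-f]{4}:(\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+", oops)
    if m is None:
        raise ValueError("RIP line not found")
    return m.group(1), int(m.group(2), 16)


def parse_code(oops):
    """Return (bytes, fault_index): the Code: dump with the <xx> marker located."""
    m = re.search(r"^Code: (.*)$", oops, re.M)
    if m is None:
        raise ValueError("Code: line not found")
    code, fault_index = [], None
    for tok in m.group(1).split():
        if tok.startswith("<") and tok.endswith(">"):
            fault_index = len(code)
            tok = tok[1:-1]
        code.append(int(tok, 16))
    if fault_index is None:
        raise ValueError("no <xx> fault marker in Code: line")
    return code, fault_index


def decode(code, start, stop):
    """Linear sweep over code[start:stop] for the handful of opcodes this dump
    contains (endbr64, cli, int3, nop, REX.W mov imm32->r64, jmp rel32).
    Anything else is emitted as .byte; this is not a general decoder."""
    insns, i = [], start
    while i < stop:
        b = code[i]
        if code[i:i + 4] == [0xf3, 0x0f, 0x1e, 0xfa]:
            insns.append("endbr64")
            i += 4
        elif b == 0xfa:
            insns.append("cli")
            i += 1
        elif b == 0xcc:
            insns.append("int3")
            i += 1
        elif b == 0x90:
            insns.append("nop")
            i += 1
        elif (b == 0x48 and i + 7 <= len(code) and code[i + 1] == 0xc7
              and (code[i + 2] & 0xf8) == 0xc0):
            # 48 c7 /0 with mod=11: mov $imm32 (sign-extended to 64 bits), %r64
            imm = int.from_bytes(bytes(code[i + 3:i + 7]), "little", signed=True)
            insns.append("mov $%#x, %%%s" % (imm & MASK64, REG64[code[i + 2] & 7]))
            i += 7
        elif b == 0xe9 and i + 5 <= len(code):
            rel = int.from_bytes(bytes(code[i + 1:i + 5]), "little", signed=True)
            insns.append("jmp %+d" % (rel + 5))
            i += 5
        else:
            insns.append(".byte %#x" % b)
            i += 1
    return insns


def analyze(oops):
    """Tie the pieces together: did the exception-frame push fault, and on what?"""
    regs = parse_regs(oops)
    symbol, rip_off = parse_rip(oops)
    code, fault_index = parse_code(oops)
    # Delivering an exception on the current 64-bit stack pushes SS first, at RSP-8.
    first_push = (regs["rsp"] - 8) & MASK64
    # RIP is sym+off, so the function entry sits off bytes before the <xx> byte.
    entry = fault_index - rip_off
    if entry < 0:
        raise ValueError("Code: dump does not reach back to %s+0" % symbol)
    return {
        "symbol": symbol,
        "rsp": regs["rsp"],
        "cr2": regs["cr2"],
        "first_push": first_push,
        "frame_push_faulted": first_push == regs["cr2"],
        "faulting_insn": decode(code, fault_index, fault_index + 1)[0],
        "insns": decode(code, entry, len(code)),
    }


if __name__ == "__main__":
    r = analyze(OOPS)
    print("%s: fault on %s, CR2 == RSP-8: %s" %
          (r["symbol"], r["faulting_insn"], r["frame_push_faulted"]))
    print("\n".join(r["insns"]))
```

CR2 records the address of the most recent page fault, so it equals RSP-8 whether the faulting push belonged to delivering #BP or to the CPU's subsequent attempt to deliver the resulting #PF; the check confirms that the stack write itself faulted, not which of the two deliveries did.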

