This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] x86/CET: Add a setcontext test for CET
- From: Carlos O'Donell <carlos at redhat dot com>
- To: "H.J. Lu" <hjl dot tools at gmail dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Wed, 25 Jul 2018 09:29:45 -0400
- Subject: Re: [PATCH] x86/CET: Add a setcontext test for CET
- References: <20180725122255.GD13278@gmail.com>
On 07/25/2018 08:22 AM, H.J. Lu wrote:
> Verify that setcontext works with gaps above and below the newly
> allocated shadow stack.
>
> OK for master?
>
> H.J.
> ---
> * sysdeps/x86/Makefile (tests): Add tst-cet-setcontext-1 if
> CET is enabled.
> (CFLAGS-tst-cet-setcontext-1.c): Add -mshstk.
> * sysdeps/x86/tst-cet-setcontext-1.c: New file.
OK for 2.28 only if you add a paragraph about exactly how the shadow
stacks are being laid out by the calls and why unmapping ctx3 and ctx4 works
to leave ctx1 with gap above and below.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> ---
> sysdeps/x86/Makefile | 5 ++
> sysdeps/x86/tst-cet-setcontext-1.c | 119 +++++++++++++++++++++++++++++
> 2 files changed, 124 insertions(+)
> create mode 100644 sysdeps/x86/tst-cet-setcontext-1.c
>
> diff --git a/sysdeps/x86/Makefile b/sysdeps/x86/Makefile
> index 672bb19489..761d396108 100644
> --- a/sysdeps/x86/Makefile
> +++ b/sysdeps/x86/Makefile
> @@ -92,4 +92,9 @@ $(objpfx)check-cet.out: $(..)sysdeps/x86/check-cet.awk \
> $(evaluate-test)
> generated += check-cet.out
> endif
> +
> +ifeq ($(subdir),stdlib)
> +tests += tst-cet-setcontext-1
> +CFLAGS-tst-cet-setcontext-1.c += -mshstk
> +endif
OK, still within the CET enable block.
> endif
> diff --git a/sysdeps/x86/tst-cet-setcontext-1.c b/sysdeps/x86/tst-cet-setcontext-1.c
> new file mode 100644
> index 0000000000..08b7f6378e
> --- /dev/null
> +++ b/sysdeps/x86/tst-cet-setcontext-1.c
> @@ -0,0 +1,119 @@
> +/* Check getcontext and setcontext on the context from makecontext
> + with shadow stack.
OK.
> + Copyright (C) 2018 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <stdio.h>
> +#include <stdint.h>
> +#include <stdlib.h>
> +#include <ucontext.h>
> +#include <unistd.h>
> +#include <sys/mman.h>
> +#include <stdatomic.h>
> +#include <x86intrin.h>
> +
> +static ucontext_t ctx[5];
OK, 5 contexts.
> +static atomic_int done;
> +
> +static void
> +__attribute__((noinline, noclone))
> +f2 (void)
> +{
> + printf ("start f2\n");
> + done++;
Increment done.
> + if (setcontext (&ctx[2]) != 0)
Go back to ctx[2].
> + {
> + printf ("%s: setcontext: %m\n", __FUNCTION__);
> + exit (EXIT_FAILURE);
> + }
> +}
> +
> +static void
> +f1 (void)
> +{
> + printf ("start f1\n");
> + if (getcontext (&ctx[2]) != 0)
> + {
> + printf ("%s: getcontext: %m\n", __FUNCTION__);
> + exit (EXIT_FAILURE);
> + }
OK.
> + if (done)
> + exit (EXIT_SUCCESS);
Call exit the second time. Having tested a context get/set
within a context that has gaps above and below it.
> + f2 ();
Calls f2 first time.
> +}
> +
> +static int
> +do_test (void)
> +{
> + char st1[32768];
OK, large stack block.
> + puts ("making contexts");
> + if (getcontext (&ctx[0]) != 0)
OK, create a context, this makes a new shadow stack.
> + {
> + printf ("%s: getcontext: %m\n", __FUNCTION__);
> + exit (EXIT_FAILURE);
> + }
> + if (getcontext (&ctx[1]) != 0)
OK, make another one.
> + {
> + printf ("%s: getcontext: %m\n", __FUNCTION__);
> + exit (EXIT_FAILURE);
> + }
> +
> + ctx[3].uc_stack.ss_sp = st1;
> + ctx[3].uc_stack.ss_size = sizeof st1;
> + ctx[3].uc_link = &ctx[0];
> + makecontext (&ctx[3], (void (*) (void)) f1, 0);
This is invalid?
ctx[3] must have been initialized by getcontext.
If the point is to force a shadow stack allocation then we should
add a comment here that we are purposely altering an invalid context
to trigger this work.
> +
> + ctx[1].uc_stack.ss_sp = st1;
> + ctx[1].uc_stack.ss_size = sizeof st1;
> + ctx[1].uc_link = &ctx[0];
> + makecontext (&ctx[1], (void (*) (void)) f1, 0);
OK, adjust stack for ctx[1].
> +
> + ctx[4].uc_stack.ss_sp = st1;
> + ctx[4].uc_stack.ss_size = sizeof st1;
> + ctx[4].uc_link = &ctx[0];
> + makecontext (&ctx[4], (void (*) (void)) f1, 0);
Also invalid?
At this point we have likely have:
0th - context
3rd - invalid
1st - context (new stack, and f1 function)
4th - invalid
> +
> + /* Free the unused shadow stacks to create gaps above and below the
> + shadow stack of CTX1. */
Needs a big comment explaining the layout and what we are accomplishing here:
> + if (_get_ssp () != 0)
> + {
> + if (ctx[3].__ssp[1] != 0
> + && munmap ((void *) (uintptr_t) ctx[3].__ssp[1],
> + (size_t) ctx[3].__ssp[2]) != 0)
> + {
> + printf ("%s: munmap: %m\n", __FUNCTION__);
> + exit (EXIT_FAILURE);
> + }
> +
> + if (ctx[4].__ssp[1] != 0
> + && munmap ((void *) (uintptr_t) ctx[4].__ssp[1],
> + (size_t) ctx[4].__ssp[2]) != 0)
> + {
> + printf ("%s: munmap: %m\n", __FUNCTION__);
> + exit (EXIT_FAILURE);
> + }
> + }
> +
0th - context
3rd - invalid (unmapped shadow stack)
1st - context (new stack, and f1 function)
4th - invalid (unmapped shadow stack)
> + if (setcontext (&ctx[1]) != 0)
OK, jump to f1.
> + {
> + printf ("%s: setcontext: %m\n", __FUNCTION__);
> + exit (EXIT_FAILURE);
> + }
> + exit (EXIT_FAILURE);
> +}
> +
> +#include <support/test-driver.c>
>