1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3  * mov_ss_trap.c: Exercise the bizarre side effects of a watchpoint on MOV SS
4  *
5  * This does MOV SS from a watchpointed address followed by various
6  * types of kernel entries.  A MOV SS that hits a watchpoint will queue
7  * up a #DB trap but will not actually deliver that trap.  The trap
8  * will be delivered after the next instruction instead.  The CPU's logic
9  * seems to be:
10  *
11  *  - Any fault: drop the pending #DB trap.
12  *  - INT $N, INT3, INTO, SYSCALL, SYSENTER: enter the kernel and then
13  *    deliver #DB.
14  *  - ICEBP: enter the kernel but do not deliver the watchpoint trap
15  *  - breakpoint: only one #DB is delivered (phew!)
16  *
17  * There are plenty of ways for a kernel to handle this incorrectly.  This
18  * test tries to exercise all the cases.
19  *
20  * This should mostly cover CVE-2018-1087 and CVE-2018-8897.
21  */
22 #define _GNU_SOURCE
23 
24 #include <stdlib.h>
25 #include <sys/ptrace.h>
26 #include <sys/types.h>
27 #include <sys/wait.h>
28 #include <sys/user.h>
29 #include <sys/syscall.h>
30 #include <unistd.h>
31 #include <errno.h>
32 #include <stddef.h>
33 #include <stdio.h>
34 #include <err.h>
35 #include <string.h>
36 #include <setjmp.h>
37 #include <sys/prctl.h>
38 
39 #define X86_EFLAGS_RF (1UL << 16)
40 
41 #if __x86_64__
42 # define REG_IP REG_RIP
43 #else
44 # define REG_IP REG_EIP
45 #endif
46 
47 unsigned short ss;
48 extern unsigned char breakpoint_insn[];
49 sigjmp_buf jmpbuf;
50 
enable_watchpoint(void)51 static void enable_watchpoint(void)
52 {
53 	pid_t parent = getpid();
54 	int status;
55 
56 	pid_t child = fork();
57 	if (child < 0)
58 		err(1, "fork");
59 
60 	if (child) {
61 		if (waitpid(child, &status, 0) != child)
62 			err(1, "waitpid for child");
63 	} else {
64 		unsigned long dr0, dr1, dr7;
65 
66 		dr0 = (unsigned long)&ss;
67 		dr1 = (unsigned long)breakpoint_insn;
68 		dr7 = ((1UL << 1) |	/* G0 */
69 		       (3UL << 16) |	/* RW0 = read or write */
70 		       (1UL << 18) |	/* LEN0 = 2 bytes */
71 		       (1UL << 3));	/* G1, RW1 = insn */
72 
73 		if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) != 0)
74 			err(1, "PTRACE_ATTACH");
75 
76 		if (waitpid(parent, &status, 0) != parent)
77 			err(1, "waitpid for child");
78 
79 		if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[0]), dr0) != 0)
80 			err(1, "PTRACE_POKEUSER DR0");
81 
82 		if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[1]), dr1) != 0)
83 			err(1, "PTRACE_POKEUSER DR1");
84 
85 		if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[7]), dr7) != 0)
86 			err(1, "PTRACE_POKEUSER DR7");
87 
88 		printf("\tDR0 = %lx, DR1 = %lx, DR7 = %lx\n", dr0, dr1, dr7);
89 
90 		if (ptrace(PTRACE_DETACH, parent, NULL, NULL) != 0)
91 			err(1, "PTRACE_DETACH");
92 
93 		exit(0);
94 	}
95 }
96 
sethandler(int sig,void (* handler)(int,siginfo_t *,void *),int flags)97 static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
98 		       int flags)
99 {
100 	struct sigaction sa;
101 	memset(&sa, 0, sizeof(sa));
102 	sa.sa_sigaction = handler;
103 	sa.sa_flags = SA_SIGINFO | flags;
104 	sigemptyset(&sa.sa_mask);
105 	if (sigaction(sig, &sa, 0))
106 		err(1, "sigaction");
107 }
108 
109 static char const * const signames[] = {
110 	[SIGSEGV] = "SIGSEGV",
111 	[SIGBUS] = "SIBGUS",
112 	[SIGTRAP] = "SIGTRAP",
113 	[SIGILL] = "SIGILL",
114 };
115 
sigtrap(int sig,siginfo_t * si,void * ctx_void)116 static void sigtrap(int sig, siginfo_t *si, void *ctx_void)
117 {
118 	ucontext_t *ctx = ctx_void;
119 
120 	printf("\tGot SIGTRAP with RIP=%lx, EFLAGS.RF=%d\n",
121 	       (unsigned long)ctx->uc_mcontext.gregs[REG_IP],
122 	       !!(ctx->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_RF));
123 }
124 
handle_and_return(int sig,siginfo_t * si,void * ctx_void)125 static void handle_and_return(int sig, siginfo_t *si, void *ctx_void)
126 {
127 	ucontext_t *ctx = ctx_void;
128 
129 	printf("\tGot %s with RIP=%lx\n", signames[sig],
130 	       (unsigned long)ctx->uc_mcontext.gregs[REG_IP]);
131 }
132 
handle_and_longjmp(int sig,siginfo_t * si,void * ctx_void)133 static void handle_and_longjmp(int sig, siginfo_t *si, void *ctx_void)
134 {
135 	ucontext_t *ctx = ctx_void;
136 
137 	printf("\tGot %s with RIP=%lx\n", signames[sig],
138 	       (unsigned long)ctx->uc_mcontext.gregs[REG_IP]);
139 
140 	siglongjmp(jmpbuf, 1);
141 }
142 
main()143 int main()
144 {
145 	unsigned long nr;
146 
147 	asm volatile ("mov %%ss, %[ss]" : [ss] "=m" (ss));
148 	printf("\tSS = 0x%hx, &SS = 0x%p\n", ss, &ss);
149 
150 	if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) == 0)
151 		printf("\tPR_SET_PTRACER_ANY succeeded\n");
152 
153 	printf("\tSet up a watchpoint\n");
154 	sethandler(SIGTRAP, sigtrap, 0);
155 	enable_watchpoint();
156 
157 	printf("[RUN]\tRead from watched memory (should get SIGTRAP)\n");
158 	asm volatile ("mov %[ss], %[tmp]" : [tmp] "=r" (nr) : [ss] "m" (ss));
159 
160 	printf("[RUN]\tMOV SS; INT3\n");
161 	asm volatile ("mov %[ss], %%ss; int3" :: [ss] "m" (ss));
162 
163 	printf("[RUN]\tMOV SS; INT 3\n");
164 	asm volatile ("mov %[ss], %%ss; .byte 0xcd, 0x3" :: [ss] "m" (ss));
165 
166 	printf("[RUN]\tMOV SS; CS CS INT3\n");
167 	asm volatile ("mov %[ss], %%ss; .byte 0x2e, 0x2e; int3" :: [ss] "m" (ss));
168 
169 	printf("[RUN]\tMOV SS; CSx14 INT3\n");
170 	asm volatile ("mov %[ss], %%ss; .fill 14,1,0x2e; int3" :: [ss] "m" (ss));
171 
172 	printf("[RUN]\tMOV SS; INT 4\n");
173 	sethandler(SIGSEGV, handle_and_return, SA_RESETHAND);
174 	asm volatile ("mov %[ss], %%ss; int $4" :: [ss] "m" (ss));
175 
176 #ifdef __i386__
177 	printf("[RUN]\tMOV SS; INTO\n");
178 	sethandler(SIGSEGV, handle_and_return, SA_RESETHAND);
179 	nr = -1;
180 	asm volatile ("add $1, %[tmp]; mov %[ss], %%ss; into"
181 		      : [tmp] "+r" (nr) : [ss] "m" (ss));
182 #endif
183 
184 	if (sigsetjmp(jmpbuf, 1) == 0) {
185 		printf("[RUN]\tMOV SS; ICEBP\n");
186 
187 		/* Some emulators (e.g. QEMU TCG) don't emulate ICEBP. */
188 		sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND);
189 
190 		asm volatile ("mov %[ss], %%ss; .byte 0xf1" :: [ss] "m" (ss));
191 	}
192 
193 	if (sigsetjmp(jmpbuf, 1) == 0) {
194 		printf("[RUN]\tMOV SS; CLI\n");
195 		sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
196 		asm volatile ("mov %[ss], %%ss; cli" :: [ss] "m" (ss));
197 	}
198 
199 	if (sigsetjmp(jmpbuf, 1) == 0) {
200 		printf("[RUN]\tMOV SS; #PF\n");
201 		sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
202 		asm volatile ("mov %[ss], %%ss; mov (-1), %[tmp]"
203 			      : [tmp] "=r" (nr) : [ss] "m" (ss));
204 	}
205 
206 	/*
207 	 * INT $1: if #DB has DPL=3 and there isn't special handling,
208 	 * then the kernel will die.
209 	 */
210 	if (sigsetjmp(jmpbuf, 1) == 0) {
211 		printf("[RUN]\tMOV SS; INT 1\n");
212 		sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
213 		asm volatile ("mov %[ss], %%ss; int $1" :: [ss] "m" (ss));
214 	}
215 
216 #ifdef __x86_64__
217 	/*
218 	 * In principle, we should test 32-bit SYSCALL as well, but
219 	 * the calling convention is so unpredictable that it's
220 	 * not obviously worth the effort.
221 	 */
222 	if (sigsetjmp(jmpbuf, 1) == 0) {
223 		printf("[RUN]\tMOV SS; SYSCALL\n");
224 		sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND);
225 		nr = SYS_getpid;
226 		/*
227 		 * Toggle the high bit of RSP to make it noncanonical to
228 		 * strengthen this test on non-SMAP systems.
229 		 */
230 		asm volatile ("btc $63, %%rsp\n\t"
231 			      "mov %[ss], %%ss; syscall\n\t"
232 			      "btc $63, %%rsp"
233 			      : "+a" (nr) : [ss] "m" (ss)
234 			      : "rcx"
235 #ifdef __x86_64__
236 				, "r11"
237 #endif
238 			);
239 	}
240 #endif
241 
242 	printf("[RUN]\tMOV SS; breakpointed NOP\n");
243 	asm volatile ("mov %[ss], %%ss; breakpoint_insn: nop" :: [ss] "m" (ss));
244 
245 	/*
246 	 * Invoking SYSENTER directly breaks all the rules.  Just handle
247 	 * the SIGSEGV.
248 	 */
249 	if (sigsetjmp(jmpbuf, 1) == 0) {
250 		printf("[RUN]\tMOV SS; SYSENTER\n");
251 		stack_t stack = {
252 			.ss_sp = malloc(sizeof(char) * SIGSTKSZ),
253 			.ss_size = SIGSTKSZ,
254 		};
255 		if (sigaltstack(&stack, NULL) != 0)
256 			err(1, "sigaltstack");
257 		sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND | SA_ONSTACK);
258 		nr = SYS_getpid;
259 		free(stack.ss_sp);
260 		/* Clear EBP first to make sure we segfault cleanly. */
261 		asm volatile ("xorl %%ebp, %%ebp; mov %[ss], %%ss; SYSENTER" : "+a" (nr)
262 			      : [ss] "m" (ss) : "flags", "rcx"
263 #ifdef __x86_64__
264 				, "r11"
265 #endif
266 			);
267 
268 		/* We're unreachable here.  SYSENTER forgets RIP. */
269 	}
270 
271 	if (sigsetjmp(jmpbuf, 1) == 0) {
272 		printf("[RUN]\tMOV SS; INT $0x80\n");
273 		sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
274 		nr = 20;	/* compat getpid */
275 		asm volatile ("mov %[ss], %%ss; int $0x80"
276 			      : "+a" (nr) : [ss] "m" (ss)
277 			      : "flags"
278 #ifdef __x86_64__
279 				, "r8", "r9", "r10", "r11"
280 #endif
281 			);
282 	}
283 
284 	printf("[OK]\tI aten't dead\n");
285 	return 0;
286 }
287