18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-only
28c2ecf20Sopenharmony_ci/*
38c2ecf20Sopenharmony_ci * syscall_arg_fault.c - tests faults 32-bit fast syscall stack args
48c2ecf20Sopenharmony_ci * Copyright (c) 2015 Andrew Lutomirski
58c2ecf20Sopenharmony_ci */
68c2ecf20Sopenharmony_ci
78c2ecf20Sopenharmony_ci#define _GNU_SOURCE
88c2ecf20Sopenharmony_ci
98c2ecf20Sopenharmony_ci#include <stdlib.h>
108c2ecf20Sopenharmony_ci#include <stdio.h>
118c2ecf20Sopenharmony_ci#include <string.h>
128c2ecf20Sopenharmony_ci#include <sys/signal.h>
138c2ecf20Sopenharmony_ci#include <sys/ucontext.h>
148c2ecf20Sopenharmony_ci#include <err.h>
158c2ecf20Sopenharmony_ci#include <setjmp.h>
168c2ecf20Sopenharmony_ci#include <errno.h>
178c2ecf20Sopenharmony_ci
188c2ecf20Sopenharmony_ci#include "helpers.h"
198c2ecf20Sopenharmony_ci
208c2ecf20Sopenharmony_ci/* Our sigaltstack scratch space. */
218c2ecf20Sopenharmony_cistatic unsigned char altstack_data[SIGSTKSZ];
228c2ecf20Sopenharmony_ci
238c2ecf20Sopenharmony_cistatic void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
248c2ecf20Sopenharmony_ci		       int flags)
258c2ecf20Sopenharmony_ci{
268c2ecf20Sopenharmony_ci	struct sigaction sa;
278c2ecf20Sopenharmony_ci	memset(&sa, 0, sizeof(sa));
288c2ecf20Sopenharmony_ci	sa.sa_sigaction = handler;
298c2ecf20Sopenharmony_ci	sa.sa_flags = SA_SIGINFO | flags;
308c2ecf20Sopenharmony_ci	sigemptyset(&sa.sa_mask);
318c2ecf20Sopenharmony_ci	if (sigaction(sig, &sa, 0))
328c2ecf20Sopenharmony_ci		err(1, "sigaction");
338c2ecf20Sopenharmony_ci}
348c2ecf20Sopenharmony_ci
358c2ecf20Sopenharmony_cistatic volatile sig_atomic_t sig_traps;
368c2ecf20Sopenharmony_cistatic sigjmp_buf jmpbuf;
378c2ecf20Sopenharmony_ci
388c2ecf20Sopenharmony_cistatic volatile sig_atomic_t n_errs;
398c2ecf20Sopenharmony_ci
408c2ecf20Sopenharmony_ci#ifdef __x86_64__
418c2ecf20Sopenharmony_ci#define REG_AX REG_RAX
428c2ecf20Sopenharmony_ci#define REG_IP REG_RIP
438c2ecf20Sopenharmony_ci#else
448c2ecf20Sopenharmony_ci#define REG_AX REG_EAX
458c2ecf20Sopenharmony_ci#define REG_IP REG_EIP
468c2ecf20Sopenharmony_ci#endif
478c2ecf20Sopenharmony_ci
488c2ecf20Sopenharmony_cistatic void sigsegv_or_sigbus(int sig, siginfo_t *info, void *ctx_void)
498c2ecf20Sopenharmony_ci{
508c2ecf20Sopenharmony_ci	ucontext_t *ctx = (ucontext_t*)ctx_void;
518c2ecf20Sopenharmony_ci	long ax = (long)ctx->uc_mcontext.gregs[REG_AX];
528c2ecf20Sopenharmony_ci
538c2ecf20Sopenharmony_ci	if (ax != -EFAULT && ax != -ENOSYS) {
548c2ecf20Sopenharmony_ci		printf("[FAIL]\tAX had the wrong value: 0x%lx\n",
558c2ecf20Sopenharmony_ci		       (unsigned long)ax);
568c2ecf20Sopenharmony_ci		printf("\tIP = 0x%lx\n", (unsigned long)ctx->uc_mcontext.gregs[REG_IP]);
578c2ecf20Sopenharmony_ci		n_errs++;
588c2ecf20Sopenharmony_ci	} else {
598c2ecf20Sopenharmony_ci		printf("[OK]\tSeems okay\n");
608c2ecf20Sopenharmony_ci	}
618c2ecf20Sopenharmony_ci
628c2ecf20Sopenharmony_ci	siglongjmp(jmpbuf, 1);
638c2ecf20Sopenharmony_ci}
648c2ecf20Sopenharmony_ci
658c2ecf20Sopenharmony_cistatic volatile sig_atomic_t sigtrap_consecutive_syscalls;
668c2ecf20Sopenharmony_ci
678c2ecf20Sopenharmony_cistatic void sigtrap(int sig, siginfo_t *info, void *ctx_void)
688c2ecf20Sopenharmony_ci{
698c2ecf20Sopenharmony_ci	/*
708c2ecf20Sopenharmony_ci	 * KVM has some bugs that can cause us to stop making progress.
718c2ecf20Sopenharmony_ci	 * detect them and complain, but don't infinite loop or fail the
728c2ecf20Sopenharmony_ci	 * test.
738c2ecf20Sopenharmony_ci	 */
748c2ecf20Sopenharmony_ci
758c2ecf20Sopenharmony_ci	ucontext_t *ctx = (ucontext_t*)ctx_void;
768c2ecf20Sopenharmony_ci	unsigned short *ip = (unsigned short *)ctx->uc_mcontext.gregs[REG_IP];
778c2ecf20Sopenharmony_ci
788c2ecf20Sopenharmony_ci	if (*ip == 0x340f || *ip == 0x050f) {
798c2ecf20Sopenharmony_ci		/* The trap was on SYSCALL or SYSENTER */
808c2ecf20Sopenharmony_ci		sigtrap_consecutive_syscalls++;
818c2ecf20Sopenharmony_ci		if (sigtrap_consecutive_syscalls > 3) {
828c2ecf20Sopenharmony_ci			printf("[WARN]\tGot stuck single-stepping -- you probably have a KVM bug\n");
838c2ecf20Sopenharmony_ci			siglongjmp(jmpbuf, 1);
848c2ecf20Sopenharmony_ci		}
858c2ecf20Sopenharmony_ci	} else {
868c2ecf20Sopenharmony_ci		sigtrap_consecutive_syscalls = 0;
878c2ecf20Sopenharmony_ci	}
888c2ecf20Sopenharmony_ci}
898c2ecf20Sopenharmony_ci
908c2ecf20Sopenharmony_cistatic void sigill(int sig, siginfo_t *info, void *ctx_void)
918c2ecf20Sopenharmony_ci{
928c2ecf20Sopenharmony_ci	ucontext_t *ctx = (ucontext_t*)ctx_void;
938c2ecf20Sopenharmony_ci	unsigned short *ip = (unsigned short *)ctx->uc_mcontext.gregs[REG_IP];
948c2ecf20Sopenharmony_ci
958c2ecf20Sopenharmony_ci	if (*ip == 0x0b0f) {
968c2ecf20Sopenharmony_ci		/* one of the ud2 instructions faulted */
978c2ecf20Sopenharmony_ci		printf("[OK]\tSYSCALL returned normally\n");
988c2ecf20Sopenharmony_ci	} else {
998c2ecf20Sopenharmony_ci		printf("[SKIP]\tIllegal instruction\n");
1008c2ecf20Sopenharmony_ci	}
1018c2ecf20Sopenharmony_ci	siglongjmp(jmpbuf, 1);
1028c2ecf20Sopenharmony_ci}
1038c2ecf20Sopenharmony_ci
1048c2ecf20Sopenharmony_ciint main()
1058c2ecf20Sopenharmony_ci{
1068c2ecf20Sopenharmony_ci	stack_t stack = {
1078c2ecf20Sopenharmony_ci		.ss_sp = altstack_data,
1088c2ecf20Sopenharmony_ci		.ss_size = SIGSTKSZ,
1098c2ecf20Sopenharmony_ci	};
1108c2ecf20Sopenharmony_ci	if (sigaltstack(&stack, NULL) != 0)
1118c2ecf20Sopenharmony_ci		err(1, "sigaltstack");
1128c2ecf20Sopenharmony_ci
1138c2ecf20Sopenharmony_ci	sethandler(SIGSEGV, sigsegv_or_sigbus, SA_ONSTACK);
1148c2ecf20Sopenharmony_ci	/*
1158c2ecf20Sopenharmony_ci	 * The actual exception can vary.  On Atom CPUs, we get #SS
1168c2ecf20Sopenharmony_ci	 * instead of #PF when the vDSO fails to access the stack when
1178c2ecf20Sopenharmony_ci	 * ESP is too close to 2^32, and #SS causes SIGBUS.
1188c2ecf20Sopenharmony_ci	 */
1198c2ecf20Sopenharmony_ci	sethandler(SIGBUS, sigsegv_or_sigbus, SA_ONSTACK);
1208c2ecf20Sopenharmony_ci	sethandler(SIGILL, sigill, SA_ONSTACK);
1218c2ecf20Sopenharmony_ci
1228c2ecf20Sopenharmony_ci	/*
1238c2ecf20Sopenharmony_ci	 * Exercise another nasty special case.  The 32-bit SYSCALL
1248c2ecf20Sopenharmony_ci	 * and SYSENTER instructions (even in compat mode) each
1258c2ecf20Sopenharmony_ci	 * clobber one register.  A Linux system call has a syscall
1268c2ecf20Sopenharmony_ci	 * number and six arguments, and the user stack pointer
1278c2ecf20Sopenharmony_ci	 * needs to live in some register on return.  That means
1288c2ecf20Sopenharmony_ci	 * that we need eight registers, but SYSCALL and SYSENTER
1298c2ecf20Sopenharmony_ci	 * only preserve seven registers.  As a result, one argument
1308c2ecf20Sopenharmony_ci	 * ends up on the stack.  The stack is user memory, which
1318c2ecf20Sopenharmony_ci	 * means that the kernel can fail to read it.
1328c2ecf20Sopenharmony_ci	 *
1338c2ecf20Sopenharmony_ci	 * The 32-bit fast system calls don't have a defined ABI:
1348c2ecf20Sopenharmony_ci	 * we're supposed to invoke them through the vDSO.  So we'll
1358c2ecf20Sopenharmony_ci	 * fudge it: we set all regs to invalid pointer values and
1368c2ecf20Sopenharmony_ci	 * invoke the entry instruction.  The return will fail no
1378c2ecf20Sopenharmony_ci	 * matter what, and we completely lose our program state,
1388c2ecf20Sopenharmony_ci	 * but we can fix it up with a signal handler.
1398c2ecf20Sopenharmony_ci	 */
1408c2ecf20Sopenharmony_ci
1418c2ecf20Sopenharmony_ci	printf("[RUN]\tSYSENTER with invalid state\n");
1428c2ecf20Sopenharmony_ci	if (sigsetjmp(jmpbuf, 1) == 0) {
1438c2ecf20Sopenharmony_ci		asm volatile (
1448c2ecf20Sopenharmony_ci			"movl $-1, %%eax\n\t"
1458c2ecf20Sopenharmony_ci			"movl $-1, %%ebx\n\t"
1468c2ecf20Sopenharmony_ci			"movl $-1, %%ecx\n\t"
1478c2ecf20Sopenharmony_ci			"movl $-1, %%edx\n\t"
1488c2ecf20Sopenharmony_ci			"movl $-1, %%esi\n\t"
1498c2ecf20Sopenharmony_ci			"movl $-1, %%edi\n\t"
1508c2ecf20Sopenharmony_ci			"movl $-1, %%ebp\n\t"
1518c2ecf20Sopenharmony_ci			"movl $-1, %%esp\n\t"
1528c2ecf20Sopenharmony_ci			"sysenter"
1538c2ecf20Sopenharmony_ci			: : : "memory", "flags");
1548c2ecf20Sopenharmony_ci	}
1558c2ecf20Sopenharmony_ci
1568c2ecf20Sopenharmony_ci	printf("[RUN]\tSYSCALL with invalid state\n");
1578c2ecf20Sopenharmony_ci	if (sigsetjmp(jmpbuf, 1) == 0) {
1588c2ecf20Sopenharmony_ci		asm volatile (
1598c2ecf20Sopenharmony_ci			"movl $-1, %%eax\n\t"
1608c2ecf20Sopenharmony_ci			"movl $-1, %%ebx\n\t"
1618c2ecf20Sopenharmony_ci			"movl $-1, %%ecx\n\t"
1628c2ecf20Sopenharmony_ci			"movl $-1, %%edx\n\t"
1638c2ecf20Sopenharmony_ci			"movl $-1, %%esi\n\t"
1648c2ecf20Sopenharmony_ci			"movl $-1, %%edi\n\t"
1658c2ecf20Sopenharmony_ci			"movl $-1, %%ebp\n\t"
1668c2ecf20Sopenharmony_ci			"movl $-1, %%esp\n\t"
1678c2ecf20Sopenharmony_ci			"syscall\n\t"
1688c2ecf20Sopenharmony_ci			"ud2"		/* make sure we recover cleanly */
1698c2ecf20Sopenharmony_ci			: : : "memory", "flags");
1708c2ecf20Sopenharmony_ci	}
1718c2ecf20Sopenharmony_ci
1728c2ecf20Sopenharmony_ci	printf("[RUN]\tSYSENTER with TF and invalid state\n");
1738c2ecf20Sopenharmony_ci	sethandler(SIGTRAP, sigtrap, SA_ONSTACK);
1748c2ecf20Sopenharmony_ci
1758c2ecf20Sopenharmony_ci	if (sigsetjmp(jmpbuf, 1) == 0) {
1768c2ecf20Sopenharmony_ci		sigtrap_consecutive_syscalls = 0;
1778c2ecf20Sopenharmony_ci		set_eflags(get_eflags() | X86_EFLAGS_TF);
1788c2ecf20Sopenharmony_ci		asm volatile (
1798c2ecf20Sopenharmony_ci			"movl $-1, %%eax\n\t"
1808c2ecf20Sopenharmony_ci			"movl $-1, %%ebx\n\t"
1818c2ecf20Sopenharmony_ci			"movl $-1, %%ecx\n\t"
1828c2ecf20Sopenharmony_ci			"movl $-1, %%edx\n\t"
1838c2ecf20Sopenharmony_ci			"movl $-1, %%esi\n\t"
1848c2ecf20Sopenharmony_ci			"movl $-1, %%edi\n\t"
1858c2ecf20Sopenharmony_ci			"movl $-1, %%ebp\n\t"
1868c2ecf20Sopenharmony_ci			"movl $-1, %%esp\n\t"
1878c2ecf20Sopenharmony_ci			"sysenter"
1888c2ecf20Sopenharmony_ci			: : : "memory", "flags");
1898c2ecf20Sopenharmony_ci	}
1908c2ecf20Sopenharmony_ci	set_eflags(get_eflags() & ~X86_EFLAGS_TF);
1918c2ecf20Sopenharmony_ci
1928c2ecf20Sopenharmony_ci	printf("[RUN]\tSYSCALL with TF and invalid state\n");
1938c2ecf20Sopenharmony_ci	if (sigsetjmp(jmpbuf, 1) == 0) {
1948c2ecf20Sopenharmony_ci		sigtrap_consecutive_syscalls = 0;
1958c2ecf20Sopenharmony_ci		set_eflags(get_eflags() | X86_EFLAGS_TF);
1968c2ecf20Sopenharmony_ci		asm volatile (
1978c2ecf20Sopenharmony_ci			"movl $-1, %%eax\n\t"
1988c2ecf20Sopenharmony_ci			"movl $-1, %%ebx\n\t"
1998c2ecf20Sopenharmony_ci			"movl $-1, %%ecx\n\t"
2008c2ecf20Sopenharmony_ci			"movl $-1, %%edx\n\t"
2018c2ecf20Sopenharmony_ci			"movl $-1, %%esi\n\t"
2028c2ecf20Sopenharmony_ci			"movl $-1, %%edi\n\t"
2038c2ecf20Sopenharmony_ci			"movl $-1, %%ebp\n\t"
2048c2ecf20Sopenharmony_ci			"movl $-1, %%esp\n\t"
2058c2ecf20Sopenharmony_ci			"syscall\n\t"
2068c2ecf20Sopenharmony_ci			"ud2"		/* make sure we recover cleanly */
2078c2ecf20Sopenharmony_ci			: : : "memory", "flags");
2088c2ecf20Sopenharmony_ci	}
2098c2ecf20Sopenharmony_ci	set_eflags(get_eflags() & ~X86_EFLAGS_TF);
2108c2ecf20Sopenharmony_ci
2118c2ecf20Sopenharmony_ci#ifdef __x86_64__
2128c2ecf20Sopenharmony_ci	printf("[RUN]\tSYSENTER with TF, invalid state, and GSBASE < 0\n");
2138c2ecf20Sopenharmony_ci
2148c2ecf20Sopenharmony_ci	if (sigsetjmp(jmpbuf, 1) == 0) {
2158c2ecf20Sopenharmony_ci		sigtrap_consecutive_syscalls = 0;
2168c2ecf20Sopenharmony_ci
2178c2ecf20Sopenharmony_ci		asm volatile ("wrgsbase %%rax\n\t"
2188c2ecf20Sopenharmony_ci			      :: "a" (0xffffffffffff0000UL));
2198c2ecf20Sopenharmony_ci
2208c2ecf20Sopenharmony_ci		set_eflags(get_eflags() | X86_EFLAGS_TF);
2218c2ecf20Sopenharmony_ci		asm volatile (
2228c2ecf20Sopenharmony_ci			"movl $-1, %%eax\n\t"
2238c2ecf20Sopenharmony_ci			"movl $-1, %%ebx\n\t"
2248c2ecf20Sopenharmony_ci			"movl $-1, %%ecx\n\t"
2258c2ecf20Sopenharmony_ci			"movl $-1, %%edx\n\t"
2268c2ecf20Sopenharmony_ci			"movl $-1, %%esi\n\t"
2278c2ecf20Sopenharmony_ci			"movl $-1, %%edi\n\t"
2288c2ecf20Sopenharmony_ci			"movl $-1, %%ebp\n\t"
2298c2ecf20Sopenharmony_ci			"movl $-1, %%esp\n\t"
2308c2ecf20Sopenharmony_ci			"sysenter"
2318c2ecf20Sopenharmony_ci			: : : "memory", "flags");
2328c2ecf20Sopenharmony_ci	}
2338c2ecf20Sopenharmony_ci	set_eflags(get_eflags() & ~X86_EFLAGS_TF);
2348c2ecf20Sopenharmony_ci#endif
2358c2ecf20Sopenharmony_ci
2368c2ecf20Sopenharmony_ci	return 0;
2378c2ecf20Sopenharmony_ci}
238