tools/testing/selftests/x86/nx_stack.c

   1 /*
   2  * Copyright (c) 2023 Alexey Dobriyan <adobriyan@gmail.com>
   3  *
   4  * Permission to use, copy, modify, and distribute this software for any
   5  * purpose with or without fee is hereby granted, provided that the above
   6  * copyright notice and this permission notice appear in all copies.
   7  *
   8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
   9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  15  */
  16 /*
  17  * Test that userspace stack is NX. Requires linking with -Wl,-z,noexecstack
  18  * because I don't want to bother with PT_GNU_STACK detection.
  19  *
  20  * Fill the stack with INT3's and then try to execute some of them:
  21  * SIGSEGV -- good, SIGTRAP -- bad.
  22  *
  23  * Regular stack is completely overwritten before testing.
  24  * Test doesn't exit SIGSEGV handler after first fault at INT3.
  25  */
  26 #undef _GNU_SOURCE
  27 #define _GNU_SOURCE
  28 #undef NDEBUG
  29 #include <assert.h>
  30 #include <signal.h>
  31 #include <stdint.h>
  32 #include <stdio.h>
  33 #include <stdlib.h>
  34 #include <sys/mman.h>
  35 #include <sys/resource.h>
  36 #include <unistd.h>
  37
  38 #define PAGE_SIZE 4096
  39
  40 /*
  41  * This is memset(rsp, 0xcc, -1); but down.
  42  * It will SIGSEGV when bottom of the stack is reached.
  43  * Byte-size access is important! (see rdi tweak in the signal handler).
  44  */
  45 void make_stack1(void);
  46 asm(
  47 ".pushsection .text\n"
  48 ".globl make_stack1\n"
  49 ".align 16\n"
  50 "make_stack1:\n"
  51         "mov $0xcc, %al\n"
  52 #if defined __amd64__
  53         "mov %rsp, %rdi\n"
  54         "mov $-1, %rcx\n"
  55 #elif defined __i386__
  56         "mov %esp, %edi\n"
  57         "mov $-1, %ecx\n"
  58 #else
  59 #error
  60 #endif
  61         "std\n"
  62         "rep stosb\n"
  63         /* unreachable */
  64         "hlt\n"
  65 ".type make_stack1,@function\n"
  66 ".size make_stack1,.-make_stack1\n"
  67 ".popsection\n"
  68 );
  69
  70 /*
  71  * memset(p, 0xcc, -1);
  72  * It will SIGSEGV when top of the stack is reached.
  73  */
  74 void make_stack2(uint64_t p);
  75 asm(
  76 ".pushsection .text\n"
  77 ".globl make_stack2\n"
  78 ".align 16\n"
  79 "make_stack2:\n"
  80         "mov $0xcc, %al\n"
  81 #if defined __amd64__
  82         "mov $-1, %rcx\n"
  83 #elif defined __i386__
  84         "mov $-1, %ecx\n"
  85 #else
  86 #error
  87 #endif
  88         "cld\n"
  89         "rep stosb\n"
  90         /* unreachable */
  91         "hlt\n"
  92 ".type make_stack2,@function\n"
  93 ".size make_stack2,.-make_stack2\n"
  94 ".popsection\n"
  95 );
  96
  97 static volatile int test_state = 0;
  98 static volatile unsigned long stack_min_addr;
  99
 100 #if defined __amd64__
 101 #define RDI     REG_RDI
 102 #define RIP     REG_RIP
 103 #define RIP_STRING "rip"
 104 #elif defined __i386__
 105 #define RDI     REG_EDI
 106 #define RIP     REG_EIP
 107 #define RIP_STRING "eip"
 108 #else
 109 #error
 110 #endif
 111
 112 static void sigsegv(int _, siginfo_t *__, void *uc_)
 113 {
 114         /*
 115          * Some Linux versions didn't clear DF before entering signal
 116          * handler. make_stack1() doesn't have a chance to clear DF
 117          * either so we clear it by hand here.
 118          */
 119         asm volatile ("cld" ::: "memory");
 120
 121         ucontext_t *uc = uc_;
 122
 123         if (test_state == 0) {
 124                 /* Stack is faulted and cleared from RSP to the lowest address. */
 125                 stack_min_addr = ++uc->uc_mcontext.gregs[RDI];
 126                 if (1) {
 127                         printf("stack min %lx\n", stack_min_addr);
 128                 }
 129                 uc->uc_mcontext.gregs[RIP] = (uintptr_t)&make_stack2;
 130                 test_state = 1;
 131         } else if (test_state == 1) {
 132                 /* Stack has been cleared from top to bottom. */
 133                 unsigned long stack_max_addr = uc->uc_mcontext.gregs[RDI];
 134                 if (1) {
 135                         printf("stack max %lx\n", stack_max_addr);
 136                 }
 137                 /* Start faulting pages on stack and see what happens. */
 138                 uc->uc_mcontext.gregs[RIP] = stack_max_addr - PAGE_SIZE;
 139                 test_state = 2;
 140         } else if (test_state == 2) {
 141                 /* Stack page is NX -- good, test next page. */
 142                 uc->uc_mcontext.gregs[RIP] -= PAGE_SIZE;
 143                 if (uc->uc_mcontext.gregs[RIP] == stack_min_addr) {
 144                         /* One more SIGSEGV and test ends. */
 145                         test_state = 3;
 146                 }
 147         } else {
 148                 printf("PASS\tAll stack pages are NX\n");
 149                 _exit(EXIT_SUCCESS);
 150         }
 151 }
 152
 153 static void sigtrap(int _, siginfo_t *__, void *uc_)
 154 {
 155         const ucontext_t *uc = uc_;
 156         unsigned long rip = uc->uc_mcontext.gregs[RIP];
 157         printf("FAIL\texecutable page on the stack: " RIP_STRING " %lx\n", rip);
 158         _exit(EXIT_FAILURE);
 159 }
 160
 161 int main(void)
 162 {
 163         {
 164                 struct sigaction act = {};
 165                 sigemptyset(&act.sa_mask);
 166                 act.sa_flags = SA_SIGINFO;
 167                 act.sa_sigaction = &sigsegv;
 168                 int rv = sigaction(SIGSEGV, &act, NULL);
 169                 assert(rv == 0);
 170         }
 171         {
 172                 struct sigaction act = {};
 173                 sigemptyset(&act.sa_mask);
 174                 act.sa_flags = SA_SIGINFO;
 175                 act.sa_sigaction = &sigtrap;
 176                 int rv = sigaction(SIGTRAP, &act, NULL);
 177                 assert(rv == 0);
 178         }
 179         {
 180                 struct rlimit rlim;
 181                 int rv = getrlimit(RLIMIT_STACK, &rlim);
 182                 assert(rv == 0);
 183                 /* Cap stack at time-honored 8 MiB value. */
 184                 rlim.rlim_max = rlim.rlim_cur;
 185                 if (rlim.rlim_max > 8 * 1024 * 1024) {
 186                         rlim.rlim_max = 8 * 1024 * 1024;
 187                 }
 188                 rv = setrlimit(RLIMIT_STACK, &rlim);
 189                 assert(rv == 0);
 190         }
 191         {
 192                 /*
 193                  * We don't know now much stack SIGSEGV handler uses.
 194                  * Bump this by 1 page every time someone complains,
 195                  * or rewrite it in assembly.
 196                  */
 197                 const size_t len = SIGSTKSZ;
 198                 void *p = mmap(NULL, len, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
 199                 assert(p != MAP_FAILED);
 200                 stack_t ss = {};
 201                 ss.ss_sp = p;
 202                 ss.ss_size = len;
 203                 int rv = sigaltstack(&ss, NULL);
 204                 assert(rv == 0);
 205         }
 206         make_stack1();
 207         /*
 208          * Unreachable, but if _this_ INT3 is ever reached, it's a bug somewhere.
 209          * Fold it into main SIGTRAP pathway.
 210          */
 211         __builtin_trap();
 212 }