From: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
To: Mark Brown <broonie@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>, Jonathan Corbet <corbet@lwn.net>,
Andrew Morton <akpm@linux-foundation.org>,
Marc Zyngier <maz@kernel.org>,
Oliver Upton <oliver.upton@linux.dev>,
James Morse <james.morse@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Arnd Bergmann <arnd@arndb.de>, Oleg Nesterov <oleg@redhat.com>,
Eric Biederman <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>, Shuah Khan <shuah@kernel.org>,
"Rick P. Edgecombe" <rick.p.edgecombe@intel.com>,
Deepak Gupta <debug@rivosinc.com>,
Ard Biesheuvel <ardb@kernel.org>,
Szabolcs Nagy <Szabolcs.Nagy@arm.com>,
"H.J. Lu" <hjl.tools@gmail.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Florian Weimer <fweimer@redhat.com>,
Christian Brauner <brauner@kernel.org>,
linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org,
kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org,
linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-riscv@lists.infradead.org
Subject: Re: [PATCH v7 34/39] kselftest/arm64: Add a GCS test program built with the system libc
Date: Thu, 14 Dec 2023 23:50:11 -0300 [thread overview]
Message-ID: <875y1089i4.fsf@linaro.org> (raw)
In-Reply-To: <20231122-arm64-gcs-v7-34-201c483bd775@kernel.org>
Mark Brown <broonie@kernel.org> writes:
> + /* Same thing via process_vm_readv() */
> + local_iov.iov_base = &rval;
> + local_iov.iov_len = sizeof(rval);
> + remote_iov.iov_base = (void *)gcspr;
> + remote_iov.iov_len = sizeof(rval);
> + ret = process_vm_writev(child, &local_iov, 1, &remote_iov, 1, 0);
> + if (ret == -1)
> + ksft_print_msg("process_vm_readv() failed: %s (%d)\n",
> + strerror(errno), errno);
The comment and the error message say "process_vm_readv()", but the
function actually called is process_vm_writev(). Is this intended?
Also, process_vm_writev() is failing when I run on my Arm FVP:
# # RUN global.ptrace_read_write ...
# # Child: 1150
# # Child GCSPR 0xffffa210ffd8, flags 1, locked 0
# # process_vm_readv() failed: Bad address (14)
# # libc-gcs.c:271:ptrace_read_write:Expected ret (-1) == sizeof(rval) (8)
# # libc-gcs.c:272:ptrace_read_write:Expected val (281473401005692) == rval (281473402849248)
# # libc-gcs.c:293:ptrace_read_write:Expected val (281473401005692) == ptrace(PTRACE_PEEKDATA, child, (void *)gcspr, NULL) (0)
# # ptrace_read_write: Test failed at step #1
# # FAIL global.ptrace_read_write
# not ok 4 global.ptrace_read_write
If I swap process_vm_readv() and process_vm_writev(), then the read
succeeds but the write fails:
# RUN global.ptrace_read_write ...
# Child: 1996
# Child GCSPR 0xffffa7fcffd8, flags 1, locked 0
# process_vm_writev() failed: Bad address (14)
# libc-gcs.c:291:ptrace_read_write:Expected ret (-1) == sizeof(rval) (8)
# libc-gcs.c:293:ptrace_read_write:Expected val (281473500358268) == ptrace(PTRACE_PEEKDATA, child, (void *)gcspr, NULL) (0)
# ptrace_read_write: Test failed at step #1
# FAIL global.ptrace_read_write
not ok 4 global.ptrace_read_write
> +/* Put it all together, we can safely switch to and from the stack */
> +TEST_F(map_gcs, stack_switch)
> +{
> + size_t cap_index;
> + cap_index = (variant->stack_size / sizeof(unsigned long));
> + unsigned long *orig_gcspr_el0, *pivot_gcspr_el0;
> +
> + /* Skip over the stack terminator and point at the cap */
> + switch (variant->flags & (SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN)) {
> + case SHADOW_STACK_SET_MARKER | SHADOW_STACK_SET_TOKEN:
> + cap_index -= 2;
> + break;
> + case SHADOW_STACK_SET_TOKEN:
> + cap_index -= 1;
> + break;
> + case SHADOW_STACK_SET_MARKER:
> + case 0:
> + /* No cap, no test */
> + return;
> + }
> + pivot_gcspr_el0 = &self->stack[cap_index];
> +
> + /* Pivot to the new GCS */
> + ksft_print_msg("Pivoting to %p from %p, target has value 0x%lx\n",
> + pivot_gcspr_el0, get_gcspr(),
> + *pivot_gcspr_el0);
> + gcsss1(pivot_gcspr_el0);
> + orig_gcspr_el0 = gcsss2();
> + ksft_print_msg("Pivoted to %p from %p, target has value 0x%lx\n",
> + pivot_gcspr_el0, get_gcspr(),
Not sure about the intent here, but perhaps "get_gcspr()" here should be
"orig_gcspr_el0" instead? Ditto in the equivalent place at the
map_gcs.stack_overflow test below.
Also, it's strange that the tests defined after map_gcs.stack_overflow
don't run when I execute this test program. I'm doing:
$ ./run_kselftest.sh -t arm64:libc-gcs
I.e., these tests aren't being run in my FVP:
> +FIXTURE_VARIANT_ADD(map_invalid_gcs, too_small)
> +FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_1)
> +FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_2)
> +FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_3)
> +FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_4)
> +FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_5)
> +FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_6)
> +FIXTURE_VARIANT_ADD(map_invalid_gcs, unligned_7)
> +TEST_F(map_invalid_gcs, do_map)
> +FIXTURE_VARIANT_ADD(invalid_mprotect, exec)
> +FIXTURE_VARIANT_ADD(invalid_mprotect, bti)
> +FIXTURE_VARIANT_ADD(invalid_mprotect, exec_bti)
> +TEST_F(invalid_mprotect, do_map)
> +TEST_F(invalid_mprotect, do_map_read)
Finally, one last comment:
> +int main(int argc, char **argv)
> +{
> + unsigned long gcs_mode;
> + int ret;
> +
> + if (!(getauxval(AT_HWCAP2) & HWCAP2_GCS))
> + ksft_exit_skip("SKIP GCS not supported\n");
> +
> + /*
> + * Force shadow stacks on, our tests *should* be fine with or
> + * without libc support and with or without this having ended
> + * up tagged for GCS and enabled by the dynamic linker. We
> + * can't use the libc prctl() function since we can't return
> + * from enabling the stack. Also lock GCS if not already
> + * locked so we can test behaviour when it's locked.
This is probably a leftover from a previous version: the test doesn't
lock any GCS flag.
> + */
> + ret = my_syscall2(__NR_prctl, PR_GET_SHADOW_STACK_STATUS, &gcs_mode);
> + if (ret) {
> + ksft_print_msg("Failed to read GCS state: %d\n", ret);
> + return EXIT_FAILURE;
> + }
> +
> + if (!(gcs_mode & PR_SHADOW_STACK_ENABLE)) {
> + gcs_mode = PR_SHADOW_STACK_ENABLE;
> + ret = my_syscall2(__NR_prctl, PR_SET_SHADOW_STACK_STATUS,
> + gcs_mode);
> + if (ret) {
> + ksft_print_msg("Failed to configure GCS: %d\n", ret);
> + return EXIT_FAILURE;
> + }
> + }
> +
> + /* Avoid returning in case libc doesn't understand GCS */
> + exit(test_harness_run(argc, argv));
> +}
--
Thiago
next prev parent reply other threads:[~2023-12-15 2:50 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-22 9:42 [PATCH v7 00/39] arm64/gcs: Provide support for GCS in userspace Mark Brown
2023-11-22 9:42 ` [PATCH v7 01/39] arm64/mm: Restructure arch_validate_flags() for extensibility Mark Brown
2023-11-22 9:42 ` [PATCH v7 02/39] prctl: arch-agnostic prctl for shadow stack Mark Brown
2023-12-12 19:17 ` Deepak Gupta
2023-12-12 19:22 ` Mark Brown
2023-12-13 0:50 ` Deepak Gupta
2023-12-13 13:37 ` Mark Brown
2023-12-13 19:43 ` Deepak Gupta
2023-12-13 19:48 ` Mark Brown
2023-12-12 20:17 ` Edgecombe, Rick P
2023-12-12 20:26 ` Mark Brown
2023-12-12 21:22 ` Edgecombe, Rick P
2023-12-13 13:49 ` Mark Brown
2023-11-22 9:42 ` [PATCH v7 03/39] mman: Add map_shadow_stack() flags Mark Brown
2023-11-22 9:42 ` [PATCH v7 04/39] arm64: Document boot requirements for Guarded Control Stacks Mark Brown
2023-11-22 9:42 ` [PATCH v7 05/39] arm64/gcs: Document the ABI " Mark Brown
2023-11-22 9:42 ` [PATCH v7 06/39] arm64/sysreg: Add new system registers for GCS Mark Brown
2023-11-22 9:42 ` [PATCH v7 07/39] arm64/sysreg: Add definitions for architected GCS caps Mark Brown
2023-11-22 9:42 ` [PATCH v7 08/39] arm64/gcs: Add manual encodings of GCS instructions Mark Brown
2023-11-22 9:42 ` [PATCH v7 09/39] arm64/gcs: Provide put_user_gcs() Mark Brown
2023-11-22 9:42 ` [PATCH v7 10/39] arm64/cpufeature: Runtime detection of Guarded Control Stack (GCS) Mark Brown
2023-11-22 9:42 ` [PATCH v7 11/39] arm64/mm: Allocate PIE slots for EL0 guarded control stack Mark Brown
2023-11-22 9:42 ` [PATCH v7 12/39] mm: Define VM_SHADOW_STACK for arm64 when we support GCS Mark Brown
2023-11-22 9:42 ` [PATCH v7 13/39] arm64/mm: Map pages for guarded control stack Mark Brown
2023-12-04 3:01 ` Thiago Jung Bauermann
2023-11-22 9:42 ` [PATCH v7 14/39] KVM: arm64: Manage GCS registers for guests Mark Brown
2023-11-22 9:42 ` [PATCH v7 15/39] arm64/gcs: Allow GCS usage at EL0 and EL1 Mark Brown
2023-11-22 9:42 ` [PATCH v7 16/39] arm64/idreg: Add overrride for GCS Mark Brown
2023-11-22 9:42 ` [PATCH v7 17/39] arm64/hwcap: Add hwcap " Mark Brown
2023-11-22 9:42 ` [PATCH v7 18/39] arm64/traps: Handle GCS exceptions Mark Brown
2023-11-22 9:42 ` [PATCH v7 19/39] arm64/mm: Handle GCS data aborts Mark Brown
2023-11-22 9:42 ` [PATCH v7 20/39] arm64/gcs: Context switch GCS state for EL0 Mark Brown
2023-12-13 19:59 ` Deepak Gupta
2023-12-13 20:02 ` Mark Brown
2023-11-22 9:42 ` [PATCH v7 21/39] arm64/gcs: Allocate a new GCS for threads with GCS enabled Mark Brown
2023-12-06 20:22 ` Thiago Jung Bauermann
2023-11-22 9:42 ` [PATCH v7 22/39] arm64/gcs: Implement shadow stack prctl() interface Mark Brown
2023-12-06 21:27 ` Thiago Jung Bauermann
2023-11-22 9:42 ` [PATCH v7 23/39] arm64/mm: Implement map_shadow_stack() Mark Brown
2023-12-06 21:44 ` Thiago Jung Bauermann
2023-11-22 9:42 ` [PATCH v7 24/39] arm64/signal: Set up and restore the GCS context for signal handlers Mark Brown
2023-12-09 3:15 ` Thiago Jung Bauermann
2023-12-09 13:09 ` Mark Brown
2023-11-22 9:42 ` [PATCH v7 25/39] arm64/signal: Expose GCS state in signal frames Mark Brown
2023-12-09 22:28 ` Thiago Jung Bauermann
2023-11-22 9:42 ` [PATCH v7 26/39] arm64/ptrace: Expose GCS via ptrace and core files Mark Brown
2023-12-09 23:49 ` Thiago Jung Bauermann
2023-12-10 14:22 ` Mark Brown
2023-11-22 9:42 ` [PATCH v7 27/39] arm64: Add Kconfig for Guarded Control Stack (GCS) Mark Brown
2023-11-22 9:42 ` [PATCH v7 28/39] kselftest/arm64: Verify the GCS hwcap Mark Brown
2023-11-22 9:42 ` [PATCH v7 29/39] kselftest/arm64: Add GCS as a detected feature in the signal tests Mark Brown
2023-11-22 9:42 ` [PATCH v7 30/39] kselftest/arm64: Add framework support for GCS to signal handling tests Mark Brown
2023-11-22 9:42 ` [PATCH v7 31/39] kselftest/arm64: Allow signals tests to specify an expected si_code Mark Brown
2023-11-22 9:42 ` [PATCH v7 32/39] kselftest/arm64: Always run signals tests with GCS enabled Mark Brown
2023-11-22 9:42 ` [PATCH v7 33/39] kselftest/arm64: Add very basic GCS test program Mark Brown
2023-11-22 9:42 ` [PATCH v7 34/39] kselftest/arm64: Add a GCS test program built with the system libc Mark Brown
2023-12-15 2:50 ` Thiago Jung Bauermann [this message]
2023-12-15 14:59 ` Mark Brown
2023-12-17 2:18 ` Thiago Jung Bauermann
2024-01-18 19:58 ` Mark Brown
2023-11-22 9:42 ` [PATCH v7 35/39] kselftest/arm64: Add test coverage for GCS mode locking Mark Brown
2023-11-22 9:42 ` [PATCH v7 36/39] selftests/arm64: Add GCS signal tests Mark Brown
2023-12-17 2:12 ` Thiago Jung Bauermann
2024-01-18 21:10 ` Mark Brown
2023-11-22 9:42 ` [PATCH v7 37/39] kselftest/arm64: Add a GCS stress test Mark Brown
2023-12-13 2:45 ` Thiago Jung Bauermann
2023-11-22 9:42 ` [PATCH v7 38/39] kselftest/arm64: Enable GCS for the FP stress tests Mark Brown
2023-11-22 9:42 ` [PATCH v7 39/39] kselftest/clone3: Enable GCS in the clone3 selftests Mark Brown
2023-12-20 4:13 ` [PATCH v7 00/39] arm64/gcs: Provide support for GCS in userspace Thiago Jung Bauermann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=875y1089i4.fsf@linaro.org \
--to=thiago.bauermann@linaro.org \
--cc=Szabolcs.Nagy@arm.com \
--cc=akpm@linux-foundation.org \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=debug@rivosinc.com \
--cc=ebiederm@xmission.com \
--cc=fweimer@redhat.com \
--cc=hjl.tools@gmail.com \
--cc=james.morse@arm.com \
--cc=keescook@chromium.org \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-riscv@lists.infradead.org \
--cc=maz@kernel.org \
--cc=oleg@redhat.com \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=rick.p.edgecombe@intel.com \
--cc=shuah@kernel.org \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).