* [LTP] [PATCH 1/3] cve-2015-3290: Make stack selector and CPU flags check more verbose
@ 2024-10-14 16:02 Martin Doucha
From: Martin Doucha @ 2024-10-14 16:02 UTC (permalink / raw)
  To: ltp

The original reproducer reported all errors in a signal handler and
triggered INT3 to signal itself. Pass stack selector and CPU flags
values to C variables and report any discrepancies using standard
LTP functions.

Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
 testcases/cve/cve-2015-3290.c | 39 ++++++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 14 deletions(-)

diff --git a/testcases/cve/cve-2015-3290.c b/testcases/cve/cve-2015-3290.c
index 143c98230..4185c22a7 100644
--- a/testcases/cve/cve-2015-3290.c
+++ b/testcases/cve/cve-2015-3290.c
@@ -177,6 +177,8 @@ static greg_t *csptr(ucontext_t *ctx)
 }
 #endif
 
+#define LDT_SS 0x7
+
 static volatile long expected_rsp;
 static int running = 1;
 
@@ -220,6 +222,8 @@ static void set_ldt(void)
 
 static void try_corrupt_stack(unsigned short *orig_ss)
 {
+	unsigned long flags = 0, new_ss = 0;
+
 #ifdef __x86_64__
 	asm volatile (
 	      /* A small puzzle for the curious reader. */
@@ -227,6 +231,7 @@ static void try_corrupt_stack(unsigned short *orig_ss)
 
 	      /* Save rsp for diagnostics */
 	      "mov    %%rsp, %[expected_rsp] \n\t"
+	      "xorq   %%rax, %%rax    \n\t"
 
 	      /*
 	       * Let 'er rip.
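Review bot: The added `xorq %%rax, %%rax` at the top of the x86_64 asm is redundant with the new `"+a" (new_ss)` operand, because `new_ss` is initialised to 0 in the declaration hunk and that value is loaded into rax before the asm string executes; the same applies to the `xorl %%eax, %%eax` added to the i386 block in the hunk at -274. It is harmless, but if it is kept as belt-and-braces a comment such as `/* rax carries the observed SS out via new_ss; start from 0 */` would stop the next reader from looking for a missing initialisation. The instruction that actually moves the selector into eax is outside these hunks, so I cannot confirm new_ss is written on every path.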
@@ -255,16 +260,14 @@ static void try_corrupt_stack(unsigned short *orig_ss)
 
 	      "subq   $128, %%rsp \n\t"
 	      "pushfq	 \n\t"
-	      "testl  $(1<<9),(%%rsp)   \n\t"
+	      "movq   (%%rsp),%%rdx	 \n\t"
 	      "addq   $136, %%rsp \n\t"
-	      "jz 3f      \n\t"
-	      "cmpl   %[ss], %%eax    \n\t"
-	      "je 4f      \n\t"
+	      "jmp    4f      \n\t"
 	      "3:  int3	   \n\t"
 	      "4:	     \n\t"
-	      : [expected_rsp] "=m" (expected_rsp)
-	      : [ss] "n" (0x7), [orig_ss] "r" (orig_ss)
-		 : "rax", "rcx", "rdx", "rbp", "r11", "flags"
+	      : [expected_rsp] "=m" (expected_rsp), "+d" (flags), "+a" (new_ss)
+	      : [ss] "n" (LDT_SS), [orig_ss] "r" (orig_ss)
+		 : "rcx", "rbp", "r11", "flags"
 	);
 #else
 	asm volatile (
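Review bot: With the `jz 3f`/`je 4f` pair replaced by an unconditional `jmp 4f`, the `3:  int3` line becomes unreachable unless an earlier part of the asm string (outside this hunk) still jumps to label 3; if nothing does, the line should be dropped rather than leaving a stray breakpoint instruction in the sequence, and the same applies to the i386 block in the hunk at -303. The `[ss] "n" (LDT_SS)` input is likewise no longer referenced by any instruction shown here; if `%[ss]` is gone from the whole string, remove the operand too, since GCC does not warn about unused asm operands. The operand/clobber rearrangement itself looks right: rax and rdx move from the clobber list to `+a`/`+d` operands, and reading the full 8 bytes with `movq (%%rsp),%%rdx` matches what `pushfq` pushed. try_corrupt_stack begins before this hunk.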
@@ -274,6 +277,7 @@ static void try_corrupt_stack(unsigned short *orig_ss)
 
 	      /* Save rsp for diagnostics */
 	      "mov    %%esp, %[expected_rsp] \n\t"
+	      "xorl   %%eax, %%eax    \n\t"
 
 	      /*
 	       * Let 'er rip.
@@ -303,18 +307,25 @@ static void try_corrupt_stack(unsigned short *orig_ss)
 	      "mov    (%[orig_ss]), %%ss \n\t"  /* end corruption */
 
 	      "pushf	  \n\t"
-	      "testl  $(1<<9),(%%esp)   \n\t"
+	      "movl   (%%esp), %%edx \n\t"
 	      "addl   $4, %%esp   \n\t"
-	      "jz 3f      \n\t"
-	      "cmpl   %[ss], %%eax    \n\t"
-	      "je 4f      \n\t"
+	      "jmp    4f      \n\t"
 	      "3:  int3	   \n\t"
 	      "4:  mov %%esi, %%ebp   \n\t"
-	      : [expected_rsp] "=m" (expected_rsp)
-	      : [ss] "n" (0x7), [orig_ss] "r" (orig_ss)
-		 : "eax", "ecx", "edx", "esi", "ebp", "flags"
+	      : [expected_rsp] "=m" (expected_rsp), "+d" (flags), "+a" (new_ss)
+	      : [ss] "n" (LDT_SS), [orig_ss] "r" (orig_ss)
+		 : "ecx", "esi", "ebp", "flags"
 	);
 #endif
+
+	if (!(flags & (1 << 9))) {
+		tst_res(TFAIL, "Interrupt flag is disabled (0x%lx)", flags);
+	}
+
+	if (new_ss != LDT_SS) {
+		tst_res(TFAIL, "Wrong stack selector 0x%lx, expected 0x%x",
+			new_ss, LDT_SS);
+	}
 }
 
 static int perf_event_open(struct perf_event_attr *hw_event, pid_t pid,
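Review bot: The new C check `flags & (1 << 9)` tests EFLAGS.IF with a bare magic number, whereas the selector check in the same hunk was given the named `LDT_SS`; define the bit next to it, e.g. `#define X86_EFLAGS_IF (1UL << 9)`, and write `if (!(flags & X86_EFLAGS_IF))` so the message text and the test agree on what is being checked. A short comment on the two `if` blocks, such as `/* sanity-check what the corrupted frame left in SS and EFLAGS */`, would also tie them back to the asm above, since the checks are now several lines away from the `pushf`/`mov %%ss` that produce the values.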
-- 
2.46.0



* [LTP] [PATCH 2/3] cve-2015-3290: Exit after 1000 failures
@ 2024-10-14 16:02 ` Martin Doucha
From: Martin Doucha @ 2024-10-14 16:02 UTC (permalink / raw)
  To: ltp

On some kernels, the new error messages may produce millions of lines
of test output. Limit the maximum number of failures to avoid huge test
logs.

Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
 testcases/cve/cve-2015-3290.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/testcases/cve/cve-2015-3290.c b/testcases/cve/cve-2015-3290.c
index 4185c22a7..3bdc0f8f0 100644
--- a/testcases/cve/cve-2015-3290.c
+++ b/testcases/cve/cve-2015-3290.c
@@ -178,8 +178,10 @@ static greg_t *csptr(ucontext_t *ctx)
 #endif
 
 #define LDT_SS 0x7
+#define MAX_FAILS 1000
 
 static volatile long expected_rsp;
+static volatile int fail_count;
 static int running = 1;
 
 static void set_ldt(void)
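Review bot: `fail_count` is declared `volatile int` but is bumped with a plain `fail_count++` in the try_corrupt_stack hunk (-320) and compared in the child_thread hunk (-417); `volatile` gives no atomicity, so if child_thread runs in more than one thread (the `ncpus` loop in do_child shown in patch 3/3 suggests it does) the read-modify-write can lose increments. The only consequence is a later cutoff, so it is benign for a threshold, but it is still a data race in the C11 sense and a TSan build will report it. LTP's `tst_atomic_inc(&fail_count)` for the increments and `tst_atomic_load(&fail_count)` for the comparisons, with the `volatile` qualifier dropped so the pointer types match, would make it well-defined.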
@@ -320,11 +322,13 @@ static void try_corrupt_stack(unsigned short *orig_ss)
 
 	if (!(flags & (1 << 9))) {
 		tst_res(TFAIL, "Interrupt flag is disabled (0x%lx)", flags);
+		fail_count++;
 	}
 
 	if (new_ss != LDT_SS) {
 		tst_res(TFAIL, "Wrong stack selector 0x%lx, expected 0x%x",
 			new_ss, LDT_SS);
+		fail_count++;
 	}
 }
 
@@ -417,6 +421,11 @@ static void *child_thread(void *arg)
 		 * the system.
 		 */
 		syscall(0x3fffffff);
+
+		if (fail_count >= MAX_FAILS) {
+			tst_res(TINFO, "Too many failures, exiting");
+			break;
+		}
 	}
 
 	for (i = 0; i < ARRAY_SIZE(perf_events); i++)
@@ -456,6 +465,9 @@ static void do_child(void)
 	free(orig_ss);
 	free(threads);
 
+	if (fail_count)
+		exit(1);
+
 	tst_res(TPASS, "can't corrupt nested NMI state after %ld iterations",
 		total_iter);
 }
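Review bot: The early `exit(1)` carries no explanation of why do_child bails out instead of falling through to the TPASS summary, and its relationship to the TFAIL results the workers already reported through tst_res() is left implicit; a one-line comment such as `/* failures already reported by the workers; skip the TPASS summary */` would make the intent clear. If do_child runs in a forked child (the name suggests so, but the fork is outside this hunk) it is also worth stating whether the non-zero status is meant to be interpreted by the parent or is just a convenient way out.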
-- 
2.46.0



* [LTP] [PATCH 3/3] cve-2015-3290: Allow early test exit
@ 2024-10-14 16:02 ` Martin Doucha
From: Martin Doucha @ 2024-10-14 16:02 UTC (permalink / raw)
  To: ltp

Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
 testcases/cve/cve-2015-3290.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/testcases/cve/cve-2015-3290.c b/testcases/cve/cve-2015-3290.c
index 3bdc0f8f0..231069bbb 100644
--- a/testcases/cve/cve-2015-3290.c
+++ b/testcases/cve/cve-2015-3290.c
@@ -424,6 +424,7 @@ static void *child_thread(void *arg)
 
 		if (fail_count >= MAX_FAILS) {
 			tst_res(TINFO, "Too many failures, exiting");
+			running = 0;
 			break;
 		}
 	}
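Review bot: `running = 0;` is now stored from a worker thread while the main thread polls `running` in the new `while (running && tst_remaining_runtime())` loop in the do_child hunk (-455), and the other workers presumably read it in their own loops; `running` is a plain `static int` (declared in patch 1/3's first hunk) with no synchronisation, so this is a data race. In practice the `syscall()` and `sleep(1)` calls inside those loops act as compiler barriers and the store will be observed, but nothing guarantees it and TSan will flag it. Using `tst_atomic_store(&running, 0)` here and `tst_atomic_load(&running)` in the polling loops would make the shutdown handshake explicit. child_thread's loop begins before this hunk.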
@@ -455,7 +456,9 @@ static void do_child(void)
 			&orig_ss[i]);
 	}
 
-	sleep(tst_remaining_runtime());
+	while (running && tst_remaining_runtime())
+		sleep(1);
+
 	running = 0;
 
 	for (i = 0; i < ncpus; i++) {
-- 
2.46.0



* Re: [LTP] [PATCH 1/3] cve-2015-3290: Make stack selector and CPU flags check more verbose
@ 2024-10-15  8:32 ` Martin Doucha
From: Martin Doucha @ 2024-10-15  8:32 UTC (permalink / raw)
  To: ltp

Hi,
I forgot to mention that I've tested these changes on kernel v3.16 
affected by the CVE and the kernel bug was still reproducible.

On 14. 10. 24 18:02, Martin Doucha wrote:
> The original reproducer reported all errors in signal handler and
> triggered INT3 to signal itself. Pass stack selector and CPU flags
> values to C variables and report any discrepancies using standard
> LTP functions.
> 
> Signed-off-by: Martin Doucha <mdoucha@suse.cz>
> ---
>   testcases/cve/cve-2015-3290.c | 39 ++++++++++++++++++++++-------------
>   1 file changed, 25 insertions(+), 14 deletions(-)
> 
> diff --git a/testcases/cve/cve-2015-3290.c b/testcases/cve/cve-2015-3290.c
> index 143c98230..4185c22a7 100644
> --- a/testcases/cve/cve-2015-3290.c
> +++ b/testcases/cve/cve-2015-3290.c
> @@ -177,6 +177,8 @@ static greg_t *csptr(ucontext_t *ctx)
>   }
>   #endif
>   
> +#define LDT_SS 0x7
> +
>   static volatile long expected_rsp;
>   static int running = 1;
>   
> @@ -220,6 +222,8 @@ static void set_ldt(void)
>   
>   static void try_corrupt_stack(unsigned short *orig_ss)
>   {
> +	unsigned long flags = 0, new_ss = 0;
> +
>   #ifdef __x86_64__
>   	asm volatile (
>   	      /* A small puzzle for the curious reader. */
> @@ -227,6 +231,7 @@ static void try_corrupt_stack(unsigned short *orig_ss)
>   
>   	      /* Save rsp for diagnostics */
>   	      "mov    %%rsp, %[expected_rsp] \n\t"
> +	      "xorq   %%rax, %%rax    \n\t"
>   
>   	      /*
>   	       * Let 'er rip.
> @@ -255,16 +260,14 @@ static void try_corrupt_stack(unsigned short *orig_ss)
>   
>   	      "subq   $128, %%rsp \n\t"
>   	      "pushfq	 \n\t"
> -	      "testl  $(1<<9),(%%rsp)   \n\t"
> +	      "movq   (%%rsp),%%rdx	 \n\t"
>   	      "addq   $136, %%rsp \n\t"
> -	      "jz 3f      \n\t"
> -	      "cmpl   %[ss], %%eax    \n\t"
> -	      "je 4f      \n\t"
> +	      "jmp    4f      \n\t"
>   	      "3:  int3	   \n\t"
>   	      "4:	     \n\t"
> -	      : [expected_rsp] "=m" (expected_rsp)
> -	      : [ss] "n" (0x7), [orig_ss] "r" (orig_ss)
> -		 : "rax", "rcx", "rdx", "rbp", "r11", "flags"
> +	      : [expected_rsp] "=m" (expected_rsp), "+d" (flags), "+a" (new_ss)
> +	      : [ss] "n" (LDT_SS), [orig_ss] "r" (orig_ss)
> +		 : "rcx", "rbp", "r11", "flags"
>   	);
>   #else
>   	asm volatile (
> @@ -274,6 +277,7 @@ static void try_corrupt_stack(unsigned short *orig_ss)
>   
>   	      /* Save rsp for diagnostics */
>   	      "mov    %%esp, %[expected_rsp] \n\t"
> +	      "xorl   %%eax, %%eax    \n\t"
>   
>   	      /*
>   	       * Let 'er rip.
> @@ -303,18 +307,25 @@ static void try_corrupt_stack(unsigned short *orig_ss)
>   	      "mov    (%[orig_ss]), %%ss \n\t"  /* end corruption */
>   
>   	      "pushf	  \n\t"
> -	      "testl  $(1<<9),(%%esp)   \n\t"
> +	      "movl   (%%esp), %%edx \n\t"
>   	      "addl   $4, %%esp   \n\t"
> -	      "jz 3f      \n\t"
> -	      "cmpl   %[ss], %%eax    \n\t"
> -	      "je 4f      \n\t"
> +	      "jmp    4f      \n\t"
>   	      "3:  int3	   \n\t"
>   	      "4:  mov %%esi, %%ebp   \n\t"
> -	      : [expected_rsp] "=m" (expected_rsp)
> -	      : [ss] "n" (0x7), [orig_ss] "r" (orig_ss)
> -		 : "eax", "ecx", "edx", "esi", "ebp", "flags"
> +	      : [expected_rsp] "=m" (expected_rsp), "+d" (flags), "+a" (new_ss)
> +	      : [ss] "n" (LDT_SS), [orig_ss] "r" (orig_ss)
> +		 : "ecx", "esi", "ebp", "flags"
>   	);
>   #endif
> +
> +	if (!(flags & (1 << 9))) {
> +		tst_res(TFAIL, "Interrupt flag is disabled (0x%lx)", flags);
> +	}
> +
> +	if (new_ss != LDT_SS) {
> +		tst_res(TFAIL, "Wrong stack selector 0x%lx, expected 0x%x",
> +			new_ss, LDT_SS);
> +	}
>   }
>   
>   static int perf_event_open(struct perf_event_attr *hw_event, pid_t pid,

-- 
Martin Doucha   mdoucha@suse.cz
SW Quality Engineer
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic



* Re: [LTP] [PATCH 1/3] cve-2015-3290: Make stack selector and CPU flags check more verbose
@ 2024-10-15 18:57   ` Petr Vorel
From: Petr Vorel @ 2024-10-15 18:57 UTC (permalink / raw)
  To: Martin Doucha; +Cc: ltp

Hi Martin,

> Hi,
> I forgot to mention that I've tested these changes on kernel v3.16 affected
> by the CVE and the kernel bug was still reproducible.

Thanks for retesting your patch.
Patchset merged.

Kind regards,
Petr

