* [LTP] [PATCH 1/3] cve-2015-3290: Make stack selector and CPU flags check more verbose
@ 2024-10-14 16:02 Martin Doucha
From: Martin Doucha @ 2024-10-14 16:02 UTC (permalink / raw)
To: ltp
The original reproducer reported all errors in the signal handler and
triggered INT3 to signal itself. Pass stack selector and CPU flags
values to C variables and report any discrepancies using standard
LTP functions.
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
testcases/cve/cve-2015-3290.c | 39 ++++++++++++++++++++++-------------
1 file changed, 25 insertions(+), 14 deletions(-)
diff --git a/testcases/cve/cve-2015-3290.c b/testcases/cve/cve-2015-3290.c
index 143c98230..4185c22a7 100644
--- a/testcases/cve/cve-2015-3290.c
+++ b/testcases/cve/cve-2015-3290.c
@@ -177,6 +177,8 @@ static greg_t *csptr(ucontext_t *ctx)
}
#endif
+#define LDT_SS 0x7
+
static volatile long expected_rsp;
static int running = 1;
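Review bot: The new `LDT_SS` macro has no comment saying what 0x7 encodes, even though the later `new_ss != LDT_SS` check is only meaningful with that knowledge. A selector value of 0x7 is index 0 with TI=1 (LDT) and RPL=3, so a one-line comment such as `/* SS selector 0x7: LDT index 0, TI=1, RPL=3 — the value the asm expects to find after the corruption attempt */` would make the check self-explanatory. Whether set_ldt() installs exactly that entry is not visible in this hunk, so adjust the wording to what it actually does.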
@@ -220,6 +222,8 @@ static void set_ldt(void)
static void try_corrupt_stack(unsigned short *orig_ss)
{
+ unsigned long flags = 0, new_ss = 0;
+
#ifdef __x86_64__
asm volatile (
/* A small puzzle for the curious reader. */
@@ -227,6 +231,7 @@ static void try_corrupt_stack(unsigned short *orig_ss)
/* Save rsp for diagnostics */
"mov %%rsp, %[expected_rsp] \n\t"
+ "xorq %%rax, %%rax \n\t"
/*
* Let 'er rip.
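Review bot: The added `xorq %%rax, %%rax` right after the rsp save looks redundant with the new `"+a" (new_ss)` operand, because new_ss is initialised to 0 in C before the asm runs; the `xorl %%eax, %%eax` in the 32-bit hunk below has the same issue. If the instruction is needed because the part of the block not shown here writes rax before the selector is sampled, or because the selector is read with a 16-bit move that leaves the upper bits untouched, a short comment stating that would stop a future cleanup from removing it; otherwise both xor lines can simply be dropped. try_corrupt_stack's body continues outside this hunk.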
@@ -255,16 +260,14 @@ static void try_corrupt_stack(unsigned short *orig_ss)
"subq $128, %%rsp \n\t"
"pushfq \n\t"
- "testl $(1<<9),(%%rsp) \n\t"
+ "movq (%%rsp),%%rdx \n\t"
"addq $136, %%rsp \n\t"
- "jz 3f \n\t"
- "cmpl %[ss], %%eax \n\t"
- "je 4f \n\t"
+ "jmp 4f \n\t"
"3: int3 \n\t"
"4: \n\t"
- : [expected_rsp] "=m" (expected_rsp)
- : [ss] "n" (0x7), [orig_ss] "r" (orig_ss)
- : "rax", "rcx", "rdx", "rbp", "r11", "flags"
+ : [expected_rsp] "=m" (expected_rsp), "+d" (flags), "+a" (new_ss)
+ : [ss] "n" (LDT_SS), [orig_ss] "r" (orig_ss)
+ : "rcx", "rbp", "r11", "flags"
);
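Review bot: With `jz 3f` and `je 4f` gone, the unconditional `jmp 4f` just skips over `3: int3`, so the int3 is unreachable and label 3 has no visible user; the 32-bit block in the next-but-one hunk carries the same leftover. Unless the part of the asm not shown here still jumps to label 3, the lines `"jmp 4f \n\t"`, `"3: int3 \n\t"` and the bare `"4: \n\t"` can be removed on x86_64 (on i386 keep the `mov %%esi, %%ebp` that follows label 4). The `[ss] "n" (LDT_SS)` input is likewise unused by the visible instructions now that the `cmpl` is gone; if nothing earlier in the block references it, it can go as well. try_corrupt_stack's body continues outside this hunk.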
#else
asm volatile (
@@ -274,6 +277,7 @@ static void try_corrupt_stack(unsigned short *orig_ss)
/* Save rsp for diagnostics */
"mov %%esp, %[expected_rsp] \n\t"
+ "xorl %%eax, %%eax \n\t"
/*
* Let 'er rip.
@@ -303,18 +307,25 @@ static void try_corrupt_stack(unsigned short *orig_ss)
"mov (%[orig_ss]), %%ss \n\t" /* end corruption */
"pushf \n\t"
- "testl $(1<<9),(%%esp) \n\t"
+ "movl (%%esp), %%edx \n\t"
"addl $4, %%esp \n\t"
- "jz 3f \n\t"
- "cmpl %[ss], %%eax \n\t"
- "je 4f \n\t"
+ "jmp 4f \n\t"
"3: int3 \n\t"
"4: mov %%esi, %%ebp \n\t"
- : [expected_rsp] "=m" (expected_rsp)
- : [ss] "n" (0x7), [orig_ss] "r" (orig_ss)
- : "eax", "ecx", "edx", "esi", "ebp", "flags"
+ : [expected_rsp] "=m" (expected_rsp), "+d" (flags), "+a" (new_ss)
+ : [ss] "n" (LDT_SS), [orig_ss] "r" (orig_ss)
+ : "ecx", "esi", "ebp", "flags"
);
#endif
+
+ if (!(flags & (1 << 9))) {
+ tst_res(TFAIL, "Interrupt flag is disabled (0x%lx)", flags);
+ }
+
+ if (new_ss != LDT_SS) {
+ tst_res(TFAIL, "Wrong stack selector 0x%lx, expected 0x%x",
+ new_ss, LDT_SS);
+ }
}
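Review bot: The check `if (!(flags & (1 << 9)))` repeats the magic bit number from the removed `testl $(1<<9)` instead of naming it; defining `#define X86_EFLAGS_IF (1 << 9)` next to LDT_SS and testing `if (!(flags & X86_EFLAGS_IF))` documents what is being verified. The two checks would also benefit from a comment above the first `if` saying that `flags` and `new_ss` hold the flags word and the stack selector as sampled by the asm after the corruption attempt, worded to match what the asm (mostly outside this hunk) actually samples. The message `"Interrupt flag is disabled (0x%lx)"` reports the raw flags word, so "cleared" would describe the condition more precisely than "disabled".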
static int perf_event_open(struct perf_event_attr *hw_event, pid_t pid,
--
2.46.0
* [LTP] [PATCH 2/3] cve-2015-3290: Exit after 1000 failures
@ 2024-10-14 16:02 ` Martin Doucha
From: Martin Doucha @ 2024-10-14 16:02 UTC (permalink / raw)
To: ltp
On some kernels, the new error messages may produce millions of lines
of test output. Limit the maximum number of failures to avoid huge test
logs.
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
testcases/cve/cve-2015-3290.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/testcases/cve/cve-2015-3290.c b/testcases/cve/cve-2015-3290.c
index 4185c22a7..3bdc0f8f0 100644
--- a/testcases/cve/cve-2015-3290.c
+++ b/testcases/cve/cve-2015-3290.c
@@ -178,8 +178,10 @@ static greg_t *csptr(ucontext_t *ctx)
#endif
#define LDT_SS 0x7
+#define MAX_FAILS 1000
static volatile long expected_rsp;
+static volatile int fail_count;
static int running = 1;
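Review bot: `fail_count` is declared as a plain `volatile int`, yet the per-CPU threads increment it in try_corrupt_stack (second hunk) and child_thread reads it in its loop (third hunk); `volatile` provides neither atomicity nor ordering, so concurrent `fail_count++` is a data race under C11 and can lose increments. Because the counter only gates the "too many failures" exit, the practical effect is a somewhat later exit, but the access is still undefined behaviour. LTP's tst_atomic.h helpers fit here: declare `static int fail_count;`, increment with `tst_atomic_inc(&fail_count);` and test with `if (tst_atomic_load(&fail_count) >= MAX_FAILS)`.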
static void set_ldt(void)
@@ -320,11 +322,13 @@ static void try_corrupt_stack(unsigned short *orig_ss)
if (!(flags & (1 << 9))) {
tst_res(TFAIL, "Interrupt flag is disabled (0x%lx)", flags);
+ fail_count++;
}
if (new_ss != LDT_SS) {
tst_res(TFAIL, "Wrong stack selector 0x%lx, expected 0x%x",
new_ss, LDT_SS);
+ fail_count++;
}
}
@@ -417,6 +421,11 @@ static void *child_thread(void *arg)
* the system.
*/
syscall(0x3fffffff);
+
+ if (fail_count >= MAX_FAILS) {
+ tst_res(TINFO, "Too many failures, exiting");
+ break;
+ }
}
for (i = 0; i < ARRAY_SIZE(perf_events); i++)
@@ -456,6 +465,9 @@ static void do_child(void)
free(orig_ss);
free(threads);
+ if (fail_count)
+ exit(1);
+
tst_res(TPASS, "can't corrupt nested NMI state after %ld iterations",
total_iter);
}
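Review bot: The added `exit(1)` skips the TPASS line but also terminates the child with a non-zero status; if the parent reaps it with tst_reap_children() (not visible here), that yields an extra "Child exited with 1" result on top of the TFAIL lines already emitted. A plain `return;` would suppress the TPASS without the additional result line, assuming the caller does nothing further after do_child returns. do_child's body starts outside this hunk.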
--
2.46.0
* [LTP] [PATCH 3/3] cve-2015-3290: Allow early test exit
@ 2024-10-14 16:02 ` Martin Doucha
From: Martin Doucha @ 2024-10-14 16:02 UTC (permalink / raw)
To: ltp
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
testcases/cve/cve-2015-3290.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/testcases/cve/cve-2015-3290.c b/testcases/cve/cve-2015-3290.c
index 3bdc0f8f0..231069bbb 100644
--- a/testcases/cve/cve-2015-3290.c
+++ b/testcases/cve/cve-2015-3290.c
@@ -424,6 +424,7 @@ static void *child_thread(void *arg)
if (fail_count >= MAX_FAILS) {
tst_res(TINFO, "Too many failures, exiting");
+ running = 0;
break;
}
}
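Review bot: `running = 0;` is now written from a worker thread while the other workers and the new wait loop in do_child read it, and `running` is a plain `static int` (visible as context in the first patch of this series), so this is an unsynchronised cross-thread access of the same kind as `fail_count++`. The existing code already had the main thread writing it, so the patch only widens an established pattern, but if fail_count is moved to the tst_atomic helpers `running` should go with it: `tst_atomic_store(0, &running);` here and `tst_atomic_load(&running)` at the readers. child_thread's loop starts outside this hunk.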
@@ -455,7 +456,9 @@ static void do_child(void)
&orig_ss[i]);
}
- sleep(tst_remaining_runtime());
+ while (running && tst_remaining_runtime())
+ sleep(1);
+
running = 0;
for (i = 0; i < ncpus; i++) {
--
2.46.0
* Re: [LTP] [PATCH 1/3] cve-2015-3290: Make stack selector and CPU flags check more verbose
@ 2024-10-15 8:32 ` Martin Doucha
From: Martin Doucha @ 2024-10-15 8:32 UTC (permalink / raw)
To: ltp
Hi,
I forgot to mention that I've tested these changes on kernel v3.16
affected by the CVE and the kernel bug was still reproducible.
On 14. 10. 24 18:02, Martin Doucha wrote:
> The original reproducer reported all errors in signal handler and
> triggered INT3 to signal itself. Pass stack selector and CPU flags
> values to C variables and report any discrepancies using standard
> LTP functions.
>
> Signed-off-by: Martin Doucha <mdoucha@suse.cz>
> ---
> testcases/cve/cve-2015-3290.c | 39 ++++++++++++++++++++++-------------
> 1 file changed, 25 insertions(+), 14 deletions(-)
>
> diff --git a/testcases/cve/cve-2015-3290.c b/testcases/cve/cve-2015-3290.c
> index 143c98230..4185c22a7 100644
> --- a/testcases/cve/cve-2015-3290.c
> +++ b/testcases/cve/cve-2015-3290.c
> @@ -177,6 +177,8 @@ static greg_t *csptr(ucontext_t *ctx)
> }
> #endif
>
> +#define LDT_SS 0x7
> +
> static volatile long expected_rsp;
> static int running = 1;
>
> @@ -220,6 +222,8 @@ static void set_ldt(void)
>
> static void try_corrupt_stack(unsigned short *orig_ss)
> {
> + unsigned long flags = 0, new_ss = 0;
> +
> #ifdef __x86_64__
> asm volatile (
> /* A small puzzle for the curious reader. */
> @@ -227,6 +231,7 @@ static void try_corrupt_stack(unsigned short *orig_ss)
>
> /* Save rsp for diagnostics */
> "mov %%rsp, %[expected_rsp] \n\t"
> + "xorq %%rax, %%rax \n\t"
>
> /*
> * Let 'er rip.
> @@ -255,16 +260,14 @@ static void try_corrupt_stack(unsigned short *orig_ss)
>
> "subq $128, %%rsp \n\t"
> "pushfq \n\t"
> - "testl $(1<<9),(%%rsp) \n\t"
> + "movq (%%rsp),%%rdx \n\t"
> "addq $136, %%rsp \n\t"
> - "jz 3f \n\t"
> - "cmpl %[ss], %%eax \n\t"
> - "je 4f \n\t"
> + "jmp 4f \n\t"
> "3: int3 \n\t"
> "4: \n\t"
> - : [expected_rsp] "=m" (expected_rsp)
> - : [ss] "n" (0x7), [orig_ss] "r" (orig_ss)
> - : "rax", "rcx", "rdx", "rbp", "r11", "flags"
> + : [expected_rsp] "=m" (expected_rsp), "+d" (flags), "+a" (new_ss)
> + : [ss] "n" (LDT_SS), [orig_ss] "r" (orig_ss)
> + : "rcx", "rbp", "r11", "flags"
> );
> #else
> asm volatile (
> @@ -274,6 +277,7 @@ static void try_corrupt_stack(unsigned short *orig_ss)
>
> /* Save rsp for diagnostics */
> "mov %%esp, %[expected_rsp] \n\t"
> + "xorl %%eax, %%eax \n\t"
>
> /*
> * Let 'er rip.
> @@ -303,18 +307,25 @@ static void try_corrupt_stack(unsigned short *orig_ss)
> "mov (%[orig_ss]), %%ss \n\t" /* end corruption */
>
> "pushf \n\t"
> - "testl $(1<<9),(%%esp) \n\t"
> + "movl (%%esp), %%edx \n\t"
> "addl $4, %%esp \n\t"
> - "jz 3f \n\t"
> - "cmpl %[ss], %%eax \n\t"
> - "je 4f \n\t"
> + "jmp 4f \n\t"
> "3: int3 \n\t"
> "4: mov %%esi, %%ebp \n\t"
> - : [expected_rsp] "=m" (expected_rsp)
> - : [ss] "n" (0x7), [orig_ss] "r" (orig_ss)
> - : "eax", "ecx", "edx", "esi", "ebp", "flags"
> + : [expected_rsp] "=m" (expected_rsp), "+d" (flags), "+a" (new_ss)
> + : [ss] "n" (LDT_SS), [orig_ss] "r" (orig_ss)
> + : "ecx", "esi", "ebp", "flags"
> );
> #endif
> +
> + if (!(flags & (1 << 9))) {
> + tst_res(TFAIL, "Interrupt flag is disabled (0x%lx)", flags);
> + }
> +
> + if (new_ss != LDT_SS) {
> + tst_res(TFAIL, "Wrong stack selector 0x%lx, expected 0x%x",
> + new_ss, LDT_SS);
> + }
> }
>
> static int perf_event_open(struct perf_event_attr *hw_event, pid_t pid,
--
Martin Doucha mdoucha@suse.cz
SW Quality Engineer
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic