1 // SPDX-License-Identifier: GPL-2.0
3 * ldt_gdt.c - Test cases for LDT and GDT access
4 * Copyright (c) 2015 Andrew Lutomirski
17 #include <sys/syscall.h>
19 #include <sys/types.h>
24 #include <linux/futex.h>
26 #include <asm/prctl.h>
27 #include <sys/prctl.h>
29 #define AR_ACCESSED (1<<8)
31 #define AR_TYPE_RODATA (0 * (1<<9))
32 #define AR_TYPE_RWDATA (1 * (1<<9))
33 #define AR_TYPE_RODATA_EXPDOWN (2 * (1<<9))
34 #define AR_TYPE_RWDATA_EXPDOWN (3 * (1<<9))
35 #define AR_TYPE_XOCODE (4 * (1<<9))
36 #define AR_TYPE_XRCODE (5 * (1<<9))
37 #define AR_TYPE_XOCODE_CONF (6 * (1<<9))
38 #define AR_TYPE_XRCODE_CONF (7 * (1<<9))
40 #define AR_DPL3 (3 * (1<<13))
42 #define AR_S (1 << 12)
43 #define AR_P (1 << 15)
44 #define AR_AVL (1 << 20)
45 #define AR_L (1 << 21)
46 #define AR_DB (1 << 22)
47 #define AR_G (1 << 23)
50 # define INT80_CLOBBERS "r8", "r9", "r10", "r11"
52 # define INT80_CLOBBERS
57 /* Points to an array of 1024 ints, each holding its own index. */
58 static const unsigned int *counter_page;
59 static struct user_desc *low_user_desc;
60 static struct user_desc *low_user_desc_clear; /* Use to delete GDT entry */
61 static int gdt_entry_num;
63 static void check_invalid_segment(uint16_t index, int ldt)
65 uint32_t has_limit = 0, has_ar = 0, limit, ar;
66 uint32_t selector = (index << 3) | (ldt << 2) | 3;
68 asm ("lsl %[selector], %[limit]\n\t"
70 "movl $1, %[has_limit]\n\t"
72 : [limit] "=r" (limit), [has_limit] "+rm" (has_limit)
73 : [selector] "r" (selector));
74 asm ("larl %[selector], %[ar]\n\t"
76 "movl $1, %[has_ar]\n\t"
78 : [ar] "=r" (ar), [has_ar] "+rm" (has_ar)
79 : [selector] "r" (selector));
81 if (has_limit || has_ar) {
82 printf("[FAIL]\t%s entry %hu is valid but should be invalid\n",
83 (ldt ? "LDT" : "GDT"), index);
86 printf("[OK]\t%s entry %hu is invalid\n",
87 (ldt ? "LDT" : "GDT"), index);
91 static void check_valid_segment(uint16_t index, int ldt,
92 uint32_t expected_ar, uint32_t expected_limit,
95 uint32_t has_limit = 0, has_ar = 0, limit, ar;
96 uint32_t selector = (index << 3) | (ldt << 2) | 3;
98 asm ("lsl %[selector], %[limit]\n\t"
100 "movl $1, %[has_limit]\n\t"
102 : [limit] "=r" (limit), [has_limit] "+rm" (has_limit)
103 : [selector] "r" (selector));
104 asm ("larl %[selector], %[ar]\n\t"
106 "movl $1, %[has_ar]\n\t"
108 : [ar] "=r" (ar), [has_ar] "+rm" (has_ar)
109 : [selector] "r" (selector));
111 if (!has_limit || !has_ar) {
112 printf("[FAIL]\t%s entry %hu is invalid but should be valid\n",
113 (ldt ? "LDT" : "GDT"), index);
118 if (ar != expected_ar) {
119 printf("[FAIL]\t%s entry %hu has AR 0x%08X but expected 0x%08X\n",
120 (ldt ? "LDT" : "GDT"), index, ar, expected_ar);
122 } else if (limit != expected_limit) {
123 printf("[FAIL]\t%s entry %hu has limit 0x%08X but expected 0x%08X\n",
124 (ldt ? "LDT" : "GDT"), index, limit, expected_limit);
126 } else if (verbose) {
127 printf("[OK]\t%s entry %hu has AR 0x%08X and limit 0x%08X\n",
128 (ldt ? "LDT" : "GDT"), index, ar, limit);
132 static bool install_valid_mode(const struct user_desc *desc, uint32_t ar,
135 int ret = syscall(SYS_modify_ldt, oldmode ? 1 : 0x11,
136 desc, sizeof(*desc));
140 uint32_t limit = desc->limit;
141 if (desc->limit_in_pages)
142 limit = (limit << 12) + 4095;
143 check_valid_segment(desc->entry_number, 1, ar, limit, true);
145 } else if (errno == ENOSYS) {
146 printf("[OK]\tmodify_ldt returned -ENOSYS\n");
149 if (desc->seg_32bit) {
150 printf("[FAIL]\tUnexpected modify_ldt failure %d\n",
155 printf("[OK]\tmodify_ldt rejected 16 bit segment\n");
161 static bool install_valid(const struct user_desc *desc, uint32_t ar)
163 return install_valid_mode(desc, ar, false);
166 static void install_invalid(const struct user_desc *desc, bool oldmode)
168 int ret = syscall(SYS_modify_ldt, oldmode ? 1 : 0x11,
169 desc, sizeof(*desc));
173 check_invalid_segment(desc->entry_number, 1);
174 } else if (errno == ENOSYS) {
175 printf("[OK]\tmodify_ldt returned -ENOSYS\n");
177 if (desc->seg_32bit) {
178 printf("[FAIL]\tUnexpected modify_ldt failure %d\n",
182 printf("[OK]\tmodify_ldt rejected 16 bit segment\n");
187 static int safe_modify_ldt(int func, struct user_desc *ptr,
188 unsigned long bytecount)
190 int ret = syscall(SYS_modify_ldt, 0x11, ptr, bytecount);
196 static void fail_install(struct user_desc *desc)
198 if (safe_modify_ldt(0x11, desc, sizeof(*desc)) == 0) {
199 printf("[FAIL]\tmodify_ldt accepted a bad descriptor\n");
201 } else if (errno == ENOSYS) {
202 printf("[OK]\tmodify_ldt returned -ENOSYS\n");
204 printf("[OK]\tmodify_ldt failure %d\n", errno);
208 static void do_simple_tests(void)
210 struct user_desc desc = {
215 .contents = 2, /* Code, not conforming */
218 .seg_not_present = 0,
221 install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE | AR_S | AR_P | AR_DB);
223 desc.limit_in_pages = 1;
224 install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
225 AR_S | AR_P | AR_DB | AR_G);
227 check_invalid_segment(1, 1);
229 desc.entry_number = 2;
230 install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
231 AR_S | AR_P | AR_DB | AR_G);
233 check_invalid_segment(1, 1);
235 desc.base_addr = 0xf0000000;
236 install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
237 AR_S | AR_P | AR_DB | AR_G);
240 install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
241 AR_S | AR_P | AR_DB | AR_G | AR_AVL);
243 desc.seg_not_present = 1;
244 install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
245 AR_S | AR_DB | AR_G | AR_AVL);
248 install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
249 AR_S | AR_G | AR_AVL);
253 install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA |
254 AR_S | AR_DB | AR_G | AR_AVL);
256 desc.read_exec_only = 1;
257 install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA |
258 AR_S | AR_DB | AR_G | AR_AVL);
261 install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA_EXPDOWN |
262 AR_S | AR_DB | AR_G | AR_AVL);
264 desc.read_exec_only = 0;
265 desc.limit_in_pages = 0;
266 install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA_EXPDOWN |
267 AR_S | AR_DB | AR_AVL);
270 install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE_CONF |
271 AR_S | AR_DB | AR_AVL);
273 desc.read_exec_only = 1;
274 install_valid(&desc, AR_DPL3 | AR_TYPE_XOCODE_CONF |
275 AR_S | AR_DB | AR_AVL);
277 desc.read_exec_only = 0;
279 install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE |
280 AR_S | AR_DB | AR_AVL);
282 desc.read_exec_only = 1;
286 install_valid(&desc, AR_DPL3 | AR_TYPE_XOCODE |
287 AR_S | AR_DB | AR_AVL);
291 bool entry1_okay = install_valid(&desc, AR_DPL3 | AR_TYPE_XOCODE |
292 AR_S | AR_DB | AR_AVL);
295 printf("[RUN]\tTest fork\n");
296 pid_t child = fork();
299 check_valid_segment(desc.entry_number, 1,
300 AR_DPL3 | AR_TYPE_XOCODE |
301 AR_S | AR_DB | AR_AVL, desc.limit,
303 check_invalid_segment(1, 1);
307 if (waitpid(child, &status, 0) != child ||
308 !WIFEXITED(status)) {
309 printf("[FAIL]\tChild died\n");
311 } else if (WEXITSTATUS(status) != 0) {
312 printf("[FAIL]\tChild failed\n");
315 printf("[OK]\tChild succeeded\n");
319 printf("[RUN]\tTest size\n");
321 for (i = 0; i < 8192; i++) {
322 desc.entry_number = i;
324 if (safe_modify_ldt(0x11, &desc, sizeof(desc)) != 0) {
325 printf("[FAIL]\tFailed to install entry %d\n", i);
330 for (int j = 0; j < i; j++) {
331 check_valid_segment(j, 1, AR_DPL3 | AR_TYPE_XOCODE |
332 AR_S | AR_DB | AR_AVL, j, false);
334 printf("[DONE]\tSize test\n");
336 printf("[SKIP]\tSkipping fork and size tests because we have no LDT\n");
339 /* Test entry_number too high. */
340 desc.entry_number = 8192;
343 /* Test deletion and actions mistakeable for deletion. */
344 memset(&desc, 0, sizeof(desc));
345 install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P);
347 desc.seg_not_present = 1;
348 install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S);
350 desc.seg_not_present = 0;
351 desc.read_exec_only = 1;
352 install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA | AR_S | AR_P);
354 desc.read_exec_only = 0;
355 desc.seg_not_present = 1;
356 install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S);
358 desc.read_exec_only = 1;
360 install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA | AR_S);
364 install_valid(&desc, AR_DPL3 | AR_TYPE_RODATA | AR_S);
367 install_invalid(&desc, false);
369 desc.seg_not_present = 0;
370 desc.read_exec_only = 0;
372 install_valid(&desc, AR_DPL3 | AR_TYPE_RWDATA | AR_S | AR_P | AR_DB);
373 install_invalid(&desc, true);
379 * 2: thread should clear LDT entry 0
380 * 3: thread should exit
382 static volatile unsigned int ftx;
384 static void *threadproc(void *ctx)
389 if (sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0)
390 err(1, "sched_setaffinity to CPU 1"); /* should never fail */
393 syscall(SYS_futex, &ftx, FUTEX_WAIT, 0, NULL, NULL, 0);
399 /* clear LDT entry 0 */
400 const struct user_desc desc = {};
401 if (syscall(SYS_modify_ldt, 1, &desc, sizeof(desc)) != 0)
402 err(1, "modify_ldt");
404 /* If ftx == 2, set it to zero. If ftx == 100, quit. */
406 asm volatile ("lock xaddl %[x], %[ftx]" :
407 [x] "+r" (x), [ftx] "+m" (ftx));
416 #define SA_RESTORER 0x04000000
420 * The UAPI header calls this 'struct sigaction', which conflicts with
423 struct fake_ksigaction {
424 void *handler; /* the real type is nasty */
425 unsigned long sa_flags;
426 void (*sa_restorer)(void);
427 unsigned char sigset[8];
430 static void fix_sa_restorer(int sig)
432 struct fake_ksigaction ksa;
434 if (syscall(SYS_rt_sigaction, sig, NULL, &ksa, 8) == 0) {
436 * glibc has a nasty bug: it sometimes writes garbage to
437 * sa_restorer. This interacts quite badly with anything
438 * that fiddles with SS because it can trigger legacy
439 * stack switching. Patch it up. See:
441 * https://sourceware.org/bugzilla/show_bug.cgi?id=21269
443 if (!(ksa.sa_flags & SA_RESTORER) && ksa.sa_restorer) {
444 ksa.sa_restorer = NULL;
445 if (syscall(SYS_rt_sigaction, sig, &ksa, NULL,
446 sizeof(ksa.sigset)) != 0)
447 err(1, "rt_sigaction");
452 static void fix_sa_restorer(int sig)
454 /* 64-bit glibc works fine. */
458 static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
462 memset(&sa, 0, sizeof(sa));
463 sa.sa_sigaction = handler;
464 sa.sa_flags = SA_SIGINFO | flags;
465 sigemptyset(&sa.sa_mask);
466 if (sigaction(sig, &sa, 0))
469 fix_sa_restorer(sig);
472 static jmp_buf jmpbuf;
474 static void sigsegv(int sig, siginfo_t *info, void *ctx_void)
476 siglongjmp(jmpbuf, 1);
479 static void do_multicpu_tests(void)
483 int failures = 0, iters = 5, i;
484 unsigned short orig_ss;
488 if (sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0) {
489 printf("[SKIP]\tCannot set affinity to CPU 1\n");
495 if (sched_setaffinity(0, sizeof(cpuset), &cpuset) != 0) {
496 printf("[SKIP]\tCannot set affinity to CPU 0\n");
500 sethandler(SIGSEGV, sigsegv, 0);
502 /* True 32-bit kernels send SIGILL instead of SIGSEGV on IRET faults. */
503 sethandler(SIGILL, sigsegv, 0);
506 printf("[RUN]\tCross-CPU LDT invalidation\n");
508 if (pthread_create(&thread, 0, threadproc, 0) != 0)
509 err(1, "pthread_create");
511 asm volatile ("mov %%ss, %0" : "=rm" (orig_ss));
513 for (i = 0; i < 5; i++) {
514 if (sigsetjmp(jmpbuf, 1) != 0)
517 /* Make sure the thread is ready after the last test. */
521 struct user_desc desc = {
526 .contents = 0, /* Data */
529 .seg_not_present = 0,
533 if (safe_modify_ldt(0x11, &desc, sizeof(desc)) != 0) {
535 err(1, "modify_ldt");
536 printf("[SKIP]\tmodify_ldt unavailable\n");
540 /* Arm the thread. */
542 syscall(SYS_futex, &ftx, FUTEX_WAKE, 0, NULL, NULL, 0);
544 asm volatile ("mov %0, %%ss" : : "r" (0x7));
553 * On success, modify_ldt will segfault us synchronously,
554 * and we'll escape via siglongjmp.
558 asm volatile ("mov %0, %%ss" : : "rm" (orig_ss));
561 ftx = 100; /* Kill the thread. */
562 syscall(SYS_futex, &ftx, FUTEX_WAKE, 0, NULL, NULL, 0);
564 if (pthread_join(thread, NULL) != 0)
565 err(1, "pthread_join");
568 printf("[FAIL]\t%d of %d iterations failed\n", failures, iters);
571 printf("[OK]\tAll %d iterations succeeded\n", iters);
575 static int finish_exec_test(void)
578 * In a sensible world, this would be check_invalid_segment(0, 1);
579 * For better or for worse, though, the LDT is inherited across exec.
580 * We can probably change this safely, but for now we test it.
582 check_valid_segment(0, 1,
583 AR_DPL3 | AR_TYPE_XRCODE | AR_S | AR_P | AR_DB,
586 return nerrs ? 1 : 0;
589 static void do_exec_test(void)
591 printf("[RUN]\tTest exec\n");
593 struct user_desc desc = {
598 .contents = 2, /* Code, not conforming */
601 .seg_not_present = 0,
604 install_valid(&desc, AR_DPL3 | AR_TYPE_XRCODE | AR_S | AR_P | AR_DB);
606 pid_t child = fork();
608 execl("/proc/self/exe", "ldt_gdt_test_exec", NULL);
609 printf("[FAIL]\tCould not exec self\n");
610 exit(1); /* exec failed */
613 if (waitpid(child, &status, 0) != child ||
614 !WIFEXITED(status)) {
615 printf("[FAIL]\tChild died\n");
617 } else if (WEXITSTATUS(status) != 0) {
618 printf("[FAIL]\tChild failed\n");
621 printf("[OK]\tChild succeeded\n");
626 static void setup_counter_page(void)
628 unsigned int *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
629 MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
630 if (page == MAP_FAILED)
633 for (int i = 0; i < 1024; i++)
638 static int invoke_set_thread_area(void)
641 asm volatile ("int $0x80"
642 : "=a" (ret), "+m" (low_user_desc) :
643 "a" (243), "b" (low_user_desc)
648 static void setup_low_user_desc(void)
650 low_user_desc = mmap(NULL, 2 * sizeof(struct user_desc),
651 PROT_READ | PROT_WRITE,
652 MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
653 if (low_user_desc == MAP_FAILED)
656 low_user_desc->entry_number = -1;
657 low_user_desc->base_addr = (unsigned long)&counter_page[1];
658 low_user_desc->limit = 0xfffff;
659 low_user_desc->seg_32bit = 1;
660 low_user_desc->contents = 0; /* Data, grow-up*/
661 low_user_desc->read_exec_only = 0;
662 low_user_desc->limit_in_pages = 1;
663 low_user_desc->seg_not_present = 0;
664 low_user_desc->useable = 0;
666 if (invoke_set_thread_area() == 0) {
667 gdt_entry_num = low_user_desc->entry_number;
668 printf("[NOTE]\tset_thread_area is available; will use GDT index %d\n", gdt_entry_num);
670 printf("[NOTE]\tset_thread_area is unavailable\n");
673 low_user_desc_clear = low_user_desc + 1;
674 low_user_desc_clear->entry_number = gdt_entry_num;
675 low_user_desc_clear->read_exec_only = 1;
676 low_user_desc_clear->seg_not_present = 1;
679 static void test_gdt_invalidation(void)
682 return; /* 64-bit only system -- we can't use set_thread_area */
684 unsigned short prev_sel;
689 unsigned long saved_base;
690 unsigned long new_base;
694 invoke_set_thread_area();
696 sel = (gdt_entry_num << 3) | 3;
697 asm volatile ("movw %%ds, %[prev_sel]\n\t"
698 "movw %[sel], %%ds\n\t"
702 "movl %[arg1], %%ebx\n\t"
703 "int $0x80\n\t" /* Should invalidate ds */
707 "movw %%ds, %[sel]\n\t"
708 "movw %[prev_sel], %%ds"
709 : [prev_sel] "=&r" (prev_sel), [sel] "+r" (sel),
711 : "m" (low_user_desc_clear),
712 [arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
721 printf("[%s]\tInvalidate DS with set_thread_area: new DS = 0x%hx\n",
725 invoke_set_thread_area();
727 sel = (gdt_entry_num << 3) | 3;
728 asm volatile ("movw %%es, %[prev_sel]\n\t"
729 "movw %[sel], %%es\n\t"
733 "movl %[arg1], %%ebx\n\t"
734 "int $0x80\n\t" /* Should invalidate es */
738 "movw %%es, %[sel]\n\t"
739 "movw %[prev_sel], %%es"
740 : [prev_sel] "=&r" (prev_sel), [sel] "+r" (sel),
742 : "m" (low_user_desc_clear),
743 [arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
752 printf("[%s]\tInvalidate ES with set_thread_area: new ES = 0x%hx\n",
756 invoke_set_thread_area();
758 sel = (gdt_entry_num << 3) | 3;
760 syscall(SYS_arch_prctl, ARCH_GET_FS, &saved_base);
762 asm volatile ("movw %%fs, %[prev_sel]\n\t"
763 "movw %[sel], %%fs\n\t"
767 "movl %[arg1], %%ebx\n\t"
768 "int $0x80\n\t" /* Should invalidate fs */
772 "movw %%fs, %[sel]\n\t"
773 : [prev_sel] "=&r" (prev_sel), [sel] "+r" (sel),
775 : "m" (low_user_desc_clear),
776 [arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
780 syscall(SYS_arch_prctl, ARCH_GET_FS, &new_base);
783 /* Restore FS/BASE for glibc */
784 asm volatile ("movw %[prev_sel], %%fs" : : [prev_sel] "rm" (prev_sel));
787 syscall(SYS_arch_prctl, ARCH_SET_FS, saved_base);
796 printf("[%s]\tInvalidate FS with set_thread_area: new FS = 0x%hx\n",
800 if (sel == 0 && new_base != 0) {
802 printf("[FAIL]\tNew FSBASE was 0x%lx\n", new_base);
804 printf("[OK]\tNew FSBASE was zero\n");
809 invoke_set_thread_area();
811 sel = (gdt_entry_num << 3) | 3;
813 syscall(SYS_arch_prctl, ARCH_GET_GS, &saved_base);
815 asm volatile ("movw %%gs, %[prev_sel]\n\t"
816 "movw %[sel], %%gs\n\t"
820 "movl %[arg1], %%ebx\n\t"
821 "int $0x80\n\t" /* Should invalidate gs */
825 "movw %%gs, %[sel]\n\t"
826 : [prev_sel] "=&r" (prev_sel), [sel] "+r" (sel),
828 : "m" (low_user_desc_clear),
829 [arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
833 syscall(SYS_arch_prctl, ARCH_GET_GS, &new_base);
836 /* Restore GS/BASE for glibc */
837 asm volatile ("movw %[prev_sel], %%gs" : : [prev_sel] "rm" (prev_sel));
840 syscall(SYS_arch_prctl, ARCH_SET_GS, saved_base);
849 printf("[%s]\tInvalidate GS with set_thread_area: new GS = 0x%hx\n",
853 if (sel == 0 && new_base != 0) {
855 printf("[FAIL]\tNew GSBASE was 0x%lx\n", new_base);
857 printf("[OK]\tNew GSBASE was zero\n");
862 int main(int argc, char **argv)
864 if (argc == 1 && !strcmp(argv[0], "ldt_gdt_test_exec"))
865 return finish_exec_test();
867 setup_counter_page();
868 setup_low_user_desc();
876 test_gdt_invalidation();
878 return nerrs ? 1 : 0;