blob: 6a33889d0902af7430d0d51451148787e8cbacf0 [file] [log] [blame]
// SPDX-License-Identifier: GPL-2.0
/*
* This is for all the tests relating directly to Control Flow Integrity.
*/
#include "lkdtm.h"
#include <asm/page.h>
static int called_count;
/* Function taking one argument, without a return value. */
static noinline void lkdtm_increment_void(int *counter)
{
(*counter)++;
}
/* Function taking one argument, returning int. */
static noinline int lkdtm_increment_int(int *counter)
{
(*counter)++;
return *counter;
}
/* Don't allow the compiler to inline the calls. */
static noinline void lkdtm_indirect_call(void (*func)(int *))
{
func(&called_count);
}
/*
* This tries to call an indirect function with a mismatched prototype.
*/
static void lkdtm_CFI_FORWARD_PROTO(void)
{
/*
* Matches lkdtm_increment_void()'s prototype, but not
* lkdtm_increment_int()'s prototype.
*/
pr_info("Calling matched prototype ...\n");
lkdtm_indirect_call(lkdtm_increment_void);
pr_info("Calling mismatched prototype ...\n");
lkdtm_indirect_call((void *)lkdtm_increment_int);
pr_err("FAIL: survived mismatched prototype function call!\n");
pr_expected_config(CONFIG_CFI_CLANG);
}
/*
* This can stay local to LKDTM, as there should not be a production reason
* to disable PAC && SCS.
*/
#ifdef CONFIG_ARM64_PTR_AUTH_KERNEL
# ifdef CONFIG_ARM64_BTI_KERNEL
# define __no_pac "branch-protection=bti"
# else
# ifdef CONFIG_CC_HAS_BRANCH_PROT_PAC_RET
# define __no_pac "branch-protection=none"
# else
# define __no_pac "sign-return-address=none"
# endif
# endif
# define __no_ret_protection __noscs __attribute__((__target__(__no_pac)))
#else
# define __no_ret_protection __noscs
#endif
#define no_pac_addr(addr) \
((__force __typeof__(addr))((uintptr_t)(addr) | PAGE_OFFSET))
#ifdef CONFIG_RISCV
/* https://github.com/riscv-non-isa/riscv-elf-psabi-doc/blob/master/riscv-cc.adoc#frame-pointer-convention */
#define FRAME_RA_OFFSET (-1)
#else
#define FRAME_RA_OFFSET 1
#endif
/* The ultimate ROP gadget. */
static noinline __no_ret_protection
void set_return_addr_unchecked(unsigned long *expected, unsigned long *addr)
{
/* Use of volatile is to make sure final write isn't seen as a dead store. */
unsigned long * volatile *ret_addr =
(unsigned long **)__builtin_frame_address(0) + FRAME_RA_OFFSET;
/* Make sure we've found the right place on the stack before writing it. */
if (no_pac_addr(*ret_addr) == expected)
*ret_addr = (addr);
else
/* Check architecture, stack layout, or compiler behavior... */
pr_warn("Eek: return address mismatch! %px != %px\n",
*ret_addr, addr);
}
static noinline
void set_return_addr(unsigned long *expected, unsigned long *addr)
{
/* Use of volatile is to make sure final write isn't seen as a dead store. */
unsigned long * volatile *ret_addr =
(unsigned long **)__builtin_frame_address(0) + FRAME_RA_OFFSET;
/* Make sure we've found the right place on the stack before writing it. */
if (no_pac_addr(*ret_addr) == expected)
*ret_addr = (addr);
else
/* Check architecture, stack layout, or compiler behavior... */
pr_warn("Eek: return address mismatch! %px != %px\n",
*ret_addr, addr);
}
static volatile int force_check;
static void lkdtm_CFI_BACKWARD(void)
{
/* Use calculated gotos to keep labels addressable. */
void *labels[] = { NULL, &&normal, &&redirected, &&check_normal, &&check_redirected };
pr_info("Attempting unchecked stack return address redirection ...\n");
/* Always false */
if (force_check) {
/*
* Prepare to call with NULLs to avoid parameters being treated as
* constants in -02.
*/
set_return_addr_unchecked(NULL, NULL);
set_return_addr(NULL, NULL);
if (force_check)
goto *labels[1];
if (force_check)
goto *labels[2];
if (force_check)
goto *labels[3];
if (force_check)
goto *labels[4];
return;
}
/*
* Use fallthrough switch case to keep basic block ordering between
* set_return_addr*() and the label after it.
*/
switch (force_check) {
case 0:
set_return_addr_unchecked(&&normal, &&redirected);
fallthrough;
case 1:
normal:
/* Always true */
if (!force_check) {
pr_err("FAIL: stack return address manipulation failed!\n");
/* If we can't redirect "normally", we can't test mitigations. */
return;
}
break;
default:
redirected:
pr_info("ok: redirected stack return address.\n");
break;
}
pr_info("Attempting checked stack return address redirection ...\n");
switch (force_check) {
case 0:
set_return_addr(&&check_normal, &&check_redirected);
fallthrough;
case 1:
check_normal:
/* Always true */
if (!force_check) {
pr_info("ok: control flow unchanged.\n");
return;
}
check_redirected:
pr_err("FAIL: stack return address was redirected!\n");
break;
}
if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) {
pr_expected_config(CONFIG_ARM64_PTR_AUTH_KERNEL);
return;
}
if (IS_ENABLED(CONFIG_SHADOW_CALL_STACK)) {
pr_expected_config(CONFIG_SHADOW_CALL_STACK);
return;
}
pr_warn("This is probably expected, since this %s was built *without* %s=y nor %s=y\n",
lkdtm_kernel_info,
"CONFIG_ARM64_PTR_AUTH_KERNEL", "CONFIG_SHADOW_CALL_STACK");
}
static struct crashtype crashtypes[] = {
CRASHTYPE(CFI_FORWARD_PROTO),
CRASHTYPE(CFI_BACKWARD),
};
struct crashtype_category cfi_crashtypes = {
.crashtypes = crashtypes,
.len = ARRAY_SIZE(crashtypes),
};