Author | Tokens | Token Proportion | Commits | Commit Proportion |
---|---|---|---|---|
Sandipan Das | 971 | 100.00% | 5 | 100.00% |
Total | 971 | 5 |
// SPDX-License-Identifier: GPL-2.0+ /* * Copyright 2020, Sandipan Das, IBM Corp. * * Test if applying execute protection on pages using memory * protection keys works as expected. */ #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <string.h> #include <signal.h> #include <unistd.h> #include "pkeys.h" #define PPC_INST_NOP 0x60000000 #define PPC_INST_TRAP 0x7fe00008 #define PPC_INST_BLR 0x4e800020 static volatile sig_atomic_t fault_pkey, fault_code, fault_type; static volatile sig_atomic_t remaining_faults; static volatile unsigned int *fault_addr; static unsigned long pgsize, numinsns; static unsigned int *insns; static void trap_handler(int signum, siginfo_t *sinfo, void *ctx) { /* Check if this fault originated from the expected address */ if (sinfo->si_addr != (void *) fault_addr) sigsafe_err("got a fault for an unexpected address\n"); _exit(1); } static void segv_handler(int signum, siginfo_t *sinfo, void *ctx) { int signal_pkey; signal_pkey = siginfo_pkey(sinfo); fault_code = sinfo->si_code; /* Check if this fault originated from the expected address */ if (sinfo->si_addr != (void *) fault_addr) { sigsafe_err("got a fault for an unexpected address\n"); _exit(1); } /* Check if too many faults have occurred for a single test case */ if (!remaining_faults) { sigsafe_err("got too many faults for the same address\n"); _exit(1); } /* Restore permissions in order to continue */ switch (fault_code) { case SEGV_ACCERR: if (mprotect(insns, pgsize, PROT_READ | PROT_WRITE)) { sigsafe_err("failed to set access permissions\n"); _exit(1); } break; case SEGV_PKUERR: if (signal_pkey != fault_pkey) { sigsafe_err("got a fault for an unexpected pkey\n"); _exit(1); } switch (fault_type) { case PKEY_DISABLE_ACCESS: pkey_set_rights(fault_pkey, 0); break; case PKEY_DISABLE_EXECUTE: /* * Reassociate the exec-only pkey with the region * to be able to continue. Unlike AMR, we cannot * set IAMR directly from userspace to restore the * permissions. */ if (mprotect(insns, pgsize, PROT_EXEC)) { sigsafe_err("failed to set execute permissions\n"); _exit(1); } break; default: sigsafe_err("got a fault with an unexpected type\n"); _exit(1); } break; default: sigsafe_err("got a fault with an unexpected code\n"); _exit(1); } remaining_faults--; } static int test(void) { struct sigaction segv_act, trap_act; unsigned long rights; int pkey, ret, i; ret = pkeys_unsupported(); if (ret) return ret; /* Setup SIGSEGV handler */ segv_act.sa_handler = 0; segv_act.sa_sigaction = segv_handler; FAIL_IF(sigprocmask(SIG_SETMASK, 0, &segv_act.sa_mask) != 0); segv_act.sa_flags = SA_SIGINFO; segv_act.sa_restorer = 0; FAIL_IF(sigaction(SIGSEGV, &segv_act, NULL) != 0); /* Setup SIGTRAP handler */ trap_act.sa_handler = 0; trap_act.sa_sigaction = trap_handler; FAIL_IF(sigprocmask(SIG_SETMASK, 0, &trap_act.sa_mask) != 0); trap_act.sa_flags = SA_SIGINFO; trap_act.sa_restorer = 0; FAIL_IF(sigaction(SIGTRAP, &trap_act, NULL) != 0); /* Setup executable region */ pgsize = getpagesize(); numinsns = pgsize / sizeof(unsigned int); insns = (unsigned int *) mmap(NULL, pgsize, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); FAIL_IF(insns == MAP_FAILED); /* Write the instruction words */ for (i = 1; i < numinsns - 1; i++) insns[i] = PPC_INST_NOP; /* * Set the first instruction as an unconditional trap. If * the last write to this address succeeds, this should * get overwritten by a no-op. */ insns[0] = PPC_INST_TRAP; /* * Later, to jump to the executable region, we use a branch * and link instruction (bctrl) which sets the return address * automatically in LR. Use that to return back. */ insns[numinsns - 1] = PPC_INST_BLR; /* Allocate a pkey that restricts execution */ rights = PKEY_DISABLE_EXECUTE; pkey = sys_pkey_alloc(0, rights); FAIL_IF(pkey < 0); /* * Pick the first instruction's address from the executable * region. */ fault_addr = insns; /* The following two cases will avoid SEGV_PKUERR */ fault_type = -1; fault_pkey = -1; /* * Read an instruction word from the address when AMR bits * are not set i.e. the pkey permits both read and write * access. * * This should not generate a fault as having PROT_EXEC * implies PROT_READ on GNU systems. The pkey currently * restricts execution only based on the IAMR bits. The * AMR bits are cleared. */ remaining_faults = 0; FAIL_IF(sys_pkey_mprotect(insns, pgsize, PROT_EXEC, pkey) != 0); printf("read from %p, pkey permissions are %s\n", fault_addr, pkey_rights(rights)); i = *fault_addr; FAIL_IF(remaining_faults != 0); /* * Write an instruction word to the address when AMR bits * are not set i.e. the pkey permits both read and write * access. * * This should generate an access fault as having just * PROT_EXEC also restricts writes. The pkey currently * restricts execution only based on the IAMR bits. The * AMR bits are cleared. */ remaining_faults = 1; FAIL_IF(sys_pkey_mprotect(insns, pgsize, PROT_EXEC, pkey) != 0); printf("write to %p, pkey permissions are %s\n", fault_addr, pkey_rights(rights)); *fault_addr = PPC_INST_TRAP; FAIL_IF(remaining_faults != 0 || fault_code != SEGV_ACCERR); /* The following three cases will generate SEGV_PKUERR */ rights |= PKEY_DISABLE_ACCESS; fault_type = PKEY_DISABLE_ACCESS; fault_pkey = pkey; /* * Read an instruction word from the address when AMR bits * are set i.e. the pkey permits neither read nor write * access. * * This should generate a pkey fault based on AMR bits only * as having PROT_EXEC implicitly allows reads. */ remaining_faults = 1; FAIL_IF(sys_pkey_mprotect(insns, pgsize, PROT_EXEC, pkey) != 0); pkey_set_rights(pkey, rights); printf("read from %p, pkey permissions are %s\n", fault_addr, pkey_rights(rights)); i = *fault_addr; FAIL_IF(remaining_faults != 0 || fault_code != SEGV_PKUERR); /* * Write an instruction word to the address when AMR bits * are set i.e. the pkey permits neither read nor write * access. * * This should generate two faults. First, a pkey fault * based on AMR bits and then an access fault since * PROT_EXEC does not allow writes. */ remaining_faults = 2; FAIL_IF(sys_pkey_mprotect(insns, pgsize, PROT_EXEC, pkey) != 0); pkey_set_rights(pkey, rights); printf("write to %p, pkey permissions are %s\n", fault_addr, pkey_rights(rights)); *fault_addr = PPC_INST_NOP; FAIL_IF(remaining_faults != 0 || fault_code != SEGV_ACCERR); /* Free the current pkey */ sys_pkey_free(pkey); rights = 0; do { /* * Allocate pkeys with all valid combinations of read, * write and execute restrictions. */ pkey = sys_pkey_alloc(0, rights); FAIL_IF(pkey < 0); /* * Jump to the executable region. AMR bits may or may not * be set but they should not affect execution. * * This should generate pkey faults based on IAMR bits which * may be set to restrict execution. * * The first iteration also checks if the overwrite of the * first instruction word from a trap to a no-op succeeded. */ fault_pkey = pkey; fault_type = -1; remaining_faults = 0; if (rights & PKEY_DISABLE_EXECUTE) { fault_type = PKEY_DISABLE_EXECUTE; remaining_faults = 1; } FAIL_IF(sys_pkey_mprotect(insns, pgsize, PROT_EXEC, pkey) != 0); printf("execute at %p, pkey permissions are %s\n", fault_addr, pkey_rights(rights)); asm volatile("mtctr %0; bctrl" : : "r"(insns)); FAIL_IF(remaining_faults != 0); if (rights & PKEY_DISABLE_EXECUTE) FAIL_IF(fault_code != SEGV_PKUERR); /* Free the current pkey */ sys_pkey_free(pkey); /* Find next valid combination of pkey rights */ rights = next_pkey_rights(rights); } while (rights); /* Cleanup */ munmap((void *) insns, pgsize); return 0; } int main(void) { return test_harness(test, "pkey_exec_prot"); }
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.
Created with Cregit http://github.com/cregit/cregit
Version 2.0-RC1