selftests/x86: Add a syscall_arg_fault_64 test for negative GSBASE (a5d25e01) · Commits · 戴 / test

If the kernel erroneously allows WRGSBASE and user code writes a negative value, paranoid_entry will get confused. Check for this by writing a negative value to GSBASE and doing SYSENTER with TF set. A successful run looks like: [RUN] SYSENTER with TF, invalid state, and GSBASE < 0 [SKIP] Illegal instruction A failed run causes a kernel hang, and I believe it's because we double-fault and then get a never ending series of page faults and, when we exhaust the double fault stack we double fault again, starting the process over. Signed-off-by:

Andy Lutomirski <luto@kernel.org> Signed-off-by:

Borislav Petkov <bp@suse.de> Link: https://lkml.kernel.org/r/f4f71efc91b9eae5e3dae21c9aee1c70cf5f370e.1590620529.git.luto@kernel.org

tools/testing/selftests/x86/syscall_arg_fault.c

+26 −0

Original line number	Diff line number	Diff line
		@@ -72,6 +72,7 @@ static void sigsegv_or_sigbus(int sig, siginfo_t info, void ctx_void)
		if (ax != -EFAULT && ax != -ENOSYS) {
		printf("[FAIL]\tAX had the wrong value: 0x%lx\n",
		(unsigned long)ax);
		printf("\tIP = 0x%lx\n", (unsigned long)ctx->uc_mcontext.gregs[REG_IP]);
		n_errs++;
		} else {
		printf("[OK]\tSeems okay\n");
		@@ -226,5 +227,30 @@ int main()
		}
		set_eflags(get_eflags() & ~X86_EFLAGS_TF);

		#ifdef __x86_64__
		printf("[RUN]\tSYSENTER with TF, invalid state, and GSBASE < 0\n");

		if (sigsetjmp(jmpbuf, 1) == 0) {
		sigtrap_consecutive_syscalls = 0;

		asm volatile ("wrgsbase %%rax\n\t"
		:: "a" (0xffffffffffff0000UL));

		set_eflags(get_eflags() \| X86_EFLAGS_TF);
		asm volatile (
		"movl $-1, %%eax\n\t"
		"movl $-1, %%ebx\n\t"
		"movl $-1, %%ecx\n\t"
		"movl $-1, %%edx\n\t"
		"movl $-1, %%esi\n\t"
		"movl $-1, %%edi\n\t"
		"movl $-1, %%ebp\n\t"
		"movl $-1, %%esp\n\t"
		"sysenter"
		: : : "memory", "flags");
		}
		set_eflags(get_eflags() & ~X86_EFLAGS_TF);
		#endif

		return 0;
		}

Admin message