blob: 23ddd453f3623b6c4645fa03a55e3711bf0cee8a [file] [log] [blame]
Thomas Gleixnereeac88a2019-06-01 10:08:58 +02001// SPDX-License-Identifier: GPL-2.0-only
Dave Hansene754aed2016-06-08 10:25:35 -07002/*
3 * mpx-mini-test.c: routines to test Intel MPX (Memory Protection eXtentions)
4 *
5 * Written by:
6 * "Ren, Qiaowei" <qiaowei.ren@intel.com>
7 * "Wei, Gang" <gang.wei@intel.com>
8 * "Hansen, Dave" <dave.hansen@intel.com>
Dave Hansene754aed2016-06-08 10:25:35 -07009 */
10
11/*
12 * 2014-12-05: Dave Hansen: fixed all of the compiler warnings, and made sure
13 * it works on 32-bit.
14 */
15
16int inspect_every_this_many_mallocs = 100;
17int zap_all_every_this_many_mallocs = 1000;
18
19#define _GNU_SOURCE
20#define _LARGEFILE64_SOURCE
21
22#include <string.h>
23#include <stdio.h>
24#include <stdint.h>
25#include <stdbool.h>
26#include <signal.h>
27#include <assert.h>
28#include <stdlib.h>
29#include <ucontext.h>
30#include <sys/mman.h>
31#include <sys/types.h>
32#include <sys/stat.h>
33#include <fcntl.h>
34#include <unistd.h>
35
36#include "mpx-hw.h"
37#include "mpx-debug.h"
38#include "mpx-mm.h"
39
40#ifndef __always_inline
41#define __always_inline inline __attribute__((always_inline)
42#endif
43
44#ifndef TEST_DURATION_SECS
45#define TEST_DURATION_SECS 3
46#endif
47
48void write_int_to(char *prefix, char *file, int int_to_write)
49{
50 char buf[100];
51 int fd = open(file, O_RDWR);
52 int len;
53 int ret;
54
55 assert(fd >= 0);
56 len = snprintf(buf, sizeof(buf), "%s%d", prefix, int_to_write);
57 assert(len >= 0);
58 assert(len < sizeof(buf));
59 ret = write(fd, buf, len);
60 assert(ret == len);
61 ret = close(fd);
62 assert(!ret);
63}
64
65void write_pid_to(char *prefix, char *file)
66{
67 write_int_to(prefix, file, getpid());
68}
69
70void trace_me(void)
71{
72/* tracing events dir */
73#define TED "/sys/kernel/debug/tracing/events/"
74/*
75 write_pid_to("common_pid=", TED "signal/filter");
76 write_pid_to("common_pid=", TED "exceptions/filter");
77 write_int_to("", TED "signal/enable", 1);
78 write_int_to("", TED "exceptions/enable", 1);
79*/
80 write_pid_to("", "/sys/kernel/debug/tracing/set_ftrace_pid");
81 write_int_to("", "/sys/kernel/debug/tracing/trace", 0);
82}
83
84#define test_failed() __test_failed(__FILE__, __LINE__)
85static void __test_failed(char *f, int l)
86{
87 fprintf(stderr, "abort @ %s::%d\n", f, l);
88 abort();
89}
90
91/* Error Printf */
92#define eprintf(args...) fprintf(stderr, args)
93
94#ifdef __i386__
95
96/* i386 directory size is 4MB */
97#define REG_IP_IDX REG_EIP
98#define REX_PREFIX
99
100#define XSAVE_OFFSET_IN_FPMEM sizeof(struct _libc_fpstate)
101
102/*
103 * __cpuid() is from the Linux Kernel:
104 */
105static inline void __cpuid(unsigned int *eax, unsigned int *ebx,
106 unsigned int *ecx, unsigned int *edx)
107{
108 /* ecx is often an input as well as an output. */
109 asm volatile(
110 "push %%ebx;"
111 "cpuid;"
112 "mov %%ebx, %1;"
113 "pop %%ebx"
114 : "=a" (*eax),
115 "=g" (*ebx),
116 "=c" (*ecx),
117 "=d" (*edx)
118 : "0" (*eax), "2" (*ecx));
119}
120
121#else /* __i386__ */
122
123#define REG_IP_IDX REG_RIP
124#define REX_PREFIX "0x48, "
125
126#define XSAVE_OFFSET_IN_FPMEM 0
127
128/*
129 * __cpuid() is from the Linux Kernel:
130 */
131static inline void __cpuid(unsigned int *eax, unsigned int *ebx,
132 unsigned int *ecx, unsigned int *edx)
133{
134 /* ecx is often an input as well as an output. */
135 asm volatile(
136 "cpuid;"
137 : "=a" (*eax),
138 "=b" (*ebx),
139 "=c" (*ecx),
140 "=d" (*edx)
141 : "0" (*eax), "2" (*ecx));
142}
143
144#endif /* !__i386__ */
145
146struct xsave_hdr_struct {
147 uint64_t xstate_bv;
148 uint64_t reserved1[2];
149 uint64_t reserved2[5];
150} __attribute__((packed));
151
152struct bndregs_struct {
153 uint64_t bndregs[8];
154} __attribute__((packed));
155
156struct bndcsr_struct {
157 uint64_t cfg_reg_u;
158 uint64_t status_reg;
159} __attribute__((packed));
160
161struct xsave_struct {
162 uint8_t fpu_sse[512];
163 struct xsave_hdr_struct xsave_hdr;
164 uint8_t ymm[256];
165 uint8_t lwp[128];
166 struct bndregs_struct bndregs;
167 struct bndcsr_struct bndcsr;
168} __attribute__((packed));
169
170uint8_t __attribute__((__aligned__(64))) buffer[4096];
171struct xsave_struct *xsave_buf = (struct xsave_struct *)buffer;
172
173uint8_t __attribute__((__aligned__(64))) test_buffer[4096];
174struct xsave_struct *xsave_test_buf = (struct xsave_struct *)test_buffer;
175
176uint64_t num_bnd_chk;
177
178static __always_inline void xrstor_state(struct xsave_struct *fx, uint64_t mask)
179{
180 uint32_t lmask = mask;
181 uint32_t hmask = mask >> 32;
182
183 asm volatile(".byte " REX_PREFIX "0x0f,0xae,0x2f\n\t"
184 : : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
185 : "memory");
186}
187
188static __always_inline void xsave_state_1(void *_fx, uint64_t mask)
189{
190 uint32_t lmask = mask;
191 uint32_t hmask = mask >> 32;
192 unsigned char *fx = _fx;
193
194 asm volatile(".byte " REX_PREFIX "0x0f,0xae,0x27\n\t"
195 : : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
196 : "memory");
197}
198
199static inline uint64_t xgetbv(uint32_t index)
200{
201 uint32_t eax, edx;
202
203 asm volatile(".byte 0x0f,0x01,0xd0" /* xgetbv */
204 : "=a" (eax), "=d" (edx)
205 : "c" (index));
206 return eax + ((uint64_t)edx << 32);
207}
208
209static uint64_t read_mpx_status_sig(ucontext_t *uctxt)
210{
211 memset(buffer, 0, sizeof(buffer));
212 memcpy(buffer,
213 (uint8_t *)uctxt->uc_mcontext.fpregs + XSAVE_OFFSET_IN_FPMEM,
214 sizeof(struct xsave_struct));
215
216 return xsave_buf->bndcsr.status_reg;
217}
218
219#include <pthread.h>
220
221static uint8_t *get_next_inst_ip(uint8_t *addr)
222{
223 uint8_t *ip = addr;
224 uint8_t sib;
225 uint8_t rm;
226 uint8_t mod;
227 uint8_t base;
228 uint8_t modrm;
229
230 /* determine the prefix. */
231 switch(*ip) {
232 case 0xf2:
233 case 0xf3:
234 case 0x66:
235 ip++;
236 break;
237 }
238
239 /* look for rex prefix */
240 if ((*ip & 0x40) == 0x40)
241 ip++;
242
243 /* Make sure we have a MPX instruction. */
244 if (*ip++ != 0x0f)
245 return addr;
246
247 /* Skip the op code byte. */
248 ip++;
249
250 /* Get the modrm byte. */
251 modrm = *ip++;
252
253 /* Break it down into parts. */
254 rm = modrm & 7;
255 mod = (modrm >> 6);
256
257 /* Init the parts of the address mode. */
258 base = 8;
259
260 /* Is it a mem mode? */
261 if (mod != 3) {
262 /* look for scaled indexed addressing */
263 if (rm == 4) {
264 /* SIB addressing */
265 sib = *ip++;
266 base = sib & 7;
267 switch (mod) {
268 case 0:
269 if (base == 5)
270 ip += 4;
271 break;
272
273 case 1:
274 ip++;
275 break;
276
277 case 2:
278 ip += 4;
279 break;
280 }
281
282 } else {
283 /* MODRM addressing */
284 switch (mod) {
285 case 0:
286 /* DISP32 addressing, no base */
287 if (rm == 5)
288 ip += 4;
289 break;
290
291 case 1:
292 ip++;
293 break;
294
295 case 2:
296 ip += 4;
297 break;
298 }
299 }
300 }
301 return ip;
302}
303
304#ifdef si_lower
305static inline void *__si_bounds_lower(siginfo_t *si)
306{
307 return si->si_lower;
308}
309
310static inline void *__si_bounds_upper(siginfo_t *si)
311{
312 return si->si_upper;
313}
314#else
Rui Wang961888b2017-12-18 16:34:10 +0800315
316/*
317 * This deals with old version of _sigfault in some distros:
318 *
319
320old _sigfault:
321 struct {
322 void *si_addr;
323 } _sigfault;
324
325new _sigfault:
326 struct {
327 void __user *_addr;
328 int _trapno;
329 short _addr_lsb;
330 union {
331 struct {
332 void __user *_lower;
333 void __user *_upper;
334 } _addr_bnd;
335 __u32 _pkey;
336 };
337 } _sigfault;
338 *
339 */
340
Dave Hansene754aed2016-06-08 10:25:35 -0700341static inline void **__si_bounds_hack(siginfo_t *si)
342{
343 void *sigfault = &si->_sifields._sigfault;
344 void *end_sigfault = sigfault + sizeof(si->_sifields._sigfault);
Rui Wang961888b2017-12-18 16:34:10 +0800345 int *trapno = (int*)end_sigfault;
346 /* skip _trapno and _addr_lsb */
347 void **__si_lower = (void**)(trapno + 2);
Dave Hansene754aed2016-06-08 10:25:35 -0700348
349 return __si_lower;
350}
351
352static inline void *__si_bounds_lower(siginfo_t *si)
353{
354 return *__si_bounds_hack(si);
355}
356
357static inline void *__si_bounds_upper(siginfo_t *si)
358{
Rui Wang961888b2017-12-18 16:34:10 +0800359 return *(__si_bounds_hack(si) + 1);
Dave Hansene754aed2016-06-08 10:25:35 -0700360}
361#endif
362
363static int br_count;
364static int expected_bnd_index = -1;
365uint64_t shadow_plb[NR_MPX_BOUNDS_REGISTERS][2]; /* shadow MPX bound registers */
366unsigned long shadow_map[NR_MPX_BOUNDS_REGISTERS];
367
Ingo Molnar73bb4d62018-05-14 10:59:08 +0200368/* Failed address bound checks: */
369#ifndef SEGV_BNDERR
370# define SEGV_BNDERR 3
371#endif
372
Dave Hansene754aed2016-06-08 10:25:35 -0700373/*
374 * The kernel is supposed to provide some information about the bounds
375 * exception in the siginfo. It should match what we have in the bounds
376 * registers that we are checking against. Just check against the shadow copy
377 * since it is easily available, and we also check that *it* matches the real
378 * registers.
379 */
380void check_siginfo_vs_shadow(siginfo_t* si)
381{
382 int siginfo_ok = 1;
383 void *shadow_lower = (void *)(unsigned long)shadow_plb[expected_bnd_index][0];
384 void *shadow_upper = (void *)(unsigned long)shadow_plb[expected_bnd_index][1];
385
386 if ((expected_bnd_index < 0) ||
387 (expected_bnd_index >= NR_MPX_BOUNDS_REGISTERS)) {
388 fprintf(stderr, "ERROR: invalid expected_bnd_index: %d\n",
389 expected_bnd_index);
390 exit(6);
391 }
392 if (__si_bounds_lower(si) != shadow_lower)
393 siginfo_ok = 0;
394 if (__si_bounds_upper(si) != shadow_upper)
395 siginfo_ok = 0;
396
397 if (!siginfo_ok) {
398 fprintf(stderr, "ERROR: siginfo bounds do not match "
399 "shadow bounds for register %d\n", expected_bnd_index);
400 exit(7);
401 }
402}
403
404void handler(int signum, siginfo_t *si, void *vucontext)
405{
406 int i;
407 ucontext_t *uctxt = vucontext;
408 int trapno;
409 unsigned long ip;
410
411 dprintf1("entered signal handler\n");
412
413 trapno = uctxt->uc_mcontext.gregs[REG_TRAPNO];
414 ip = uctxt->uc_mcontext.gregs[REG_IP_IDX];
415
416 if (trapno == 5) {
417 typeof(si->si_addr) *si_addr_ptr = &si->si_addr;
418 uint64_t status = read_mpx_status_sig(uctxt);
419 uint64_t br_reason = status & 0x3;
420
421 br_count++;
422 dprintf1("#BR 0x%jx (total seen: %d)\n", status, br_count);
423
Dave Hansene754aed2016-06-08 10:25:35 -0700424 dprintf2("Saw a #BR! status 0x%jx at %016lx br_reason: %jx\n",
425 status, ip, br_reason);
426 dprintf2("si_signo: %d\n", si->si_signo);
427 dprintf2(" signum: %d\n", signum);
428 dprintf2("info->si_code == SEGV_BNDERR: %d\n",
429 (si->si_code == SEGV_BNDERR));
430 dprintf2("info->si_code: %d\n", si->si_code);
431 dprintf2("info->si_lower: %p\n", __si_bounds_lower(si));
432 dprintf2("info->si_upper: %p\n", __si_bounds_upper(si));
433
Dave Hansene754aed2016-06-08 10:25:35 -0700434 for (i = 0; i < 8; i++)
435 dprintf3("[%d]: %p\n", i, si_addr_ptr[i]);
436 switch (br_reason) {
437 case 0: /* traditional BR */
438 fprintf(stderr,
439 "Undefined status with bound exception:%jx\n",
440 status);
441 exit(5);
442 case 1: /* #BR MPX bounds exception */
443 /* these are normal and we expect to see them */
Joerg Roedel5f2173e2017-04-06 16:23:18 +0200444
445 check_siginfo_vs_shadow(si);
446
Dave Hansene754aed2016-06-08 10:25:35 -0700447 dprintf1("bounds exception (normal): status 0x%jx at %p si_addr: %p\n",
448 status, (void *)ip, si->si_addr);
449 num_bnd_chk++;
450 uctxt->uc_mcontext.gregs[REG_IP_IDX] =
451 (greg_t)get_next_inst_ip((uint8_t *)ip);
452 break;
453 case 2:
454 fprintf(stderr, "#BR status == 2, missing bounds table,"
455 "kernel should have handled!!\n");
456 exit(4);
457 break;
458 default:
459 fprintf(stderr, "bound check error: status 0x%jx at %p\n",
460 status, (void *)ip);
461 num_bnd_chk++;
462 uctxt->uc_mcontext.gregs[REG_IP_IDX] =
463 (greg_t)get_next_inst_ip((uint8_t *)ip);
464 fprintf(stderr, "bound check error: si_addr %p\n", si->si_addr);
465 exit(3);
466 }
467 } else if (trapno == 14) {
468 eprintf("ERROR: In signal handler, page fault, trapno = %d, ip = %016lx\n",
469 trapno, ip);
470 eprintf("si_addr %p\n", si->si_addr);
471 eprintf("REG_ERR: %lx\n", (unsigned long)uctxt->uc_mcontext.gregs[REG_ERR]);
472 test_failed();
473 } else {
474 eprintf("unexpected trap %d! at 0x%lx\n", trapno, ip);
475 eprintf("si_addr %p\n", si->si_addr);
476 eprintf("REG_ERR: %lx\n", (unsigned long)uctxt->uc_mcontext.gregs[REG_ERR]);
477 test_failed();
478 }
479}
480
481static inline void cpuid_count(unsigned int op, int count,
482 unsigned int *eax, unsigned int *ebx,
483 unsigned int *ecx, unsigned int *edx)
484{
485 *eax = op;
486 *ecx = count;
487 __cpuid(eax, ebx, ecx, edx);
488}
489
490#define XSTATE_CPUID 0x0000000d
491
492/*
493 * List of XSAVE features Linux knows about:
494 */
495enum xfeature_bit {
496 XSTATE_BIT_FP,
497 XSTATE_BIT_SSE,
498 XSTATE_BIT_YMM,
499 XSTATE_BIT_BNDREGS,
500 XSTATE_BIT_BNDCSR,
501 XSTATE_BIT_OPMASK,
502 XSTATE_BIT_ZMM_Hi256,
503 XSTATE_BIT_Hi16_ZMM,
504
505 XFEATURES_NR_MAX,
506};
507
508#define XSTATE_FP (1 << XSTATE_BIT_FP)
509#define XSTATE_SSE (1 << XSTATE_BIT_SSE)
510#define XSTATE_YMM (1 << XSTATE_BIT_YMM)
511#define XSTATE_BNDREGS (1 << XSTATE_BIT_BNDREGS)
512#define XSTATE_BNDCSR (1 << XSTATE_BIT_BNDCSR)
513#define XSTATE_OPMASK (1 << XSTATE_BIT_OPMASK)
514#define XSTATE_ZMM_Hi256 (1 << XSTATE_BIT_ZMM_Hi256)
515#define XSTATE_Hi16_ZMM (1 << XSTATE_BIT_Hi16_ZMM)
516
517#define MPX_XSTATES (XSTATE_BNDREGS | XSTATE_BNDCSR) /* 0x18 */
518
519bool one_bit(unsigned int x, int bit)
520{
521 return !!(x & (1<<bit));
522}
523
524void print_state_component(int state_bit_nr, char *name)
525{
526 unsigned int eax, ebx, ecx, edx;
527 unsigned int state_component_size;
528 unsigned int state_component_supervisor;
529 unsigned int state_component_user;
530 unsigned int state_component_aligned;
531
532 /* See SDM Section 13.2 */
533 cpuid_count(XSTATE_CPUID, state_bit_nr, &eax, &ebx, &ecx, &edx);
534 assert(eax || ebx || ecx);
535 state_component_size = eax;
536 state_component_supervisor = ((!ebx) && one_bit(ecx, 0));
537 state_component_user = !one_bit(ecx, 0);
538 state_component_aligned = one_bit(ecx, 1);
539 printf("%8s: size: %d user: %d supervisor: %d aligned: %d\n",
540 name,
541 state_component_size, state_component_user,
542 state_component_supervisor, state_component_aligned);
543
544}
545
546/* Intel-defined CPU features, CPUID level 0x00000001 (ecx) */
547#define XSAVE_FEATURE_BIT (26) /* XSAVE/XRSTOR/XSETBV/XGETBV */
548#define OSXSAVE_FEATURE_BIT (27) /* XSAVE enabled in the OS */
549
550bool check_mpx_support(void)
551{
552 unsigned int eax, ebx, ecx, edx;
553
554 cpuid_count(1, 0, &eax, &ebx, &ecx, &edx);
555
556 /* We can't do much without XSAVE, so just make these assert()'s */
557 if (!one_bit(ecx, XSAVE_FEATURE_BIT)) {
558 fprintf(stderr, "processor lacks XSAVE, can not run MPX tests\n");
559 exit(0);
560 }
561
562 if (!one_bit(ecx, OSXSAVE_FEATURE_BIT)) {
563 fprintf(stderr, "processor lacks OSXSAVE, can not run MPX tests\n");
564 exit(0);
565 }
566
567 /* CPUs not supporting the XSTATE CPUID leaf do not support MPX */
568 /* Is this redundant with the feature bit checks? */
569 cpuid_count(0, 0, &eax, &ebx, &ecx, &edx);
570 if (eax < XSTATE_CPUID) {
571 fprintf(stderr, "processor lacks XSTATE CPUID leaf,"
572 " can not run MPX tests\n");
573 exit(0);
574 }
575
576 printf("XSAVE is supported by HW & OS\n");
577
578 cpuid_count(XSTATE_CPUID, 0, &eax, &ebx, &ecx, &edx);
579
580 printf("XSAVE processor supported state mask: 0x%x\n", eax);
581 printf("XSAVE OS supported state mask: 0x%jx\n", xgetbv(0));
582
583 /* Make sure that the MPX states are enabled in in XCR0 */
584 if ((eax & MPX_XSTATES) != MPX_XSTATES) {
585 fprintf(stderr, "processor lacks MPX XSTATE(s), can not run MPX tests\n");
586 exit(0);
587 }
588
589 /* Make sure the MPX states are supported by XSAVE* */
590 if ((xgetbv(0) & MPX_XSTATES) != MPX_XSTATES) {
591 fprintf(stderr, "MPX XSTATE(s) no enabled in XCR0, "
592 "can not run MPX tests\n");
593 exit(0);
594 }
595
596 print_state_component(XSTATE_BIT_BNDREGS, "BNDREGS");
597 print_state_component(XSTATE_BIT_BNDCSR, "BNDCSR");
598
599 return true;
600}
601
602void enable_mpx(void *l1base)
603{
604 /* enable point lookup */
605 memset(buffer, 0, sizeof(buffer));
606 xrstor_state(xsave_buf, 0x18);
607
608 xsave_buf->xsave_hdr.xstate_bv = 0x10;
609 xsave_buf->bndcsr.cfg_reg_u = (unsigned long)l1base | 1;
610 xsave_buf->bndcsr.status_reg = 0;
611
612 dprintf2("bf xrstor\n");
613 dprintf2("xsave cndcsr: status %jx, configu %jx\n",
614 xsave_buf->bndcsr.status_reg, xsave_buf->bndcsr.cfg_reg_u);
615 xrstor_state(xsave_buf, 0x18);
616 dprintf2("after xrstor\n");
617
618 xsave_state_1(xsave_buf, 0x18);
619
620 dprintf1("xsave bndcsr: status %jx, configu %jx\n",
621 xsave_buf->bndcsr.status_reg, xsave_buf->bndcsr.cfg_reg_u);
622}
623
624#include <sys/prctl.h>
625
626struct mpx_bounds_dir *bounds_dir_ptr;
627
628unsigned long __bd_incore(const char *func, int line)
629{
630 unsigned long ret = nr_incore(bounds_dir_ptr, MPX_BOUNDS_DIR_SIZE_BYTES);
631 return ret;
632}
633#define bd_incore() __bd_incore(__func__, __LINE__)
634
635void check_clear(void *ptr, unsigned long sz)
636{
637 unsigned long *i;
638
639 for (i = ptr; (void *)i < ptr + sz; i++) {
640 if (*i) {
641 dprintf1("%p is NOT clear at %p\n", ptr, i);
642 assert(0);
643 }
644 }
645 dprintf1("%p is clear for %lx\n", ptr, sz);
646}
647
648void check_clear_bd(void)
649{
650 check_clear(bounds_dir_ptr, 2UL << 30);
651}
652
653#define USE_MALLOC_FOR_BOUNDS_DIR 1
654bool process_specific_init(void)
655{
656 unsigned long size;
657 unsigned long *dir;
658 /* Guarantee we have the space to align it, add padding: */
659 unsigned long pad = getpagesize();
660
661 size = 2UL << 30; /* 2GB */
662 if (sizeof(unsigned long) == 4)
663 size = 4UL << 20; /* 4MB */
664 dprintf1("trying to allocate %ld MB bounds directory\n", (size >> 20));
665
666 if (USE_MALLOC_FOR_BOUNDS_DIR) {
667 unsigned long _dir;
668
669 dir = malloc(size + pad);
670 assert(dir);
671 _dir = (unsigned long)dir;
672 _dir += 0xfffUL;
673 _dir &= ~0xfffUL;
674 dir = (void *)_dir;
675 } else {
676 /*
677 * This makes debugging easier because the address
678 * calculations are simpler:
679 */
680 dir = mmap((void *)0x200000000000, size + pad,
681 PROT_READ|PROT_WRITE,
682 MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
683 if (dir == (void *)-1) {
684 perror("unable to allocate bounds directory");
685 abort();
686 }
687 check_clear(dir, size);
688 }
689 bounds_dir_ptr = (void *)dir;
690 madvise(bounds_dir_ptr, size, MADV_NOHUGEPAGE);
691 bd_incore();
692 dprintf1("bounds directory: 0x%p -> 0x%p\n", bounds_dir_ptr,
693 (char *)bounds_dir_ptr + size);
694 check_clear(dir, size);
695 enable_mpx(dir);
696 check_clear(dir, size);
697 if (prctl(43, 0, 0, 0, 0)) {
698 printf("no MPX support\n");
699 abort();
700 return false;
701 }
702 return true;
703}
704
705bool process_specific_finish(void)
706{
707 if (prctl(44)) {
708 printf("no MPX support\n");
709 return false;
710 }
711 return true;
712}
713
714void setup_handler()
715{
716 int r, rs;
717 struct sigaction newact;
718 struct sigaction oldact;
719
720 /* #BR is mapped to sigsegv */
721 int signum = SIGSEGV;
722
723 newact.sa_handler = 0; /* void(*)(int)*/
724 newact.sa_sigaction = handler; /* void (*)(int, siginfo_t*, void *) */
725
726 /*sigset_t - signals to block while in the handler */
727 /* get the old signal mask. */
728 rs = sigprocmask(SIG_SETMASK, 0, &newact.sa_mask);
729 assert(rs == 0);
730
731 /* call sa_sigaction, not sa_handler*/
732 newact.sa_flags = SA_SIGINFO;
733
734 newact.sa_restorer = 0; /* void(*)(), obsolete */
735 r = sigaction(signum, &newact, &oldact);
736 assert(r == 0);
737}
738
739void mpx_prepare(void)
740{
741 dprintf2("%s()\n", __func__);
742 setup_handler();
743 process_specific_init();
744}
745
746void mpx_cleanup(void)
747{
748 printf("%s(): %jd BRs. bye...\n", __func__, num_bnd_chk);
749 process_specific_finish();
750}
751
752/*-------------- the following is test case ---------------*/
753#include <stdint.h>
754#include <stdbool.h>
755#include <stdlib.h>
756#include <stdio.h>
757#include <time.h>
758
759uint64_t num_lower_brs;
760uint64_t num_upper_brs;
761
762#define MPX_CONFIG_OFFSET 1024
763#define MPX_BOUNDS_OFFSET 960
764#define MPX_HEADER_OFFSET 512
765#define MAX_ADDR_TESTED (1<<28)
766#define TEST_ROUNDS 100
767
768/*
769 0F 1A /r BNDLDX-Load
770 0F 1B /r BNDSTX-Store Extended Bounds Using Address Translation
771 66 0F 1A /r BNDMOV bnd1, bnd2/m128
772 66 0F 1B /r BNDMOV bnd1/m128, bnd2
773 F2 0F 1A /r BNDCU bnd, r/m64
774 F2 0F 1B /r BNDCN bnd, r/m64
775 F3 0F 1A /r BNDCL bnd, r/m64
776 F3 0F 1B /r BNDMK bnd, m64
777*/
778
779static __always_inline void xsave_state(void *_fx, uint64_t mask)
780{
781 uint32_t lmask = mask;
782 uint32_t hmask = mask >> 32;
783 unsigned char *fx = _fx;
784
785 asm volatile(".byte " REX_PREFIX "0x0f,0xae,0x27\n\t"
786 : : "D" (fx), "m" (*fx), "a" (lmask), "d" (hmask)
787 : "memory");
788}
789
790static __always_inline void mpx_clear_bnd0(void)
791{
792 long size = 0;
793 void *ptr = NULL;
794 /* F3 0F 1B /r BNDMK bnd, m64 */
795 /* f3 0f 1b 04 11 bndmk (%rcx,%rdx,1),%bnd0 */
796 asm volatile(".byte 0xf3,0x0f,0x1b,0x04,0x11\n\t"
797 : : "c" (ptr), "d" (size-1)
798 : "memory");
799}
800
801static __always_inline void mpx_make_bound_helper(unsigned long ptr,
802 unsigned long size)
803{
804 /* F3 0F 1B /r BNDMK bnd, m64 */
805 /* f3 0f 1b 04 11 bndmk (%rcx,%rdx,1),%bnd0 */
806 asm volatile(".byte 0xf3,0x0f,0x1b,0x04,0x11\n\t"
807 : : "c" (ptr), "d" (size-1)
808 : "memory");
809}
810
811static __always_inline void mpx_check_lowerbound_helper(unsigned long ptr)
812{
813 /* F3 0F 1A /r NDCL bnd, r/m64 */
814 /* f3 0f 1a 01 bndcl (%rcx),%bnd0 */
815 asm volatile(".byte 0xf3,0x0f,0x1a,0x01\n\t"
816 : : "c" (ptr)
817 : "memory");
818}
819
820static __always_inline void mpx_check_upperbound_helper(unsigned long ptr)
821{
822 /* F2 0F 1A /r BNDCU bnd, r/m64 */
823 /* f2 0f 1a 01 bndcu (%rcx),%bnd0 */
824 asm volatile(".byte 0xf2,0x0f,0x1a,0x01\n\t"
825 : : "c" (ptr)
826 : "memory");
827}
828
829static __always_inline void mpx_movbndreg_helper()
830{
831 /* 66 0F 1B /r BNDMOV bnd1/m128, bnd2 */
832 /* 66 0f 1b c2 bndmov %bnd0,%bnd2 */
833
834 asm volatile(".byte 0x66,0x0f,0x1b,0xc2\n\t");
835}
836
837static __always_inline void mpx_movbnd2mem_helper(uint8_t *mem)
838{
839 /* 66 0F 1B /r BNDMOV bnd1/m128, bnd2 */
840 /* 66 0f 1b 01 bndmov %bnd0,(%rcx) */
841 asm volatile(".byte 0x66,0x0f,0x1b,0x01\n\t"
842 : : "c" (mem)
843 : "memory");
844}
845
846static __always_inline void mpx_movbnd_from_mem_helper(uint8_t *mem)
847{
848 /* 66 0F 1A /r BNDMOV bnd1, bnd2/m128 */
849 /* 66 0f 1a 01 bndmov (%rcx),%bnd0 */
850 asm volatile(".byte 0x66,0x0f,0x1a,0x01\n\t"
851 : : "c" (mem)
852 : "memory");
853}
854
855static __always_inline void mpx_store_dsc_helper(unsigned long ptr_addr,
856 unsigned long ptr_val)
857{
858 /* 0F 1B /r BNDSTX-Store Extended Bounds Using Address Translation */
859 /* 0f 1b 04 11 bndstx %bnd0,(%rcx,%rdx,1) */
860 asm volatile(".byte 0x0f,0x1b,0x04,0x11\n\t"
861 : : "c" (ptr_addr), "d" (ptr_val)
862 : "memory");
863}
864
865static __always_inline void mpx_load_dsc_helper(unsigned long ptr_addr,
866 unsigned long ptr_val)
867{
868 /* 0F 1A /r BNDLDX-Load */
869 /*/ 0f 1a 04 11 bndldx (%rcx,%rdx,1),%bnd0 */
870 asm volatile(".byte 0x0f,0x1a,0x04,0x11\n\t"
871 : : "c" (ptr_addr), "d" (ptr_val)
872 : "memory");
873}
874
875void __print_context(void *__print_xsave_buffer, int line)
876{
877 uint64_t *bounds = (uint64_t *)(__print_xsave_buffer + MPX_BOUNDS_OFFSET);
878 uint64_t *cfg = (uint64_t *)(__print_xsave_buffer + MPX_CONFIG_OFFSET);
879
880 int i;
881 eprintf("%s()::%d\n", "print_context", line);
882 for (i = 0; i < 4; i++) {
883 eprintf("bound[%d]: 0x%016lx 0x%016lx(0x%016lx)\n", i,
884 (unsigned long)bounds[i*2],
885 ~(unsigned long)bounds[i*2+1],
886 (unsigned long)bounds[i*2+1]);
887 }
888
889 eprintf("cpcfg: %jx cpstatus: %jx\n", cfg[0], cfg[1]);
890}
891#define print_context(x) __print_context(x, __LINE__)
892#ifdef DEBUG
893#define dprint_context(x) print_context(x)
894#else
895#define dprint_context(x) do{}while(0)
896#endif
897
898void init()
899{
900 int i;
901
902 srand((unsigned int)time(NULL));
903
904 for (i = 0; i < 4; i++) {
905 shadow_plb[i][0] = 0;
906 shadow_plb[i][1] = ~(unsigned long)0;
907 }
908}
909
910long int __mpx_random(int line)
911{
912#ifdef NOT_SO_RANDOM
913 static long fake = 722122311;
914 fake += 563792075;
915 return fakse;
916#else
917 return random();
918#endif
919}
920#define mpx_random() __mpx_random(__LINE__)
921
922uint8_t *get_random_addr()
923{
924 uint8_t*addr = (uint8_t *)(unsigned long)(rand() % MAX_ADDR_TESTED);
925 return (addr - (unsigned long)addr % sizeof(uint8_t *));
926}
927
928static inline bool compare_context(void *__xsave_buffer)
929{
930 uint64_t *bounds = (uint64_t *)(__xsave_buffer + MPX_BOUNDS_OFFSET);
931
932 int i;
933 for (i = 0; i < 4; i++) {
934 dprintf3("shadow[%d]{%016lx/%016lx}\nbounds[%d]{%016lx/%016lx}\n",
935 i, (unsigned long)shadow_plb[i][0], (unsigned long)shadow_plb[i][1],
936 i, (unsigned long)bounds[i*2], ~(unsigned long)bounds[i*2+1]);
937 if ((shadow_plb[i][0] != bounds[i*2]) ||
938 (shadow_plb[i][1] != ~(unsigned long)bounds[i*2+1])) {
939 eprintf("ERROR comparing shadow to real bound register %d\n", i);
940 eprintf("shadow{0x%016lx/0x%016lx}\nbounds{0x%016lx/0x%016lx}\n",
941 (unsigned long)shadow_plb[i][0], (unsigned long)shadow_plb[i][1],
942 (unsigned long)bounds[i*2], (unsigned long)bounds[i*2+1]);
943 return false;
944 }
945 }
946
947 return true;
948}
949
950void mkbnd_shadow(uint8_t *ptr, int index, long offset)
951{
952 uint64_t *lower = (uint64_t *)&(shadow_plb[index][0]);
953 uint64_t *upper = (uint64_t *)&(shadow_plb[index][1]);
954 *lower = (unsigned long)ptr;
955 *upper = (unsigned long)ptr + offset - 1;
956}
957
958void check_lowerbound_shadow(uint8_t *ptr, int index)
959{
960 uint64_t *lower = (uint64_t *)&(shadow_plb[index][0]);
961 if (*lower > (uint64_t)(unsigned long)ptr)
962 num_lower_brs++;
963 else
964 dprintf1("LowerBoundChk passed:%p\n", ptr);
965}
966
967void check_upperbound_shadow(uint8_t *ptr, int index)
968{
969 uint64_t upper = *(uint64_t *)&(shadow_plb[index][1]);
970 if (upper < (uint64_t)(unsigned long)ptr)
971 num_upper_brs++;
972 else
973 dprintf1("UpperBoundChk passed:%p\n", ptr);
974}
975
976__always_inline void movbndreg_shadow(int src, int dest)
977{
978 shadow_plb[dest][0] = shadow_plb[src][0];
979 shadow_plb[dest][1] = shadow_plb[src][1];
980}
981
982__always_inline void movbnd2mem_shadow(int src, unsigned long *dest)
983{
984 unsigned long *lower = (unsigned long *)&(shadow_plb[src][0]);
985 unsigned long *upper = (unsigned long *)&(shadow_plb[src][1]);
986 *dest = *lower;
987 *(dest+1) = *upper;
988}
989
990__always_inline void movbnd_from_mem_shadow(unsigned long *src, int dest)
991{
992 unsigned long *lower = (unsigned long *)&(shadow_plb[dest][0]);
993 unsigned long *upper = (unsigned long *)&(shadow_plb[dest][1]);
994 *lower = *src;
995 *upper = *(src+1);
996}
997
998__always_inline void stdsc_shadow(int index, uint8_t *ptr, uint8_t *ptr_val)
999{
1000 shadow_map[0] = (unsigned long)shadow_plb[index][0];
1001 shadow_map[1] = (unsigned long)shadow_plb[index][1];
1002 shadow_map[2] = (unsigned long)ptr_val;
1003 dprintf3("%s(%d, %p, %p) set shadow map[2]: %p\n", __func__,
1004 index, ptr, ptr_val, ptr_val);
1005 /*ptr ignored */
1006}
1007
1008void lddsc_shadow(int index, uint8_t *ptr, uint8_t *ptr_val)
1009{
1010 uint64_t lower = shadow_map[0];
1011 uint64_t upper = shadow_map[1];
1012 uint8_t *value = (uint8_t *)shadow_map[2];
1013
1014 if (value != ptr_val) {
1015 dprintf2("%s(%d, %p, %p) init shadow bounds[%d] "
1016 "because %p != %p\n", __func__, index, ptr,
1017 ptr_val, index, value, ptr_val);
1018 shadow_plb[index][0] = 0;
1019 shadow_plb[index][1] = ~(unsigned long)0;
1020 } else {
1021 shadow_plb[index][0] = lower;
1022 shadow_plb[index][1] = upper;
1023 }
1024 /* ptr ignored */
1025}
1026
1027static __always_inline void mpx_test_helper0(uint8_t *buf, uint8_t *ptr)
1028{
1029 mpx_make_bound_helper((unsigned long)ptr, 0x1800);
1030}
1031
1032static __always_inline void mpx_test_helper0_shadow(uint8_t *buf, uint8_t *ptr)
1033{
1034 mkbnd_shadow(ptr, 0, 0x1800);
1035}
1036
1037static __always_inline void mpx_test_helper1(uint8_t *buf, uint8_t *ptr)
1038{
1039 /* these are hard-coded to check bnd0 */
1040 expected_bnd_index = 0;
1041 mpx_check_lowerbound_helper((unsigned long)(ptr-1));
1042 mpx_check_upperbound_helper((unsigned long)(ptr+0x1800));
1043 /* reset this since we do not expect any more bounds exceptions */
1044 expected_bnd_index = -1;
1045}
1046
1047static __always_inline void mpx_test_helper1_shadow(uint8_t *buf, uint8_t *ptr)
1048{
1049 check_lowerbound_shadow(ptr-1, 0);
1050 check_upperbound_shadow(ptr+0x1800, 0);
1051}
1052
1053static __always_inline void mpx_test_helper2(uint8_t *buf, uint8_t *ptr)
1054{
1055 mpx_make_bound_helper((unsigned long)ptr, 0x1800);
1056 mpx_movbndreg_helper();
1057 mpx_movbnd2mem_helper(buf);
1058 mpx_make_bound_helper((unsigned long)(ptr+0x12), 0x1800);
1059}
1060
1061static __always_inline void mpx_test_helper2_shadow(uint8_t *buf, uint8_t *ptr)
1062{
1063 mkbnd_shadow(ptr, 0, 0x1800);
1064 movbndreg_shadow(0, 2);
1065 movbnd2mem_shadow(0, (unsigned long *)buf);
1066 mkbnd_shadow(ptr+0x12, 0, 0x1800);
1067}
1068
1069static __always_inline void mpx_test_helper3(uint8_t *buf, uint8_t *ptr)
1070{
1071 mpx_movbnd_from_mem_helper(buf);
1072}
1073
1074static __always_inline void mpx_test_helper3_shadow(uint8_t *buf, uint8_t *ptr)
1075{
1076 movbnd_from_mem_shadow((unsigned long *)buf, 0);
1077}
1078
1079static __always_inline void mpx_test_helper4(uint8_t *buf, uint8_t *ptr)
1080{
1081 mpx_store_dsc_helper((unsigned long)buf, (unsigned long)ptr);
1082 mpx_make_bound_helper((unsigned long)(ptr+0x12), 0x1800);
1083}
1084
1085static __always_inline void mpx_test_helper4_shadow(uint8_t *buf, uint8_t *ptr)
1086{
1087 stdsc_shadow(0, buf, ptr);
1088 mkbnd_shadow(ptr+0x12, 0, 0x1800);
1089}
1090
1091static __always_inline void mpx_test_helper5(uint8_t *buf, uint8_t *ptr)
1092{
1093 mpx_load_dsc_helper((unsigned long)buf, (unsigned long)ptr);
1094}
1095
1096static __always_inline void mpx_test_helper5_shadow(uint8_t *buf, uint8_t *ptr)
1097{
1098 lddsc_shadow(0, buf, ptr);
1099}
1100
1101#define NR_MPX_TEST_FUNCTIONS 6
1102
1103/*
1104 * For compatibility reasons, MPX will clear the bounds registers
1105 * when you make function calls (among other things). We have to
1106 * preserve the registers in between calls to the "helpers" since
1107 * they build on each other.
1108 *
1109 * Be very careful not to make any function calls inside the
1110 * helpers, or anywhere else beween the xrstor and xsave.
1111 */
1112#define run_helper(helper_nr, buf, buf_shadow, ptr) do { \
1113 xrstor_state(xsave_test_buf, flags); \
1114 mpx_test_helper##helper_nr(buf, ptr); \
1115 xsave_state(xsave_test_buf, flags); \
1116 mpx_test_helper##helper_nr##_shadow(buf_shadow, ptr); \
1117} while (0)
1118
1119static void run_helpers(int nr, uint8_t *buf, uint8_t *buf_shadow, uint8_t *ptr)
1120{
1121 uint64_t flags = 0x18;
1122
1123 dprint_context(xsave_test_buf);
1124 switch (nr) {
1125 case 0:
1126 run_helper(0, buf, buf_shadow, ptr);
1127 break;
1128 case 1:
1129 run_helper(1, buf, buf_shadow, ptr);
1130 break;
1131 case 2:
1132 run_helper(2, buf, buf_shadow, ptr);
1133 break;
1134 case 3:
1135 run_helper(3, buf, buf_shadow, ptr);
1136 break;
1137 case 4:
1138 run_helper(4, buf, buf_shadow, ptr);
1139 break;
1140 case 5:
1141 run_helper(5, buf, buf_shadow, ptr);
1142 break;
1143 default:
1144 test_failed();
1145 break;
1146 }
1147 dprint_context(xsave_test_buf);
1148}
1149
1150unsigned long buf_shadow[1024]; /* used to check load / store descriptors */
1151extern long inspect_me(struct mpx_bounds_dir *bounds_dir);
1152
1153long cover_buf_with_bt_entries(void *buf, long buf_len)
1154{
1155 int i;
1156 long nr_to_fill;
1157 int ratio = 1000;
1158 unsigned long buf_len_in_ptrs;
1159
1160 /* Fill about 1/100 of the space with bt entries */
1161 nr_to_fill = buf_len / (sizeof(unsigned long) * ratio);
1162
1163 if (!nr_to_fill)
1164 dprintf3("%s() nr_to_fill: %ld\n", __func__, nr_to_fill);
1165
1166 /* Align the buffer to pointer size */
1167 while (((unsigned long)buf) % sizeof(void *)) {
1168 buf++;
1169 buf_len--;
1170 }
1171 /* We are storing pointers, so make */
1172 buf_len_in_ptrs = buf_len / sizeof(void *);
1173
1174 for (i = 0; i < nr_to_fill; i++) {
1175 long index = (mpx_random() % buf_len_in_ptrs);
1176 void *ptr = buf + index * sizeof(unsigned long);
1177 unsigned long ptr_addr = (unsigned long)ptr;
1178
1179 /* ptr and size can be anything */
1180 mpx_make_bound_helper((unsigned long)ptr, 8);
1181
1182 /*
1183 * take bnd0 and put it in to bounds tables "buf + index" is an
1184 * address inside the buffer where we are pretending that we
1185 * are going to put a pointer We do not, though because we will
1186 * never load entries from the table, so it doesn't matter.
1187 */
1188 mpx_store_dsc_helper(ptr_addr, (unsigned long)ptr);
1189 dprintf4("storing bound table entry for %lx (buf start @ %p)\n",
1190 ptr_addr, buf);
1191 }
1192 return nr_to_fill;
1193}
1194
1195unsigned long align_down(unsigned long alignme, unsigned long align_to)
1196{
1197 return alignme & ~(align_to-1);
1198}
1199
1200unsigned long align_up(unsigned long alignme, unsigned long align_to)
1201{
1202 return (alignme + align_to - 1) & ~(align_to-1);
1203}
1204
1205/*
1206 * Using 1MB alignment guarantees that each no allocation
1207 * will overlap with another's bounds tables.
1208 *
1209 * We have to cook our own allocator here. malloc() can
1210 * mix other allocation with ours which means that even
1211 * if we free all of our allocations, there might still
1212 * be bounds tables for the *areas* since there is other
1213 * valid memory there.
1214 *
1215 * We also can't use malloc() because a free() of an area
1216 * might not free it back to the kernel. We want it
1217 * completely unmapped an malloc() does not guarantee
1218 * that.
1219 */
1220#ifdef __i386__
1221long alignment = 4096;
1222long sz_alignment = 4096;
1223#else
1224long alignment = 1 * MB;
1225long sz_alignment = 1 * MB;
1226#endif
1227void *mpx_mini_alloc(unsigned long sz)
1228{
1229 unsigned long long tries = 0;
1230 static void *last;
1231 void *ptr;
1232 void *try_at;
1233
1234 sz = align_up(sz, sz_alignment);
1235
1236 try_at = last + alignment;
1237 while (1) {
1238 ptr = mmap(try_at, sz, PROT_READ|PROT_WRITE,
1239 MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
1240 if (ptr == (void *)-1)
1241 return NULL;
1242 if (ptr == try_at)
1243 break;
1244
1245 munmap(ptr, sz);
1246 try_at += alignment;
1247#ifdef __i386__
1248 /*
1249 * This isn't quite correct for 32-bit binaries
1250 * on 64-bit kernels since they can use the
1251 * entire 32-bit address space, but it's close
1252 * enough.
1253 */
1254 if (try_at > (void *)0xC0000000)
1255#else
1256 if (try_at > (void *)0x0000800000000000)
1257#endif
1258 try_at = (void *)0x0;
1259 if (!(++tries % 10000))
1260 dprintf1("stuck in %s(), tries: %lld\n", __func__, tries);
1261 continue;
1262 }
1263 last = ptr;
1264 dprintf3("mpx_mini_alloc(0x%lx) returning: %p\n", sz, ptr);
1265 return ptr;
1266}
1267void mpx_mini_free(void *ptr, long sz)
1268{
1269 dprintf2("%s() ptr: %p\n", __func__, ptr);
1270 if ((unsigned long)ptr > 0x100000000000) {
1271 dprintf1("uh oh !!!!!!!!!!!!!!! pointer too high: %p\n", ptr);
1272 test_failed();
1273 }
1274 sz = align_up(sz, sz_alignment);
1275 dprintf3("%s() ptr: %p before munmap\n", __func__, ptr);
1276 munmap(ptr, sz);
1277 dprintf3("%s() ptr: %p DONE\n", __func__, ptr);
1278}
1279
1280#define NR_MALLOCS 100
1281struct one_malloc {
1282 char *ptr;
1283 int nr_filled_btes;
1284 unsigned long size;
1285};
1286struct one_malloc mallocs[NR_MALLOCS];
1287
1288void free_one_malloc(int index)
1289{
1290 unsigned long free_ptr;
1291 unsigned long mask;
1292
1293 if (!mallocs[index].ptr)
1294 return;
1295
1296 mpx_mini_free(mallocs[index].ptr, mallocs[index].size);
1297 dprintf4("freed[%d]: %p\n", index, mallocs[index].ptr);
1298
1299 free_ptr = (unsigned long)mallocs[index].ptr;
1300 mask = alignment-1;
1301 dprintf4("lowerbits: %lx / %lx mask: %lx\n", free_ptr,
1302 (free_ptr & mask), mask);
1303 assert((free_ptr & mask) == 0);
1304
1305 mallocs[index].ptr = NULL;
1306}
1307
1308#ifdef __i386__
1309#define MPX_BOUNDS_TABLE_COVERS 4096
1310#else
1311#define MPX_BOUNDS_TABLE_COVERS (1 * MB)
1312#endif
1313void zap_everything(void)
1314{
1315 long after_zap;
1316 long before_zap;
1317 int i;
1318
1319 before_zap = inspect_me(bounds_dir_ptr);
1320 dprintf1("zapping everything start: %ld\n", before_zap);
1321 for (i = 0; i < NR_MALLOCS; i++)
1322 free_one_malloc(i);
1323
1324 after_zap = inspect_me(bounds_dir_ptr);
1325 dprintf1("zapping everything done: %ld\n", after_zap);
1326 /*
1327 * We only guarantee to empty the thing out if our allocations are
1328 * exactly aligned on the boundaries of a boudns table.
1329 */
1330 if ((alignment >= MPX_BOUNDS_TABLE_COVERS) &&
1331 (sz_alignment >= MPX_BOUNDS_TABLE_COVERS)) {
1332 if (after_zap != 0)
1333 test_failed();
1334
1335 assert(after_zap == 0);
1336 }
1337}
1338
1339void do_one_malloc(void)
1340{
1341 static int malloc_counter;
1342 long sz;
1343 int rand_index = (mpx_random() % NR_MALLOCS);
1344 void *ptr = mallocs[rand_index].ptr;
1345
1346 dprintf3("%s() enter\n", __func__);
1347
1348 if (ptr) {
1349 dprintf3("freeing one malloc at index: %d\n", rand_index);
1350 free_one_malloc(rand_index);
1351 if (mpx_random() % (NR_MALLOCS*3) == 3) {
1352 int i;
1353 dprintf3("zapping some more\n");
1354 for (i = rand_index; i < NR_MALLOCS; i++)
1355 free_one_malloc(i);
1356 }
1357 if ((mpx_random() % zap_all_every_this_many_mallocs) == 4)
1358 zap_everything();
1359 }
1360
1361 /* 1->~1M */
1362 sz = (1 + mpx_random() % 1000) * 1000;
1363 ptr = mpx_mini_alloc(sz);
1364 if (!ptr) {
1365 /*
1366 * If we are failing allocations, just assume we
1367 * are out of memory and zap everything.
1368 */
1369 dprintf3("zapping everything because out of memory\n");
1370 zap_everything();
1371 goto out;
1372 }
1373
1374 dprintf3("malloc: %p size: 0x%lx\n", ptr, sz);
1375 mallocs[rand_index].nr_filled_btes = cover_buf_with_bt_entries(ptr, sz);
1376 mallocs[rand_index].ptr = ptr;
1377 mallocs[rand_index].size = sz;
1378out:
1379 if ((++malloc_counter) % inspect_every_this_many_mallocs == 0)
1380 inspect_me(bounds_dir_ptr);
1381}
1382
1383void run_timed_test(void (*test_func)(void))
1384{
1385 int done = 0;
1386 long iteration = 0;
1387 static time_t last_print;
1388 time_t now;
1389 time_t start;
1390
1391 time(&start);
1392 while (!done) {
1393 time(&now);
1394 if ((now - start) > TEST_DURATION_SECS)
1395 done = 1;
1396
1397 test_func();
1398 iteration++;
1399
1400 if ((now - last_print > 1) || done) {
1401 printf("iteration %ld complete, OK so far\n", iteration);
1402 last_print = now;
1403 }
1404 }
1405}
1406
1407void check_bounds_table_frees(void)
1408{
1409 printf("executing unmaptest\n");
1410 inspect_me(bounds_dir_ptr);
1411 run_timed_test(&do_one_malloc);
1412 printf("done with malloc() fun\n");
1413}
1414
1415void insn_test_failed(int test_nr, int test_round, void *buf,
1416 void *buf_shadow, void *ptr)
1417{
1418 print_context(xsave_test_buf);
1419 eprintf("ERROR: test %d round %d failed\n", test_nr, test_round);
1420 while (test_nr == 5) {
1421 struct mpx_bt_entry *bte;
1422 struct mpx_bounds_dir *bd = (void *)bounds_dir_ptr;
1423 struct mpx_bd_entry *bde = mpx_vaddr_to_bd_entry(buf, bd);
1424
1425 printf(" bd: %p\n", bd);
1426 printf("&bde: %p\n", bde);
1427 printf("*bde: %lx\n", *(unsigned long *)bde);
1428 if (!bd_entry_valid(bde))
1429 break;
1430
1431 bte = mpx_vaddr_to_bt_entry(buf, bd);
1432 printf(" te: %p\n", bte);
1433 printf("bte[0]: %lx\n", bte->contents[0]);
1434 printf("bte[1]: %lx\n", bte->contents[1]);
1435 printf("bte[2]: %lx\n", bte->contents[2]);
1436 printf("bte[3]: %lx\n", bte->contents[3]);
1437 break;
1438 }
1439 test_failed();
1440}
1441
1442void check_mpx_insns_and_tables(void)
1443{
1444 int successes = 0;
1445 int failures = 0;
1446 int buf_size = (1024*1024);
1447 unsigned long *buf = malloc(buf_size);
1448 const int total_nr_tests = NR_MPX_TEST_FUNCTIONS * TEST_ROUNDS;
1449 int i, j;
1450
1451 memset(buf, 0, buf_size);
1452 memset(buf_shadow, 0, sizeof(buf_shadow));
1453
1454 for (i = 0; i < TEST_ROUNDS; i++) {
1455 uint8_t *ptr = get_random_addr() + 8;
1456
1457 for (j = 0; j < NR_MPX_TEST_FUNCTIONS; j++) {
1458 if (0 && j != 5) {
1459 successes++;
1460 continue;
1461 }
1462 dprintf2("starting test %d round %d\n", j, i);
1463 dprint_context(xsave_test_buf);
1464 /*
1465 * test5 loads an address from the bounds tables.
1466 * The load will only complete if 'ptr' matches
1467 * the load and the store, so with random addrs,
1468 * the odds of this are very small. Make it
1469 * higher by only moving 'ptr' 1/10 times.
1470 */
1471 if (random() % 10 <= 0)
1472 ptr = get_random_addr() + 8;
1473 dprintf3("random ptr{%p}\n", ptr);
1474 dprint_context(xsave_test_buf);
1475 run_helpers(j, (void *)buf, (void *)buf_shadow, ptr);
1476 dprint_context(xsave_test_buf);
1477 if (!compare_context(xsave_test_buf)) {
1478 insn_test_failed(j, i, buf, buf_shadow, ptr);
1479 failures++;
1480 goto exit;
1481 }
1482 successes++;
1483 dprint_context(xsave_test_buf);
1484 dprintf2("finished test %d round %d\n", j, i);
1485 dprintf3("\n");
1486 dprint_context(xsave_test_buf);
1487 }
1488 }
1489
1490exit:
1491 dprintf2("\nabout to free:\n");
1492 free(buf);
1493 dprintf1("successes: %d\n", successes);
1494 dprintf1(" failures: %d\n", failures);
1495 dprintf1(" tests: %d\n", total_nr_tests);
1496 dprintf1(" expected: %jd #BRs\n", num_upper_brs + num_lower_brs);
1497 dprintf1(" saw: %d #BRs\n", br_count);
1498 if (failures) {
1499 eprintf("ERROR: non-zero number of failures\n");
1500 exit(20);
1501 }
1502 if (successes != total_nr_tests) {
Colin Ian Kinga180ac12019-01-02 09:54:03 +00001503 eprintf("ERROR: succeeded fewer than number of tries (%d != %d)\n",
Dave Hansene754aed2016-06-08 10:25:35 -07001504 successes, total_nr_tests);
1505 exit(21);
1506 }
1507 if (num_upper_brs + num_lower_brs != br_count) {
1508 eprintf("ERROR: unexpected number of #BRs: %jd %jd %d\n",
1509 num_upper_brs, num_lower_brs, br_count);
1510 eprintf("successes: %d\n", successes);
1511 eprintf(" failures: %d\n", failures);
1512 eprintf(" tests: %d\n", total_nr_tests);
1513 eprintf(" expected: %jd #BRs\n", num_upper_brs + num_lower_brs);
1514 eprintf(" saw: %d #BRs\n", br_count);
1515 exit(22);
1516 }
1517}
1518
1519/*
1520 * This is supposed to SIGSEGV nicely once the kernel
1521 * can no longer allocate vaddr space.
1522 */
1523void exhaust_vaddr_space(void)
1524{
1525 unsigned long ptr;
1526 /* Try to make sure there is no room for a bounds table anywhere */
1527 unsigned long skip = MPX_BOUNDS_TABLE_SIZE_BYTES - PAGE_SIZE;
1528#ifdef __i386__
1529 unsigned long max_vaddr = 0xf7788000UL;
1530#else
1531 unsigned long max_vaddr = 0x800000000000UL;
1532#endif
1533
1534 dprintf1("%s() start\n", __func__);
1535 /* do not start at 0, we aren't allowed to map there */
1536 for (ptr = PAGE_SIZE; ptr < max_vaddr; ptr += skip) {
1537 void *ptr_ret;
1538 int ret = madvise((void *)ptr, PAGE_SIZE, MADV_NORMAL);
1539
1540 if (!ret) {
1541 dprintf1("madvise() %lx ret: %d\n", ptr, ret);
1542 continue;
1543 }
1544 ptr_ret = mmap((void *)ptr, PAGE_SIZE, PROT_READ|PROT_WRITE,
1545 MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
1546 if (ptr_ret != (void *)ptr) {
1547 perror("mmap");
1548 dprintf1("mmap(%lx) ret: %p\n", ptr, ptr_ret);
1549 break;
1550 }
1551 if (!(ptr & 0xffffff))
1552 dprintf1("mmap(%lx) ret: %p\n", ptr, ptr_ret);
1553 }
1554 for (ptr = PAGE_SIZE; ptr < max_vaddr; ptr += skip) {
1555 dprintf2("covering 0x%lx with bounds table entries\n", ptr);
1556 cover_buf_with_bt_entries((void *)ptr, PAGE_SIZE);
1557 }
1558 dprintf1("%s() end\n", __func__);
1559 printf("done with vaddr space fun\n");
1560}
1561
1562void mpx_table_test(void)
1563{
1564 printf("starting mpx bounds table test\n");
1565 run_timed_test(check_mpx_insns_and_tables);
1566 printf("done with mpx bounds table test\n");
1567}
1568
1569int main(int argc, char **argv)
1570{
1571 int unmaptest = 0;
1572 int vaddrexhaust = 0;
1573 int tabletest = 0;
1574 int i;
1575
1576 check_mpx_support();
1577 mpx_prepare();
1578 srandom(11179);
1579
1580 bd_incore();
1581 init();
1582 bd_incore();
1583
1584 trace_me();
1585
1586 xsave_state((void *)xsave_test_buf, 0x1f);
1587 if (!compare_context(xsave_test_buf))
1588 printf("Init failed\n");
1589
1590 for (i = 1; i < argc; i++) {
1591 if (!strcmp(argv[i], "unmaptest"))
1592 unmaptest = 1;
1593 if (!strcmp(argv[i], "vaddrexhaust"))
1594 vaddrexhaust = 1;
1595 if (!strcmp(argv[i], "tabletest"))
1596 tabletest = 1;
1597 }
1598 if (!(unmaptest || vaddrexhaust || tabletest)) {
1599 unmaptest = 1;
1600 /* vaddrexhaust = 1; */
1601 tabletest = 1;
1602 }
1603 if (unmaptest)
1604 check_bounds_table_frees();
1605 if (tabletest)
1606 mpx_table_test();
1607 if (vaddrexhaust)
1608 exhaust_vaddr_space();
1609 printf("%s completed successfully\n", argv[0]);
1610 exit(0);
1611}
1612
1613#include "mpx-dig.c"