1// SPDX-License-Identifier: GPL-2.0
  2/*
  3 * This code tests that the current task stack is properly erased (filled
  4 * with STACKLEAK_POISON).
  5 *
  6 * Authors:
  7 *   Alexander Popov <alex.popov@linux.com>
  8 *   Tycho Andersen <tycho@tycho.ws>
  9 */
 10
 11#include "lkdtm.h"
 12#include <linux/stackleak.h>
 13
 14#if defined(CONFIG_GCC_PLUGIN_STACKLEAK)
 15/*
 16 * Check that stackleak tracks the lowest stack pointer and erases the stack
 17 * below this as expected.
 18 *
 19 * To prevent the lowest stack pointer changing during the test, IRQs are
 20 * masked and instrumentation of this function is disabled. We assume that the
 21 * compiler will create a fixed-size stack frame for this function.
 22 *
 23 * Any non-inlined function may make further use of the stack, altering the
 24 * lowest stack pointer and/or clobbering poison values. To avoid spurious
 25 * failures we must avoid printing until the end of the test or have already
 26 * encountered a failure condition.
 27 */
 28static void noinstr check_stackleak_irqoff(void)
 29{
 30	const unsigned long task_stack_base = (unsigned long)task_stack_page(current);
 31	const unsigned long task_stack_low = stackleak_task_low_bound(current);
 32	const unsigned long task_stack_high = stackleak_task_high_bound(current);
 33	const unsigned long current_sp = current_stack_pointer;
 34	const unsigned long lowest_sp = current->lowest_stack;
 35	unsigned long untracked_high;
 36	unsigned long poison_high, poison_low;
 37	bool test_failed = false;
 38
 39	/*
 40	 * Check that the current and lowest recorded stack pointer values fall
 41	 * within the expected task stack boundaries. These tests should never
 42	 * fail unless the boundaries are incorrect or we're clobbering the
 43	 * STACK_END_MAGIC, and in either casee something is seriously wrong.
 44	 */
 45	if (current_sp < task_stack_low || current_sp >= task_stack_high) {
 46		instrumentation_begin();
 47		pr_err("FAIL: current_stack_pointer (0x%lx) outside of task stack bounds [0x%lx..0x%lx]\n",
 48		       current_sp, task_stack_low, task_stack_high - 1);
 49		test_failed = true;
 50		goto out;
 51	}
 52	if (lowest_sp < task_stack_low || lowest_sp >= task_stack_high) {
 53		instrumentation_begin();
 54		pr_err("FAIL: current->lowest_stack (0x%lx) outside of task stack bounds [0x%lx..0x%lx]\n",
 55		       lowest_sp, task_stack_low, task_stack_high - 1);
 56		test_failed = true;
 57		goto out;
 58	}
 59
 60	/*
 61	 * Depending on what has run prior to this test, the lowest recorded
 62	 * stack pointer could be above or below the current stack pointer.
 63	 * Start from the lowest of the two.
 64	 *
 65	 * Poison values are naturally-aligned unsigned longs. As the current
 66	 * stack pointer might not be sufficiently aligned, we must align
 67	 * downwards to find the lowest known stack pointer value. This is the
 68	 * high boundary for a portion of the stack which may have been used
 69	 * without being tracked, and has to be scanned for poison.
 70	 */
 71	untracked_high = min(current_sp, lowest_sp);
 72	untracked_high = ALIGN_DOWN(untracked_high, sizeof(unsigned long));
 73
 74	/*
 75	 * Find the top of the poison in the same way as the erasing code.
 
 76	 */
 77	poison_high = stackleak_find_top_of_poison(task_stack_low, untracked_high);
 
 
 
 
 
 
 
 
 
 78
 79	/*
 80	 * Check whether the poisoned portion of the stack (if any) consists
 81	 * entirely of poison. This verifies the entries that
 82	 * stackleak_find_top_of_poison() should have checked.
 83	 */
 84	poison_low = poison_high;
 85	while (poison_low > task_stack_low) {
 86		poison_low -= sizeof(unsigned long);
 87
 88		if (*(unsigned long *)poison_low == STACKLEAK_POISON)
 89			continue;
 90
 91		instrumentation_begin();
 92		pr_err("FAIL: non-poison value %lu bytes below poison boundary: 0x%lx\n",
 93		       poison_high - poison_low, *(unsigned long *)poison_low);
 94		test_failed = true;
 95		goto out;
 96	}
 97
 98	instrumentation_begin();
 99	pr_info("stackleak stack usage:\n"
100		"  high offset: %lu bytes\n"
101		"  current:     %lu bytes\n"
102		"  lowest:      %lu bytes\n"
103		"  tracked:     %lu bytes\n"
104		"  untracked:   %lu bytes\n"
105		"  poisoned:    %lu bytes\n"
106		"  low offset:  %lu bytes\n",
107		task_stack_base + THREAD_SIZE - task_stack_high,
108		task_stack_high - current_sp,
109		task_stack_high - lowest_sp,
110		task_stack_high - untracked_high,
111		untracked_high - poison_high,
112		poison_high - task_stack_low,
113		task_stack_low - task_stack_base);
114
115out:
 
 
 
 
 
 
 
 
 
116	if (test_failed) {
117		pr_err("FAIL: the thread stack is NOT properly erased!\n");
 
118	} else {
119		pr_info("OK: the rest of the thread stack is properly erased\n");
120	}
121	instrumentation_end();
122}
123
124static void lkdtm_STACKLEAK_ERASING(void)
125{
126	unsigned long flags;
127
128	local_irq_save(flags);
129	check_stackleak_irqoff();
130	local_irq_restore(flags);
131}
132#else /* defined(CONFIG_GCC_PLUGIN_STACKLEAK) */
133static void lkdtm_STACKLEAK_ERASING(void)
134{
135	if (IS_ENABLED(CONFIG_HAVE_ARCH_STACKLEAK)) {
136		pr_err("XFAIL: stackleak is not enabled (CONFIG_GCC_PLUGIN_STACKLEAK=n)\n");
137	} else {
138		pr_err("XFAIL: stackleak is not supported on this arch (HAVE_ARCH_STACKLEAK=n)\n");
139	}
140}
141#endif /* defined(CONFIG_GCC_PLUGIN_STACKLEAK) */
142
143static struct crashtype crashtypes[] = {
144	CRASHTYPE(STACKLEAK_ERASING),
145};
146
147struct crashtype_category stackleak_crashtypes = {
148	.crashtypes = crashtypes,
149	.len	    = ARRAY_SIZE(crashtypes),
150};

 1// SPDX-License-Identifier: GPL-2.0
 2/*
 3 * This code tests that the current task stack is properly erased (filled
 4 * with STACKLEAK_POISON).
 5 *
 6 * Authors:
 7 *   Alexander Popov <alex.popov@linux.com>
 8 *   Tycho Andersen <tycho@tycho.ws>
 9 */
10
11#include "lkdtm.h"
12#include <linux/stackleak.h>
13
14void lkdtm_STACKLEAK_ERASING(void)
 
 
 
 
 
 
 
 
 
 
 
 
 
 
15{
16	unsigned long *sp, left, found, i;
17	const unsigned long check_depth =
18			STACKLEAK_SEARCH_DEPTH / sizeof(unsigned long);
 
 
 
 
19	bool test_failed = false;
20
21	/*
22	 * For the details about the alignment of the poison values, see
23	 * the comment in stackleak_track_stack().
 
 
24	 */
25	sp = PTR_ALIGN(&i, sizeof(unsigned long));
 
 
 
 
 
 
 
 
 
 
 
 
 
26
27	left = ((unsigned long)sp & (THREAD_SIZE - 1)) / sizeof(unsigned long);
28	sp--;
 
 
 
 
 
 
 
 
 
 
 
29
30	/*
31	 * One 'long int' at the bottom of the thread stack is reserved
32	 * and not poisoned.
33	 */
34	if (left > 1) {
35		left--;
36	} else {
37		pr_err("FAIL: not enough stack space for the test\n");
38		test_failed = true;
39		goto end;
40	}
41
42	pr_info("checking unused part of the thread stack (%lu bytes)...\n",
43					left * sizeof(unsigned long));
44
45	/*
46	 * Search for 'check_depth' poison values in a row (just like
47	 * stackleak_erase() does).
 
48	 */
49	for (i = 0, found = 0; i < left && found <= check_depth; i++) {
50		if (*(sp - i) == STACKLEAK_POISON)
51			found++;
52		else
53			found = 0;
54	}
55
56	if (found <= check_depth) {
57		pr_err("FAIL: the erased part is not found (checked %lu bytes)\n",
58						i * sizeof(unsigned long));
59		test_failed = true;
60		goto end;
61	}
62
63	pr_info("the erased part begins after %lu not poisoned bytes\n",
64				(i - found) * sizeof(unsigned long));
 
 
 
 
 
 
 
 
 
 
 
 
 
 
65
66	/* The rest of thread stack should be erased */
67	for (; i < left; i++) {
68		if (*(sp - i) != STACKLEAK_POISON) {
69			pr_err("FAIL: bad value number %lu in the erased part: 0x%lx\n",
70								i, *(sp - i));
71			test_failed = true;
72		}
73	}
74
75end:
76	if (test_failed) {
77		pr_err("FAIL: the thread stack is NOT properly erased!\n");
78		pr_expected_config(CONFIG_GCC_PLUGIN_STACKLEAK);
79	} else {
80		pr_info("OK: the rest of the thread stack is properly erased\n");
81	}
 
 
 
 
 
 
 
 
 
 
82}