1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * This code tests that the current task stack is properly erased (filled
4  * with STACKLEAK_POISON).
5  *
6  * Authors:
7  *   Alexander Popov <alex.popov@linux.com>
8  *   Tycho Andersen <tycho@tycho.ws>
9  */
10 
11 #include "lkdtm.h"
12 #include <linux/stackleak.h>
13 
14 #if defined(CONFIG_GCC_PLUGIN_STACKLEAK)
15 /*
16  * Check that stackleak tracks the lowest stack pointer and erases the stack
17  * below this as expected.
18  *
19  * To prevent the lowest stack pointer changing during the test, IRQs are
20  * masked and instrumentation of this function is disabled. We assume that the
21  * compiler will create a fixed-size stack frame for this function.
22  *
23  * Any non-inlined function may make further use of the stack, altering the
24  * lowest stack pointer and/or clobbering poison values. To avoid spurious
25  * failures we must avoid printing until the end of the test or have already
26  * encountered a failure condition.
27  */
check_stackleak_irqoff(void)28 static void noinstr check_stackleak_irqoff(void)
29 {
30 	const unsigned long task_stack_base = (unsigned long)task_stack_page(current);
31 	const unsigned long task_stack_low = stackleak_task_low_bound(current);
32 	const unsigned long task_stack_high = stackleak_task_high_bound(current);
33 	const unsigned long current_sp = current_stack_pointer;
34 	const unsigned long lowest_sp = current->lowest_stack;
35 	unsigned long untracked_high;
36 	unsigned long poison_high, poison_low;
37 	bool test_failed = false;
38 
39 	/*
40 	 * Check that the current and lowest recorded stack pointer values fall
41 	 * within the expected task stack boundaries. These tests should never
42 	 * fail unless the boundaries are incorrect or we're clobbering the
43 	 * STACK_END_MAGIC, and in either casee something is seriously wrong.
44 	 */
45 	if (current_sp < task_stack_low || current_sp >= task_stack_high) {
46 		instrumentation_begin();
47 		pr_err("FAIL: current_stack_pointer (0x%lx) outside of task stack bounds [0x%lx..0x%lx]\n",
48 		       current_sp, task_stack_low, task_stack_high - 1);
49 		test_failed = true;
50 		goto out;
51 	}
52 	if (lowest_sp < task_stack_low || lowest_sp >= task_stack_high) {
53 		instrumentation_begin();
54 		pr_err("FAIL: current->lowest_stack (0x%lx) outside of task stack bounds [0x%lx..0x%lx]\n",
55 		       lowest_sp, task_stack_low, task_stack_high - 1);
56 		test_failed = true;
57 		goto out;
58 	}
59 
60 	/*
61 	 * Depending on what has run prior to this test, the lowest recorded
62 	 * stack pointer could be above or below the current stack pointer.
63 	 * Start from the lowest of the two.
64 	 *
65 	 * Poison values are naturally-aligned unsigned longs. As the current
66 	 * stack pointer might not be sufficiently aligned, we must align
67 	 * downwards to find the lowest known stack pointer value. This is the
68 	 * high boundary for a portion of the stack which may have been used
69 	 * without being tracked, and has to be scanned for poison.
70 	 */
71 	untracked_high = min(current_sp, lowest_sp);
72 	untracked_high = ALIGN_DOWN(untracked_high, sizeof(unsigned long));
73 
74 	/*
75 	 * Find the top of the poison in the same way as the erasing code.
76 	 */
77 	poison_high = stackleak_find_top_of_poison(task_stack_low, untracked_high);
78 
79 	/*
80 	 * Check whether the poisoned portion of the stack (if any) consists
81 	 * entirely of poison. This verifies the entries that
82 	 * stackleak_find_top_of_poison() should have checked.
83 	 */
84 	poison_low = poison_high;
85 	while (poison_low > task_stack_low) {
86 		poison_low -= sizeof(unsigned long);
87 
88 		if (*(unsigned long *)poison_low == STACKLEAK_POISON)
89 			continue;
90 
91 		instrumentation_begin();
92 		pr_err("FAIL: non-poison value %lu bytes below poison boundary: 0x%lx\n",
93 		       poison_high - poison_low, *(unsigned long *)poison_low);
94 		test_failed = true;
95 		goto out;
96 	}
97 
98 	instrumentation_begin();
99 	pr_info("stackleak stack usage:\n"
100 		"  high offset: %lu bytes\n"
101 		"  current:     %lu bytes\n"
102 		"  lowest:      %lu bytes\n"
103 		"  tracked:     %lu bytes\n"
104 		"  untracked:   %lu bytes\n"
105 		"  poisoned:    %lu bytes\n"
106 		"  low offset:  %lu bytes\n",
107 		task_stack_base + THREAD_SIZE - task_stack_high,
108 		task_stack_high - current_sp,
109 		task_stack_high - lowest_sp,
110 		task_stack_high - untracked_high,
111 		untracked_high - poison_high,
112 		poison_high - task_stack_low,
113 		task_stack_low - task_stack_base);
114 
115 out:
116 	if (test_failed) {
117 		pr_err("FAIL: the thread stack is NOT properly erased!\n");
118 	} else {
119 		pr_info("OK: the rest of the thread stack is properly erased\n");
120 	}
121 	instrumentation_end();
122 }
123 
lkdtm_STACKLEAK_ERASING(void)124 static void lkdtm_STACKLEAK_ERASING(void)
125 {
126 	unsigned long flags;
127 
128 	local_irq_save(flags);
129 	check_stackleak_irqoff();
130 	local_irq_restore(flags);
131 }
132 #else /* defined(CONFIG_GCC_PLUGIN_STACKLEAK) */
lkdtm_STACKLEAK_ERASING(void)133 static void lkdtm_STACKLEAK_ERASING(void)
134 {
135 	if (IS_ENABLED(CONFIG_HAVE_ARCH_STACKLEAK)) {
136 		pr_err("XFAIL: stackleak is not enabled (CONFIG_GCC_PLUGIN_STACKLEAK=n)\n");
137 	} else {
138 		pr_err("XFAIL: stackleak is not supported on this arch (HAVE_ARCH_STACKLEAK=n)\n");
139 	}
140 }
141 #endif /* defined(CONFIG_GCC_PLUGIN_STACKLEAK) */
142 
143 static struct crashtype crashtypes[] = {
144 	CRASHTYPE(STACKLEAK_ERASING),
145 };
146 
147 struct crashtype_category stackleak_crashtypes = {
148 	.crashtypes = crashtypes,
149 	.len	    = ARRAY_SIZE(crashtypes),
150 };
151