""" Check that lldb features work when the AArch64 Guarded Control Stack (GCS) extension is enabled. """ import lldb from lldbsuite.test.decorators import * from lldbsuite.test.lldbtest import * from lldbsuite.test import lldbutil class AArch64LinuxGCSTestCase(TestBase): NO_DEBUG_INFO_TESTCASE = True @skipUnlessArch("aarch64") @skipUnlessPlatform(["linux"]) def test_gcs_region(self): if not self.isAArch64GCS(): self.skipTest("Target must support GCS.") # This test assumes that we have /proc//smaps files # that include "VmFlags:" lines. # AArch64 kernel config defaults to enabling smaps with # PROC_PAGE_MONITOR and "VmFlags" was added in kernel 3.8, # before GCS was supported at all. self.build() self.runCmd("file " + self.getBuildArtifact("a.out"), CURRENT_EXECUTABLE_SET) lldbutil.run_break_set_by_file_and_line( self, "main.c", line_number("main.c", "// Set break point at this line."), num_expected_locations=1, ) self.runCmd("run", RUN_SUCCEEDED) if self.process().GetState() == lldb.eStateExited: self.fail("Test program failed to run.") self.expect( "thread list", STOPPED_DUE_TO_BREAKPOINT, substrs=["stopped", "stop reason = breakpoint"], ) # By now either the program or the system C library enabled GCS and there # should be one region marked for use by it (we cannot predict exactly # where it will be). self.runCmd("memory region --all") found_ss = False for line in self.res.GetOutput().splitlines(): if line.strip() == "shadow stack: yes": if found_ss: self.fail("Found more than one shadow stack region.") found_ss = True self.assertTrue(found_ss, "Failed to find a shadow stack region.") # Note that we must let the debugee get killed here as it cannot exit # cleanly if GCS was manually enabled. @skipUnlessArch("aarch64") @skipUnlessPlatform(["linux"]) def test_gcs_fault(self): if not self.isAArch64GCS(): self.skipTest("Target must support GCS.") self.build() self.runCmd("file " + self.getBuildArtifact("a.out"), CURRENT_EXECUTABLE_SET) self.runCmd("run", RUN_SUCCEEDED) if self.process().GetState() == lldb.eStateExited: self.fail("Test program failed to run.") self.expect( "thread list", "Expected stopped by SIGSEGV.", substrs=[ "stopped", "stop reason = signal SIGSEGV: control protection fault", ], ) # This helper reads all the GCS registers and optionally compares them # against a previous state, then returns the current register values. def check_gcs_registers( self, expected_gcs_features_enabled=None, expected_gcs_features_locked=None, expected_gcspr_el0=None, ): thread = self.dbg.GetSelectedTarget().process.GetThreadAtIndex(0) registerSets = thread.GetFrameAtIndex(0).GetRegisters() gcs_registers = registerSets.GetFirstValueByName( r"Guarded Control Stack Registers" ) gcs_features_enabled = gcs_registers.GetChildMemberWithName( "gcs_features_enabled" ).GetValueAsUnsigned() if expected_gcs_features_enabled is not None: self.assertEqual(expected_gcs_features_enabled, gcs_features_enabled) gcs_features_locked = gcs_registers.GetChildMemberWithName( "gcs_features_locked" ).GetValueAsUnsigned() if expected_gcs_features_locked is not None: self.assertEqual(expected_gcs_features_locked, gcs_features_locked) gcspr_el0 = gcs_registers.GetChildMemberWithName( "gcspr_el0" ).GetValueAsUnsigned() if expected_gcspr_el0 is not None: self.assertEqual(expected_gcspr_el0, gcspr_el0) return gcs_features_enabled, gcs_features_locked, gcspr_el0 @skipUnlessArch("aarch64") @skipUnlessPlatform(["linux"]) def test_gcs_registers(self): if not self.isAArch64GCS(): self.skipTest("Target must support GCS.") self.build() self.runCmd("file " + self.getBuildArtifact("a.out"), CURRENT_EXECUTABLE_SET) self.runCmd("b test_func") self.runCmd("b test_func2") self.runCmd("run", RUN_SUCCEEDED) if self.process().GetState() == lldb.eStateExited: self.fail("Test program failed to run.") self.expect( "thread list", STOPPED_DUE_TO_BREAKPOINT, substrs=["stopped", "stop reason = breakpoint"], ) self.expect("register read --all", substrs=["Guarded Control Stack Registers:"]) enabled, locked, spr_el0 = self.check_gcs_registers() # Features enabled should have at least the enable bit set, it could have # others depending on what the C library did, but we can't rely on always # having them. self.assertTrue(enabled & 1, "Expected GCS enable bit to be set.") # Features locked we cannot predict, we will just assert that it remains # the same as we continue. # spr_el0 will point to some memory region that is a shadow stack region. self.expect(f"memory region {spr_el0}", substrs=["shadow stack: yes"]) # Continue into test_func2, where the GCS pointer should have been # decremented, and the other registers remain the same. self.runCmd("continue") self.expect( "thread list", STOPPED_DUE_TO_BREAKPOINT, substrs=["stopped", "stop reason = breakpoint"], ) _, _, spr_el0 = self.check_gcs_registers(enabled, locked, spr_el0 - 8) # Any combination of GCS feature lock bits might have been set by the C # library, and could be set to 0 or 1. To check that we can modify them, # invert one of those bits then write it back to the lock register. # The stack pushing feature is bit 2 of that register. STACK_PUSH = 2 # Get the original value of the stack push lock bit. stack_push = bool((locked >> STACK_PUSH) & 1) # Invert the value and put it back into the set of lock bits. new_locked = (locked & ~(1 << STACK_PUSH)) | (int(not stack_push) << STACK_PUSH) # Write the new lock bits, which are the same as before, only with stack # push locked (if it was previously unlocked), or unlocked (if it was # previously locked). self.runCmd(f"register write gcs_features_locked 0x{new_locked:x}") # We should be able to read back this new set of lock bits. self.expect( f"register read gcs_features_locked", substrs=[f"gcs_features_locked = 0x{new_locked:016x}"], ) # We could prove the write made it to hardware by trying to prctl() to # enable or disable the stack push feature here, but because the libc # may or may not have locked it, it's tricky to coordinate this. Given # that we know the other registers can be written and their values are # seen by the process, we can assume this is too. # Restore the original lock bits, as the libc may rely on being able # to use certain features during program execution. self.runCmd(f"register write gcs_features_locked 0x{locked:x}") # Modify the guarded control stack pointer to cause a fault. spr_el0 += 8 self.runCmd(f"register write gcspr_el0 {spr_el0}") self.expect( "register read gcspr_el0", substrs=[f"gcspr_el0 = 0x{spr_el0:016x}"] ) # If we wrote it back correctly, we will now fault. Don't pass this signal # to the application, as we will continue past it later. self.runCmd("process handle SIGSEGV --pass false") self.runCmd("continue") self.expect( "thread list", "Expected stopped by SIGSEGV.", substrs=[ "stopped", "stop reason = signal SIGSEGV: control protection fault", ], ) # Now to prove we can write gcs_features_enabled, disable GCS and continue # past the fault we caused. Note that although the libc likely locked the # ability to disable GCS, ptrace bypasses the lock bits. enabled &= ~1 self.runCmd(f"register write gcs_features_enabled {enabled}") self.expect( "register read gcs_features_enabled", substrs=[ f"gcs_features_enabled = 0x{enabled:016x}", f"= (PUSH = {(enabled >> 2) & 1}, WRITE = {(enabled >> 1) & 1}, ENABLE = {enabled & 1})", ], ) # With GCS disabled, the invalid guarded control stack pointer is not # checked, so the program can finish normally. self.runCmd("continue") self.expect( "process status", substrs=[ "exited with status = 0", ], ) @skipUnlessPlatform(["linux"]) def test_gcs_expression_simple(self): if not self.isAArch64GCS(): self.skipTest("Target must support GCS.") self.build() self.runCmd("file " + self.getBuildArtifact("a.out"), CURRENT_EXECUTABLE_SET) # Break before GCS has been enabled. self.runCmd("b main") # And after it has been enabled. lldbutil.run_break_set_by_file_and_line( self, "main.c", line_number("main.c", "// Set break point at this line."), num_expected_locations=1, ) self.runCmd("run", RUN_SUCCEEDED) if self.process().GetState() == lldb.eStateExited: self.fail("Test program failed to run.") self.expect( "thread list", STOPPED_DUE_TO_BREAKPOINT, substrs=["stopped", "stop reason = breakpoint"], ) # GCS has not been enabled yet and the ABI plugin should know not to # attempt pushing to the control stack. before = self.check_gcs_registers() expr_cmd = "p get_gcs_status()" self.expect(expr_cmd, substrs=["(unsigned long) 0"]) self.check_gcs_registers(*before) # Continue to when GCS has been enabled. self.runCmd("continue") self.expect( "thread list", STOPPED_DUE_TO_BREAKPOINT, substrs=["stopped", "stop reason = breakpoint"], ) # If we fail to setup the GCS entry, we should not leave any of the GCS registers # changed. The last thing we do is write a new GCS entry to memory and # to simulate the failure of that, temporarily point the GCS to the zero page. # # We use the value 8 here because LLDB will decrement it by 8 so it points to # what we think will be an empty entry on the guarded control stack. _, _, original_gcspr = self.check_gcs_registers() self.runCmd("register write gcspr_el0 8") before = self.check_gcs_registers() self.expect(expr_cmd, error=True) self.check_gcs_registers(*before) # Point to the valid shadow stack region again. self.runCmd(f"register write gcspr_el0 {original_gcspr}") # This time we do need to push to the GCS and having done so, we can # return from this expression without causing a fault. before = self.check_gcs_registers() self.expect(expr_cmd, substrs=["(unsigned long) 1"]) self.check_gcs_registers(*before) @skipUnlessPlatform(["linux"]) def test_gcs_expression_disable_gcs(self): if not self.isAArch64GCS(): self.skipTest("Target must support GCS.") self.build() self.runCmd("file " + self.getBuildArtifact("a.out"), CURRENT_EXECUTABLE_SET) # Break after GCS is enabled. lldbutil.run_break_set_by_file_and_line( self, "main.c", line_number("main.c", "// Set break point at this line."), num_expected_locations=1, ) self.runCmd("run", RUN_SUCCEEDED) if self.process().GetState() == lldb.eStateExited: self.fail("Test program failed to run.") self.expect( "thread list", STOPPED_DUE_TO_BREAKPOINT, substrs=["stopped", "stop reason = breakpoint"], ) # Unlock all features so the expression can enable them again. self.runCmd("register write gcs_features_locked 0") # Disable all features, but keep GCS itself enabled. PR_SHADOW_STACK_ENABLE = 1 self.runCmd(f"register write gcs_features_enabled 0x{PR_SHADOW_STACK_ENABLE:x}") enabled, locked, spr_el0 = self.check_gcs_registers() # We restore everything apart GCS being enabled, as we are not allowed to # go from disabled -> enabled via ptrace. self.expect("p change_gcs_config(false)", substrs=["true"]) enabled &= ~1 self.check_gcs_registers(enabled, locked, spr_el0) @skipUnlessPlatform(["linux"]) def test_gcs_expression_enable_gcs(self): if not self.isAArch64GCS(): self.skipTest("Target must support GCS.") self.build() self.runCmd("file " + self.getBuildArtifact("a.out"), CURRENT_EXECUTABLE_SET) # Break before GCS is enabled. self.runCmd("b main") self.runCmd("run", RUN_SUCCEEDED) if self.process().GetState() == lldb.eStateExited: self.fail("Test program failed to run.") self.expect( "thread list", STOPPED_DUE_TO_BREAKPOINT, substrs=["stopped", "stop reason = breakpoint"], ) # Unlock all features so the expression can enable them again. self.runCmd("register write gcs_features_locked 0") # Disable all features. The program needs PR_SHADOW_STACK_PUSH, but it # will enable that itself. self.runCmd(f"register write gcs_features_enabled 0") enabled, locked, spr_el0 = self.check_gcs_registers() self.expect("p change_gcs_config(true)", substrs=["true"]) # Though we could disable GCS with ptrace, we choose not to to be # consistent with the disabled -> enabled behaviour. enabled |= 1 self.check_gcs_registers(enabled, locked, spr_el0) @skipIfLLVMTargetMissing("AArch64") def test_gcs_core_file(self): # To re-generate the core file, build the test file and run it on a # machine with GCS enabled. Note that because the kernel decides where # the GCS is stored, the value of gcspr_el0 and which memory region it # points to may change between runs. self.runCmd("target create --core corefile") self.expect( "bt", substrs=["stop reason = SIGSEGV: control protection fault"], ) self.expect( "register read --all", substrs=[ "Guarded Control Stack Registers:", "gcs_features_enabled = 0x0000000000000001", "gcs_features_locked = 0x0000000000000000", "gcspr_el0 = 0x0000ffffa83ffff0", ], ) # Should get register fields for both. They have the same fields. self.expect( "register read gcs_features_enabled", substrs=["= (PUSH = 0, WRITE = 0, ENABLE = 1)"], ) self.expect( "register read gcs_features_locked", substrs=["= (PUSH = 0, WRITE = 0, ENABLE = 0)"], ) # Core files do not include /proc/pid/smaps, so we cannot see the # shadow stack "ss" flag. gcspr_el0 should at least point to some mapped # region. self.expect( "memory region $gcspr_el0", substrs=["[0x0000ffffa8000000-0x0000ffffa8400000) rw-"], )