1 // SPDX-License-Identifier: GPL-2.0
3 * This is for all the tests relating directly to Control Flow Integrity.
8 static int called_count;
10 /* Function taking one argument, without a return value. */
11 static noinline void lkdtm_increment_void(int *counter)
16 /* Function taking one argument, returning int. */
17 static noinline int lkdtm_increment_int(int *counter)
24 * This tries to call an indirect function with a mismatched prototype.
26 static void lkdtm_CFI_FORWARD_PROTO(void)
29 * Matches lkdtm_increment_void()'s prototype, but not
30 * lkdtm_increment_int()'s prototype.
34 pr_info("Calling matched prototype ...\n");
35 func = lkdtm_increment_void;
38 pr_info("Calling mismatched prototype ...\n");
39 func = (void *)lkdtm_increment_int;
42 pr_err("FAIL: survived mismatched prototype function call!\n");
43 pr_expected_config(CONFIG_CFI_CLANG);
47 * This can stay local to LKDTM, as there should not be a production reason
48 * to disable PAC && SCS.
50 #ifdef CONFIG_ARM64_PTR_AUTH_KERNEL
51 # ifdef CONFIG_ARM64_BTI_KERNEL
52 # define __no_pac "branch-protection=bti"
54 # define __no_pac "branch-protection=none"
56 # define __no_ret_protection __noscs __attribute__((__target__(__no_pac)))
58 # define __no_ret_protection __noscs
61 #define no_pac_addr(addr) \
62 ((__force __typeof__(addr))((uintptr_t)(addr) | PAGE_OFFSET))
64 /* The ultimate ROP gadget. */
65 static noinline __no_ret_protection
66 void set_return_addr_unchecked(unsigned long *expected, unsigned long *addr)
68 /* Use of volatile is to make sure final write isn't seen as a dead store. */
69 unsigned long * volatile *ret_addr = (unsigned long **)__builtin_frame_address(0) + 1;
71 /* Make sure we've found the right place on the stack before writing it. */
72 if (no_pac_addr(*ret_addr) == expected)
75 /* Check architecture, stack layout, or compiler behavior... */
76 pr_warn("Eek: return address mismatch! %px != %px\n",
81 void set_return_addr(unsigned long *expected, unsigned long *addr)
83 /* Use of volatile is to make sure final write isn't seen as a dead store. */
84 unsigned long * volatile *ret_addr = (unsigned long **)__builtin_frame_address(0) + 1;
86 /* Make sure we've found the right place on the stack before writing it. */
87 if (no_pac_addr(*ret_addr) == expected)
90 /* Check architecture, stack layout, or compiler behavior... */
91 pr_warn("Eek: return address mismatch! %px != %px\n",
95 static volatile int force_check;
97 static void lkdtm_CFI_BACKWARD(void)
99 /* Use calculated gotos to keep labels addressable. */
100 void *labels[] = {0, &&normal, &&redirected, &&check_normal, &&check_redirected};
102 pr_info("Attempting unchecked stack return address redirection ...\n");
107 * Prepare to call with NULLs to avoid parameters being treated as
110 set_return_addr_unchecked(NULL, NULL);
111 set_return_addr(NULL, NULL);
124 * Use fallthrough switch case to keep basic block ordering between
125 * set_return_addr*() and the label after it.
127 switch (force_check) {
129 set_return_addr_unchecked(&&normal, &&redirected);
135 pr_err("FAIL: stack return address manipulation failed!\n");
136 /* If we can't redirect "normally", we can't test mitigations. */
142 pr_info("ok: redirected stack return address.\n");
146 pr_info("Attempting checked stack return address redirection ...\n");
148 switch (force_check) {
150 set_return_addr(&&check_normal, &&check_redirected);
156 pr_info("ok: control flow unchanged.\n");
161 pr_err("FAIL: stack return address was redirected!\n");
165 if (IS_ENABLED(CONFIG_ARM64_PTR_AUTH_KERNEL)) {
166 pr_expected_config(CONFIG_ARM64_PTR_AUTH_KERNEL);
169 if (IS_ENABLED(CONFIG_SHADOW_CALL_STACK)) {
170 pr_expected_config(CONFIG_SHADOW_CALL_STACK);
173 pr_warn("This is probably expected, since this %s was built *without* %s=y nor %s=y\n",
175 "CONFIG_ARM64_PTR_AUTH_KERNEL", "CONFIG_SHADOW_CALL_STACK");
178 static struct crashtype crashtypes[] = {
179 CRASHTYPE(CFI_FORWARD_PROTO),
180 CRASHTYPE(CFI_BACKWARD),
183 struct crashtype_category cfi_crashtypes = {
184 .crashtypes = crashtypes,
185 .len = ARRAY_SIZE(crashtypes),