/*
 * sigreturn.c - tests that x86 avoids Intel SYSRET pitfalls
 * Copyright (c) 2014-2016 Andrew Lutomirski
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms and conditions of the GNU General Public License,
 * version 2, as published by the Free Software Foundation.
 *
 * This program is distributed in the hope it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 */

#define _GNU_SOURCE

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>
#include <sys/signal.h>
#include <sys/ucontext.h>
#include <sys/syscall.h>
#include <err.h>
#include <stddef.h>
#include <stdbool.h>
#include <setjmp.h>
#include <sys/user.h>
#include <sys/mman.h>
#include <assert.h>


asm (
        ".pushsection \".text\", \"ax\"\n\t"
        ".balign 4096\n\t"
        "test_page: .globl test_page\n\t"
        ".fill 4094,1,0xcc\n\t"
        "test_syscall_insn:\n\t"
        "syscall\n\t"
        ".ifne . - test_page - 4096\n\t"
        ".error \"test page is not one page long\"\n\t"
        ".endif\n\t"
        ".popsection"
    );

extern const char test_page[];
static void const *current_test_page_addr = test_page;

static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
                       int flags)
{
        struct sigaction sa;
        memset(&sa, 0, sizeof(sa));
        sa.sa_sigaction = handler;
        sa.sa_flags = SA_SIGINFO | flags;
        sigemptyset(&sa.sa_mask);
        if (sigaction(sig, &sa, 0))
                err(1, "sigaction");
}

static void clearhandler(int sig)
{
        struct sigaction sa;
        memset(&sa, 0, sizeof(sa));
        sa.sa_handler = SIG_DFL;
        sigemptyset(&sa.sa_mask);
        if (sigaction(sig, &sa, 0))
                err(1, "sigaction");
}

/* State used by our signal handlers. */
static gregset_t initial_regs;

static volatile unsigned long rip;

static void sigsegv_for_sigreturn_test(int sig, siginfo_t *info, void *ctx_void)
{
        ucontext_t *ctx = (ucontext_t*)ctx_void;

        if (rip != ctx->uc_mcontext.gregs[REG_RIP]) {
                printf("[FAIL]\tRequested RIP=0x%lx but got RIP=0x%lx\n",
                       rip, (unsigned long)ctx->uc_mcontext.gregs[REG_RIP]);
                fflush(stdout);
                _exit(1);
        }

        memcpy(&ctx->uc_mcontext.gregs, &initial_regs, sizeof(gregset_t));

        printf("[OK]\tGot SIGSEGV at RIP=0x%lx\n", rip);
}

static void sigusr1(int sig, siginfo_t *info, void *ctx_void)
{
        ucontext_t *ctx = (ucontext_t*)ctx_void;

        memcpy(&initial_regs, &ctx->uc_mcontext.gregs, sizeof(gregset_t));

        /* Set IP and CX to match so that SYSRET can happen. */
        ctx->uc_mcontext.gregs[REG_RIP] = rip;
        ctx->uc_mcontext.gregs[REG_RCX] = rip;

        /* R11 and EFLAGS should already match. */
        assert(ctx->uc_mcontext.gregs[REG_EFL] ==
               ctx->uc_mcontext.gregs[REG_R11]);

        sethandler(SIGSEGV, sigsegv_for_sigreturn_test, SA_RESETHAND);

        return;
}

static void test_sigreturn_to(unsigned long ip)
{
        rip = ip;
        printf("[RUN]\tsigreturn to 0x%lx\n", ip);
        raise(SIGUSR1);
}

static jmp_buf jmpbuf;

static void sigsegv_for_fallthrough(int sig, siginfo_t *info, void *ctx_void)
{
        ucontext_t *ctx = (ucontext_t*)ctx_void;

        if (rip != ctx->uc_mcontext.gregs[REG_RIP]) {
                printf("[FAIL]\tExpected SIGSEGV at 0x%lx but got RIP=0x%lx\n",
                       rip, (unsigned long)ctx->uc_mcontext.gregs[REG_RIP]);
                fflush(stdout);
                _exit(1);
        }

        siglongjmp(jmpbuf, 1);
}

static void test_syscall_fallthrough_to(unsigned long ip)
{
        void *new_address = (void *)(ip - 4096);
        void *ret;

        printf("[RUN]\tTrying a SYSCALL that falls through to 0x%lx\n", ip);

        ret = mremap((void *)current_test_page_addr, 4096, 4096,
                     MREMAP_MAYMOVE | MREMAP_FIXED, new_address);
        if (ret == MAP_FAILED) {
                if (ip <= (1UL << 47) - PAGE_SIZE) {
                        err(1, "mremap to %p", new_address);
                } else {
                        printf("[OK]\tmremap to %p failed\n", new_address);
                        return;
                }
        }

        if (ret != new_address)
                errx(1, "mremap malfunctioned: asked for %p but got %p\n",
                     new_address, ret);

        current_test_page_addr = new_address;
        rip = ip;

        if (sigsetjmp(jmpbuf, 1) == 0) {
                asm volatile ("call *%[syscall_insn]" :: "a" (SYS_getpid),
                              [syscall_insn] "rm" (ip - 2));
                errx(1, "[FAIL]\tSyscall trampoline returned");
        }

        printf("[OK]\tWe survived\n");
}

int main()
{
        /*
         * When the kernel returns from a slow-path syscall, it will
         * detect whether SYSRET is appropriate.  If it incorrectly
         * thinks that SYSRET is appropriate when RIP is noncanonical,
         * it'll crash on Intel CPUs.
         */
        sethandler(SIGUSR1, sigusr1, 0);
        for (int i = 47; i < 64; i++)
                test_sigreturn_to(1UL<<i);

        clearhandler(SIGUSR1);

        sethandler(SIGSEGV, sigsegv_for_fallthrough, 0);

        /* One extra test to check that we didn't screw up the mremap logic. */
        test_syscall_fallthrough_to((1UL << 47) - 2*PAGE_SIZE);

        /* These are the interesting cases. */
        for (int i = 47; i < 64; i++) {
                test_syscall_fallthrough_to((1UL<<i) - PAGE_SIZE);
                test_syscall_fallthrough_to(1UL<<i);
        }

        return 0;
}