139 lines
5.3 KiB
Python
139 lines
5.3 KiB
Python
#!/usr/bin/env python3
|
|
# SPDX-License-Identifier: GPL-2.0
|
|
#
|
|
# Copyright (c) 2025 Intel Corporation
|
|
#
|
|
# Test for indirect target selection (ITS) mitigation.
|
|
#
|
|
# Tests if the RETs are correctly patched by evaluating the
|
|
# vmlinux .return_sites in /proc/kcore.
|
|
#
|
|
# Install dependencies
|
|
# add-apt-repository ppa:michel-slm/kernel-utils
|
|
# apt update
|
|
# apt install -y python3-drgn python3-pyelftools python3-capstone
|
|
#
|
|
# Run on target machine
|
|
# mkdir -p /usr/lib/debug/lib/modules/$(uname -r)
|
|
# cp $VMLINUX /usr/lib/debug/lib/modules/$(uname -r)/vmlinux
|
|
#
|
|
# Usage: ./its_ret_alignment.py
|
|
|
|
import os, sys, argparse
|
|
from pathlib import Path
|
|
|
|
this_dir = os.path.dirname(os.path.realpath(__file__))
|
|
sys.path.insert(0, this_dir + '/../../kselftest')
|
|
import ksft
|
|
import common as c
|
|
|
|
bug = "indirect_target_selection"
|
|
mitigation = c.get_sysfs(bug)
|
|
if not mitigation or "Aligned branch/return thunks" not in mitigation:
|
|
ksft.test_result_skip("Skipping its_ret_alignment.py: Aligned branch/return thunks not enabled")
|
|
ksft.finished()
|
|
|
|
c.check_dependencies_or_skip(['drgn', 'elftools', 'capstone'], script_name="its_ret_alignment.py")
|
|
|
|
from elftools.elf.elffile import ELFFile
|
|
from drgn.helpers.common.memory import identify_address
|
|
|
|
cap = c.init_capstone()
|
|
|
|
if len(os.sys.argv) > 1:
|
|
arg_vmlinux = os.sys.argv[1]
|
|
if not os.path.exists(arg_vmlinux):
|
|
ksft.test_result_fail(f"its_ret_alignment.py: vmlinux not found at user-supplied path: {arg_vmlinux}")
|
|
ksft.exit_fail()
|
|
os.makedirs(f"/usr/lib/debug/lib/modules/{os.uname().release}", exist_ok=True)
|
|
os.system(f'cp {arg_vmlinux} /usr/lib/debug/lib/modules/$(uname -r)/vmlinux')
|
|
|
|
vmlinux = f"/usr/lib/debug/lib/modules/{os.uname().release}/vmlinux"
|
|
if not os.path.exists(vmlinux):
|
|
ksft.test_result_fail(f"its_ret_alignment.py: vmlinux not found at {vmlinux}")
|
|
ksft.exit_fail()
|
|
|
|
ksft.print_msg(f"Using vmlinux: {vmlinux}")
|
|
|
|
rethunks_start_vmlinux, rethunks_sec_offset, size = c.get_section_info(vmlinux, '.return_sites')
|
|
ksft.print_msg(f"vmlinux: Section .return_sites (0x{rethunks_start_vmlinux:x}) found at 0x{rethunks_sec_offset:x} with size 0x{size:x}")
|
|
|
|
sites_offset = c.get_patch_sites(vmlinux, rethunks_sec_offset, size)
|
|
total_rethunk_tests = len(sites_offset)
|
|
ksft.print_msg(f"Found {total_rethunk_tests} rethunk sites")
|
|
|
|
prog = c.get_runtime_kernel()
|
|
rethunks_start_kcore = prog.symbol('__return_sites').address
|
|
ksft.print_msg(f'kcore: __rethunk_sites: 0x{rethunks_start_kcore:x}')
|
|
|
|
its_return_thunk = prog.symbol('its_return_thunk').address
|
|
ksft.print_msg(f'kcore: its_return_thunk: 0x{its_return_thunk:x}')
|
|
|
|
tests_passed = 0
|
|
tests_failed = 0
|
|
tests_unknown = 0
|
|
tests_skipped = 0
|
|
|
|
with open(vmlinux, 'rb') as f:
|
|
elffile = ELFFile(f)
|
|
text_section = elffile.get_section_by_name('.text')
|
|
|
|
for i in range(len(sites_offset)):
|
|
site = rethunks_start_kcore + sites_offset[i]
|
|
vmlinux_site = rethunks_start_vmlinux + sites_offset[i]
|
|
try:
|
|
passed = unknown = failed = skipped = False
|
|
|
|
symbol = identify_address(prog, site)
|
|
vmlinux_insn = c.get_instruction_from_vmlinux(elffile, text_section, text_section['sh_addr'], vmlinux_site)
|
|
kcore_insn = list(cap.disasm(prog.read(site, 16), site))[0]
|
|
|
|
insn_end = site + kcore_insn.size - 1
|
|
|
|
safe_site = insn_end & 0x20
|
|
site_status = "" if safe_site else "(unsafe)"
|
|
|
|
ksft.print_msg(f"\nSite {i}: {symbol} <0x{site:x}> {site_status}")
|
|
ksft.print_msg(f"\tvmlinux: 0x{vmlinux_insn.address:x}:\t{vmlinux_insn.mnemonic}\t{vmlinux_insn.op_str}")
|
|
ksft.print_msg(f"\tkcore: 0x{kcore_insn.address:x}:\t{kcore_insn.mnemonic}\t{kcore_insn.op_str}")
|
|
|
|
if safe_site:
|
|
tests_passed += 1
|
|
passed = True
|
|
ksft.print_msg(f"\tPASSED: At safe address")
|
|
continue
|
|
|
|
if "jmp" in kcore_insn.mnemonic:
|
|
passed = True
|
|
elif "ret" not in kcore_insn.mnemonic:
|
|
skipped = True
|
|
|
|
if passed:
|
|
ksft.print_msg(f"\tPASSED: Found {kcore_insn.mnemonic} {kcore_insn.op_str}")
|
|
tests_passed += 1
|
|
elif skipped:
|
|
ksft.print_msg(f"\tSKIPPED: Found '{kcore_insn.mnemonic}'")
|
|
tests_skipped += 1
|
|
elif unknown:
|
|
ksft.print_msg(f"UNKNOWN: An unknown instruction: {kcore_insn}")
|
|
tests_unknown += 1
|
|
else:
|
|
ksft.print_msg(f'\t************* FAILED *************')
|
|
ksft.print_msg(f"\tFound {kcore_insn.mnemonic} {kcore_insn.op_str}")
|
|
ksft.print_msg(f'\t**********************************')
|
|
tests_failed += 1
|
|
except Exception as e:
|
|
ksft.print_msg(f"UNKNOWN: An unexpected error occurred: {e}")
|
|
tests_unknown += 1
|
|
|
|
ksft.print_msg(f"\n\nSummary:")
|
|
ksft.print_msg(f"PASSED: \t{tests_passed} \t/ {total_rethunk_tests}")
|
|
ksft.print_msg(f"FAILED: \t{tests_failed} \t/ {total_rethunk_tests}")
|
|
ksft.print_msg(f"SKIPPED: \t{tests_skipped} \t/ {total_rethunk_tests}")
|
|
ksft.print_msg(f"UNKNOWN: \t{tests_unknown} \t/ {total_rethunk_tests}")
|
|
|
|
if tests_failed == 0:
|
|
ksft.test_result_pass("All ITS return thunk sites passed.")
|
|
else:
|
|
ksft.test_result_fail(f"{tests_failed} failed sites need ITS return thunks.")
|
|
ksft.finished()
|