[12/12] gdb: Enable displaced stepping with shadow stack on amd64 linux.

Message ID 20241220200501.324191-13-christina.schimpe@intel.com
State New
Headers
Series Add CET shadow stack support |

Checks

Context Check Description
linaro-tcwg-bot/tcwg_gdb_build--master-aarch64 success Build passed
linaro-tcwg-bot/tcwg_gdb_build--master-arm success Build passed
linaro-tcwg-bot/tcwg_gdb_check--master-aarch64 success Test passed
linaro-tcwg-bot/tcwg_gdb_check--master-arm success Test passed

Commit Message

Schimpe, Christina Dec. 20, 2024, 8:05 p.m. UTC
  This patch enables displaced stepping to support Intel's Control-Flow
Enforcement Technology (CET), which provides the shadow stack feature
for the x86 architecture.
Following the restriction of the linux kernel, enable displaced stepping
for amd64 only.

If displaced stepping is active and the single stepped instruction is a
call instruction, the return address atop the stack is the address following
the copied instruction.  However, to allow normal program execution it has
to be the address following the original instruction.  Due to that reason,
the return address is corrected in amd64_displaced_step_fixup and
i386_displaced_step_fixup.

To avoid a control-protection exception if shadow stack is active,
the shadow stack top address must be corrected as well.
---
 gdb/amd64-linux-tdep.c                        |  2 +
 gdb/amd64-tdep.c                              | 12 +++
 gdb/doc/gdb.texinfo                           | 11 ++-
 gdb/i386-tdep.c                               | 12 +++
 .../gdb.arch/amd64-shadow-stack-disp-step.exp | 84 +++++++++++++++++++
 5 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 gdb/testsuite/gdb.arch/amd64-shadow-stack-disp-step.exp
  

Comments

Eli Zaretskii Dec. 20, 2024, 8:14 p.m. UTC | #1
> From: "Schimpe, Christina" <christina.schimpe@intel.com>
> Date: Fri, 20 Dec 2024 20:05:01 +0000
> 
>  gdb/amd64-linux-tdep.c                        |  2 +
>  gdb/amd64-tdep.c                              | 12 +++
>  gdb/doc/gdb.texinfo                           | 11 ++-
>  gdb/i386-tdep.c                               | 12 +++
>  .../gdb.arch/amd64-shadow-stack-disp-step.exp | 84 +++++++++++++++++++
>  5 files changed, 120 insertions(+), 1 deletion(-)
>  create mode 100644 gdb/testsuite/gdb.arch/amd64-shadow-stack-disp-step.exp

Thanks, the documentation part is okay.

Reviewed-By: Eli Zaretskii <eliz@gnu.org>
  
Schimpe, Christina Jan. 2, 2025, 9:04 a.m. UTC | #2
Hi Eli, 

Thanks a lot for your quick feedback.
Does your review apply to the documentation of the entire series or just to the patch
"gdb: Enable displaced stepping with shadow stack on amd64 linux." ?

Christina

> -----Original Message-----
> From: Eli Zaretskii <eliz@gnu.org>
> Sent: Friday, December 20, 2024 9:14 PM
> To: Schimpe, Christina <christina.schimpe@intel.com>
> Cc: gdb-patches@sourceware.org
> Subject: Re: [PATCH 12/12] gdb: Enable displaced stepping with shadow stack on
> amd64 linux.
> 
> > From: "Schimpe, Christina" <christina.schimpe@intel.com>
> > Date: Fri, 20 Dec 2024 20:05:01 +0000
> >
> >  gdb/amd64-linux-tdep.c                        |  2 +
> >  gdb/amd64-tdep.c                              | 12 +++
> >  gdb/doc/gdb.texinfo                           | 11 ++-
> >  gdb/i386-tdep.c                               | 12 +++
> >  .../gdb.arch/amd64-shadow-stack-disp-step.exp | 84
> > +++++++++++++++++++
> >  5 files changed, 120 insertions(+), 1 deletion(-)  create mode 100644
> > gdb/testsuite/gdb.arch/amd64-shadow-stack-disp-step.exp
> 
> Thanks, the documentation part is okay.
> 
> Reviewed-By: Eli Zaretskii <eliz@gnu.org>
Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Sean Fennelly, Jeffrey Schneiderman, Tiffany Doon Silva
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928
  
Eli Zaretskii Jan. 2, 2025, 9:15 a.m. UTC | #3
> From: "Schimpe, Christina" <christina.schimpe@intel.com>
> CC: "gdb-patches@sourceware.org" <gdb-patches@sourceware.org>
> Date: Thu, 2 Jan 2025 09:04:20 +0000
> 
> Hi Eli, 
> 
> Thanks a lot for your quick feedback.
> Does your review apply to the documentation of the entire series or just to the patch
> "gdb: Enable displaced stepping with shadow stack on amd64 linux." ?

All of them.
  

Patch

diff --git a/gdb/amd64-linux-tdep.c b/gdb/amd64-linux-tdep.c
index ef59cfcb7e4..a034d75dd52 100644
--- a/gdb/amd64-linux-tdep.c
+++ b/gdb/amd64-linux-tdep.c
@@ -2068,6 +2068,8 @@  amd64_linux_init_abi_common(struct gdbarch_info info, struct gdbarch *gdbarch,
     (gdbarch, amd64_linux_remove_non_address_bits_watchpoint);
 
   set_gdbarch_shadow_stack_push (gdbarch, amd64_linux_shadow_stack_push);
+  set_gdbarch_get_shadow_stack_pointer (gdbarch,
+					amd64_linux_get_shadow_stack_pointer);
   dwarf2_frame_set_init_reg (gdbarch, amd64_init_reg);
 }
 
diff --git a/gdb/amd64-tdep.c b/gdb/amd64-tdep.c
index a298333e70a..988a4cb285b 100644
--- a/gdb/amd64-tdep.c
+++ b/gdb/amd64-tdep.c
@@ -1747,6 +1747,18 @@  amd64_displaced_step_fixup (struct gdbarch *gdbarch,
       displaced_debug_printf ("relocated return addr at %s to %s",
 			      paddress (gdbarch, rsp),
 			      paddress (gdbarch, retaddr));
+
+      /* If shadow stack is enabled, we need to correct the return address
+	 on the shadow stack too.  */
+      std::optional<CORE_ADDR> ssp = gdbarch_get_shadow_stack_pointer (gdbarch);
+      if (ssp.has_value ())
+	{
+	  write_memory_unsigned_integer (*ssp, retaddr_len, byte_order,
+					 retaddr);
+	  displaced_debug_printf ("relocated shadow stack return addr at %s "
+				  "to %s", paddress (gdbarch, *ssp),
+				  paddress (gdbarch, retaddr));
+	}
     }
 }
 
diff --git a/gdb/doc/gdb.texinfo b/gdb/doc/gdb.texinfo
index 4bed63cb0a1..022c944ea5c 100644
--- a/gdb/doc/gdb.texinfo
+++ b/gdb/doc/gdb.texinfo
@@ -26858,12 +26858,20 @@  the program stream must be an @code{ENDBR} instruction, otherwise the
 processor signals a control protection exception.
 @end itemize
 
-Impact on Call/Print:
+Impact on GDB commands:
+@itemize @bullet
+@item Call/Print:
 Inferior calls in @value{GDBN} reset the current PC to the beginning of the
 function that is called.  No call instruction is executed, but the @code{RET}
 instruction actually is.  To avoid a control protection exception due to the
 missing return address on the shadow stack, @value{GDBN} pushes the new return
 address to the shadow stack and updates the shadow stack pointer.
+@item Step:
+With displaced stepping, @value{GDBN} may run an out of line copy of a call
+instruction.  In this case, the wrong return address is pushed on the shadow
+stack.  @value{GDBN} corrects this value to avoid a control protection
+exception.  For more details on displaced stepping, see @ref{displaced-stepping}.
+@end itemize
 
 @node Alpha
 @subsection Alpha
@@ -41579,6 +41587,7 @@  GLOBAL              Disassembler_2	(Matches current architecture)
 @cindex out-of-line single-stepping
 @item set displaced-stepping
 @itemx show displaced-stepping
+@anchor{displaced-stepping}
 Control whether or not @value{GDBN} will do @dfn{displaced stepping}
 if the target supports it.  Displaced stepping is a way to single-step
 over breakpoints without removing them from the inferior, by executing
diff --git a/gdb/i386-tdep.c b/gdb/i386-tdep.c
index b338029d990..ec98b52c649 100644
--- a/gdb/i386-tdep.c
+++ b/gdb/i386-tdep.c
@@ -899,6 +899,18 @@  i386_displaced_step_fixup (struct gdbarch *gdbarch,
       displaced_debug_printf ("relocated return addr at %s to %s",
 			      paddress (gdbarch, esp),
 			      paddress (gdbarch, retaddr));
+
+      /* If shadow stack is enabled, we need to correct the return address
+	 on the shadow stack too.  */
+      std::optional<CORE_ADDR> ssp = gdbarch_get_shadow_stack_pointer (gdbarch);
+      if (ssp.has_value ())
+	{
+	  write_memory_unsigned_integer (*ssp, retaddr_len, byte_order,
+					 retaddr);
+	  displaced_debug_printf ("relocated shadow stack return addr at %s "
+				  "to %s", paddress (gdbarch, *ssp),
+				  paddress (gdbarch, retaddr));
+	}
     }
 }
 
diff --git a/gdb/testsuite/gdb.arch/amd64-shadow-stack-disp-step.exp b/gdb/testsuite/gdb.arch/amd64-shadow-stack-disp-step.exp
new file mode 100644
index 00000000000..493ca0100cb
--- /dev/null
+++ b/gdb/testsuite/gdb.arch/amd64-shadow-stack-disp-step.exp
@@ -0,0 +1,84 @@ 
+# Copyright 2024 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Test continue from call instructions with shadow stack and displaced
+# stepping being enabled.
+
+require allow_ssp_tests support_displaced_stepping
+
+standard_testfile amd64-shadow-stack.c
+
+save_vars { ::env(GLIBC_TUNABLES) } {
+
+    append_environment GLIBC_TUNABLES "glibc.cpu.hwcaps" "SHSTK"
+
+    if { [prepare_for_testing "failed to prepare" ${testfile} ${srcfile} \
+	  additional_flags="-fcf-protection=return"] } {
+	return -1
+    }
+
+    # Enable displaced stepping.
+    gdb_test_no_output "set displaced-stepping on"
+    gdb_test "show displaced-stepping" ".* displaced stepping .* is on.*"
+
+    if { ![runto_main] } {
+	return -1
+    }
+
+    # Get the address of the call1 instruction.
+    set call1_addr -1
+    gdb_test_multiple "disassemble main" "" {
+	-re -wrap "($hex) <\\+($decimal)>:\\s*call\\s*0x.*<call1>.*" {
+	    set call1_addr $expect_out(1,string)
+	    pass $gdb_test_name
+	}
+    }
+
+    if { $call1_addr == -1 } {
+	return -1
+    }
+
+    # Get the address of the call2 instruction.
+    set call2_addr -1
+    gdb_test_multiple "disassemble call1" "" {
+	-re -wrap "($hex) <\\+($decimal)>:\\s*call\\s*0x.*<call2>.*" {
+	    set call2_addr $expect_out(1,string)
+	    pass $gdb_test_name
+	}
+    }
+
+    if { $call2_addr == -1 } {
+	return -1
+    }
+
+    gdb_test "break *$call1_addr" \
+	"Breakpoint $decimal at $hex.*" \
+	"break at the address of the call1 instruction"
+
+    gdb_test "break *$call2_addr" \
+	"Breakpoint $decimal at $hex.*" \
+	"break at the address of the call2 instruction"
+
+    gdb_test "continue" \
+	"Breakpoint $decimal, $call1_addr in main ().*" \
+	"continue until call1 instruction"
+
+    # Test continue from breakpoint at call1 and call2 instructions.
+    gdb_test "continue" \
+	"Breakpoint $decimal, $call2_addr in call1 ().*" \
+	"continue from call1 instruction"
+
+    gdb_continue_to_end "continue from call2 instruction"
+}