mirror/binutils-gdb
2
0
Fork 0
mirror of https://sourceware.org/git/binutils-gdb.git synced 2025-01-30 12:44:10 +08:00
Code Issues Packages Projects Releases Wiki Activity
77c8aaf716
binutils-gdb/gdb/testsuite/gdb.arch/i386-mpx-call.exp
Tom de Vries 346e7e1923 [gdb/testsuite] Update gdb.arch/i386-mpx-call.exp for -m32 
When running test-case gdb.arch/i386-mpx-call.exp with target board unix/-m32,
we run into:
...
(gdb) continue^M
Continuing.^M
(gdb) FAIL: gdb.arch/i386-mpx-call.exp: upper_bnd0: continue to a bnd violation
...

Let's look first for reference at -m64, where the test passes.

The test-case uses -mmpx -fcheck-pointer-bounds to generate pointer checks in
the exec.  Effectively, -fcheck-pointer-bounds modifies the calling ABI: a
call passes pointer bounds as well as arguments.  The call to upper (with
four pointer arguments and an int argument, passed in 5 registers) is modified
like this:
...
   lea    -0xa0(%rbp),%rcx
   lea    -0x80(%rbp),%rdx
   lea    -0x60(%rbp),%rsi
   lea    -0x40(%rbp),%rax
   mov    $0x0,%r8d
+  bndmov -0x110(%rbp),%bnd3
+  bndmov -0x100(%rbp),%bnd2
+  bndmov -0xf0(%rbp),%bnd1
+  bndmov -0xe0(%rbp),%bnd0
   mov    %rax,%rdi
-  callq  <upper>
+  bnd callq <upper>
...
passsing the four pointer bounds in bounds registers BND0-3.

The top-level mechanism of the test is as follows:
- run the exec to after all mallocs are done, such that all pointer variables
  are valid
- do inferior calls, similar to those present in the program

The inferior call mechanism doesn't differentiate between a call to a function
compiled with -fcheck-pointer-bounds, and one without.  It merely resets the
bound registers to all-allowed state (see amd64_push_dummy_call), to make sure
the checks don't trigger during the inferior call.  [ This is the same as what
happens when executing a call without bnd prefix when the BNDPRESERVE bit of
the BNDCFG register is set to 0, a provision for calling an instrumented
function using a non-instrumented call. ]

First, two inferior calls are done (default_run and verify_default_values)
with the bound registers unmodified by the test.  So, the memory accesses are
performed with the bounds registers set by amd64_push_dummy_call to
all-allowed, and the bounds checks do not trigger.

Then we try to do an inferior call with modified bounds registers, set to
none-allowed.  In order to do that, we set a breakpoint at *upper before
doing the inferior call.  Once we hit the breakpoint during the inferior call,
the bounds registers are set to none-allowed, and we continue expecting to run
into an triggered bounds check, which takes the shape of a sigsegv.

Back to -m32.  Here, the pointer arguments are passed in memory rather than
registers, so with -fcheck-pointer-bounds, the pointer bounds are placed in
the Bounds Table using bndstx:
...
  movl   $0x0,0x10(%eax)
  lea    -0x70(%ebp),%edx
  mov    %edx,0xc(%eax)
  lea    -0x5c(%ebp),%edx
  mov    %edx,0x8(%eax)
  lea    -0x48(%ebp),%edx
  mov    %edx,0x4(%eax)
  lea    -0x34(%ebp),%edx
  mov    %edx,(%eax)
  lea    0xc(%eax),%edx
  mov    0xc(%eax),%ecx
  bndmov -0xa8(%ebp),%bnd1
  bndstx %bnd1,(%edx,%ecx,1)
  lea    0x8(%eax),%edx
  mov    0x8(%eax),%ecx
  bndmov -0xa0(%ebp),%bnd3
  bndstx %bnd3,(%edx,%ecx,1)
  lea    0x4(%eax),%edx
  mov    0x4(%eax),%ecx
  bndmov -0x98(%ebp),%bnd1
  bndstx %bnd1,(%edx,%ecx,1)
  mov    (%eax),%edx
  bndmov -0x90(%ebp),%bnd3
  bndstx %bnd3,(%eax,%edx,1)
  bnd call 804893f <upper>
...

Again, the bounds registers are reset at the start of the inferior call by
amd64_push_dummy_call, and modified by the test-case, but neither has any
effect.  The code in upper reads the pointer bounds from the Bounds Table, not
from the bounds registers.

Note that for a test.c with an out-of-bounds access:
...
$ cat test.c
void foo (int *a) { volatile int v = a[1]; }
int main (void) { int a; foo (&a); return 0; }
$ gcc test.c -mmpx -fcheck-pointer-bounds -g -m32
$ ./a.out
Saw a #BR! status 1 at 0x804848d
...
and inferior call foo (&a) right before "bnd call foo" (at the point that the
bounds for a are setup in the bounds table) doesn't trigger a bounds violation:
...
(gdb) call foo (&a)
(gdb)
...
This is because the bounds table doesn't associate a pointer with bounds, but
rather a pair of pointer and pointer location.  So, the bound is setup for &a,
with as location the pushed argument in the frame.  The inferior call however
executes in a dummy frame, so the bound is checked for &a with as location the
pushed argument in the dummy frame, which is different, so the bounds check
doesn't trigger.

In conclusion, this is expected behaviour.

Update the test-case to not expect to override effective pointer bounds using
the bounds registers when the bounds passing is done via the Bounds Table.

Tested on x86_64-linux.

gdb/testsuite/ChangeLog:

2020-12-11  Tom de Vries  <tdevries@suse.de>

	PR testsuite/26991
	* gdb.arch/i386-mpx-call.exp: Don't expect to trigger bounds
        violations by setting bounds registers if the bounds are passed in the
        Bounds Table.
2020-12-11 18:26:40 +01:00

417 lines
9.6 KiB
Plaintext
Raw Blame History

# Copyright (C) 2017-2020 Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
if { ![istarget i?86-*-*] && ![istarget x86_64-*-* ] } {
untested "skipping x86 MPX tests."
return
}
standard_testfile
if { ![supports_mpx_check_pointer_bounds] } {
return -1
}
set comp_flags "-mmpx -fcheck-pointer-bounds -I${srcdir}/../nat"
if {[prepare_for_testing "failed to prepare" ${testfile} ${srcfile} \
[list debug additional_flags=${comp_flags}]] } {
return -1
}
if ![runto_main] {
untested "could not run to main"
return -1
}
set test "check whether processor supports MPX"
gdb_test_multiple "print have_mpx ()" $test {
-re ".*= 1\r\n$gdb_prompt " {
pass $test
}
-re ".*= 0\r\n$gdb_prompt " {
pass $test
untested "processor does not support MPX; skipping tests"
return
}
}
set bounds_table 0
gdb_test_multiple "disassemble upper" "" {
-re -wrap "bndldx.*" {
set bounds_table 1
}
-re -wrap "" {
}
}
# Convenience for returning from an inferior call that causes a BND violation.
#
gdb_test_no_output "set confirm off"
# Convenience variable.
#
set bound_reg " = \\\{lbound = $hex, ubound = $hex\\\}.*"
set int_braw_reg " = \\\{lbound = 0x0, ubound_raw = 0x0\\\}.*"
set bndcfg_reg " = \\\{raw = $hex, config = \\\{base = $hex, reserved = $hex,\
preserved = $hex, enabled = $hex\\\}\\\}"
set bndstatus_reg " = \\\{raw = $hex, status = \\\{bde = $hex,\
error = $hex\\\}\\\}"
set u_fault [multi_line "Program received signal SIGSEGV, Segmentation fault" \
"Upper bound violation while accessing address $hex" \
"Bounds: \\\[lower = $hex, upper = $hex\\\]"]
# Simplify the tests below.
#
proc sanity_check_bndregs {arglist} {
global int_braw_reg
foreach a $arglist {
gdb_test "p /x $a" "$int_braw_reg"\
"$a"
}
}
# Set bnd register to have no access to memory.
#
proc remove_memory_access {reg} {
global hex
sanity_check_bndregs {"\$bnd0raw" "\$bnd1raw" "\$bnd2raw" "\$bnd3raw"}
gdb_test "p /x $reg.lbound = $reg.ubound" "= $hex"\
"$reg lower bound set"
gdb_test "p /x $reg.ubound = 0" " = 0x0"\
"$reg upper bound set"
}
# Prepare convenience variables for bndconfig and status
# for posterior comparison.
#
proc prepare_bndcfg_bndstatus {} {
global bndcfg_reg
global bndstatus_reg
gdb_test "p /x \$temp_bndcfgu = \$bndcfgu" "$bndcfg_reg"\
"bndcfgu should not change"
gdb_test "p /x \$temp_bndstatus = \$bndstatus" "$bndstatus_reg"\
"bndstatus should not change"
}
# Compare values set for convenience variables and actual values of bndconfig
# and bndstatus registers.
#
proc compare_bndstatus_with_convenience {} {
gdb_test "p \$temp_bndcfgu == \$bndcfgu" "= 1"\
"bndcfgu compare before and after"
gdb_test "p \$temp_bndstatus == \$bndstatus" "= 1"\
"bndstatus compare before and after"
}
# Perform an inferior call defined in func.
#
proc perform_a_call {func} {
global inf_call_stopped
global gdb_prompt
gdb_test "p /x $func" [multi_line "The program being debugged\
stopped while in a function called from GDB." \
"Evaluation of the expression containing the\
function.*" \
] "inferior call stopped"
}
# Perform an inferior call defined in func.
#
proc check_bound_violation {parm parm_type is_positive} {
global u_fault bounds_table
set have_bnd_violation 0
gdb_test_multiple "continue" "continue to a bnd violation" {
-re -wrap "Continuing\." {
if { $bounds_table } {
pass $gdb_test_name
} else {
fail $gdb_test_name
}
}
-re -wrap "$u_fault.*" {
pass $gdb_test_name
set have_bnd_violation 1
}
}
if { ! $have_bnd_violation } {
return
}
set message "access only one position"
if {$is_positive == 1} {
gdb_test "p (((void *)\$_siginfo._sifields._sigfault.si_addr\
- (void*)$parm))/sizeof($parm_type) == 1"\
" = 1" $message
} else {
gdb_test "p ((void*)$parm\
- (void *)\$_siginfo._sifields._sigfault.si_addr)\
/sizeof($parm_type) == 1"\
" = 1" $message
}
gdb_test "return" "\\\#.*main.*i386-mpx-call\\\.c:.*" "return from the fault"
}
# Start testing!
#
# Set up for stopping in the middle of main for calling a function in the
# inferior.
#
set break "bkpt 1."
gdb_breakpoint [gdb_get_line_number "${break}"]
gdb_continue_to_breakpoint "${break}" ".*${break}.*"
# Consistency:
# default run execution of call should succeed without violations.
#
with_test_prefix "default_run" {
gdb_test "p \$keep_bnd0_value=\$bnd0" $bound_reg\
"store bnd0 register in a convenience variable"
gdb_test "p /x upper (a, b, c, d, 0)" " = $hex"\
"default inferior call"
gdb_test "p ((\$bnd0.lbound==\$keep_bnd0_value.lbound) &&\
(\$bnd0.ubound==\$keep_bnd0_value.ubound))" "= 1" \
"bnd register value after and before call"
}
# Consistency: Examine bnd registers values before and after the call.
#
#
with_test_prefix "verify_default_values" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*upper"
perform_a_call "upper (a, b, c, d, 1)"
sanity_check_bndregs {"\$bnd0raw" "\$bnd1raw" "\$bnd2raw" "\$bnd3raw"}
compare_bndstatus_with_convenience
gdb_test_multiple "continue" "inferior call test" {
-re ".*Continuing.\r\n$gdb_prompt " {
pass "inferior call performed"
}
}
}
# Examine: Cause an upper bound violation changing BND0.
#
#
with_test_prefix "upper_bnd0" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*upper"
perform_a_call "upper (a, b, c, d, 1)"
remove_memory_access "\$bnd0"
compare_bndstatus_with_convenience
check_bound_violation "a" "int" 1
}
# Examine: Cause an upper bound violation changing BND1.
#
#
with_test_prefix "upper_bnd1" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*upper"
perform_a_call "upper (a, b, c, d, 1)"
remove_memory_access "\$bnd1"
compare_bndstatus_with_convenience
check_bound_violation "b" "int" 1
}
# Examine: Cause an upper bound violation changing BND2.
#
#
with_test_prefix "upper_bnd2" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*upper"
perform_a_call "upper (a, b, c, d, 1)"
remove_memory_access "\$bnd2"
compare_bndstatus_with_convenience
check_bound_violation "c" "int" 1
}
# Examine: Cause an upper bound violation changing BND3.
#
#
with_test_prefix "upper_bnd3" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*upper"
perform_a_call "upper (a, b, c, d, 1)"
remove_memory_access "\$bnd3"
compare_bndstatus_with_convenience
check_bound_violation "d" "int" 1
}
# Examine: Cause a lower bound violation changing BND0.
#
#
with_test_prefix "lower_bnd0" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*lower"
perform_a_call "lower (a, b, c, d, 1)"
remove_memory_access "\$bnd0"
compare_bndstatus_with_convenience
check_bound_violation "a" "int" 0
}
# Examine: Cause a lower bound violation changing BND1.
#
#
with_test_prefix "lower_bnd1" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*lower"
perform_a_call "lower (a, b, c, d, 1)"
remove_memory_access "\$bnd1"
compare_bndstatus_with_convenience
check_bound_violation "b" "int" 0
}
# Examine: Cause a lower bound violation changing BND2.
#
#
with_test_prefix "lower_bnd2" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*lower"
perform_a_call "lower (a, b, c, d, 1)"
remove_memory_access "\$bnd2"
compare_bndstatus_with_convenience
check_bound_violation "c" "int" 0
}
# Examine: Cause a lower bound violation changing BND3.
#
#
with_test_prefix "lower_bnd3" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*lower"
perform_a_call "lower (a, b, c, d, 1)"
remove_memory_access "\$bnd3"
compare_bndstatus_with_convenience
check_bound_violation "d" "int" 0
}
# Examine: String causing a upper bound violation changing BND0.
#
#
with_test_prefix "chars_up" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*char_upper"
perform_a_call "char_upper (hello, 1)"
remove_memory_access "\$bnd0"
compare_bndstatus_with_convenience
check_bound_violation "str" "char" 1
}
# Examine: String causing an lower bound violation changing BND0.
#
#
with_test_prefix "chars_low" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*char_lower"
perform_a_call "char_lower (hello, 1)"
remove_memory_access "\$bnd0"
compare_bndstatus_with_convenience
check_bound_violation "str" "char" 0
}
# Examine: String causing an lower bound violation changing BND0.
#
#
with_test_prefix "chars_low_adhoc_parm" {
prepare_bndcfg_bndstatus
gdb_breakpoint "*char_lower"
perform_a_call "char_lower (\"tryme\", 1)"
remove_memory_access "\$bnd0"
compare_bndstatus_with_convenience
check_bound_violation "str" "char" 0
}
Reference in New Issue View Git Blame Copy Permalink