diff options
| -rw-r--r-- | gdb/ChangeLog | 7 | ||||
| -rw-r--r-- | gdb/amd64-tdep.c | 7 | ||||
| -rw-r--r-- | gdb/doc/ChangeLog | 5 | ||||
| -rw-r--r-- | gdb/doc/gdb.texinfo | 29 | ||||
| -rw-r--r-- | gdb/i386-tdep.c | 7 | ||||
| -rw-r--r-- | gdb/i387-tdep.c | 17 | ||||
| -rw-r--r-- | gdb/i387-tdep.h | 4 | ||||
| -rw-r--r-- | gdb/testsuite/ChangeLog | 5 | ||||
| -rw-r--r-- | gdb/testsuite/gdb.arch/i386-mpx-call.c | 131 | ||||
| -rw-r--r-- | gdb/testsuite/gdb.arch/i386-mpx-call.exp | 387 |
10 files changed, 599 insertions, 0 deletions
diff --git a/gdb/ChangeLog b/gdb/ChangeLog index ddfc94f..aa592d5 100644 --- a/gdb/ChangeLog +++ b/gdb/ChangeLog @@ -1,3 +1,10 @@ +2017-03-07 Walfred Tedeschi <walfred.tedeschi@intel.com> + + * i387-tdep.h (i387_reset_bnd_regs): Add function definition. + * i387-tdep.c (i387_reset_bnd_regs): Add function implementation. + * i386-tdep.c (i386_push_dummy_call): Call i387_reset_bnd_regs. + * amd64-tdep (amd64_push_dummy_call): Call i387_reset_bnd_regs. + 2017-03-06 Simon Marchi <simon.marchi@ericsson.com> * xtensa-linux-nat.c (fetch_gregs): Remove const. diff --git a/gdb/amd64-tdep.c b/gdb/amd64-tdep.c index 4da71e5..98710fe 100644 --- a/gdb/amd64-tdep.c +++ b/gdb/amd64-tdep.c @@ -1004,6 +1004,13 @@ amd64_push_dummy_call (struct gdbarch *gdbarch, struct value *function, enum bfd_endian byte_order = gdbarch_byte_order (gdbarch); gdb_byte buf[8]; + /* BND registers can be in arbitrary values at the moment of the + inferior call. This can cause boundary violations that are not + due to a real bug or even desired by the user. The best to be done + is set the BND registers to allow access to the whole memory, INIT + state, before pushing the inferior call. */ + i387_reset_bnd_regs (gdbarch, regcache); + /* Pass arguments. */ sp = amd64_push_arguments (regcache, nargs, args, sp, struct_return); diff --git a/gdb/doc/ChangeLog b/gdb/doc/ChangeLog index 17cd97f..ed41c05 100644 --- a/gdb/doc/ChangeLog +++ b/gdb/doc/ChangeLog @@ -1,3 +1,8 @@ +2017-03-07 Walfred Tedeschi <walfred.tedeschi@intel.com> + + * Memory Protection Extensions: Add information about inferior + calls. + 2017-02-20 Jan Kratochvil <jan.kratochvil@redhat.com> * gdb.texinfo (Print Settings, Tail Call Frames): Rename DW_OP_GNU_*, diff --git a/gdb/doc/gdb.texinfo b/gdb/doc/gdb.texinfo index f19e80f..ba56ab2 100644 --- a/gdb/doc/gdb.texinfo +++ b/gdb/doc/gdb.texinfo @@ -22552,6 +22552,35 @@ whose bounds are to be changed, @var{lbound} and @var{ubound} are new values for lower and upper bounds respectively. @end table +When you call an inferior function on an Intel MPX enabled program, +GDB sets the inferior's bound registers to the init (disabled) state +before calling the function. As a consequence, bounds checks for the +pointer arguments passed to the function will always pass. + +This is necessary because when you call an inferior function, the +program is usually in the middle of the execution of other function. +Since at that point bound registers are in an arbitrary state, not +clearing them would lead to random bound violations in the called +function. + +You can still examine the influence of the bound registers on the +execution of the called function by stopping the execution of the +called function at its prologue, setting bound registers, and +continuing the execution. For example: + +@smallexample + $ break *upper + Breakpoint 2 at 0x4009de: file i386-mpx-call.c, line 47. + $ print upper (a, b, c, d, 1) + Breakpoint 2, upper (a=0x0, b=0x6e0000005b, c=0x0, d=0x0, len=48).... + $ print $bnd0 + {lbound = 0x0, ubound = ffffffff} : size -1 +@end smallexample + +At this last step the value of bnd0 can be changed for investigation of bound +violations caused along the execution of the call. In order to know how to +set the bound registers or bound table for the call consult the ABI. + @node Alpha @subsection Alpha diff --git a/gdb/i386-tdep.c b/gdb/i386-tdep.c index c81f3e0..ec8b5d3 100644 --- a/gdb/i386-tdep.c +++ b/gdb/i386-tdep.c @@ -2684,6 +2684,13 @@ i386_push_dummy_call (struct gdbarch *gdbarch, struct value *function, int write_pass; int args_space = 0; + /* BND registers can be in arbitrary values at the moment of the + inferior call. This can cause boundary violations that are not + due to a real bug or even desired by the user. The best to be done + is set the BND registers to allow access to the whole memory, INIT + state, before pushing the inferior call. */ + i387_reset_bnd_regs (gdbarch, regcache); + /* Determine the total space required for arguments and struct return address in a first pass (allowing for 16-byte-aligned arguments), then push arguments in a second pass. */ diff --git a/gdb/i387-tdep.c b/gdb/i387-tdep.c index c986e39..9206109 100644 --- a/gdb/i387-tdep.c +++ b/gdb/i387-tdep.c @@ -1860,3 +1860,20 @@ i387_return_value (struct gdbarch *gdbarch, struct regcache *regcache) regcache_raw_write_unsigned (regcache, I387_FTAG_REGNUM (tdep), 0x3fff); } + +/* See i387-tdep.h. */ + +void +i387_reset_bnd_regs (struct gdbarch *gdbarch, struct regcache *regcache) +{ + struct gdbarch_tdep *tdep = gdbarch_tdep (gdbarch); + + if (I387_BND0R_REGNUM (tdep) > 0) + { + gdb_byte bnd_buf[16]; + + memset (bnd_buf, 0, 16); + for (int i = 0; i < I387_NUM_BND_REGS; i++) + regcache_raw_write (regcache, I387_BND0R_REGNUM (tdep) + i, bnd_buf); + } +} diff --git a/gdb/i387-tdep.h b/gdb/i387-tdep.h index 6a97e4f..0455130 100644 --- a/gdb/i387-tdep.h +++ b/gdb/i387-tdep.h @@ -161,4 +161,8 @@ extern void i387_collect_xsave (const struct regcache *regcache, extern void i387_return_value (struct gdbarch *gdbarch, struct regcache *regcache); +/* Set all bnd registers to the INIT state. INIT state means + all memory range can be accessed. */ +extern void i387_reset_bnd_regs (struct gdbarch *gdbarch, + struct regcache *regcache); #endif /* i387-tdep.h */ diff --git a/gdb/testsuite/ChangeLog b/gdb/testsuite/ChangeLog index cb8bf53..33d3b15 100644 --- a/gdb/testsuite/ChangeLog +++ b/gdb/testsuite/ChangeLog @@ -1,3 +1,8 @@ +2017-03-07 Walfred Tedeschi <walfred.tedeschi@intel.com> + + * i386-mpx-call.c: New file. + * i386-mpx-call.exp: New file. + 2017-02-28 Peter Bergner <bergner@vnet.ibm.com> * gdb.arch/powerpc-power.exp: Delete test. diff --git a/gdb/testsuite/gdb.arch/i386-mpx-call.c b/gdb/testsuite/gdb.arch/i386-mpx-call.c new file mode 100644 index 0000000..52e6570 --- /dev/null +++ b/gdb/testsuite/gdb.arch/i386-mpx-call.c @@ -0,0 +1,131 @@ +/* Test for inferior function calls MPX context. + + Copyright (C) 2017 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#include <stdlib.h> +#include <string.h> +#include "x86-cpuid.h" + +/* Defined size for arrays. */ +#define ARRAY_LENGTH 5 + +unsigned int +have_mpx (void) +{ + unsigned int eax, ebx, ecx, edx; + + if (!__get_cpuid (1, &eax, &ebx, &ecx, &edx)) + return 0; + + if ((ecx & bit_OSXSAVE) == bit_OSXSAVE) + { + if (__get_cpuid_max (0, NULL) < 7) + return 0; + + __cpuid_count (7, 0, eax, ebx, ecx, edx); + + if ((ebx & bit_MPX) == bit_MPX) + return 1; + else + return 0; + } + return 0; +} + + +int +upper (int *a, int *b, int *c, int *d, int len) +{ + int value; + + value = *(a + len); + value = *(b + len); + value = *(c + len); + value = *(d + len); + + value = value - *a + 1; + return value; +} + + +int +lower (int *a, int *b, int *c, int *d, int len) +{ + int value; + + value = *(a - len); + value = *(b - len); + value = *(c - len); + value = *(d - len); + + value = value - *a + 1; + return value; +} + + +char +char_upper (char *str, int length) +{ + char ch; + ch = *(str + length); + + return ch; +} + + +char +char_lower (char *str, int length) +{ + char ch; + ch = *(str - length); + + return ch; +} + + +int +main (void) +{ + if (have_mpx ()) + { + int sa[ARRAY_LENGTH]; + int sb[ARRAY_LENGTH]; + int sc[ARRAY_LENGTH]; + int sd[ARRAY_LENGTH]; + int *x, *a, *b, *c, *d; + char mchar; + char hello[] = "Hello"; + + x = malloc (sizeof (int) * ARRAY_LENGTH); + a = malloc (sizeof (int) * ARRAY_LENGTH); + b = malloc (sizeof (int) * ARRAY_LENGTH); + c = malloc (sizeof (int) * ARRAY_LENGTH); + d = malloc (sizeof (int) * ARRAY_LENGTH); + + *x = upper (sa, sb, sc, sd, 0); /* bkpt 1. */ + *x = lower (a, b, c, d, 0); + + mchar = char_upper (hello, 10); + mchar = char_lower (hello, 10); + + free (x); + free (a); + free (b); + free (c); + free (d); + } + return 0; +} diff --git a/gdb/testsuite/gdb.arch/i386-mpx-call.exp b/gdb/testsuite/gdb.arch/i386-mpx-call.exp new file mode 100644 index 0000000..cd8eec4 --- /dev/null +++ b/gdb/testsuite/gdb.arch/i386-mpx-call.exp @@ -0,0 +1,387 @@ +# Copyright (C) 2017 Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +if { ![istarget i?86-*-*] && ![istarget x86_64-*-* ] } { + untested "skipping x86 MPX tests." + return +} + +standard_testfile + +set comp_flags "-mmpx -fcheck-pointer-bounds -I${srcdir}/../nat" + +if {[prepare_for_testing "failed to prepare" ${testfile} ${srcfile} \ + [list debug additional_flags=${comp_flags}]] } { + return -1 +} + +if ![runto_main] { + untested "could not run to main" + return -1 +} + +set test "check whether processor supports MPX" +gdb_test_multiple "print have_mpx ()" $test { + -re ".*= 1\r\n$gdb_prompt " { + pass $test + } + -re ".*= 0\r\n$gdb_prompt " { + pass $test + untested "processor does not support MPX; skipping tests" + return + } +} + +# Convenience for returning from an inferior call that causes a BND violation. +# +gdb_test_no_output "set confirm off" + +# Convenience variable. +# +set bound_reg " = \\\{lbound = $hex, ubound = $hex\\\}.*" +set int_braw_reg " = \\\{lbound = 0x0, ubound_raw = 0x0\\\}.*" +set bndcfg_reg " = \\\{raw = $hex, config = \\\{base = $hex, reserved = $hex,\ + preserved = $hex, enabled = $hex\\\}\\\}" +set bndstatus_reg " = \\\{raw = $hex, status = \\\{bde = $hex,\ + error = $hex\\\}\\\}" +set u_fault [multi_line "Program received signal SIGSEGV, Segmentation fault" \ + "Upper bound violation while accessing address $hex" \ + "Bounds: \\\[lower = $hex, upper = $hex\\\]"] + + +# Simplify the tests below. +# +proc sanity_check_bndregs {arglist} { + + global int_braw_reg + + foreach a $arglist { + gdb_test "p /x $a" "$int_braw_reg"\ + "$a" + } +} + +# Set bnd register to have no access to memory. +# +proc remove_memory_access {reg} { + global hex + + sanity_check_bndregs {"\$bnd0raw" "\$bnd1raw" "\$bnd2raw" "\$bnd3raw"} + + gdb_test "p /x $reg.lbound = $reg.ubound" "= $hex"\ + "$reg lower bound set" + gdb_test "p /x $reg.ubound = 0" " = 0x0"\ + "$reg upper bound set" +} + + +# Prepare convenience variables for bndconfig and status +# for posterior comparison. +# +proc prepare_bndcfg_bndstatus {} { + + global bndcfg_reg + global bndstatus_reg + + gdb_test "p /x \$temp_bndcfgu = \$bndcfgu" "$bndcfg_reg"\ + "bndcfgu should not change" + + gdb_test "p /x \$temp_bndstatus = \$bndstatus" "$bndstatus_reg"\ + "bndstatus should not change" +} + +# Compare values set for convenience variables and actual values of bndconfig +# and bndstatus registers. +# +proc compare_bndstatus_with_convenience {} { + + gdb_test "p \$temp_bndcfgu == \$bndcfgu" "= 1"\ + "bndcfgu compare before and after" + gdb_test "p \$temp_bndstatus == \$bndstatus" "= 1"\ + "bndstatus compare before and after" +} + +# Perform an inferior call defined in func. +# +proc perform_a_call {func} { + + global inf_call_stopped + global gdb_prompt + + gdb_test "p /x $func" [multi_line "The program being debugged\ + stopped while in a function called from GDB." \ + "Evaluation of the expression containing the\ + function.*" \ + ] "inferior call stopped" +} + +# Perform an inferior call defined in func. +# +proc check_bound_violation {parm parm_type is_positive} { + + global u_fault + + gdb_test "continue" "$u_fault.*" "continue to a bnd violation" + + set message "access only one position" + if {$is_positive == 1} { + gdb_test "p (((void *)\$_siginfo._sifields._sigfault.si_addr\ + - (void*)$parm))/sizeof($parm_type) == 1"\ + " = 1" $message + } else { + gdb_test "p ((void*)$parm\ + - (void *)\$_siginfo._sifields._sigfault.si_addr)\ + /sizeof($parm_type) == 1"\ + " = 1" $message + } + gdb_test "return" "\\\#.*main.*i386-mpx-call\\\.c:.*" "return from the fault" +} + + +# Start testing! +# + +# Set up for stopping in the middle of main for calling a function in the +# inferior. +# +set break "bkpt 1." +gdb_breakpoint [gdb_get_line_number "${break}"] +gdb_continue_to_breakpoint "${break}" ".*${break}.*" + + +# Consistency: +# default run execution of call should succeed without violations. +# +with_test_prefix "default_run" { + + gdb_test "p \$keep_bnd0_value=\$bnd0" $bound_reg\ + "store bnd0 register in a convenience variable" + + gdb_test "p /x upper (a, b, c, d, 0)" " = $hex"\ + "default inferior call" + + gdb_test "p ((\$bnd0.lbound==\$keep_bnd0_value.lbound) &&\ + (\$bnd0.ubound==\$keep_bnd0_value.ubound))" "= 1" \ + "bnd register value after and before call" +} + +# Consistency: Examine bnd registers values before and after the call. +# +# +with_test_prefix "verify_default_values" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*upper" + perform_a_call "upper (a, b, c, d, 1)" + + sanity_check_bndregs {"\$bnd0raw" "\$bnd1raw" "\$bnd2raw" "\$bnd3raw"} + + compare_bndstatus_with_convenience + + gdb_test_multiple "continue" "inferior call test" { + -re ".*Continuing.\r\n$gdb_prompt " { + pass "inferior call performed" + } + } +} + +# Examine: Cause an upper bound violation changing BND0. +# +# +with_test_prefix "upper_bnd0" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*upper" + perform_a_call "upper (a, b, c, d, 1)" + + remove_memory_access "\$bnd0" + + compare_bndstatus_with_convenience + + check_bound_violation "a" "int" 1 +} + +# Examine: Cause an upper bound violation changing BND1. +# +# +with_test_prefix "upper_bnd1" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*upper" + perform_a_call "upper (a, b, c, d, 1)" + + remove_memory_access "\$bnd1" + + compare_bndstatus_with_convenience + + check_bound_violation "b" "int" 1 +} + +# Examine: Cause an upper bound violation changing BND2. +# +# +with_test_prefix "upper_bnd2" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*upper" + perform_a_call "upper (a, b, c, d, 1)" + + remove_memory_access "\$bnd2" + + compare_bndstatus_with_convenience + + check_bound_violation "c" "int" 1 +} + +# Examine: Cause an upper bound violation changing BND3. +# +# +with_test_prefix "upper_bnd3" { + prepare_bndcfg_bndstatus + + gdb_breakpoint "*upper" + perform_a_call "upper (a, b, c, d, 1)" + + remove_memory_access "\$bnd3" + + compare_bndstatus_with_convenience + + check_bound_violation "d" "int" 1 +} + +# Examine: Cause a lower bound violation changing BND0. +# +# +with_test_prefix "lower_bnd0" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*lower" + perform_a_call "lower (a, b, c, d, 1)" + + remove_memory_access "\$bnd0" + + compare_bndstatus_with_convenience + + check_bound_violation "a" "int" 0 +} + +# Examine: Cause a lower bound violation changing BND1. +# +# +with_test_prefix "lower_bnd1" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*lower" + perform_a_call "lower (a, b, c, d, 1)" + + remove_memory_access "\$bnd1" + + compare_bndstatus_with_convenience + + check_bound_violation "b" "int" 0 +} + +# Examine: Cause a lower bound violation changing BND2. +# +# +with_test_prefix "lower_bnd2" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*lower" + perform_a_call "lower (a, b, c, d, 1)" + + remove_memory_access "\$bnd2" + + compare_bndstatus_with_convenience + + check_bound_violation "c" "int" 0 +} + +# Examine: Cause a lower bound violation changing BND3. +# +# +with_test_prefix "lower_bnd3" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*lower" + perform_a_call "lower (a, b, c, d, 1)" + + remove_memory_access "\$bnd3" + + compare_bndstatus_with_convenience + + check_bound_violation "d" "int" 0 +} + +# Examine: String causing a upper bound violation changing BND0. +# +# +with_test_prefix "chars_up" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*char_upper" + perform_a_call "char_upper (hello, 1)" + + remove_memory_access "\$bnd0" + + compare_bndstatus_with_convenience + + check_bound_violation "str" "char" 1 +} + + +# Examine: String causing an lower bound violation changing BND0. +# +# +with_test_prefix "chars_low" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*char_lower" + perform_a_call "char_lower (hello, 1)" + + remove_memory_access "\$bnd0" + + compare_bndstatus_with_convenience + + check_bound_violation "str" "char" 0 +} + +# Examine: String causing an lower bound violation changing BND0. +# +# +with_test_prefix "chars_low_adhoc_parm" { + + prepare_bndcfg_bndstatus + + gdb_breakpoint "*char_lower" + perform_a_call "char_lower (\"tryme\", 1)" + + remove_memory_access "\$bnd0" + + compare_bndstatus_with_convenience + + check_bound_violation "str" "char" 0 +} |