Only run CET verification test if enabled for current process

If hardware enforced shadow stacks are supported and enabled we verify that we crash if we attempt to return to an address that is different from the one stored in the shadow stack. Bug: 1131225 Change-Id: I1df1a20b2ac08405f53d232cc18f28885e7f2240 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2489929Reviewed-by: Will Harris <wfh@chromium.org> Reviewed-by: Vitaly Buka <vitalybuka@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/master@{#820000}

Only run CET verification test if enabled for current process
If hardware enforced shadow stacks are supported and enabled we verify that we crash if we attempt to return to an address that is different from the one stored in the shadow stack. Bug: 1131225 Change-Id: I1df1a20b2ac08405f53d232cc18f28885e7f2240 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2489929Reviewed-by: Will Harris <wfh@chromium.org> Reviewed-by: Vitaly Buka <vitalybuka@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/master@{#820000}
28648dc6 · Alex Gough · Commit Bot · cdcddc15 · 28648dc6
Commit 28648dc6 authored Oct 22, 2020 by Alex Gough Committed by Commit Bot Oct 22, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 7 deletions

base/win/cet_shadow_stack_unittest.cc base/win/cet_shadow_stack_unittest.cc +41 -7

No files found.
--- a/base/win/cet_shadow_stack_unittest.cc
+++ b/base/win/cet_shadow_stack_unittest.cc
@@ -5,15 +5,46 @@
 #include <Windows.h>
 #include <intrin.h>

+#include "base/compiler_specific.h"
+#include "base/win/windows_version.h"
 #include "testing/gtest/include/gtest/gtest.h"

 namespace base {
 namespace win {

 namespace {
+
+bool IsHardwareEnforcedShadowStacksEnabled() {
+  // Only supported post Win 10 2004.
+  if (base::win::GetVersion() < base::win::Version::WIN10_20H1)
+    return false;
+
+  auto get_process_mitigation_policy =
+      reinterpret_cast<decltype(&GetProcessMitigationPolicy)>(::GetProcAddress(
+          ::GetModuleHandleA("kernel32.dll"), "GetProcessMitigationPolicy"));
+
+  PROCESS_MITIGATION_USER_SHADOW_STACK_POLICY uss_policy;
+  if (!get_process_mitigation_policy(GetCurrentProcess(),
+                                     ProcessUserShadowStackPolicy, &uss_policy,
+                                     sizeof(uss_policy))) {
+    return false;
+  }
+
+  if (uss_policy.EnableUserShadowStack)
+    return true;
+  else
+    return false;
+}
+
 void* return_address;

-__attribute__((noinline)) void Bug() {
+// Bug() simulates a ROP. The first time we are called we save the
+// address we will return to and return to it (like a normal function
+// call). The second time we return to the saved address. If called
+// from a different function the second time, this redirects control
+// flow and should be different from the return address in the shadow
+// stack.
+NOINLINE void Bug() {
  void* pvAddressOfReturnAddress = _AddressOfReturnAddress();
  if (!return_address)
    return_address = *(void**)pvAddressOfReturnAddress;
@@ -21,19 +52,22 @@ __attribute__((noinline)) void Bug() {
    *(void**)pvAddressOfReturnAddress = return_address;
 }

-__attribute__((noinline)) void A() {
+NOINLINE void A() {
  Bug();
 }

-__attribute__((noinline)) void B() {
+NOINLINE void B() {
  Bug();
 }

+}  // namespace
+
 TEST(CET, ShadowStack) {
-  // TODO(ajgo): Check that it's enabled by OS.
-  A();
-  EXPECT_DEATH(B(), "");
+  if (IsHardwareEnforcedShadowStacksEnabled()) {
+    A();
+    EXPECT_DEATH(B(), "");
+  }
 }
-}  // namespace
+
 }  // namespace win
 }  // namespace base