forked from Minki/linux
94cd97af69
When running with a local patch which moves the '_stext' symbol to the
very beginning of the kernel text area, I got the following panic with
CONFIG_HARDENED_USERCOPY:
usercopy: kernel memory exposure attempt detected from ffff88103dfff000 (<linear kernel text>) (4096 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:79!
invalid opcode: 0000 [#1] SMP
...
CPU: 0 PID: 4800 Comm: cp Not tainted 4.8.0-rc3.after+ #1
Hardware name: Dell Inc. PowerEdge R720/0X3D66, BIOS 2.5.4 01/22/2016
task: ffff880817444140 task.stack: ffff880816274000
RIP: 0010:[<ffffffff8121c796>] __check_object_size+0x76/0x413
RSP: 0018:ffff880816277c40 EFLAGS: 00010246
RAX: 000000000000006b RBX: ffff88103dfff000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88081f80dfa8 RDI: ffff88081f80dfa8
RBP: ffff880816277c90 R08: 000000000000054c R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000006 R12: 0000000000001000
R13: ffff88103e000000 R14: ffff88103dffffff R15: 0000000000000001
FS: 00007fb9d1750800(0000) GS:ffff88081f800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000021d2000 CR3: 000000081a08f000 CR4: 00000000001406f0
Stack:
ffff880816277cc8 0000000000010000 000000043de07000 0000000000000000
0000000000001000 ffff880816277e60 0000000000001000 ffff880816277e28
000000000000c000 0000000000001000 ffff880816277ce8 ffffffff8136c3a6
Call Trace:
[<ffffffff8136c3a6>] copy_page_to_iter_iovec+0xa6/0x1c0
[<ffffffff8136e766>] copy_page_to_iter+0x16/0x90
[<ffffffff811970e3>] generic_file_read_iter+0x3e3/0x7c0
[<ffffffffa06a738d>] ? xfs_file_buffered_aio_write+0xad/0x260 [xfs]
[<ffffffff816e6262>] ? down_read+0x12/0x40
[<ffffffffa06a61b1>] xfs_file_buffered_aio_read+0x51/0xc0 [xfs]
[<ffffffffa06a6692>] xfs_file_read_iter+0x62/0xb0 [xfs]
[<ffffffff812224cf>] __vfs_read+0xdf/0x130
[<ffffffff81222c9e>] vfs_read+0x8e/0x140
[<ffffffff81224195>] SyS_read+0x55/0xc0
[<ffffffff81003a47>] do_syscall_64+0x67/0x160
[<ffffffff816e8421>] entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:[<00007fb9d0c33c00>] 0x7fb9d0c33c00
RSP: 002b:00007ffc9c262f28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: fffffffffff8ffff RCX: 00007fb9d0c33c00
RDX: 0000000000010000 RSI: 00000000021c3000 RDI: 0000000000000004
RBP: 00000000021c3000 R08: 0000000000000000 R09: 00007ffc9c264d6c
R10: 00007ffc9c262c50 R11: 0000000000000246 R12: 0000000000010000
R13: 00007ffc9c2630b0 R14: 0000000000000004 R15: 0000000000010000
Code: 81 48 0f 44 d0 48 c7 c6 90 4d a3 81 48 c7 c0 bb b3 a2 81 48 0f 44 f0 4d 89 e1 48 89 d9 48 c7 c7 68 16 a3 81 31 c0 e8 f4 57 f7 ff <0f> 0b 48 8d 90 00 40 00 00 48 39 d3 0f 83 22 01 00 00 48 39 c3
RIP [<ffffffff8121c796>] __check_object_size+0x76/0x413
RSP <ffff880816277c40>
The checked object's range [ffff88103dfff000, ffff88103e000000) is
valid, so there shouldn't have been a BUG. The hardened usercopy code
got confused because the range's ending address is the same as the
kernel's text starting address at 0xffff88103e000000. The overlap check
is slightly off.
Fixes: f5509cc18d
("mm: Hardened usercopy")
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
269 lines
7.2 KiB
C
269 lines
7.2 KiB
C
/*
|
|
* This implements the various checks for CONFIG_HARDENED_USERCOPY*,
|
|
* which are designed to protect kernel memory from needless exposure
|
|
* and overwrite under many unintended conditions. This code is based
|
|
* on PAX_USERCOPY, which is:
|
|
*
|
|
* Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source
|
|
* Security Inc.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
*/
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#include <linux/mm.h>
|
|
#include <linux/slab.h>
|
|
#include <asm/sections.h>
|
|
|
|
enum {
|
|
BAD_STACK = -1,
|
|
NOT_STACK = 0,
|
|
GOOD_FRAME,
|
|
GOOD_STACK,
|
|
};
|
|
|
|
/*
|
|
* Checks if a given pointer and length is contained by the current
|
|
* stack frame (if possible).
|
|
*
|
|
* Returns:
|
|
* NOT_STACK: not at all on the stack
|
|
* GOOD_FRAME: fully within a valid stack frame
|
|
* GOOD_STACK: fully on the stack (when can't do frame-checking)
|
|
* BAD_STACK: error condition (invalid stack position or bad stack frame)
|
|
*/
|
|
static noinline int check_stack_object(const void *obj, unsigned long len)
|
|
{
|
|
const void * const stack = task_stack_page(current);
|
|
const void * const stackend = stack + THREAD_SIZE;
|
|
int ret;
|
|
|
|
/* Object is not on the stack at all. */
|
|
if (obj + len <= stack || stackend <= obj)
|
|
return NOT_STACK;
|
|
|
|
/*
|
|
* Reject: object partially overlaps the stack (passing the
|
|
* the check above means at least one end is within the stack,
|
|
* so if this check fails, the other end is outside the stack).
|
|
*/
|
|
if (obj < stack || stackend < obj + len)
|
|
return BAD_STACK;
|
|
|
|
/* Check if object is safely within a valid frame. */
|
|
ret = arch_within_stack_frames(stack, stackend, obj, len);
|
|
if (ret)
|
|
return ret;
|
|
|
|
return GOOD_STACK;
|
|
}
|
|
|
|
static void report_usercopy(const void *ptr, unsigned long len,
|
|
bool to_user, const char *type)
|
|
{
|
|
pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
|
|
to_user ? "exposure" : "overwrite",
|
|
to_user ? "from" : "to", ptr, type ? : "unknown", len);
|
|
/*
|
|
* For greater effect, it would be nice to do do_group_exit(),
|
|
* but BUG() actually hooks all the lock-breaking and per-arch
|
|
* Oops code, so that is used here instead.
|
|
*/
|
|
BUG();
|
|
}
|
|
|
|
/* Returns true if any portion of [ptr,ptr+n) over laps with [low,high). */
|
|
static bool overlaps(const void *ptr, unsigned long n, unsigned long low,
|
|
unsigned long high)
|
|
{
|
|
unsigned long check_low = (uintptr_t)ptr;
|
|
unsigned long check_high = check_low + n;
|
|
|
|
/* Does not overlap if entirely above or entirely below. */
|
|
if (check_low >= high || check_high <= low)
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
/* Is this address range in the kernel text area? */
|
|
static inline const char *check_kernel_text_object(const void *ptr,
|
|
unsigned long n)
|
|
{
|
|
unsigned long textlow = (unsigned long)_stext;
|
|
unsigned long texthigh = (unsigned long)_etext;
|
|
unsigned long textlow_linear, texthigh_linear;
|
|
|
|
if (overlaps(ptr, n, textlow, texthigh))
|
|
return "<kernel text>";
|
|
|
|
/*
|
|
* Some architectures have virtual memory mappings with a secondary
|
|
* mapping of the kernel text, i.e. there is more than one virtual
|
|
* kernel address that points to the kernel image. It is usually
|
|
* when there is a separate linear physical memory mapping, in that
|
|
* __pa() is not just the reverse of __va(). This can be detected
|
|
* and checked:
|
|
*/
|
|
textlow_linear = (unsigned long)__va(__pa(textlow));
|
|
/* No different mapping: we're done. */
|
|
if (textlow_linear == textlow)
|
|
return NULL;
|
|
|
|
/* Check the secondary mapping... */
|
|
texthigh_linear = (unsigned long)__va(__pa(texthigh));
|
|
if (overlaps(ptr, n, textlow_linear, texthigh_linear))
|
|
return "<linear kernel text>";
|
|
|
|
return NULL;
|
|
}
|
|
|
|
static inline const char *check_bogus_address(const void *ptr, unsigned long n)
|
|
{
|
|
/* Reject if object wraps past end of memory. */
|
|
if ((unsigned long)ptr + n < (unsigned long)ptr)
|
|
return "<wrapped address>";
|
|
|
|
/* Reject if NULL or ZERO-allocation. */
|
|
if (ZERO_OR_NULL_PTR(ptr))
|
|
return "<null>";
|
|
|
|
return NULL;
|
|
}
|
|
|
|
static inline const char *check_heap_object(const void *ptr, unsigned long n,
|
|
bool to_user)
|
|
{
|
|
struct page *page, *endpage;
|
|
const void *end = ptr + n - 1;
|
|
bool is_reserved, is_cma;
|
|
|
|
/*
|
|
* Some architectures (arm64) return true for virt_addr_valid() on
|
|
* vmalloced addresses. Work around this by checking for vmalloc
|
|
* first.
|
|
*/
|
|
if (is_vmalloc_addr(ptr))
|
|
return NULL;
|
|
|
|
if (!virt_addr_valid(ptr))
|
|
return NULL;
|
|
|
|
page = virt_to_head_page(ptr);
|
|
|
|
/* Check slab allocator for flags and size. */
|
|
if (PageSlab(page))
|
|
return __check_heap_object(ptr, n, page);
|
|
|
|
/*
|
|
* Sometimes the kernel data regions are not marked Reserved (see
|
|
* check below). And sometimes [_sdata,_edata) does not cover
|
|
* rodata and/or bss, so check each range explicitly.
|
|
*/
|
|
|
|
/* Allow reads of kernel rodata region (if not marked as Reserved). */
|
|
if (ptr >= (const void *)__start_rodata &&
|
|
end <= (const void *)__end_rodata) {
|
|
if (!to_user)
|
|
return "<rodata>";
|
|
return NULL;
|
|
}
|
|
|
|
/* Allow kernel data region (if not marked as Reserved). */
|
|
if (ptr >= (const void *)_sdata && end <= (const void *)_edata)
|
|
return NULL;
|
|
|
|
/* Allow kernel bss region (if not marked as Reserved). */
|
|
if (ptr >= (const void *)__bss_start &&
|
|
end <= (const void *)__bss_stop)
|
|
return NULL;
|
|
|
|
/* Is the object wholly within one base page? */
|
|
if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
|
|
((unsigned long)end & (unsigned long)PAGE_MASK)))
|
|
return NULL;
|
|
|
|
/* Allow if start and end are inside the same compound page. */
|
|
endpage = virt_to_head_page(end);
|
|
if (likely(endpage == page))
|
|
return NULL;
|
|
|
|
/*
|
|
* Reject if range is entirely either Reserved (i.e. special or
|
|
* device memory), or CMA. Otherwise, reject since the object spans
|
|
* several independently allocated pages.
|
|
*/
|
|
is_reserved = PageReserved(page);
|
|
is_cma = is_migrate_cma_page(page);
|
|
if (!is_reserved && !is_cma)
|
|
goto reject;
|
|
|
|
for (ptr += PAGE_SIZE; ptr <= end; ptr += PAGE_SIZE) {
|
|
page = virt_to_head_page(ptr);
|
|
if (is_reserved && !PageReserved(page))
|
|
goto reject;
|
|
if (is_cma && !is_migrate_cma_page(page))
|
|
goto reject;
|
|
}
|
|
|
|
return NULL;
|
|
|
|
reject:
|
|
return "<spans multiple pages>";
|
|
}
|
|
|
|
/*
|
|
* Validates that the given object is:
|
|
* - not bogus address
|
|
* - known-safe heap or stack object
|
|
* - not in kernel text
|
|
*/
|
|
void __check_object_size(const void *ptr, unsigned long n, bool to_user)
|
|
{
|
|
const char *err;
|
|
|
|
/* Skip all tests if size is zero. */
|
|
if (!n)
|
|
return;
|
|
|
|
/* Check for invalid addresses. */
|
|
err = check_bogus_address(ptr, n);
|
|
if (err)
|
|
goto report;
|
|
|
|
/* Check for bad heap object. */
|
|
err = check_heap_object(ptr, n, to_user);
|
|
if (err)
|
|
goto report;
|
|
|
|
/* Check for bad stack object. */
|
|
switch (check_stack_object(ptr, n)) {
|
|
case NOT_STACK:
|
|
/* Object is not touching the current process stack. */
|
|
break;
|
|
case GOOD_FRAME:
|
|
case GOOD_STACK:
|
|
/*
|
|
* Object is either in the correct frame (when it
|
|
* is possible to check) or just generally on the
|
|
* process stack (when frame checking not available).
|
|
*/
|
|
return;
|
|
default:
|
|
err = "<process stack>";
|
|
goto report;
|
|
}
|
|
|
|
/* Check for object in kernel to avoid text exposure. */
|
|
err = check_kernel_text_object(ptr, n);
|
|
if (!err)
|
|
return;
|
|
|
|
report:
|
|
report_usercopy(ptr, n, to_user, err);
|
|
}
|
|
EXPORT_SYMBOL(__check_object_size);
|