
TOMOYO Linux Cross Reference
Linux/include/linux/randomize_kstack.h


Diff markup

Differences between /include/linux/randomize_kstack.h (Version linux-6.12-rc7) and /include/linux/randomize_kstack.h (Version linux-5.17.15)


  1 /* SPDX-License-Identifier: GPL-2.0-only */         1 /* SPDX-License-Identifier: GPL-2.0-only */
  2 #ifndef _LINUX_RANDOMIZE_KSTACK_H                   2 #ifndef _LINUX_RANDOMIZE_KSTACK_H
  3 #define _LINUX_RANDOMIZE_KSTACK_H                   3 #define _LINUX_RANDOMIZE_KSTACK_H
  4                                                     4 
  5 #ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET          << 
  6 #include <linux/kernel.h>                           5 #include <linux/kernel.h>
  7 #include <linux/jump_label.h>                       6 #include <linux/jump_label.h>
  8 #include <linux/percpu-defs.h>                      7 #include <linux/percpu-defs.h>
  9                                                     8 
 10 DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTA      9 DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
 11                          randomize_kstack_offs     10                          randomize_kstack_offset);
 12 DECLARE_PER_CPU(u32, kstack_offset);               11 DECLARE_PER_CPU(u32, kstack_offset);
 13                                                    12 
 14 /*                                                 13 /*
 15  * Do not use this anywhere else in the kernel     14  * Do not use this anywhere else in the kernel. This is used here because
 16  * it provides an arch-agnostic way to grow th     15  * it provides an arch-agnostic way to grow the stack with correct
 17  * alignment. Also, since this use is being ex     16  * alignment. Also, since this use is being explicitly masked to a max of
 18  * 10 bits, stack-clash style attacks are unli     17  * 10 bits, stack-clash style attacks are unlikely. For more details see
 19  * "VLAs" in Documentation/process/deprecated.     18  * "VLAs" in Documentation/process/deprecated.rst
 20  *                                                 19  *
 21  * The normal __builtin_alloca() is initialize     20  * The normal __builtin_alloca() is initialized with INIT_STACK_ALL (currently
 22  * only with Clang and not GCC). Initializing      21  * only with Clang and not GCC). Initializing the unused area on each syscall
 23  * entry is expensive, and generating an impli     22  * entry is expensive, and generating an implicit call to memset() may also be
 24  * problematic (such as in noinstr functions).     23  * problematic (such as in noinstr functions). Therefore, if the compiler
 25  * supports it (which it should if it initiali     24  * supports it (which it should if it initializes allocas), always use the
 26  * "uninitialized" variant of the builtin.         25  * "uninitialized" variant of the builtin.
 27  */                                                26  */
 28 #if __has_builtin(__builtin_alloca_uninitializ     27 #if __has_builtin(__builtin_alloca_uninitialized)
 29 #define __kstack_alloca __builtin_alloca_unini     28 #define __kstack_alloca __builtin_alloca_uninitialized
 30 #else                                              29 #else
 31 #define __kstack_alloca __builtin_alloca           30 #define __kstack_alloca __builtin_alloca
 32 #endif                                             31 #endif
 33                                                    32 
 34 /*                                                 33 /*
 35  * Use, at most, 6 bits of entropy (on 64-bit; !!  34  * Use, at most, 10 bits of entropy. We explicitly cap this to keep the
 36  * to keep the "VLA" from being unbounded (see !!  35  * "VLA" from being unbounded (see above). 10 bits leaves enough room for
 37  * the bottom 4 bits (on 64-bit systems, 2 for !!  36  * per-arch offset masks to reduce entropy (by removing higher bits, since
 38  * alignment will always be at least word size !!  37  * high entropy may overly constrain usable stack space), and for
 39  * code gen better when it is applying the act !!  38  * compiler/arch-specific stack alignment to remove the lower bits.
 40  * the final offset. The resulting randomness  << 
 41  * constraining usable stack space.            << 
 42  */                                                39  */
 43 #ifdef CONFIG_64BIT                            !!  40 #define KSTACK_OFFSET_MAX(x)    ((x) & 0x3FF)
 44 #define KSTACK_OFFSET_MAX(x)    ((x) & 0b11111 << 
 45 #else                                          << 
 46 #define KSTACK_OFFSET_MAX(x)    ((x) & 0b11111 << 
 47 #endif                                         << 
 48                                                    41 
 49 /**                                            !!  42 /*
 50  * add_random_kstack_offset - Increase stack u !!  43  * These macros must be used during syscall entry when interrupts and
 51  *                            chosen random of << 
 52  *                                             << 
 53  * This should be used in the syscall entry pa << 
 54  * preempt are disabled, and after user regist     44  * preempt are disabled, and after user registers have been stored to
 55  * the stack. For testing the resulting entrop !!  45  * the stack.
 56  * tools/testing/selftests/lkdtm/stack-entropy << 
 57  */                                                46  */
 58 #define add_random_kstack_offset() do {            47 #define add_random_kstack_offset() do {                                 \
 59         if (static_branch_maybe(CONFIG_RANDOMI     48         if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
 60                                 &randomize_kst     49                                 &randomize_kstack_offset)) {            \
 61                 u32 offset = raw_cpu_read(ksta     50                 u32 offset = raw_cpu_read(kstack_offset);               \
 62                 u8 *ptr = __kstack_alloca(KSTA     51                 u8 *ptr = __kstack_alloca(KSTACK_OFFSET_MAX(offset));   \
 63                 /* Keep allocation even after      52                 /* Keep allocation even after "ptr" loses scope. */     \
 64                 asm volatile("" :: "r"(ptr) :      53                 asm volatile("" :: "r"(ptr) : "memory");                \
 65         }                                          54         }                                                               \
 66 } while (0)                                        55 } while (0)
 67                                                    56 
 68 /**                                            << 
 69  * choose_random_kstack_offset - Choose the ra << 
 70  *                               add_random_ks << 
 71  *                                             << 
 72  * This should only be used during syscall exi << 
 73  * preempt are disabled. This position in the  << 
 74  * frustrate attacks from userspace attempting << 
 75  * - Maximize the timing uncertainty visible f << 
 76  *   offset is chosen at syscall entry, usersp << 
 77  *   over the timing between choosing offsets. << 
 78  *   kernel mode?" tends to be more difficult  << 
 79  *   will we be in user mode?"                 << 
 80  * - Reduce the lifetime of the new offset sit << 
 81  *   kernel mode execution. Exposure of "threa << 
 82  *   (e.g. current, percpu, etc) tends to be e << 
 83  *   location memory exposure.                 << 
 84  */                                            << 
 85 #define choose_random_kstack_offset(rand) do {     57 #define choose_random_kstack_offset(rand) do {                          \
 86         if (static_branch_maybe(CONFIG_RANDOMI     58         if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
 87                                 &randomize_kst     59                                 &randomize_kstack_offset)) {            \
 88                 u32 offset = raw_cpu_read(ksta     60                 u32 offset = raw_cpu_read(kstack_offset);               \
 89                 offset = ror32(offset, 5) ^ (r !!  61                 offset ^= (rand);                                       \
 90                 raw_cpu_write(kstack_offset, o     62                 raw_cpu_write(kstack_offset, offset);                   \
 91         }                                          63         }                                                               \
 92 } while (0)                                        64 } while (0)
 93 #else /* CONFIG_RANDOMIZE_KSTACK_OFFSET */     << 
 94 #define add_random_kstack_offset()             << 
 95 #define choose_random_kstack_offset(rand)      << 
 96 #endif /* CONFIG_RANDOMIZE_KSTACK_OFFSET */    << 
 97                                                    65 
 98 #endif                                             66 #endif
 99                                                    67 
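Review bot: In the linux-6.12-rc7 column the header comment (file line 18) still states the alloca is "explicitly masked to a max of 10 bits", while the comment at file line 35 now says "Use, at most, 6 bits of entropy (on 64-bit" and the 64-bit KSTACK_OFFSET_MAX at file line 44 is a narrower mask than the single `((x) & 0x3FF)` of linux-5.17.15. The two statements only agree if "10 bits" is read as the bound on the allocation size rather than on the entropy, and a reader comparing them will reasonably take it as a stale number. I would make the distinction explicit in the header, e.g. `* masked to at most 10 bits (bounding the allocation size; the usable entropy is fewer bits, see KSTACK_OFFSET_MAX below), stack-clash style attacks are unlikely.` The 6.12-rc7 column is truncated in this rendering, so the exact mask constants and comment wording should be confirmed against the full source before editing.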

