1 // SPDX-License-Identifier: GPL-2.0 1 // SPDX-License-Identifier: GPL-2.0
2 /* 2 /*
3 * This code fills the used part of the kernel 3 * This code fills the used part of the kernel stack with a poison value
4 * before returning to userspace. It's part of 4 * before returning to userspace. It's part of the STACKLEAK feature
5 * ported from grsecurity/PaX. 5 * ported from grsecurity/PaX.
6 * 6 *
7 * Author: Alexander Popov <alex.popov@linux.c 7 * Author: Alexander Popov <alex.popov@linux.com>
8 * 8 *
9 * STACKLEAK reduces the information which ker 9 * STACKLEAK reduces the information which kernel stack leak bugs can
10 * reveal and blocks some uninitialized stack 10 * reveal and blocks some uninitialized stack variable attacks.
11 */ 11 */
12 12
13 #include <linux/stackleak.h> 13 #include <linux/stackleak.h>
14 #include <linux/kprobes.h> 14 #include <linux/kprobes.h>
15 15
16 #ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE 16 #ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
17 #include <linux/jump_label.h> 17 #include <linux/jump_label.h>
18 #include <linux/sysctl.h> 18 #include <linux/sysctl.h>
19 #include <linux/init.h> 19 #include <linux/init.h>
20 20
21 static DEFINE_STATIC_KEY_FALSE(stack_erasing_b 21 static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);
22 22
23 #ifdef CONFIG_SYSCTL 23 #ifdef CONFIG_SYSCTL
24 static int stack_erasing_sysctl(const struct c !! 24 static int stack_erasing_sysctl(struct ctl_table *table, int write,
25 void __user *buffer, s 25 void __user *buffer, size_t *lenp, loff_t *ppos)
26 { 26 {
27 int ret = 0; 27 int ret = 0;
28 int state = !static_branch_unlikely(&s 28 int state = !static_branch_unlikely(&stack_erasing_bypass);
29 int prev_state = state; 29 int prev_state = state;
30 struct ctl_table table_copy = *table; <<
31 30
32 table_copy.data = &state; !! 31 table->data = &state;
33 ret = proc_dointvec_minmax(&table_copy !! 32 table->maxlen = sizeof(int);
>> 33 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
34 state = !!state; 34 state = !!state;
35 if (ret || !write || state == prev_sta 35 if (ret || !write || state == prev_state)
36 return ret; 36 return ret;
37 37
38 if (state) 38 if (state)
39 static_branch_disable(&stack_e 39 static_branch_disable(&stack_erasing_bypass);
40 else 40 else
41 static_branch_enable(&stack_er 41 static_branch_enable(&stack_erasing_bypass);
42 42
43 pr_warn("stackleak: kernel stack erasi 43 pr_warn("stackleak: kernel stack erasing is %s\n",
44 state 44 state ? "enabled" : "disabled");
45 return ret; 45 return ret;
46 } 46 }
47 static struct ctl_table stackleak_sysctls[] = 47 static struct ctl_table stackleak_sysctls[] = {
48 { 48 {
49 .procname = "stack_erasi 49 .procname = "stack_erasing",
50 .data = NULL, 50 .data = NULL,
51 .maxlen = sizeof(int), 51 .maxlen = sizeof(int),
52 .mode = 0600, 52 .mode = 0600,
53 .proc_handler = stack_erasin 53 .proc_handler = stack_erasing_sysctl,
54 .extra1 = SYSCTL_ZERO, 54 .extra1 = SYSCTL_ZERO,
55 .extra2 = SYSCTL_ONE, 55 .extra2 = SYSCTL_ONE,
56 }, 56 },
>> 57 {}
57 }; 58 };
58 59
59 static int __init stackleak_sysctls_init(void) 60 static int __init stackleak_sysctls_init(void)
60 { 61 {
61 register_sysctl_init("kernel", stackle 62 register_sysctl_init("kernel", stackleak_sysctls);
62 return 0; 63 return 0;
63 } 64 }
64 late_initcall(stackleak_sysctls_init); 65 late_initcall(stackleak_sysctls_init);
65 #endif /* CONFIG_SYSCTL */ 66 #endif /* CONFIG_SYSCTL */
66 67
67 #define skip_erasing() static_branch_unlikely 68 #define skip_erasing() static_branch_unlikely(&stack_erasing_bypass)
68 #else 69 #else
69 #define skip_erasing() false 70 #define skip_erasing() false
70 #endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */ 71 #endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
71 72
72 #ifndef __stackleak_poison !! 73 asmlinkage void noinstr stackleak_erase(void)
73 static __always_inline void __stackleak_poison <<
74 <<
75 <<
76 { 74 {
77 while (erase_low < erase_high) { !! 75 /* It would be nice not to have 'kstack_ptr' and 'boundary' on stack */
78 *(unsigned long *)erase_low = !! 76 unsigned long kstack_ptr = current->lowest_stack;
79 erase_low += sizeof(unsigned l !! 77 unsigned long boundary = (unsigned long)end_of_stack(current);
80 } !! 78 unsigned int poison_count = 0;
81 } !! 79 const unsigned int depth = STACKLEAK_SEARCH_DEPTH / sizeof(unsigned long);
82 #endif <<
83 80
84 static __always_inline void __stackleak_erase( !! 81 if (skip_erasing())
85 { !! 82 return;
86 const unsigned long task_stack_low = s !! 83
87 const unsigned long task_stack_high = !! 84 /* Check that 'lowest_stack' value is sane */
88 unsigned long erase_low, erase_high; !! 85 if (unlikely(kstack_ptr - boundary >= THREAD_SIZE))
>> 86 kstack_ptr = boundary;
>> 87
>> 88 /* Search for the poison value in the kernel stack */
>> 89 while (kstack_ptr > boundary && poison_count <= depth) {
>> 90 if (*(unsigned long *)kstack_ptr == STACKLEAK_POISON)
>> 91 poison_count++;
>> 92 else
>> 93 poison_count = 0;
89 94
90 erase_low = stackleak_find_top_of_pois !! 95 kstack_ptr -= sizeof(unsigned long);
91 !! 96 }
>> 97
>> 98 /*
>> 99 * One 'long int' at the bottom of the thread stack is reserved and
>> 100 * should not be poisoned (see CONFIG_SCHED_STACK_END_CHECK=y).
>> 101 */
>> 102 if (kstack_ptr == boundary)
>> 103 kstack_ptr += sizeof(unsigned long);
92 104
93 #ifdef CONFIG_STACKLEAK_METRICS 105 #ifdef CONFIG_STACKLEAK_METRICS
94 current->prev_lowest_stack = erase_low !! 106 current->prev_lowest_stack = kstack_ptr;
95 #endif 107 #endif
96 108
97 /* 109 /*
98 * Write poison to the task's stack be !! 110 * Now write the poison value to the kernel stack. Start from
99 * 'erase_high'. !! 111 * 'kstack_ptr' and move up till the new 'boundary'. We assume that
100 * !! 112 * the stack pointer doesn't change when we write poison.
101 * If we're running on a different sta <<
102 * stack) we can erase everything belo <<
103 * task stack. <<
104 * <<
105 * If we're running on the task stack <<
106 * stack used by this function and its <<
107 * function has a fixed-size stack fra <<
108 * doesn't change while we write poiso <<
109 */ 113 */
110 if (on_task_stack) !! 114 if (on_thread_stack())
111 erase_high = current_stack_poi !! 115 boundary = current_stack_pointer;
112 else 116 else
113 erase_high = task_stack_high; !! 117 boundary = current_top_of_stack();
114 118
115 __stackleak_poison(erase_low, erase_hi !! 119 while (kstack_ptr < boundary) {
>> 120 *(unsigned long *)kstack_ptr = STACKLEAK_POISON;
>> 121 kstack_ptr += sizeof(unsigned long);
>> 122 }
116 123
117 /* Reset the 'lowest_stack' value for 124 /* Reset the 'lowest_stack' value for the next syscall */
118 current->lowest_stack = task_stack_hig !! 125 current->lowest_stack = current_top_of_stack() - THREAD_SIZE/64;
119 } <<
120 <<
121 /* <<
122 * Erase and poison the portion of the task st <<
123 * Can be called from the task stack or an ent <<
124 * no longer in use. <<
125 */ <<
126 asmlinkage void noinstr stackleak_erase(void) <<
127 { <<
128 if (skip_erasing()) <<
129 return; <<
130 <<
131 __stackleak_erase(on_thread_stack()); <<
132 } <<
133 <<
134 /* <<
135 * Erase and poison the portion of the task st <<
136 * Can only be called from the task stack. <<
137 */ <<
138 asmlinkage void noinstr stackleak_erase_on_tas <<
139 { <<
140 if (skip_erasing()) <<
141 return; <<
142 <<
143 __stackleak_erase(true); <<
144 } <<
145 <<
146 /* <<
147 * Erase and poison the portion of the task st <<
148 * Can only be called from a stack other than <<
149 */ <<
150 asmlinkage void noinstr stackleak_erase_off_ta <<
151 { <<
152 if (skip_erasing()) <<
153 return; <<
154 <<
155 __stackleak_erase(false); <<
156 } 126 }
157 127
158 void __used __no_caller_saved_registers noinst 128 void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
159 { 129 {
160 unsigned long sp = current_stack_point 130 unsigned long sp = current_stack_pointer;
161 131
162 /* 132 /*
163 * Having CONFIG_STACKLEAK_TRACK_MIN_S 133 * Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
164 * STACKLEAK_SEARCH_DEPTH makes the po 134 * STACKLEAK_SEARCH_DEPTH makes the poison search in
165 * stackleak_erase() unreliable. Let's 135 * stackleak_erase() unreliable. Let's prevent that.
166 */ 136 */
167 BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MI 137 BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);
168 138
169 /* 'lowest_stack' should be aligned on 139 /* 'lowest_stack' should be aligned on the register width boundary */
170 sp = ALIGN(sp, sizeof(unsigned long)); 140 sp = ALIGN(sp, sizeof(unsigned long));
171 if (sp < current->lowest_stack && 141 if (sp < current->lowest_stack &&
172 sp >= stackleak_task_low_bound(cur !! 142 sp >= (unsigned long)task_stack_page(current) +
>> 143 sizeof(unsigned long)) {
173 current->lowest_stack = sp; 144 current->lowest_stack = sp;
174 } 145 }
175 } 146 }
176 EXPORT_SYMBOL(stackleak_track_stack); 147 EXPORT_SYMBOL(stackleak_track_stack);
177 148
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.