~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/kernel/stackleak.c

Version: ~ [ linux-6.11.5 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.58 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.114 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.169 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.228 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.284 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.322 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 // SPDX-License-Identifier: GPL-2.0
  2 /*
  3  * This code fills the used part of the kernel stack with a poison value
  4  * before returning to userspace. It's part of the STACKLEAK feature
  5  * ported from grsecurity/PaX.
  6  *
  7  * Author: Alexander Popov <alex.popov@linux.com>
  8  *
  9  * STACKLEAK reduces the information which kernel stack leak bugs can
 10  * reveal and blocks some uninitialized stack variable attacks.
 11  */
 12 
 13 #include <linux/stackleak.h>
 14 #include <linux/kprobes.h>
 15 
 16 #ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
 17 #include <linux/jump_label.h>
 18 #include <linux/sysctl.h>
 19 #include <linux/init.h>
 20 
 21 static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);
 22 
 23 #ifdef CONFIG_SYSCTL
 24 static int stack_erasing_sysctl(const struct ctl_table *table, int write,
 25                         void __user *buffer, size_t *lenp, loff_t *ppos)
 26 {
 27         int ret = 0;
 28         int state = !static_branch_unlikely(&stack_erasing_bypass);
 29         int prev_state = state;
 30         struct ctl_table table_copy = *table;
 31 
 32         table_copy.data = &state;
 33         ret = proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos);
 34         state = !!state;
 35         if (ret || !write || state == prev_state)
 36                 return ret;
 37 
 38         if (state)
 39                 static_branch_disable(&stack_erasing_bypass);
 40         else
 41                 static_branch_enable(&stack_erasing_bypass);
 42 
 43         pr_warn("stackleak: kernel stack erasing is %s\n",
 44                                         state ? "enabled" : "disabled");
 45         return ret;
 46 }
 47 static struct ctl_table stackleak_sysctls[] = {
 48         {
 49                 .procname       = "stack_erasing",
 50                 .data           = NULL,
 51                 .maxlen         = sizeof(int),
 52                 .mode           = 0600,
 53                 .proc_handler   = stack_erasing_sysctl,
 54                 .extra1         = SYSCTL_ZERO,
 55                 .extra2         = SYSCTL_ONE,
 56         },
 57 };
 58 
 59 static int __init stackleak_sysctls_init(void)
 60 {
 61         register_sysctl_init("kernel", stackleak_sysctls);
 62         return 0;
 63 }
 64 late_initcall(stackleak_sysctls_init);
 65 #endif /* CONFIG_SYSCTL */
 66 
 67 #define skip_erasing()  static_branch_unlikely(&stack_erasing_bypass)
 68 #else
 69 #define skip_erasing()  false
 70 #endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
 71 
 72 #ifndef __stackleak_poison
 73 static __always_inline void __stackleak_poison(unsigned long erase_low,
 74                                                unsigned long erase_high,
 75                                                unsigned long poison)
 76 {
 77         while (erase_low < erase_high) {
 78                 *(unsigned long *)erase_low = poison;
 79                 erase_low += sizeof(unsigned long);
 80         }
 81 }
 82 #endif
 83 
 84 static __always_inline void __stackleak_erase(bool on_task_stack)
 85 {
 86         const unsigned long task_stack_low = stackleak_task_low_bound(current);
 87         const unsigned long task_stack_high = stackleak_task_high_bound(current);
 88         unsigned long erase_low, erase_high;
 89 
 90         erase_low = stackleak_find_top_of_poison(task_stack_low,
 91                                                  current->lowest_stack);
 92 
 93 #ifdef CONFIG_STACKLEAK_METRICS
 94         current->prev_lowest_stack = erase_low;
 95 #endif
 96 
 97         /*
 98          * Write poison to the task's stack between 'erase_low' and
 99          * 'erase_high'.
100          *
101          * If we're running on a different stack (e.g. an entry trampoline
102          * stack) we can erase everything below the pt_regs at the top of the
103          * task stack.
104          *
105          * If we're running on the task stack itself, we must not clobber any
106          * stack used by this function and its caller. We assume that this
107          * function has a fixed-size stack frame, and the current stack pointer
108          * doesn't change while we write poison.
109          */
110         if (on_task_stack)
111                 erase_high = current_stack_pointer;
112         else
113                 erase_high = task_stack_high;
114 
115         __stackleak_poison(erase_low, erase_high, STACKLEAK_POISON);
116 
117         /* Reset the 'lowest_stack' value for the next syscall */
118         current->lowest_stack = task_stack_high;
119 }
120 
121 /*
122  * Erase and poison the portion of the task stack used since the last erase.
123  * Can be called from the task stack or an entry stack when the task stack is
124  * no longer in use.
125  */
126 asmlinkage void noinstr stackleak_erase(void)
127 {
128         if (skip_erasing())
129                 return;
130 
131         __stackleak_erase(on_thread_stack());
132 }
133 
134 /*
135  * Erase and poison the portion of the task stack used since the last erase.
136  * Can only be called from the task stack.
137  */
138 asmlinkage void noinstr stackleak_erase_on_task_stack(void)
139 {
140         if (skip_erasing())
141                 return;
142 
143         __stackleak_erase(true);
144 }
145 
146 /*
147  * Erase and poison the portion of the task stack used since the last erase.
148  * Can only be called from a stack other than the task stack.
149  */
150 asmlinkage void noinstr stackleak_erase_off_task_stack(void)
151 {
152         if (skip_erasing())
153                 return;
154 
155         __stackleak_erase(false);
156 }
157 
158 void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
159 {
160         unsigned long sp = current_stack_pointer;
161 
162         /*
163          * Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
164          * STACKLEAK_SEARCH_DEPTH makes the poison search in
165          * stackleak_erase() unreliable. Let's prevent that.
166          */
167         BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);
168 
169         /* 'lowest_stack' should be aligned on the register width boundary */
170         sp = ALIGN(sp, sizeof(unsigned long));
171         if (sp < current->lowest_stack &&
172             sp >= stackleak_task_low_bound(current)) {
173                 current->lowest_stack = sp;
174         }
175 }
176 EXPORT_SYMBOL(stackleak_track_stack);
177 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php