/*
 * This implements the various checks for CONFIG_HARDENED_USERCOPY*,
 * which are designed to protect kernel memory from needless exposure
 * and overwrite under many unintended conditions. This code is based
 * on PAX_USERCOPY, which is:
 *
 * Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source
 * Security Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/mm.h>
#include <linux/slab.h>
#include <asm/sections.h>

enum {
    BAD_STACK = -1,
    NOT_STACK = 0,
    GOOD_FRAME,
    GOOD_STACK,
};

/*
 * Checks if a given pointer and length are contained by the current
 * stack frame (if possible).
 *
 * Returns:
 *  NOT_STACK: not at all on the stack
 *  GOOD_FRAME: fully within a valid stack frame
 *  GOOD_STACK: fully on the stack (when can't do frame-checking)
 *  BAD_STACK: error condition (invalid stack position or bad stack frame)
 */
static noinline int check_stack_object(const void *obj, unsigned long len)
{
    const void * const stack = task_stack_page(current);
    const void * const stackend = stack + THREAD_SIZE;
    int ret;

    /* Object is not on the stack at all. */
    if (obj + len <= stack || stackend <= obj)
        return NOT_STACK;

    /*
     * Reject: object partially overlaps the stack (passing the
     * check above means at least one end is within the stack, so
     * if this check fails, the other end is outside the stack).
     */
    if (obj < stack || stackend < obj + len)
        return BAD_STACK;

    /* Check if object is safely within a valid frame. */
    ret = arch_within_stack_frames(stack, stackend, obj, len);
    if (ret)
        return ret;

    return GOOD_STACK;
}
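
/*
 * Note: when an architecture cannot do frame checking
 * (CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES is not set), the generic
 * arch_within_stack_frames() fallback in <linux/thread_info.h> is
 * roughly the no-op below, so the code above falls through to
 * GOOD_STACK for any object that is fully on the stack:
 *
 *      static inline int arch_within_stack_frames(const void * const stack,
 *                                                 const void * const stackend,
 *                                                 const void *obj,
 *                                                 unsigned long len)
 *      {
 *              return 0;
 *      }
 */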

static void report_usercopy(const void *ptr, unsigned long len,
                bool to_user, const char *type)
{
    pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
        to_user ? "exposure" : "overwrite",
        to_user ? "from" : "to", ptr, type ? : "unknown", len);
    /*
     * For greater effect, it would be nice to do do_group_exit(),
     * but BUG() actually hooks all the lock-breaking and per-arch
     * Oops code, so that is used here instead.
     */
    BUG();
}

/* Returns true if any portion of [ptr,ptr+n) overlaps with [low,high). */
static bool overlaps(const void *ptr, unsigned long n, unsigned long low,
             unsigned long high)
{
    unsigned long check_low = (unsigned long)ptr;
    unsigned long check_high = check_low + n;

    /* Does not overlap if entirely above or entirely below. */
    if (check_low >= high || check_high <= low)
        return false;

    return true;
}

/* Is this address range in the kernel text area? */
static inline const char *check_kernel_text_object(const void *ptr,
                           unsigned long n)
{
    unsigned long textlow = (unsigned long)_stext;
    unsigned long texthigh = (unsigned long)_etext;
    unsigned long textlow_linear, texthigh_linear;

    if (overlaps(ptr, n, textlow, texthigh))
        return "<kernel text>";

    /*
     * Some architectures have virtual memory mappings with a secondary
     * mapping of the kernel text, i.e. there is more than one virtual
     * kernel address that points to the kernel image. This is usually
     * the case when there is a separate linear physical memory mapping,
     * in which case __pa() is not just the reverse of __va(). This can
     * be detected and checked:
     */
    textlow_linear = (unsigned long)__va(__pa(textlow));
    /* No different mapping: we're done. */
    if (textlow_linear == textlow)
        return NULL;

    /* Check the secondary mapping... */
    texthigh_linear = (unsigned long)__va(__pa(texthigh));
    if (overlaps(ptr, n, textlow_linear, texthigh_linear))
        return "<linear kernel text>";

    return NULL;
}
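
/*
 * Illustration of the secondary mapping handled above (not something
 * this file relies on directly): on x86_64, for instance, the kernel
 * image is mapped high in the address space while the same physical
 * pages are also reachable through the direct (linear) mapping of RAM,
 * so __va(__pa(_stext)) != _stext and that alias range is checked too.
 */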

static inline const char *check_bogus_address(const void *ptr, unsigned long n)
{
    /* Reject if object wraps past end of memory. */
    if ((unsigned long)ptr + n < (unsigned long)ptr)
        return "<wrapped address>";

    /* Reject if NULL or ZERO-allocation. */
    if (ZERO_OR_NULL_PTR(ptr))
        return "<null>";

    return NULL;
}

/* Checks for allocs that are marked in some way as spanning multiple pages. */
static inline const char *check_page_span(const void *ptr, unsigned long n,
                      struct page *page, bool to_user)
{
#ifdef CONFIG_HARDENED_USERCOPY_PAGESPAN
    const void *end = ptr + n - 1;
    struct page *endpage;
    bool is_reserved, is_cma;

    /*
     * Sometimes the kernel data regions are not marked Reserved (see
     * check below). And sometimes [_sdata,_edata) does not cover
     * rodata and/or bss, so check each range explicitly.
     */

    /* Allow reads of kernel rodata region (if not marked as Reserved). */
    if (ptr >= (const void *)__start_rodata &&
        end <= (const void *)__end_rodata) {
        if (!to_user)
            return "<rodata>";
        return NULL;
    }

    /* Allow kernel data region (if not marked as Reserved). */
    if (ptr >= (const void *)_sdata && end <= (const void *)_edata)
        return NULL;

    /* Allow kernel bss region (if not marked as Reserved). */
    if (ptr >= (const void *)__bss_start &&
        end <= (const void *)__bss_stop)
        return NULL;

    /* Is the object wholly within one base page? */
    if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
           ((unsigned long)end & (unsigned long)PAGE_MASK)))
        return NULL;

    /* Allow if fully inside the same compound (__GFP_COMP) page. */
    endpage = virt_to_head_page(end);
    if (likely(endpage == page))
        return NULL;

    /*
     * Allow the range only if it is entirely within Reserved pages
     * (i.e. special or device memory) or entirely within CMA pages;
     * otherwise, reject since the object spans several independently
     * allocated pages.
     */
    is_reserved = PageReserved(page);
    is_cma = is_migrate_cma_page(page);
    if (!is_reserved && !is_cma)
        return "<spans multiple pages>";

    for (ptr += PAGE_SIZE; ptr <= end; ptr += PAGE_SIZE) {
        page = virt_to_head_page(ptr);
        if (is_reserved && !PageReserved(page))
            return "<spans Reserved and non-Reserved pages>";
        if (is_cma && !is_migrate_cma_page(page))
            return "<spans CMA and non-CMA pages>";
    }
#endif

    return NULL;
}
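
/*
 * Example of what the PAGESPAN check above rejects: an object that
 * starts near the end of one order-0 page and whose length runs into
 * the virtually-adjacent next page. Unless both pages belong to the
 * same compound (__GFP_COMP) allocation, or the whole range is
 * consistently Reserved or CMA, there is no guarantee the pages came
 * from a single allocation, so the copy is refused.
 */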

static inline const char *check_heap_object(const void *ptr, unsigned long n,
                        bool to_user)
{
    struct page *page;

    /*
     * Some architectures (arm64) return true for virt_addr_valid() on
     * vmalloced addresses. Work around this by checking for vmalloc
     * first.
     *
     * We also need to check for module addresses explicitly since we
     * may copy static data from modules to userspace.
     */
    if (is_vmalloc_or_module_addr(ptr))
        return NULL;

    if (!virt_addr_valid(ptr))
        return NULL;

    page = virt_to_head_page(ptr);

    /* Check slab allocator for flags and size. */
    if (PageSlab(page))
        return __check_heap_object(ptr, n, page);

    /* Verify object does not incorrectly span multiple pages. */
    return check_page_span(ptr, n, page, to_user);
}
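
/*
 * A note on __check_heap_object(): it is provided by whichever slab
 * allocator is built in (e.g. mm/slab.c or mm/slub.c). Roughly, it
 * returns NULL when [ptr, ptr + n) fits entirely within a single
 * object of the cache backing the page, and returns the cache's name
 * (used in the report) when the range runs past the object or into
 * allocator metadata.
 */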

/*
 * Validates that the given object is:
 * - not bogus address
 * - known-safe heap or stack object
 * - not in kernel text
 */
void __check_object_size(const void *ptr, unsigned long n, bool to_user)
{
    const char *err;

    /* Skip all tests if size is zero. */
    if (!n)
        return;

    /* Check for invalid addresses. */
    err = check_bogus_address(ptr, n);
    if (err)
        goto report;

    /* Check for bad heap object. */
    err = check_heap_object(ptr, n, to_user);
    if (err)
        goto report;

    /* Check for bad stack object. */
    switch (check_stack_object(ptr, n)) {
    case NOT_STACK:
        /* Object is not touching the current process stack. */
        break;
    case GOOD_FRAME:
    case GOOD_STACK:
        /*
         * Object is either in the correct frame (when it
         * is possible to check) or just generally on the
         * process stack (when frame checking not available).
         */
        return;
    default:
        err = "<process stack>";
        goto report;
    }

    /* Check for object in kernel to avoid text exposure. */
    err = check_kernel_text_object(ptr, n);
    if (!err)
        return;

report:
    report_usercopy(ptr, n, to_user, err);
}
EXPORT_SYMBOL(__check_object_size);
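
/*
 * How this code is reached (a sketch, not part of this file): with
 * CONFIG_HARDENED_USERCOPY enabled, the uaccess helpers such as
 * copy_to_user() and copy_from_user() call check_object_size() before
 * performing the actual copy. That wrapper lives in
 * <linux/thread_info.h> and is roughly:
 *
 *      static __always_inline void check_object_size(const void *ptr,
 *                                                    unsigned long n,
 *                                                    bool to_user)
 *      {
 *              if (!__builtin_constant_p(n))
 *                      __check_object_size(ptr, n, to_user);
 *      }
 *
 * (depending on the kernel version, the __builtin_constant_p() test
 * that skips compile-time-constant sizes may or may not be present).
 */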