usercopy.c 8.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * This implements the various checks for CONFIG_HARDENED_USERCOPY*,
  4. * which are designed to protect kernel memory from needless exposure
  5. * and overwrite under many unintended conditions. This code is based
  6. * on PAX_USERCOPY, which is:
  7. *
  8. * Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source
  9. * Security Inc.
  10. */
  11. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  12. #include <linux/mm.h>
  13. #include <linux/highmem.h>
  14. #include <linux/slab.h>
  15. #include <linux/sched.h>
  16. #include <linux/sched/task.h>
  17. #include <linux/sched/task_stack.h>
  18. #include <linux/thread_info.h>
  19. #include <linux/vmalloc.h>
  20. #include <linux/atomic.h>
  21. #include <linux/jump_label.h>
  22. #include <asm/sections.h>
  23. #include "slab.h"
  24. /*
  25. * Checks if a given pointer and length is contained by the current
  26. * stack frame (if possible).
  27. *
  28. * Returns:
  29. * NOT_STACK: not at all on the stack
  30. * GOOD_FRAME: fully within a valid stack frame
  31. * GOOD_STACK: within the current stack (when can't frame-check exactly)
  32. * BAD_STACK: error condition (invalid stack position or bad stack frame)
  33. */
  34. static noinline int check_stack_object(const void *obj, unsigned long len)
  35. {
  36. const void * const stack = task_stack_page(current);
  37. const void * const stackend = stack + THREAD_SIZE;
  38. int ret;
  39. /* Object is not on the stack at all. */
  40. if (obj + len <= stack || stackend <= obj)
  41. return NOT_STACK;
  42. /*
  43. * Reject: object partially overlaps the stack (passing the
  44. * check above means at least one end is within the stack,
  45. * so if this check fails, the other end is outside the stack).
  46. */
  47. if (obj < stack || stackend < obj + len)
  48. return BAD_STACK;
  49. /* Check if object is safely within a valid frame. */
  50. ret = arch_within_stack_frames(stack, stackend, obj, len);
  51. if (ret)
  52. return ret;
  53. /* Finally, check stack depth if possible. */
  54. #ifdef CONFIG_ARCH_HAS_CURRENT_STACK_POINTER
  55. if (IS_ENABLED(CONFIG_STACK_GROWSUP)) {
  56. if ((void *)current_stack_pointer < obj + len)
  57. return BAD_STACK;
  58. } else {
  59. if (obj < (void *)current_stack_pointer)
  60. return BAD_STACK;
  61. }
  62. #endif
  63. return GOOD_STACK;
  64. }
  65. /*
  66. * If these functions are reached, then CONFIG_HARDENED_USERCOPY has found
  67. * an unexpected state during a copy_from_user() or copy_to_user() call.
  68. * There are several checks being performed on the buffer by the
  69. * __check_object_size() function. Normal stack buffer usage should never
  70. * trip the checks, and kernel text addressing will always trip the check.
  71. * For cache objects, it is checking that only the whitelisted range of
  72. * bytes for a given cache is being accessed (via the cache's usersize and
  73. * useroffset fields). To adjust a cache whitelist, use the usercopy-aware
  74. * kmem_cache_create_usercopy() function to create the cache (and
  75. * carefully audit the whitelist range).
  76. */
  77. void __noreturn usercopy_abort(const char *name, const char *detail,
  78. bool to_user, unsigned long offset,
  79. unsigned long len)
  80. {
  81. pr_emerg("Kernel memory %s attempt detected %s %s%s%s%s (offset %lu, size %lu)!\n",
  82. to_user ? "exposure" : "overwrite",
  83. to_user ? "from" : "to",
  84. name ? : "unknown?!",
  85. detail ? " '" : "", detail ? : "", detail ? "'" : "",
  86. offset, len);
  87. /*
  88. * For greater effect, it would be nice to do do_group_exit(),
  89. * but BUG() actually hooks all the lock-breaking and per-arch
  90. * Oops code, so that is used here instead.
  91. */
  92. BUG();
  93. }
  94. /* Returns true if any portion of [ptr,ptr+n) over laps with [low,high). */
  95. static bool overlaps(const unsigned long ptr, unsigned long n,
  96. unsigned long low, unsigned long high)
  97. {
  98. const unsigned long check_low = ptr;
  99. unsigned long check_high = check_low + n;
  100. /* Does not overlap if entirely above or entirely below. */
  101. if (check_low >= high || check_high <= low)
  102. return false;
  103. return true;
  104. }
  105. /* Is this address range in the kernel text area? */
  106. static inline void check_kernel_text_object(const unsigned long ptr,
  107. unsigned long n, bool to_user)
  108. {
  109. unsigned long textlow = (unsigned long)_stext;
  110. unsigned long texthigh = (unsigned long)_etext;
  111. unsigned long textlow_linear, texthigh_linear;
  112. if (overlaps(ptr, n, textlow, texthigh))
  113. usercopy_abort("kernel text", NULL, to_user, ptr - textlow, n);
  114. /*
  115. * Some architectures have virtual memory mappings with a secondary
  116. * mapping of the kernel text, i.e. there is more than one virtual
  117. * kernel address that points to the kernel image. It is usually
  118. * when there is a separate linear physical memory mapping, in that
  119. * __pa() is not just the reverse of __va(). This can be detected
  120. * and checked:
  121. */
  122. textlow_linear = (unsigned long)lm_alias(textlow);
  123. /* No different mapping: we're done. */
  124. if (textlow_linear == textlow)
  125. return;
  126. /* Check the secondary mapping... */
  127. texthigh_linear = (unsigned long)lm_alias(texthigh);
  128. if (overlaps(ptr, n, textlow_linear, texthigh_linear))
  129. usercopy_abort("linear kernel text", NULL, to_user,
  130. ptr - textlow_linear, n);
  131. }
  132. static inline void check_bogus_address(const unsigned long ptr, unsigned long n,
  133. bool to_user)
  134. {
  135. /* Reject if object wraps past end of memory. */
  136. if (ptr + (n - 1) < ptr)
  137. usercopy_abort("wrapped address", NULL, to_user, 0, ptr + n);
  138. /* Reject if NULL or ZERO-allocation. */
  139. if (ZERO_OR_NULL_PTR(ptr))
  140. usercopy_abort("null address", NULL, to_user, ptr, n);
  141. }
  142. static inline void check_heap_object(const void *ptr, unsigned long n,
  143. bool to_user)
  144. {
  145. unsigned long addr = (unsigned long)ptr;
  146. unsigned long offset;
  147. struct folio *folio;
  148. if (is_kmap_addr(ptr)) {
  149. offset = offset_in_page(ptr);
  150. if (n > PAGE_SIZE - offset)
  151. usercopy_abort("kmap", NULL, to_user, offset, n);
  152. return;
  153. }
  154. if (is_vmalloc_addr(ptr) && !pagefault_disabled()) {
  155. struct vmap_area *area = find_vmap_area(addr);
  156. if (!area)
  157. usercopy_abort("vmalloc", "no area", to_user, 0, n);
  158. if (n > area->va_end - addr) {
  159. offset = addr - area->va_start;
  160. usercopy_abort("vmalloc", NULL, to_user, offset, n);
  161. }
  162. return;
  163. }
  164. if (!virt_addr_valid(ptr))
  165. return;
  166. folio = virt_to_folio(ptr);
  167. if (folio_test_slab(folio)) {
  168. /* Check slab allocator for flags and size. */
  169. __check_heap_object(ptr, n, folio_slab(folio), to_user);
  170. } else if (folio_test_large(folio)) {
  171. offset = ptr - folio_address(folio);
  172. if (n > folio_size(folio) - offset)
  173. usercopy_abort("page alloc", NULL, to_user, offset, n);
  174. }
  175. }
  176. static DEFINE_STATIC_KEY_FALSE_RO(bypass_usercopy_checks);
  177. /*
  178. * Validates that the given object is:
  179. * - not bogus address
  180. * - fully contained by stack (or stack frame, when available)
  181. * - fully within SLAB object (or object whitelist area, when available)
  182. * - not in kernel text
  183. */
  184. void __check_object_size(const void *ptr, unsigned long n, bool to_user)
  185. {
  186. if (static_branch_unlikely(&bypass_usercopy_checks))
  187. return;
  188. /* Skip all tests if size is zero. */
  189. if (!n)
  190. return;
  191. /* Check for invalid addresses. */
  192. check_bogus_address((const unsigned long)ptr, n, to_user);
  193. /* Check for bad stack object. */
  194. switch (check_stack_object(ptr, n)) {
  195. case NOT_STACK:
  196. /* Object is not touching the current process stack. */
  197. break;
  198. case GOOD_FRAME:
  199. case GOOD_STACK:
  200. /*
  201. * Object is either in the correct frame (when it
  202. * is possible to check) or just generally on the
  203. * process stack (when frame checking not available).
  204. */
  205. return;
  206. default:
  207. usercopy_abort("process stack", NULL, to_user,
  208. #ifdef CONFIG_ARCH_HAS_CURRENT_STACK_POINTER
  209. IS_ENABLED(CONFIG_STACK_GROWSUP) ?
  210. ptr - (void *)current_stack_pointer :
  211. (void *)current_stack_pointer - ptr,
  212. #else
  213. 0,
  214. #endif
  215. n);
  216. }
  217. /* Check for bad heap object. */
  218. check_heap_object(ptr, n, to_user);
  219. /* Check for object in kernel to avoid text exposure. */
  220. check_kernel_text_object((const unsigned long)ptr, n, to_user);
  221. }
  222. EXPORT_SYMBOL(__check_object_size);
  223. static bool enable_checks __initdata = true;
  224. static int __init parse_hardened_usercopy(char *str)
  225. {
  226. if (strtobool(str, &enable_checks))
  227. pr_warn("Invalid option string for hardened_usercopy: '%s'\n",
  228. str);
  229. return 1;
  230. }
  231. __setup("hardened_usercopy=", parse_hardened_usercopy);
  232. static int __init set_hardened_usercopy(void)
  233. {
  234. if (enable_checks == false)
  235. static_branch_enable(&bypass_usercopy_checks);
  236. return 1;
  237. }
  238. late_initcall(set_hardened_usercopy);