Commit | Line | Data |
---|---|---|
afaef01c AP |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* | |
3 | * This code fills the used part of the kernel stack with a poison value | |
4 | * before returning to userspace. It's part of the STACKLEAK feature | |
5 | * ported from grsecurity/PaX. | |
6 | * | |
7 | * Author: Alexander Popov <alex.popov@linux.com> | |
8 | * | |
9 | * STACKLEAK reduces the information which kernel stack leak bugs can | |
10 | * reveal and blocks some uninitialized stack variable attacks. | |
11 | */ | |
12 | ||
13 | #include <linux/stackleak.h> | |
ef1a8409 | 14 | #include <linux/kprobes.h> |
afaef01c | 15 | |
964c9dff AP |
16 | #ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE |
17 | #include <linux/jump_label.h> | |
18 | #include <linux/sysctl.h> | |
0df8bdd5 | 19 | #include <linux/init.h> |
964c9dff AP |
20 | |
21 | static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass); | |
22 | ||
0df8bdd5 | 23 | #ifdef CONFIG_SYSCTL |
78eb4ea2 | 24 | static int stack_erasing_sysctl(const struct ctl_table *table, int write, |
0df8bdd5 | 25 | void __user *buffer, size_t *lenp, loff_t *ppos) |
964c9dff AP |
26 | { |
27 | int ret = 0; | |
28 | int state = !static_branch_unlikely(&stack_erasing_bypass); | |
29 | int prev_state = state; | |
0e148d3c | 30 | struct ctl_table table_copy = *table; |
964c9dff | 31 | |
0e148d3c TW |
32 | table_copy.data = &state; |
33 | ret = proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos); | |
964c9dff AP |
34 | state = !!state; |
35 | if (ret || !write || state == prev_state) | |
36 | return ret; | |
37 | ||
38 | if (state) | |
39 | static_branch_disable(&stack_erasing_bypass); | |
40 | else | |
41 | static_branch_enable(&stack_erasing_bypass); | |
42 | ||
43 | pr_warn("stackleak: kernel stack erasing is %s\n", | |
44 | state ? "enabled" : "disabled"); | |
45 | return ret; | |
46 | } | |
0df8bdd5 XN |
47 | static struct ctl_table stackleak_sysctls[] = { |
48 | { | |
49 | .procname = "stack_erasing", | |
50 | .data = NULL, | |
51 | .maxlen = sizeof(int), | |
52 | .mode = 0600, | |
53 | .proc_handler = stack_erasing_sysctl, | |
54 | .extra1 = SYSCTL_ZERO, | |
55 | .extra2 = SYSCTL_ONE, | |
56 | }, | |
0df8bdd5 XN |
57 | }; |
58 | ||
59 | static int __init stackleak_sysctls_init(void) | |
60 | { | |
61 | register_sysctl_init("kernel", stackleak_sysctls); | |
62 | return 0; | |
63 | } | |
64 | late_initcall(stackleak_sysctls_init); | |
65 | #endif /* CONFIG_SYSCTL */ | |
964c9dff AP |
66 | |
67 | #define skip_erasing() static_branch_unlikely(&stack_erasing_bypass) | |
68 | #else | |
69 | #define skip_erasing() false | |
70 | #endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */ | |
71 | ||
491a7866 HC |
72 | #ifndef __stackleak_poison |
73 | static __always_inline void __stackleak_poison(unsigned long erase_low, | |
74 | unsigned long erase_high, | |
75 | unsigned long poison) | |
76 | { | |
77 | while (erase_low < erase_high) { | |
78 | *(unsigned long *)erase_low = poison; | |
79 | erase_low += sizeof(unsigned long); | |
80 | } | |
81 | } | |
82 | #endif | |
83 | ||
8111e67d | 84 | static __always_inline void __stackleak_erase(bool on_task_stack) |
afaef01c | 85 | { |
9ec79840 | 86 | const unsigned long task_stack_low = stackleak_task_low_bound(current); |
0cfa2ccd | 87 | const unsigned long task_stack_high = stackleak_task_high_bound(current); |
77cf2b6d | 88 | unsigned long erase_low, erase_high; |
afaef01c | 89 | |
77cf2b6d MR |
90 | erase_low = stackleak_find_top_of_poison(task_stack_low, |
91 | current->lowest_stack); | |
afaef01c | 92 | |
c8d12627 | 93 | #ifdef CONFIG_STACKLEAK_METRICS |
1723d39d | 94 | current->prev_lowest_stack = erase_low; |
c8d12627 AP |
95 | #endif |
96 | ||
afaef01c | 97 | /* |
0cfa2ccd MR |
98 | * Write poison to the task's stack between 'erase_low' and |
99 | * 'erase_high'. | |
100 | * | |
101 | * If we're running on a different stack (e.g. an entry trampoline | |
102 | * stack) we can erase everything below the pt_regs at the top of the | |
103 | * task stack. | |
104 | * | |
105 | * If we're running on the task stack itself, we must not clobber any | |
106 | * stack used by this function and its caller. We assume that this | |
107 | * function has a fixed-size stack frame, and the current stack pointer | |
108 | * doesn't change while we write poison. | |
afaef01c | 109 | */ |
8111e67d | 110 | if (on_task_stack) |
1723d39d | 111 | erase_high = current_stack_pointer; |
afaef01c | 112 | else |
0cfa2ccd | 113 | erase_high = task_stack_high; |
afaef01c | 114 | |
491a7866 | 115 | __stackleak_poison(erase_low, erase_high, STACKLEAK_POISON); |
afaef01c AP |
116 | |
117 | /* Reset the 'lowest_stack' value for the next syscall */ | |
0cfa2ccd | 118 | current->lowest_stack = task_stack_high; |
afaef01c AP |
119 | } |
120 | ||
8111e67d MR |
121 | /* |
122 | * Erase and poison the portion of the task stack used since the last erase. | |
123 | * Can be called from the task stack or an entry stack when the task stack is | |
124 | * no longer in use. | |
125 | */ | |
a12685e2 MR |
126 | asmlinkage void noinstr stackleak_erase(void) |
127 | { | |
128 | if (skip_erasing()) | |
129 | return; | |
130 | ||
8111e67d MR |
131 | __stackleak_erase(on_thread_stack()); |
132 | } | |
133 | ||
134 | /* | |
135 | * Erase and poison the portion of the task stack used since the last erase. | |
136 | * Can only be called from the task stack. | |
137 | */ | |
138 | asmlinkage void noinstr stackleak_erase_on_task_stack(void) | |
139 | { | |
140 | if (skip_erasing()) | |
141 | return; | |
142 | ||
143 | __stackleak_erase(true); | |
144 | } | |
145 | ||
146 | /* | |
147 | * Erase and poison the portion of the task stack used since the last erase. | |
148 | * Can only be called from a stack other than the task stack. | |
149 | */ | |
150 | asmlinkage void noinstr stackleak_erase_off_task_stack(void) | |
151 | { | |
152 | if (skip_erasing()) | |
153 | return; | |
154 | ||
155 | __stackleak_erase(false); | |
a12685e2 MR |
156 | } |
157 | ||
dcb85f85 | 158 | void __used __no_caller_saved_registers noinstr stackleak_track_stack(void) |
10e9ae9f | 159 | { |
feee1b8c | 160 | unsigned long sp = current_stack_pointer; |
10e9ae9f AP |
161 | |
162 | /* | |
163 | * Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than | |
164 | * STACKLEAK_SEARCH_DEPTH makes the poison search in | |
165 | * stackleak_erase() unreliable. Let's prevent that. | |
166 | */ | |
167 | BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH); | |
168 | ||
feee1b8c AP |
169 | /* 'lowest_stack' should be aligned on the register width boundary */ |
170 | sp = ALIGN(sp, sizeof(unsigned long)); | |
10e9ae9f | 171 | if (sp < current->lowest_stack && |
9ec79840 | 172 | sp >= stackleak_task_low_bound(current)) { |
10e9ae9f AP |
173 | current->lowest_stack = sp; |
174 | } | |
175 | } | |
176 | EXPORT_SYMBOL(stackleak_track_stack); |