[linux-block.git] / mm / kasan / tags.c

/*
 * This file contains core tag-based KASAN code.
 *
 * Copyright (c) 2018 Google, Inc.
 * Author: Andrey Konovalov <andreyknvl@google.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#define DISABLE_BRANCH_PROFILING

#include <linux/export.h>
#include <linux/interrupt.h>
#include <linux/init.h>
#include <linux/kasan.h>
#include <linux/kernel.h>
#include <linux/kmemleak.h>
#include <linux/linkage.h>
#include <linux/memblock.h>
#include <linux/memory.h>
#include <linux/mm.h>
#include <linux/module.h>
#include <linux/printk.h>
#include <linux/random.h>
#include <linux/sched.h>
#include <linux/sched/task_stack.h>
#include <linux/slab.h>
#include <linux/stacktrace.h>
#include <linux/string.h>
#include <linux/types.h>
#include <linux/vmalloc.h>
#include <linux/bug.h>

#include "kasan.h"
#include "../slab.h"

static DEFINE_PER_CPU(u32, prng_state);

void kasan_init_tags(void)
{
	int cpu;

	for_each_possible_cpu(cpu)
		per_cpu(prng_state, cpu) = get_random_u32();
}

/*
 * If a preemption happens between this_cpu_read and this_cpu_write, the only
 * side effect is that we'll give a few allocated in different contexts objects
 * the same tag. Since tag-based KASAN is meant to be used a probabilistic
 * bug-detection debug feature, this doesn't have significant negative impact.
 *
 * Ideally the tags use strong randomness to prevent any attempts to predict
 * them during explicit exploit attempts. But strong randomness is expensive,
 * and we did an intentional trade-off to use a PRNG. This non-atomic RMW
 * sequence has in fact positive effect, since interrupts that randomly skew
 * PRNG at unpredictable points do only good.
 */
u8 random_tag(void)
{
	u32 state = this_cpu_read(prng_state);

	state = 1664525 * state + 1013904223;
	this_cpu_write(prng_state, state);

	return (u8)(state % (KASAN_TAG_MAX + 1));
}

void *kasan_reset_tag(const void *addr)
{
	return reset_tag(addr);
}

void check_memory_region(unsigned long addr, size_t size, bool write,
				unsigned long ret_ip)
{
	u8 tag;
	u8 *shadow_first, *shadow_last, *shadow;
	void *untagged_addr;

	if (unlikely(size == 0))
		return;

	tag = get_tag((const void *)addr);

	/*
	 * Ignore accesses for pointers tagged with 0xff (native kernel
	 * pointer tag) to suppress false positives caused by kmap.
	 *
	 * Some kernel code was written to account for archs that don't keep
	 * high memory mapped all the time, but rather map and unmap particular
	 * pages when needed. Instead of storing a pointer to the kernel memory,
	 * this code saves the address of the page structure and offset within
	 * that page for later use. Those pages are then mapped and unmapped
	 * with kmap/kunmap when necessary and virt_to_page is used to get the
	 * virtual address of the page. For arm64 (that keeps the high memory
	 * mapped all the time), kmap is turned into a page_address call.

	 * The issue is that with use of the page_address + virt_to_page
	 * sequence the top byte value of the original pointer gets lost (gets
	 * set to KASAN_TAG_KERNEL (0xFF)).
	 */
	if (tag == KASAN_TAG_KERNEL)
		return;

	untagged_addr = reset_tag((const void *)addr);
	if (unlikely(untagged_addr <
			kasan_shadow_to_mem((void *)KASAN_SHADOW_START))) {
		kasan_report(addr, size, write, ret_ip);
		return;
	}
	shadow_first = kasan_mem_to_shadow(untagged_addr);
	shadow_last = kasan_mem_to_shadow(untagged_addr + size - 1);
	for (shadow = shadow_first; shadow <= shadow_last; shadow++) {
		if (*shadow != tag) {
			kasan_report(addr, size, write, ret_ip);
			return;
		}
	}
}

#define DEFINE_HWASAN_LOAD_STORE(size)					\
	void __hwasan_load##size##_noabort(unsigned long addr)		\
	{								\
		check_memory_region(addr, size, false, _RET_IP_);	\
	}								\
	EXPORT_SYMBOL(__hwasan_load##size##_noabort);			\
	void __hwasan_store##size##_noabort(unsigned long addr)		\
	{								\
		check_memory_region(addr, size, true, _RET_IP_);	\
	}								\
	EXPORT_SYMBOL(__hwasan_store##size##_noabort)

DEFINE_HWASAN_LOAD_STORE(1);
DEFINE_HWASAN_LOAD_STORE(2);
DEFINE_HWASAN_LOAD_STORE(4);
DEFINE_HWASAN_LOAD_STORE(8);
DEFINE_HWASAN_LOAD_STORE(16);

void __hwasan_loadN_noabort(unsigned long addr, unsigned long size)
{
	check_memory_region(addr, size, false, _RET_IP_);
}
EXPORT_SYMBOL(__hwasan_loadN_noabort);

void __hwasan_storeN_noabort(unsigned long addr, unsigned long size)
{
	check_memory_region(addr, size, true, _RET_IP_);
}
EXPORT_SYMBOL(__hwasan_storeN_noabort);

void __hwasan_tag_memory(unsigned long addr, u8 tag, unsigned long size)
{
	kasan_poison_shadow((void *)addr, size, tag);
}
EXPORT_SYMBOL(__hwasan_tag_memory);
Commit	Line	Data
2bd926b4 AK	1	/*
	2	* This file contains core tag-based KASAN code.
	3	*
	4	* Copyright (c) 2018 Google, Inc.
	5	* Author: Andrey Konovalov <andreyknvl@google.com>
	6	*
	7	* This program is free software; you can redistribute it and/or modify
	8	* it under the terms of the GNU General Public License version 2 as
	9	* published by the Free Software Foundation.
	10	*
	11	*/
	12
	13	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
	14	#define DISABLE_BRANCH_PROFILING
	15
	16	#include <linux/export.h>
	17	#include <linux/interrupt.h>
	18	#include <linux/init.h>
	19	#include <linux/kasan.h>
	20	#include <linux/kernel.h>
	21	#include <linux/kmemleak.h>
	22	#include <linux/linkage.h>
	23	#include <linux/memblock.h>
	24	#include <linux/memory.h>
	25	#include <linux/mm.h>
	26	#include <linux/module.h>
	27	#include <linux/printk.h>
	28	#include <linux/random.h>
	29	#include <linux/sched.h>
	30	#include <linux/sched/task_stack.h>
	31	#include <linux/slab.h>
	32	#include <linux/stacktrace.h>
	33	#include <linux/string.h>
	34	#include <linux/types.h>
	35	#include <linux/vmalloc.h>
	36	#include <linux/bug.h>
	37
	38	#include "kasan.h"
	39	#include "../slab.h"
	40
3c9e3aa1 AK	41	static DEFINE_PER_CPU(u32, prng_state);
	42
	43	void kasan_init_tags(void)
	44	{
	45	int cpu;
	46
	47	for_each_possible_cpu(cpu)
	48	per_cpu(prng_state, cpu) = get_random_u32();
	49	}
	50
	51	/*
	52	* If a preemption happens between this_cpu_read and this_cpu_write, the only
	53	* side effect is that we'll give a few allocated in different contexts objects
	54	* the same tag. Since tag-based KASAN is meant to be used a probabilistic
	55	* bug-detection debug feature, this doesn't have significant negative impact.
	56	*
	57	* Ideally the tags use strong randomness to prevent any attempts to predict
	58	* them during explicit exploit attempts. But strong randomness is expensive,
	59	* and we did an intentional trade-off to use a PRNG. This non-atomic RMW
	60	* sequence has in fact positive effect, since interrupts that randomly skew
	61	* PRNG at unpredictable points do only good.
	62	*/
	63	u8 random_tag(void)
	64	{
	65	u32 state = this_cpu_read(prng_state);
	66
	67	state = 1664525 * state + 1013904223;
	68	this_cpu_write(prng_state, state);
	69
	70	return (u8)(state % (KASAN_TAG_MAX + 1));
	71	}
	72
	73	void kasan_reset_tag(const void addr)
	74	{
	75	return reset_tag(addr);
	76	}
	77
2bd926b4 AK	78	void check_memory_region(unsigned long addr, size_t size, bool write,
	79	unsigned long ret_ip)
	80	{
7f94ffbc AK	81	u8 tag;
	82	u8 shadow_first, shadow_last, *shadow;
	83	void *untagged_addr;
	84
	85	if (unlikely(size == 0))
	86	return;
	87
	88	tag = get_tag((const void *)addr);
	89
	90	/*
	91	* Ignore accesses for pointers tagged with 0xff (native kernel
	92	* pointer tag) to suppress false positives caused by kmap.
	93	*
	94	* Some kernel code was written to account for archs that don't keep
	95	* high memory mapped all the time, but rather map and unmap particular
	96	* pages when needed. Instead of storing a pointer to the kernel memory,
	97	* this code saves the address of the page structure and offset within
	98	* that page for later use. Those pages are then mapped and unmapped
	99	* with kmap/kunmap when necessary and virt_to_page is used to get the
	100	* virtual address of the page. For arm64 (that keeps the high memory
	101	* mapped all the time), kmap is turned into a page_address call.
	102
	103	* The issue is that with use of the page_address + virt_to_page
	104	* sequence the top byte value of the original pointer gets lost (gets
	105	* set to KASAN_TAG_KERNEL (0xFF)).
	106	*/
	107	if (tag == KASAN_TAG_KERNEL)
	108	return;
	109
	110	untagged_addr = reset_tag((const void *)addr);
	111	if (unlikely(untagged_addr <
	112	kasan_shadow_to_mem((void *)KASAN_SHADOW_START))) {
	113	kasan_report(addr, size, write, ret_ip);
	114	return;
	115	}
	116	shadow_first = kasan_mem_to_shadow(untagged_addr);
	117	shadow_last = kasan_mem_to_shadow(untagged_addr + size - 1);
	118	for (shadow = shadow_first; shadow <= shadow_last; shadow++) {
	119	if (*shadow != tag) {
	120	kasan_report(addr, size, write, ret_ip);
	121	return;
	122	}
	123	}
2bd926b4 AK	124	}
	125
	126	#define DEFINE_HWASAN_LOAD_STORE(size) \
	127	void __hwasan_load##size##_noabort(unsigned long addr) \
	128	{ \
7f94ffbc	129	check_memory_region(addr, size, false, _RET_IP_); \
2bd926b4 AK	130	} \
	131	EXPORT_SYMBOL(__hwasan_load##size##_noabort); \
	132	void __hwasan_store##size##_noabort(unsigned long addr) \
	133	{ \
7f94ffbc	134	check_memory_region(addr, size, true, _RET_IP_); \
2bd926b4 AK	135	} \
	136	EXPORT_SYMBOL(__hwasan_store##size##_noabort)
	137
	138	DEFINE_HWASAN_LOAD_STORE(1);
	139	DEFINE_HWASAN_LOAD_STORE(2);
	140	DEFINE_HWASAN_LOAD_STORE(4);
	141	DEFINE_HWASAN_LOAD_STORE(8);
	142	DEFINE_HWASAN_LOAD_STORE(16);
	143
	144	void __hwasan_loadN_noabort(unsigned long addr, unsigned long size)
	145	{
7f94ffbc	146	check_memory_region(addr, size, false, _RET_IP_);
2bd926b4 AK	147	}
	148	EXPORT_SYMBOL(__hwasan_loadN_noabort);
	149
	150	void __hwasan_storeN_noabort(unsigned long addr, unsigned long size)
	151	{
7f94ffbc	152	check_memory_region(addr, size, true, _RET_IP_);
2bd926b4 AK	153	}
	154	EXPORT_SYMBOL(__hwasan_storeN_noabort);
	155
	156	void __hwasan_tag_memory(unsigned long addr, u8 tag, unsigned long size)
	157	{
7f94ffbc	158	kasan_poison_shadow((void *)addr, size, tag);
2bd926b4 AK	159	}
2bd926b4 AK	160	EXPORT_SYMBOL(__hwasan_tag_memory);