[linux-2.6-block.git] / kernel / stackleak.c

// SPDX-License-Identifier: GPL-2.0
/*
 * This code fills the used part of the kernel stack with a poison value
 * before returning to userspace. It's part of the STACKLEAK feature
 * ported from grsecurity/PaX.
 *
 * Author: Alexander Popov <alex.popov@linux.com>
 *
 * STACKLEAK reduces the information which kernel stack leak bugs can
 * reveal and blocks some uninitialized stack variable attacks.
 */

#include <linux/stackleak.h>
#include <linux/kprobes.h>

#ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
#include <linux/jump_label.h>
#include <linux/sysctl.h>
#include <linux/init.h>

static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);

#ifdef CONFIG_SYSCTL
static int stack_erasing_sysctl(const struct ctl_table *table, int write,
			void __user *buffer, size_t *lenp, loff_t *ppos)
{
	int ret = 0;
	int state = !static_branch_unlikely(&stack_erasing_bypass);
	int prev_state = state;
	struct ctl_table table_copy = *table;

	table_copy.data = &state;
	ret = proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos);
	state = !!state;
	if (ret || !write || state == prev_state)
		return ret;

	if (state)
		static_branch_disable(&stack_erasing_bypass);
	else
		static_branch_enable(&stack_erasing_bypass);

	pr_warn("stackleak: kernel stack erasing is %s\n",
					state ? "enabled" : "disabled");
	return ret;
}
static struct ctl_table stackleak_sysctls[] = {
	{
		.procname	= "stack_erasing",
		.data		= NULL,
		.maxlen		= sizeof(int),
		.mode		= 0600,
		.proc_handler	= stack_erasing_sysctl,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_ONE,
	},
};

static int __init stackleak_sysctls_init(void)
{
	register_sysctl_init("kernel", stackleak_sysctls);
	return 0;
}
late_initcall(stackleak_sysctls_init);
#endif /* CONFIG_SYSCTL */

#define skip_erasing()	static_branch_unlikely(&stack_erasing_bypass)
#else
#define skip_erasing()	false
#endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */

#ifndef __stackleak_poison
static __always_inline void __stackleak_poison(unsigned long erase_low,
					       unsigned long erase_high,
					       unsigned long poison)
{
	while (erase_low < erase_high) {
		*(unsigned long *)erase_low = poison;
		erase_low += sizeof(unsigned long);
	}
}
#endif

static __always_inline void __stackleak_erase(bool on_task_stack)
{
	const unsigned long task_stack_low = stackleak_task_low_bound(current);
	const unsigned long task_stack_high = stackleak_task_high_bound(current);
	unsigned long erase_low, erase_high;

	erase_low = stackleak_find_top_of_poison(task_stack_low,
						 current->lowest_stack);

#ifdef CONFIG_STACKLEAK_METRICS
	current->prev_lowest_stack = erase_low;
#endif

	/*
	 * Write poison to the task's stack between 'erase_low' and
	 * 'erase_high'.
	 *
	 * If we're running on a different stack (e.g. an entry trampoline
	 * stack) we can erase everything below the pt_regs at the top of the
	 * task stack.
	 *
	 * If we're running on the task stack itself, we must not clobber any
	 * stack used by this function and its caller. We assume that this
	 * function has a fixed-size stack frame, and the current stack pointer
	 * doesn't change while we write poison.
	 */
	if (on_task_stack)
		erase_high = current_stack_pointer;
	else
		erase_high = task_stack_high;

	__stackleak_poison(erase_low, erase_high, STACKLEAK_POISON);

	/* Reset the 'lowest_stack' value for the next syscall */
	current->lowest_stack = task_stack_high;
}

/*
 * Erase and poison the portion of the task stack used since the last erase.
 * Can be called from the task stack or an entry stack when the task stack is
 * no longer in use.
 */
asmlinkage void noinstr stackleak_erase(void)
{
	if (skip_erasing())
		return;

	__stackleak_erase(on_thread_stack());
}

/*
 * Erase and poison the portion of the task stack used since the last erase.
 * Can only be called from the task stack.
 */
asmlinkage void noinstr stackleak_erase_on_task_stack(void)
{
	if (skip_erasing())
		return;

	__stackleak_erase(true);
}

/*
 * Erase and poison the portion of the task stack used since the last erase.
 * Can only be called from a stack other than the task stack.
 */
asmlinkage void noinstr stackleak_erase_off_task_stack(void)
{
	if (skip_erasing())
		return;

	__stackleak_erase(false);
}

void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
{
	unsigned long sp = current_stack_pointer;

	/*
	 * Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
	 * STACKLEAK_SEARCH_DEPTH makes the poison search in
	 * stackleak_erase() unreliable. Let's prevent that.
	 */
	BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);

	/* 'lowest_stack' should be aligned on the register width boundary */
	sp = ALIGN(sp, sizeof(unsigned long));
	if (sp < current->lowest_stack &&
	    sp >= stackleak_task_low_bound(current)) {
		current->lowest_stack = sp;
	}
}
EXPORT_SYMBOL(stackleak_track_stack);
Commit	Line	Data
	1	// SPDX-License-Identifier: GPL-2.0
	2	/*
	3	* This code fills the used part of the kernel stack with a poison value
	4	* before returning to userspace. It's part of the STACKLEAK feature
	5	* ported from grsecurity/PaX.
	6	*
	7	* Author: Alexander Popov <alex.popov@linux.com>
	8	*
	9	* STACKLEAK reduces the information which kernel stack leak bugs can
	10	* reveal and blocks some uninitialized stack variable attacks.
	11	*/
	12
	13	#include <linux/stackleak.h>
	14	#include <linux/kprobes.h>
	15
	16	#ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
	17	#include <linux/jump_label.h>
	18	#include <linux/sysctl.h>
	19	#include <linux/init.h>
	20
	21	static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);
	22
	23	#ifdef CONFIG_SYSCTL
	24	static int stack_erasing_sysctl(const struct ctl_table *table, int write,
	25	void __user buffer, size_t lenp, loff_t *ppos)
	26	{
	27	int ret = 0;
	28	int state = !static_branch_unlikely(&stack_erasing_bypass);
	29	int prev_state = state;
	30	struct ctl_table table_copy = *table;
	31
	32	table_copy.data = &state;
	33	ret = proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos);
	34	state = !!state;
	35	if (ret \|\| !write \|\| state == prev_state)
	36	return ret;
	37
	38	if (state)
	39	static_branch_disable(&stack_erasing_bypass);
	40	else
	41	static_branch_enable(&stack_erasing_bypass);
	42
	43	pr_warn("stackleak: kernel stack erasing is %s\n",
	44	state ? "enabled" : "disabled");
	45	return ret;
	46	}
	47	static struct ctl_table stackleak_sysctls[] = {
	48	{
	49	.procname = "stack_erasing",
	50	.data = NULL,
	51	.maxlen = sizeof(int),
	52	.mode = 0600,
	53	.proc_handler = stack_erasing_sysctl,
	54	.extra1 = SYSCTL_ZERO,
	55	.extra2 = SYSCTL_ONE,
	56	},
	57	};
	58
	59	static int __init stackleak_sysctls_init(void)
	60	{
	61	register_sysctl_init("kernel", stackleak_sysctls);
	62	return 0;
	63	}
	64	late_initcall(stackleak_sysctls_init);
	65	#endif /* CONFIG_SYSCTL */
	66
	67	#define skip_erasing() static_branch_unlikely(&stack_erasing_bypass)
	68	#else
	69	#define skip_erasing() false
	70	#endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
	71
	72	#ifndef __stackleak_poison
	73	static __always_inline void __stackleak_poison(unsigned long erase_low,
	74	unsigned long erase_high,
	75	unsigned long poison)
	76	{
	77	while (erase_low < erase_high) {
	78	(unsigned long )erase_low = poison;
	79	erase_low += sizeof(unsigned long);
	80	}
	81	}
	82	#endif
	83
	84	static __always_inline void __stackleak_erase(bool on_task_stack)
	85	{
	86	const unsigned long task_stack_low = stackleak_task_low_bound(current);
	87	const unsigned long task_stack_high = stackleak_task_high_bound(current);
	88	unsigned long erase_low, erase_high;
	89
	90	erase_low = stackleak_find_top_of_poison(task_stack_low,
	91	current->lowest_stack);
	92
	93	#ifdef CONFIG_STACKLEAK_METRICS
	94	current->prev_lowest_stack = erase_low;
	95	#endif
	96
	97	/*
	98	* Write poison to the task's stack between 'erase_low' and
	99	* 'erase_high'.
	100	*
	101	* If we're running on a different stack (e.g. an entry trampoline
	102	* stack) we can erase everything below the pt_regs at the top of the
	103	* task stack.
	104	*
	105	* If we're running on the task stack itself, we must not clobber any
	106	* stack used by this function and its caller. We assume that this
	107	* function has a fixed-size stack frame, and the current stack pointer
	108	* doesn't change while we write poison.
	109	*/
	110	if (on_task_stack)
	111	erase_high = current_stack_pointer;
	112	else
	113	erase_high = task_stack_high;
	114
	115	__stackleak_poison(erase_low, erase_high, STACKLEAK_POISON);
	116
	117	/* Reset the 'lowest_stack' value for the next syscall */
	118	current->lowest_stack = task_stack_high;
	119	}
	120
	121	/*
	122	* Erase and poison the portion of the task stack used since the last erase.
	123	* Can be called from the task stack or an entry stack when the task stack is
	124	* no longer in use.
	125	*/
	126	asmlinkage void noinstr stackleak_erase(void)
	127	{
	128	if (skip_erasing())
	129	return;
	130
	131	__stackleak_erase(on_thread_stack());
	132	}
	133
	134	/*
	135	* Erase and poison the portion of the task stack used since the last erase.
	136	* Can only be called from the task stack.
	137	*/
	138	asmlinkage void noinstr stackleak_erase_on_task_stack(void)
	139	{
	140	if (skip_erasing())
	141	return;
	142
	143	__stackleak_erase(true);
	144	}
	145
	146	/*
	147	* Erase and poison the portion of the task stack used since the last erase.
	148	* Can only be called from a stack other than the task stack.
	149	*/
	150	asmlinkage void noinstr stackleak_erase_off_task_stack(void)
	151	{
	152	if (skip_erasing())
	153	return;
	154
	155	__stackleak_erase(false);
	156	}
	157
	158	void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
	159	{
	160	unsigned long sp = current_stack_pointer;
	161
	162	/*
	163	* Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
	164	* STACKLEAK_SEARCH_DEPTH makes the poison search in
	165	* stackleak_erase() unreliable. Let's prevent that.
	166	*/
	167	BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);
	168
	169	/* 'lowest_stack' should be aligned on the register width boundary */
	170	sp = ALIGN(sp, sizeof(unsigned long));
	171	if (sp < current->lowest_stack &&
	172	sp >= stackleak_task_low_bound(current)) {
	173	current->lowest_stack = sp;
	174	}
	175	}
	176	EXPORT_SYMBOL(stackleak_track_stack);