kernel/stackleak.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * This code fills the used part of the kernel stack with a poison value
   4  * before returning to userspace. It's part of the STACKLEAK feature
   5  * ported from grsecurity/PaX.
   6  *
   7  * Author: Alexander Popov <alex.popov@linux.com>
   8  *
   9  * STACKLEAK reduces the information which kernel stack leak bugs can
  10  * reveal and blocks some uninitialized stack variable attacks.
  11  */
  12
  13 #include <linux/stackleak.h>
  14 #include <linux/kprobes.h>
  15
  16 #ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
  17 #include <linux/jump_label.h>
  18 #include <linux/sysctl.h>
  19 #include <linux/init.h>
  20
  21 static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);
  22
  23 #ifdef CONFIG_SYSCTL
  24 static int stack_erasing_sysctl(struct ctl_table *table, int write,
  25                         void __user *buffer, size_t *lenp, loff_t *ppos)
  26 {
  27         int ret = 0;
  28         int state = !static_branch_unlikely(&stack_erasing_bypass);
  29         int prev_state = state;
  30         struct ctl_table table_copy = *table;
  31
  32         table_copy.data = &state;
  33         ret = proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos);
  34         state = !!state;
  35         if (ret || !write || state == prev_state)
  36                 return ret;
  37
  38         if (state)
  39                 static_branch_disable(&stack_erasing_bypass);
  40         else
  41                 static_branch_enable(&stack_erasing_bypass);
  42
  43         pr_warn("stackleak: kernel stack erasing is %s\n",
  44                                         state ? "enabled" : "disabled");
  45         return ret;
  46 }
  47 static struct ctl_table stackleak_sysctls[] = {
  48         {
  49                 .procname       = "stack_erasing",
  50                 .data           = NULL,
  51                 .maxlen         = sizeof(int),
  52                 .mode           = 0600,
  53                 .proc_handler   = stack_erasing_sysctl,
  54                 .extra1         = SYSCTL_ZERO,
  55                 .extra2         = SYSCTL_ONE,
  56         },
  57 };
  58
  59 static int __init stackleak_sysctls_init(void)
  60 {
  61         register_sysctl_init("kernel", stackleak_sysctls);
  62         return 0;
  63 }
  64 late_initcall(stackleak_sysctls_init);
  65 #endif /* CONFIG_SYSCTL */
  66
  67 #define skip_erasing()  static_branch_unlikely(&stack_erasing_bypass)
  68 #else
  69 #define skip_erasing()  false
  70 #endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
  71
  72 #ifndef __stackleak_poison
  73 static __always_inline void __stackleak_poison(unsigned long erase_low,
  74                                                unsigned long erase_high,
  75                                                unsigned long poison)
  76 {
  77         while (erase_low < erase_high) {
  78                 *(unsigned long *)erase_low = poison;
  79                 erase_low += sizeof(unsigned long);
  80         }
  81 }
  82 #endif
  83
  84 static __always_inline void __stackleak_erase(bool on_task_stack)
  85 {
  86         const unsigned long task_stack_low = stackleak_task_low_bound(current);
  87         const unsigned long task_stack_high = stackleak_task_high_bound(current);
  88         unsigned long erase_low, erase_high;
  89
  90         erase_low = stackleak_find_top_of_poison(task_stack_low,
  91                                                  current->lowest_stack);
  92
  93 #ifdef CONFIG_STACKLEAK_METRICS
  94         current->prev_lowest_stack = erase_low;
  95 #endif
  96
  97         /*
  98          * Write poison to the task's stack between 'erase_low' and
  99          * 'erase_high'.
 100          *
 101          * If we're running on a different stack (e.g. an entry trampoline
 102          * stack) we can erase everything below the pt_regs at the top of the
 103          * task stack.
 104          *
 105          * If we're running on the task stack itself, we must not clobber any
 106          * stack used by this function and its caller. We assume that this
 107          * function has a fixed-size stack frame, and the current stack pointer
 108          * doesn't change while we write poison.
 109          */
 110         if (on_task_stack)
 111                 erase_high = current_stack_pointer;
 112         else
 113                 erase_high = task_stack_high;
 114
 115         __stackleak_poison(erase_low, erase_high, STACKLEAK_POISON);
 116
 117         /* Reset the 'lowest_stack' value for the next syscall */
 118         current->lowest_stack = task_stack_high;
 119 }
 120
 121 /*
 122  * Erase and poison the portion of the task stack used since the last erase.
 123  * Can be called from the task stack or an entry stack when the task stack is
 124  * no longer in use.
 125  */
 126 asmlinkage void noinstr stackleak_erase(void)
 127 {
 128         if (skip_erasing())
 129                 return;
 130
 131         __stackleak_erase(on_thread_stack());
 132 }
 133
 134 /*
 135  * Erase and poison the portion of the task stack used since the last erase.
 136  * Can only be called from the task stack.
 137  */
 138 asmlinkage void noinstr stackleak_erase_on_task_stack(void)
 139 {
 140         if (skip_erasing())
 141                 return;
 142
 143         __stackleak_erase(true);
 144 }
 145
 146 /*
 147  * Erase and poison the portion of the task stack used since the last erase.
 148  * Can only be called from a stack other than the task stack.
 149  */
 150 asmlinkage void noinstr stackleak_erase_off_task_stack(void)
 151 {
 152         if (skip_erasing())
 153                 return;
 154
 155         __stackleak_erase(false);
 156 }
 157
 158 void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
 159 {
 160         unsigned long sp = current_stack_pointer;
 161
 162         /*
 163          * Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
 164          * STACKLEAK_SEARCH_DEPTH makes the poison search in
 165          * stackleak_erase() unreliable. Let's prevent that.
 166          */
 167         BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);
 168
 169         /* 'lowest_stack' should be aligned on the register width boundary */
 170         sp = ALIGN(sp, sizeof(unsigned long));
 171         if (sp < current->lowest_stack &&
 172             sp >= stackleak_task_low_bound(current)) {
 173                 current->lowest_stack = sp;
 174         }
 175 }
 176 EXPORT_SYMBOL(stackleak_track_stack);