xref: /openbmc/linux/mm/usercopy.c (revision 8730046c)
1 /*
2  * This implements the various checks for CONFIG_HARDENED_USERCOPY*,
3  * which are designed to protect kernel memory from needless exposure
4  * and overwrite under many unintended conditions. This code is based
5  * on PAX_USERCOPY, which is:
6  *
7  * Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source
8  * Security Inc.
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2 as
12  * published by the Free Software Foundation.
13  *
14  */
15 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
16 
17 #include <linux/mm.h>
18 #include <linux/slab.h>
19 #include <asm/sections.h>
20 
21 enum {
22 	BAD_STACK = -1,
23 	NOT_STACK = 0,
24 	GOOD_FRAME,
25 	GOOD_STACK,
26 };
27 
28 /*
29  * Checks if a given pointer and length is contained by the current
30  * stack frame (if possible).
31  *
32  * Returns:
33  *	NOT_STACK: not at all on the stack
34  *	GOOD_FRAME: fully within a valid stack frame
35  *	GOOD_STACK: fully on the stack (when can't do frame-checking)
36  *	BAD_STACK: error condition (invalid stack position or bad stack frame)
37  */
38 static noinline int check_stack_object(const void *obj, unsigned long len)
39 {
40 	const void * const stack = task_stack_page(current);
41 	const void * const stackend = stack + THREAD_SIZE;
42 	int ret;
43 
44 	/* Object is not on the stack at all. */
45 	if (obj + len <= stack || stackend <= obj)
46 		return NOT_STACK;
47 
48 	/*
49 	 * Reject: object partially overlaps the stack (passing the
50 	 * the check above means at least one end is within the stack,
51 	 * so if this check fails, the other end is outside the stack).
52 	 */
53 	if (obj < stack || stackend < obj + len)
54 		return BAD_STACK;
55 
56 	/* Check if object is safely within a valid frame. */
57 	ret = arch_within_stack_frames(stack, stackend, obj, len);
58 	if (ret)
59 		return ret;
60 
61 	return GOOD_STACK;
62 }
63 
64 static void report_usercopy(const void *ptr, unsigned long len,
65 			    bool to_user, const char *type)
66 {
67 	pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
68 		to_user ? "exposure" : "overwrite",
69 		to_user ? "from" : "to", ptr, type ? : "unknown", len);
70 	/*
71 	 * For greater effect, it would be nice to do do_group_exit(),
72 	 * but BUG() actually hooks all the lock-breaking and per-arch
73 	 * Oops code, so that is used here instead.
74 	 */
75 	BUG();
76 }
77 
78 /* Returns true if any portion of [ptr,ptr+n) over laps with [low,high). */
79 static bool overlaps(const void *ptr, unsigned long n, unsigned long low,
80 		     unsigned long high)
81 {
82 	unsigned long check_low = (uintptr_t)ptr;
83 	unsigned long check_high = check_low + n;
84 
85 	/* Does not overlap if entirely above or entirely below. */
86 	if (check_low >= high || check_high <= low)
87 		return false;
88 
89 	return true;
90 }
91 
92 /* Is this address range in the kernel text area? */
93 static inline const char *check_kernel_text_object(const void *ptr,
94 						   unsigned long n)
95 {
96 	unsigned long textlow = (unsigned long)_stext;
97 	unsigned long texthigh = (unsigned long)_etext;
98 	unsigned long textlow_linear, texthigh_linear;
99 
100 	if (overlaps(ptr, n, textlow, texthigh))
101 		return "<kernel text>";
102 
103 	/*
104 	 * Some architectures have virtual memory mappings with a secondary
105 	 * mapping of the kernel text, i.e. there is more than one virtual
106 	 * kernel address that points to the kernel image. It is usually
107 	 * when there is a separate linear physical memory mapping, in that
108 	 * __pa() is not just the reverse of __va(). This can be detected
109 	 * and checked:
110 	 */
111 	textlow_linear = (unsigned long)__va(__pa(textlow));
112 	/* No different mapping: we're done. */
113 	if (textlow_linear == textlow)
114 		return NULL;
115 
116 	/* Check the secondary mapping... */
117 	texthigh_linear = (unsigned long)__va(__pa(texthigh));
118 	if (overlaps(ptr, n, textlow_linear, texthigh_linear))
119 		return "<linear kernel text>";
120 
121 	return NULL;
122 }
123 
124 static inline const char *check_bogus_address(const void *ptr, unsigned long n)
125 {
126 	/* Reject if object wraps past end of memory. */
127 	if ((unsigned long)ptr + n < (unsigned long)ptr)
128 		return "<wrapped address>";
129 
130 	/* Reject if NULL or ZERO-allocation. */
131 	if (ZERO_OR_NULL_PTR(ptr))
132 		return "<null>";
133 
134 	return NULL;
135 }
136 
137 /* Checks for allocs that are marked in some way as spanning multiple pages. */
138 static inline const char *check_page_span(const void *ptr, unsigned long n,
139 					  struct page *page, bool to_user)
140 {
141 #ifdef CONFIG_HARDENED_USERCOPY_PAGESPAN
142 	const void *end = ptr + n - 1;
143 	struct page *endpage;
144 	bool is_reserved, is_cma;
145 
146 	/*
147 	 * Sometimes the kernel data regions are not marked Reserved (see
148 	 * check below). And sometimes [_sdata,_edata) does not cover
149 	 * rodata and/or bss, so check each range explicitly.
150 	 */
151 
152 	/* Allow reads of kernel rodata region (if not marked as Reserved). */
153 	if (ptr >= (const void *)__start_rodata &&
154 	    end <= (const void *)__end_rodata) {
155 		if (!to_user)
156 			return "<rodata>";
157 		return NULL;
158 	}
159 
160 	/* Allow kernel data region (if not marked as Reserved). */
161 	if (ptr >= (const void *)_sdata && end <= (const void *)_edata)
162 		return NULL;
163 
164 	/* Allow kernel bss region (if not marked as Reserved). */
165 	if (ptr >= (const void *)__bss_start &&
166 	    end <= (const void *)__bss_stop)
167 		return NULL;
168 
169 	/* Is the object wholly within one base page? */
170 	if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
171 		   ((unsigned long)end & (unsigned long)PAGE_MASK)))
172 		return NULL;
173 
174 	/* Allow if fully inside the same compound (__GFP_COMP) page. */
175 	endpage = virt_to_head_page(end);
176 	if (likely(endpage == page))
177 		return NULL;
178 
179 	/*
180 	 * Reject if range is entirely either Reserved (i.e. special or
181 	 * device memory), or CMA. Otherwise, reject since the object spans
182 	 * several independently allocated pages.
183 	 */
184 	is_reserved = PageReserved(page);
185 	is_cma = is_migrate_cma_page(page);
186 	if (!is_reserved && !is_cma)
187 		return "<spans multiple pages>";
188 
189 	for (ptr += PAGE_SIZE; ptr <= end; ptr += PAGE_SIZE) {
190 		page = virt_to_head_page(ptr);
191 		if (is_reserved && !PageReserved(page))
192 			return "<spans Reserved and non-Reserved pages>";
193 		if (is_cma && !is_migrate_cma_page(page))
194 			return "<spans CMA and non-CMA pages>";
195 	}
196 #endif
197 
198 	return NULL;
199 }
200 
201 static inline const char *check_heap_object(const void *ptr, unsigned long n,
202 					    bool to_user)
203 {
204 	struct page *page;
205 
206 	/*
207 	 * Some architectures (arm64) return true for virt_addr_valid() on
208 	 * vmalloced addresses. Work around this by checking for vmalloc
209 	 * first.
210 	 *
211 	 * We also need to check for module addresses explicitly since we
212 	 * may copy static data from modules to userspace
213 	 */
214 	if (is_vmalloc_or_module_addr(ptr))
215 		return NULL;
216 
217 	if (!virt_addr_valid(ptr))
218 		return NULL;
219 
220 	page = virt_to_head_page(ptr);
221 
222 	/* Check slab allocator for flags and size. */
223 	if (PageSlab(page))
224 		return __check_heap_object(ptr, n, page);
225 
226 	/* Verify object does not incorrectly span multiple pages. */
227 	return check_page_span(ptr, n, page, to_user);
228 }
229 
230 /*
231  * Validates that the given object is:
232  * - not bogus address
233  * - known-safe heap or stack object
234  * - not in kernel text
235  */
236 void __check_object_size(const void *ptr, unsigned long n, bool to_user)
237 {
238 	const char *err;
239 
240 	/* Skip all tests if size is zero. */
241 	if (!n)
242 		return;
243 
244 	/* Check for invalid addresses. */
245 	err = check_bogus_address(ptr, n);
246 	if (err)
247 		goto report;
248 
249 	/* Check for bad heap object. */
250 	err = check_heap_object(ptr, n, to_user);
251 	if (err)
252 		goto report;
253 
254 	/* Check for bad stack object. */
255 	switch (check_stack_object(ptr, n)) {
256 	case NOT_STACK:
257 		/* Object is not touching the current process stack. */
258 		break;
259 	case GOOD_FRAME:
260 	case GOOD_STACK:
261 		/*
262 		 * Object is either in the correct frame (when it
263 		 * is possible to check) or just generally on the
264 		 * process stack (when frame checking not available).
265 		 */
266 		return;
267 	default:
268 		err = "<process stack>";
269 		goto report;
270 	}
271 
272 	/* Check for object in kernel to avoid text exposure. */
273 	err = check_kernel_text_object(ptr, n);
274 	if (!err)
275 		return;
276 
277 report:
278 	report_usercopy(ptr, n, to_user, err);
279 }
280 EXPORT_SYMBOL(__check_object_size);
281