1 /* 2 * This implements the various checks for CONFIG_HARDENED_USERCOPY*, 3 * which are designed to protect kernel memory from needless exposure 4 * and overwrite under many unintended conditions. This code is based 5 * on PAX_USERCOPY, which is: 6 * 7 * Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source 8 * Security Inc. 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License version 2 as 12 * published by the Free Software Foundation. 13 * 14 */ 15 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 16 17 #include <linux/mm.h> 18 #include <linux/slab.h> 19 #include <asm/sections.h> 20 21 enum { 22 BAD_STACK = -1, 23 NOT_STACK = 0, 24 GOOD_FRAME, 25 GOOD_STACK, 26 }; 27 28 /* 29 * Checks if a given pointer and length is contained by the current 30 * stack frame (if possible). 31 * 32 * Returns: 33 * NOT_STACK: not at all on the stack 34 * GOOD_FRAME: fully within a valid stack frame 35 * GOOD_STACK: fully on the stack (when can't do frame-checking) 36 * BAD_STACK: error condition (invalid stack position or bad stack frame) 37 */ 38 static noinline int check_stack_object(const void *obj, unsigned long len) 39 { 40 const void * const stack = task_stack_page(current); 41 const void * const stackend = stack + THREAD_SIZE; 42 int ret; 43 44 /* Object is not on the stack at all. */ 45 if (obj + len <= stack || stackend <= obj) 46 return NOT_STACK; 47 48 /* 49 * Reject: object partially overlaps the stack (passing the 50 * the check above means at least one end is within the stack, 51 * so if this check fails, the other end is outside the stack). 52 */ 53 if (obj < stack || stackend < obj + len) 54 return BAD_STACK; 55 56 /* Check if object is safely within a valid frame. */ 57 ret = arch_within_stack_frames(stack, stackend, obj, len); 58 if (ret) 59 return ret; 60 61 return GOOD_STACK; 62 } 63 64 static void report_usercopy(const void *ptr, unsigned long len, 65 bool to_user, const char *type) 66 { 67 pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", 68 to_user ? "exposure" : "overwrite", 69 to_user ? "from" : "to", ptr, type ? : "unknown", len); 70 /* 71 * For greater effect, it would be nice to do do_group_exit(), 72 * but BUG() actually hooks all the lock-breaking and per-arch 73 * Oops code, so that is used here instead. 74 */ 75 BUG(); 76 } 77 78 /* Returns true if any portion of [ptr,ptr+n) over laps with [low,high). */ 79 static bool overlaps(const void *ptr, unsigned long n, unsigned long low, 80 unsigned long high) 81 { 82 unsigned long check_low = (uintptr_t)ptr; 83 unsigned long check_high = check_low + n; 84 85 /* Does not overlap if entirely above or entirely below. */ 86 if (check_low >= high || check_high <= low) 87 return false; 88 89 return true; 90 } 91 92 /* Is this address range in the kernel text area? */ 93 static inline const char *check_kernel_text_object(const void *ptr, 94 unsigned long n) 95 { 96 unsigned long textlow = (unsigned long)_stext; 97 unsigned long texthigh = (unsigned long)_etext; 98 unsigned long textlow_linear, texthigh_linear; 99 100 if (overlaps(ptr, n, textlow, texthigh)) 101 return "<kernel text>"; 102 103 /* 104 * Some architectures have virtual memory mappings with a secondary 105 * mapping of the kernel text, i.e. there is more than one virtual 106 * kernel address that points to the kernel image. It is usually 107 * when there is a separate linear physical memory mapping, in that 108 * __pa() is not just the reverse of __va(). This can be detected 109 * and checked: 110 */ 111 textlow_linear = (unsigned long)__va(__pa(textlow)); 112 /* No different mapping: we're done. */ 113 if (textlow_linear == textlow) 114 return NULL; 115 116 /* Check the secondary mapping... */ 117 texthigh_linear = (unsigned long)__va(__pa(texthigh)); 118 if (overlaps(ptr, n, textlow_linear, texthigh_linear)) 119 return "<linear kernel text>"; 120 121 return NULL; 122 } 123 124 static inline const char *check_bogus_address(const void *ptr, unsigned long n) 125 { 126 /* Reject if object wraps past end of memory. */ 127 if ((unsigned long)ptr + n < (unsigned long)ptr) 128 return "<wrapped address>"; 129 130 /* Reject if NULL or ZERO-allocation. */ 131 if (ZERO_OR_NULL_PTR(ptr)) 132 return "<null>"; 133 134 return NULL; 135 } 136 137 /* Checks for allocs that are marked in some way as spanning multiple pages. */ 138 static inline const char *check_page_span(const void *ptr, unsigned long n, 139 struct page *page, bool to_user) 140 { 141 #ifdef CONFIG_HARDENED_USERCOPY_PAGESPAN 142 const void *end = ptr + n - 1; 143 struct page *endpage; 144 bool is_reserved, is_cma; 145 146 /* 147 * Sometimes the kernel data regions are not marked Reserved (see 148 * check below). And sometimes [_sdata,_edata) does not cover 149 * rodata and/or bss, so check each range explicitly. 150 */ 151 152 /* Allow reads of kernel rodata region (if not marked as Reserved). */ 153 if (ptr >= (const void *)__start_rodata && 154 end <= (const void *)__end_rodata) { 155 if (!to_user) 156 return "<rodata>"; 157 return NULL; 158 } 159 160 /* Allow kernel data region (if not marked as Reserved). */ 161 if (ptr >= (const void *)_sdata && end <= (const void *)_edata) 162 return NULL; 163 164 /* Allow kernel bss region (if not marked as Reserved). */ 165 if (ptr >= (const void *)__bss_start && 166 end <= (const void *)__bss_stop) 167 return NULL; 168 169 /* Is the object wholly within one base page? */ 170 if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) == 171 ((unsigned long)end & (unsigned long)PAGE_MASK))) 172 return NULL; 173 174 /* Allow if fully inside the same compound (__GFP_COMP) page. */ 175 endpage = virt_to_head_page(end); 176 if (likely(endpage == page)) 177 return NULL; 178 179 /* 180 * Reject if range is entirely either Reserved (i.e. special or 181 * device memory), or CMA. Otherwise, reject since the object spans 182 * several independently allocated pages. 183 */ 184 is_reserved = PageReserved(page); 185 is_cma = is_migrate_cma_page(page); 186 if (!is_reserved && !is_cma) 187 return "<spans multiple pages>"; 188 189 for (ptr += PAGE_SIZE; ptr <= end; ptr += PAGE_SIZE) { 190 page = virt_to_head_page(ptr); 191 if (is_reserved && !PageReserved(page)) 192 return "<spans Reserved and non-Reserved pages>"; 193 if (is_cma && !is_migrate_cma_page(page)) 194 return "<spans CMA and non-CMA pages>"; 195 } 196 #endif 197 198 return NULL; 199 } 200 201 static inline const char *check_heap_object(const void *ptr, unsigned long n, 202 bool to_user) 203 { 204 struct page *page; 205 206 /* 207 * Some architectures (arm64) return true for virt_addr_valid() on 208 * vmalloced addresses. Work around this by checking for vmalloc 209 * first. 210 * 211 * We also need to check for module addresses explicitly since we 212 * may copy static data from modules to userspace 213 */ 214 if (is_vmalloc_or_module_addr(ptr)) 215 return NULL; 216 217 if (!virt_addr_valid(ptr)) 218 return NULL; 219 220 page = virt_to_head_page(ptr); 221 222 /* Check slab allocator for flags and size. */ 223 if (PageSlab(page)) 224 return __check_heap_object(ptr, n, page); 225 226 /* Verify object does not incorrectly span multiple pages. */ 227 return check_page_span(ptr, n, page, to_user); 228 } 229 230 /* 231 * Validates that the given object is: 232 * - not bogus address 233 * - known-safe heap or stack object 234 * - not in kernel text 235 */ 236 void __check_object_size(const void *ptr, unsigned long n, bool to_user) 237 { 238 const char *err; 239 240 /* Skip all tests if size is zero. */ 241 if (!n) 242 return; 243 244 /* Check for invalid addresses. */ 245 err = check_bogus_address(ptr, n); 246 if (err) 247 goto report; 248 249 /* Check for bad heap object. */ 250 err = check_heap_object(ptr, n, to_user); 251 if (err) 252 goto report; 253 254 /* Check for bad stack object. */ 255 switch (check_stack_object(ptr, n)) { 256 case NOT_STACK: 257 /* Object is not touching the current process stack. */ 258 break; 259 case GOOD_FRAME: 260 case GOOD_STACK: 261 /* 262 * Object is either in the correct frame (when it 263 * is possible to check) or just generally on the 264 * process stack (when frame checking not available). 265 */ 266 return; 267 default: 268 err = "<process stack>"; 269 goto report; 270 } 271 272 /* Check for object in kernel to avoid text exposure. */ 273 err = check_kernel_text_object(ptr, n); 274 if (!err) 275 return; 276 277 report: 278 report_usercopy(ptr, n, to_user, err); 279 } 280 EXPORT_SYMBOL(__check_object_size); 281