[linux.git] / kernel / stackleak.c

// SPDX-License-Identifier: GPL-2.0
/*
 * This code fills the used part of the kernel stack with a poison value
 * before returning to userspace. It's part of the STACKLEAK feature
 * ported from grsecurity/PaX.
 *
 * Author: Alexander Popov <[email protected]>
 *
 * STACKLEAK reduces the information which kernel stack leak bugs can
 * reveal and blocks some uninitialized stack variable attacks.
 */

#include <linux/stackleak.h>
#include <linux/kprobes.h>

#ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
#include <linux/jump_label.h>
#include <linux/sysctl.h>
#include <linux/init.h>

static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);

#ifdef CONFIG_SYSCTL
static int stack_erasing_sysctl(struct ctl_table *table, int write,
			void __user *buffer, size_t *lenp, loff_t *ppos)
{
	int ret = 0;
	int state = !static_branch_unlikely(&stack_erasing_bypass);
	int prev_state = state;

	table->data = &state;
	table->maxlen = sizeof(int);
	ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
	state = !!state;
	if (ret || !write || state == prev_state)
		return ret;

	if (state)
		static_branch_disable(&stack_erasing_bypass);
	else
		static_branch_enable(&stack_erasing_bypass);

	pr_warn("stackleak: kernel stack erasing is %s\n",
					state ? "enabled" : "disabled");
	return ret;
}
static struct ctl_table stackleak_sysctls[] = {
	{
		.procname	= "stack_erasing",
		.data		= NULL,
		.maxlen		= sizeof(int),
		.mode		= 0600,
		.proc_handler	= stack_erasing_sysctl,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_ONE,
	},
	{}
};

static int __init stackleak_sysctls_init(void)
{
	register_sysctl_init("kernel", stackleak_sysctls);
	return 0;
}
late_initcall(stackleak_sysctls_init);
#endif /* CONFIG_SYSCTL */

#define skip_erasing()	static_branch_unlikely(&stack_erasing_bypass)
#else
#define skip_erasing()	false
#endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */

#ifndef __stackleak_poison
static __always_inline void __stackleak_poison(unsigned long erase_low,
					       unsigned long erase_high,
					       unsigned long poison)
{
	while (erase_low < erase_high) {
		*(unsigned long *)erase_low = poison;
		erase_low += sizeof(unsigned long);
	}
}
#endif

static __always_inline void __stackleak_erase(bool on_task_stack)
{
	const unsigned long task_stack_low = stackleak_task_low_bound(current);
	const unsigned long task_stack_high = stackleak_task_high_bound(current);
	unsigned long erase_low, erase_high;

	erase_low = stackleak_find_top_of_poison(task_stack_low,
						 current->lowest_stack);

#ifdef CONFIG_STACKLEAK_METRICS
	current->prev_lowest_stack = erase_low;
#endif

	/*
	 * Write poison to the task's stack between 'erase_low' and
	 * 'erase_high'.
	 *
	 * If we're running on a different stack (e.g. an entry trampoline
	 * stack) we can erase everything below the pt_regs at the top of the
	 * task stack.
	 *
	 * If we're running on the task stack itself, we must not clobber any
	 * stack used by this function and its caller. We assume that this
	 * function has a fixed-size stack frame, and the current stack pointer
	 * doesn't change while we write poison.
	 */
	if (on_task_stack)
		erase_high = current_stack_pointer;
	else
		erase_high = task_stack_high;

	__stackleak_poison(erase_low, erase_high, STACKLEAK_POISON);

	/* Reset the 'lowest_stack' value for the next syscall */
	current->lowest_stack = task_stack_high;
}

/*
 * Erase and poison the portion of the task stack used since the last erase.
 * Can be called from the task stack or an entry stack when the task stack is
 * no longer in use.
 */
asmlinkage void noinstr stackleak_erase(void)
{
	if (skip_erasing())
		return;

	__stackleak_erase(on_thread_stack());
}

/*
 * Erase and poison the portion of the task stack used since the last erase.
 * Can only be called from the task stack.
 */
asmlinkage void noinstr stackleak_erase_on_task_stack(void)
{
	if (skip_erasing())
		return;

	__stackleak_erase(true);
}

/*
 * Erase and poison the portion of the task stack used since the last erase.
 * Can only be called from a stack other than the task stack.
 */
asmlinkage void noinstr stackleak_erase_off_task_stack(void)
{
	if (skip_erasing())
		return;

	__stackleak_erase(false);
}

void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
{
	unsigned long sp = current_stack_pointer;

	/*
	 * Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
	 * STACKLEAK_SEARCH_DEPTH makes the poison search in
	 * stackleak_erase() unreliable. Let's prevent that.
	 */
	BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);

	/* 'lowest_stack' should be aligned on the register width boundary */
	sp = ALIGN(sp, sizeof(unsigned long));
	if (sp < current->lowest_stack &&
	    sp >= stackleak_task_low_bound(current)) {
		current->lowest_stack = sp;
	}
}
EXPORT_SYMBOL(stackleak_track_stack);
Commit	Line	Data
afaef01c AP	1	// SPDX-License-Identifier: GPL-2.0
	2	/*
	3	* This code fills the used part of the kernel stack with a poison value
	4	* before returning to userspace. It's part of the STACKLEAK feature
	5	* ported from grsecurity/PaX.
	6	*
	7	* Author: Alexander Popov <[email protected]>
	8	*
	9	* STACKLEAK reduces the information which kernel stack leak bugs can
	10	* reveal and blocks some uninitialized stack variable attacks.
	11	*/
	12
	13	#include <linux/stackleak.h>
ef1a8409	14	#include <linux/kprobes.h>
afaef01c	15
964c9dff AP	16	#ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
	17	#include <linux/jump_label.h>
	18	#include <linux/sysctl.h>
0df8bdd5	19	#include <linux/init.h>
964c9dff AP	20
	21	static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);
	22
0df8bdd5 XN	23	#ifdef CONFIG_SYSCTL
	24	static int stack_erasing_sysctl(struct ctl_table *table, int write,
	25	void __user buffer, size_t lenp, loff_t *ppos)
964c9dff AP	26	{
	27	int ret = 0;
	28	int state = !static_branch_unlikely(&stack_erasing_bypass);
	29	int prev_state = state;
	30
	31	table->data = &state;
	32	table->maxlen = sizeof(int);
	33	ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
	34	state = !!state;
	35	if (ret \|\| !write \|\| state == prev_state)
	36	return ret;
	37
	38	if (state)
	39	static_branch_disable(&stack_erasing_bypass);
	40	else
	41	static_branch_enable(&stack_erasing_bypass);
	42
	43	pr_warn("stackleak: kernel stack erasing is %s\n",
	44	state ? "enabled" : "disabled");
	45	return ret;
	46	}
0df8bdd5 XN	47	static struct ctl_table stackleak_sysctls[] = {
	48	{
	49	.procname = "stack_erasing",
	50	.data = NULL,
	51	.maxlen = sizeof(int),
	52	.mode = 0600,
	53	.proc_handler = stack_erasing_sysctl,
	54	.extra1 = SYSCTL_ZERO,
	55	.extra2 = SYSCTL_ONE,
	56	},
	57	{}
	58	};
	59
	60	static int __init stackleak_sysctls_init(void)
	61	{
	62	register_sysctl_init("kernel", stackleak_sysctls);
	63	return 0;
	64	}
	65	late_initcall(stackleak_sysctls_init);
	66	#endif /* CONFIG_SYSCTL */
964c9dff AP	67
	68	#define skip_erasing() static_branch_unlikely(&stack_erasing_bypass)
	69	#else
	70	#define skip_erasing() false
	71	#endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
	72
491a7866 HC	73	#ifndef __stackleak_poison
	74	static __always_inline void __stackleak_poison(unsigned long erase_low,
	75	unsigned long erase_high,
	76	unsigned long poison)
	77	{
	78	while (erase_low < erase_high) {
	79	(unsigned long )erase_low = poison;
	80	erase_low += sizeof(unsigned long);
	81	}
	82	}
	83	#endif
	84
8111e67d	85	static __always_inline void __stackleak_erase(bool on_task_stack)
afaef01c	86	{
9ec79840	87	const unsigned long task_stack_low = stackleak_task_low_bound(current);
0cfa2ccd	88	const unsigned long task_stack_high = stackleak_task_high_bound(current);
77cf2b6d	89	unsigned long erase_low, erase_high;
afaef01c	90
77cf2b6d MR	91	erase_low = stackleak_find_top_of_poison(task_stack_low,
77cf2b6d MR	92	current->lowest_stack);
afaef01c	93
c8d12627	94	#ifdef CONFIG_STACKLEAK_METRICS
1723d39d	95	current->prev_lowest_stack = erase_low;
c8d12627 AP	96	#endif
c8d12627 AP	97
afaef01c	98	/*
0cfa2ccd MR	99	* Write poison to the task's stack between 'erase_low' and
	100	* 'erase_high'.
	101	*
	102	* If we're running on a different stack (e.g. an entry trampoline
	103	* stack) we can erase everything below the pt_regs at the top of the
	104	* task stack.
	105	*
	106	* If we're running on the task stack itself, we must not clobber any
	107	* stack used by this function and its caller. We assume that this
	108	* function has a fixed-size stack frame, and the current stack pointer
	109	* doesn't change while we write poison.
afaef01c	110	*/
8111e67d	111	if (on_task_stack)
1723d39d	112	erase_high = current_stack_pointer;
afaef01c	113	else
0cfa2ccd	114	erase_high = task_stack_high;
afaef01c	115
491a7866	116	__stackleak_poison(erase_low, erase_high, STACKLEAK_POISON);
afaef01c AP	117
afaef01c AP	118	/* Reset the 'lowest_stack' value for the next syscall */
0cfa2ccd	119	current->lowest_stack = task_stack_high;
afaef01c AP	120	}
afaef01c AP	121
8111e67d MR	122	/*
	123	* Erase and poison the portion of the task stack used since the last erase.
	124	* Can be called from the task stack or an entry stack when the task stack is
	125	* no longer in use.
	126	*/
a12685e2 MR	127	asmlinkage void noinstr stackleak_erase(void)
	128	{
	129	if (skip_erasing())
	130	return;
	131
8111e67d MR	132	__stackleak_erase(on_thread_stack());
	133	}
	134
	135	/*
	136	* Erase and poison the portion of the task stack used since the last erase.
	137	* Can only be called from the task stack.
	138	*/
	139	asmlinkage void noinstr stackleak_erase_on_task_stack(void)
	140	{
	141	if (skip_erasing())
	142	return;
	143
	144	__stackleak_erase(true);
	145	}
	146
	147	/*
	148	* Erase and poison the portion of the task stack used since the last erase.
	149	* Can only be called from a stack other than the task stack.
	150	*/
	151	asmlinkage void noinstr stackleak_erase_off_task_stack(void)
	152	{
	153	if (skip_erasing())
	154	return;
	155
	156	__stackleak_erase(false);
a12685e2 MR	157	}
a12685e2 MR	158
dcb85f85	159	void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
10e9ae9f	160	{
feee1b8c	161	unsigned long sp = current_stack_pointer;
10e9ae9f AP	162
	163	/*
	164	* Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
	165	* STACKLEAK_SEARCH_DEPTH makes the poison search in
	166	* stackleak_erase() unreliable. Let's prevent that.
	167	*/
	168	BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);
	169
feee1b8c AP	170	/* 'lowest_stack' should be aligned on the register width boundary */
feee1b8c AP	171	sp = ALIGN(sp, sizeof(unsigned long));
10e9ae9f	172	if (sp < current->lowest_stack &&
9ec79840	173	sp >= stackleak_task_low_bound(current)) {
10e9ae9f AP	174	current->lowest_stack = sp;
	175	}
	176	}
	177	EXPORT_SYMBOL(stackleak_track_stack);