[linux.git] / mm / kasan / tags.c

// SPDX-License-Identifier: GPL-2.0
/*
 * This file contains core tag-based KASAN code.
 *
 * Copyright (c) 2018 Google, Inc.
 * Author: Andrey Konovalov <[email protected]>
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/export.h>
#include <linux/interrupt.h>
#include <linux/init.h>
#include <linux/kasan.h>
#include <linux/kernel.h>
#include <linux/kmemleak.h>
#include <linux/linkage.h>
#include <linux/memblock.h>
#include <linux/memory.h>
#include <linux/mm.h>
#include <linux/module.h>
#include <linux/printk.h>
#include <linux/random.h>
#include <linux/sched.h>
#include <linux/sched/task_stack.h>
#include <linux/slab.h>
#include <linux/stacktrace.h>
#include <linux/string.h>
#include <linux/types.h>
#include <linux/vmalloc.h>
#include <linux/bug.h>

#include "kasan.h"
#include "../slab.h"

static DEFINE_PER_CPU(u32, prng_state);

void kasan_init_tags(void)
{
	int cpu;

	for_each_possible_cpu(cpu)
		per_cpu(prng_state, cpu) = (u32)get_cycles();
}

/*
 * If a preemption happens between this_cpu_read and this_cpu_write, the only
 * side effect is that we'll give a few allocated in different contexts objects
 * the same tag. Since tag-based KASAN is meant to be used a probabilistic
 * bug-detection debug feature, this doesn't have significant negative impact.
 *
 * Ideally the tags use strong randomness to prevent any attempts to predict
 * them during explicit exploit attempts. But strong randomness is expensive,
 * and we did an intentional trade-off to use a PRNG. This non-atomic RMW
 * sequence has in fact positive effect, since interrupts that randomly skew
 * PRNG at unpredictable points do only good.
 */
u8 random_tag(void)
{
	u32 state = this_cpu_read(prng_state);

	state = 1664525 * state + 1013904223;
	this_cpu_write(prng_state, state);

	return (u8)(state % (KASAN_TAG_MAX + 1));
}

void *kasan_reset_tag(const void *addr)
{
	return reset_tag(addr);
}

bool check_memory_region(unsigned long addr, size_t size, bool write,
				unsigned long ret_ip)
{
	u8 tag;
	u8 *shadow_first, *shadow_last, *shadow;
	void *untagged_addr;

	if (unlikely(size == 0))
		return true;

	if (unlikely(addr + size < addr))
		return !kasan_report(addr, size, write, ret_ip);

	tag = get_tag((const void *)addr);

	/*
	 * Ignore accesses for pointers tagged with 0xff (native kernel
	 * pointer tag) to suppress false positives caused by kmap.
	 *
	 * Some kernel code was written to account for archs that don't keep
	 * high memory mapped all the time, but rather map and unmap particular
	 * pages when needed. Instead of storing a pointer to the kernel memory,
	 * this code saves the address of the page structure and offset within
	 * that page for later use. Those pages are then mapped and unmapped
	 * with kmap/kunmap when necessary and virt_to_page is used to get the
	 * virtual address of the page. For arm64 (that keeps the high memory
	 * mapped all the time), kmap is turned into a page_address call.

	 * The issue is that with use of the page_address + virt_to_page
	 * sequence the top byte value of the original pointer gets lost (gets
	 * set to KASAN_TAG_KERNEL (0xFF)).
	 */
	if (tag == KASAN_TAG_KERNEL)
		return true;

	untagged_addr = reset_tag((const void *)addr);
	if (unlikely(untagged_addr <
			kasan_shadow_to_mem((void *)KASAN_SHADOW_START))) {
		return !kasan_report(addr, size, write, ret_ip);
	}
	shadow_first = kasan_mem_to_shadow(untagged_addr);
	shadow_last = kasan_mem_to_shadow(untagged_addr + size - 1);
	for (shadow = shadow_first; shadow <= shadow_last; shadow++) {
		if (*shadow != tag) {
			return !kasan_report(addr, size, write, ret_ip);
		}
	}

	return true;
}

#define DEFINE_HWASAN_LOAD_STORE(size)					\
	void __hwasan_load##size##_noabort(unsigned long addr)		\
	{								\
		check_memory_region(addr, size, false, _RET_IP_);	\
	}								\
	EXPORT_SYMBOL(__hwasan_load##size##_noabort);			\
	void __hwasan_store##size##_noabort(unsigned long addr)		\
	{								\
		check_memory_region(addr, size, true, _RET_IP_);	\
	}								\
	EXPORT_SYMBOL(__hwasan_store##size##_noabort)

DEFINE_HWASAN_LOAD_STORE(1);
DEFINE_HWASAN_LOAD_STORE(2);
DEFINE_HWASAN_LOAD_STORE(4);
DEFINE_HWASAN_LOAD_STORE(8);
DEFINE_HWASAN_LOAD_STORE(16);

void __hwasan_loadN_noabort(unsigned long addr, unsigned long size)
{
	check_memory_region(addr, size, false, _RET_IP_);
}
EXPORT_SYMBOL(__hwasan_loadN_noabort);

void __hwasan_storeN_noabort(unsigned long addr, unsigned long size)
{
	check_memory_region(addr, size, true, _RET_IP_);
}
EXPORT_SYMBOL(__hwasan_storeN_noabort);

void __hwasan_tag_memory(unsigned long addr, u8 tag, unsigned long size)
{
	poison_range((void *)addr, size, tag);
}
EXPORT_SYMBOL(__hwasan_tag_memory);

void kasan_set_free_info(struct kmem_cache *cache,
				void *object, u8 tag)
{
	struct kasan_alloc_meta *alloc_meta;
	u8 idx = 0;

	alloc_meta = get_alloc_info(cache, object);

#ifdef CONFIG_KASAN_SW_TAGS_IDENTIFY
	idx = alloc_meta->free_track_idx;
	alloc_meta->free_pointer_tag[idx] = tag;
	alloc_meta->free_track_idx = (idx + 1) % KASAN_NR_FREE_STACKS;
#endif

	kasan_set_track(&alloc_meta->free_track[idx], GFP_NOWAIT);
}

struct kasan_track *kasan_get_free_track(struct kmem_cache *cache,
				void *object, u8 tag)
{
	struct kasan_alloc_meta *alloc_meta;
	int i = 0;

	alloc_meta = get_alloc_info(cache, object);

#ifdef CONFIG_KASAN_SW_TAGS_IDENTIFY
	for (i = 0; i < KASAN_NR_FREE_STACKS; i++) {
		if (alloc_meta->free_pointer_tag[i] == tag)
			break;
	}
	if (i == KASAN_NR_FREE_STACKS)
		i = alloc_meta->free_track_idx;
#endif

	return &alloc_meta->free_track[i];
}
Commit	Line	Data
e886bf9d	1	// SPDX-License-Identifier: GPL-2.0
2bd926b4 AK	2	/*
	3	* This file contains core tag-based KASAN code.
	4	*
	5	* Copyright (c) 2018 Google, Inc.
	6	* Author: Andrey Konovalov <[email protected]>
2bd926b4 AK	7	*/
	8
	9	#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
2bd926b4 AK	10
	11	#include <linux/export.h>
	12	#include <linux/interrupt.h>
	13	#include <linux/init.h>
	14	#include <linux/kasan.h>
	15	#include <linux/kernel.h>
	16	#include <linux/kmemleak.h>
	17	#include <linux/linkage.h>
	18	#include <linux/memblock.h>
	19	#include <linux/memory.h>
	20	#include <linux/mm.h>
	21	#include <linux/module.h>
	22	#include <linux/printk.h>
	23	#include <linux/random.h>
	24	#include <linux/sched.h>
	25	#include <linux/sched/task_stack.h>
	26	#include <linux/slab.h>
	27	#include <linux/stacktrace.h>
	28	#include <linux/string.h>
	29	#include <linux/types.h>
	30	#include <linux/vmalloc.h>
	31	#include <linux/bug.h>
	32
	33	#include "kasan.h"
	34	#include "../slab.h"
	35
3c9e3aa1 AK	36	static DEFINE_PER_CPU(u32, prng_state);
	37
	38	void kasan_init_tags(void)
	39	{
	40	int cpu;
	41
	42	for_each_possible_cpu(cpu)
3f41b609	43	per_cpu(prng_state, cpu) = (u32)get_cycles();
3c9e3aa1 AK	44	}
	45
	46	/*
	47	* If a preemption happens between this_cpu_read and this_cpu_write, the only
	48	* side effect is that we'll give a few allocated in different contexts objects
	49	* the same tag. Since tag-based KASAN is meant to be used a probabilistic
	50	* bug-detection debug feature, this doesn't have significant negative impact.
	51	*
	52	* Ideally the tags use strong randomness to prevent any attempts to predict
	53	* them during explicit exploit attempts. But strong randomness is expensive,
	54	* and we did an intentional trade-off to use a PRNG. This non-atomic RMW
	55	* sequence has in fact positive effect, since interrupts that randomly skew
	56	* PRNG at unpredictable points do only good.
	57	*/
	58	u8 random_tag(void)
	59	{
	60	u32 state = this_cpu_read(prng_state);
	61
	62	state = 1664525 * state + 1013904223;
	63	this_cpu_write(prng_state, state);
	64
	65	return (u8)(state % (KASAN_TAG_MAX + 1));
	66	}
	67
	68	void kasan_reset_tag(const void addr)
	69	{
	70	return reset_tag(addr);
	71	}
	72
b5f6e0fc	73	bool check_memory_region(unsigned long addr, size_t size, bool write,
2bd926b4 AK	74	unsigned long ret_ip)
2bd926b4 AK	75	{
7f94ffbc AK	76	u8 tag;
	77	u8 shadow_first, shadow_last, *shadow;
	78	void *untagged_addr;
	79
	80	if (unlikely(size == 0))
b5f6e0fc	81	return true;
7f94ffbc	82
8cceeff4 WW	83	if (unlikely(addr + size < addr))
	84	return !kasan_report(addr, size, write, ret_ip);
	85
7f94ffbc AK	86	tag = get_tag((const void *)addr);
	87
	88	/*
	89	* Ignore accesses for pointers tagged with 0xff (native kernel
	90	* pointer tag) to suppress false positives caused by kmap.
	91	*
	92	* Some kernel code was written to account for archs that don't keep
	93	* high memory mapped all the time, but rather map and unmap particular
	94	* pages when needed. Instead of storing a pointer to the kernel memory,
	95	* this code saves the address of the page structure and offset within
	96	* that page for later use. Those pages are then mapped and unmapped
	97	* with kmap/kunmap when necessary and virt_to_page is used to get the
	98	* virtual address of the page. For arm64 (that keeps the high memory
	99	* mapped all the time), kmap is turned into a page_address call.
	100
	101	* The issue is that with use of the page_address + virt_to_page
	102	* sequence the top byte value of the original pointer gets lost (gets
	103	* set to KASAN_TAG_KERNEL (0xFF)).
	104	*/
	105	if (tag == KASAN_TAG_KERNEL)
b5f6e0fc	106	return true;
7f94ffbc AK	107
	108	untagged_addr = reset_tag((const void *)addr);
	109	if (unlikely(untagged_addr <
	110	kasan_shadow_to_mem((void *)KASAN_SHADOW_START))) {
8cceeff4	111	return !kasan_report(addr, size, write, ret_ip);
7f94ffbc AK	112	}
	113	shadow_first = kasan_mem_to_shadow(untagged_addr);
	114	shadow_last = kasan_mem_to_shadow(untagged_addr + size - 1);
	115	for (shadow = shadow_first; shadow <= shadow_last; shadow++) {
	116	if (*shadow != tag) {
8cceeff4	117	return !kasan_report(addr, size, write, ret_ip);
7f94ffbc AK	118	}
7f94ffbc AK	119	}
b5f6e0fc ME	120
b5f6e0fc ME	121	return true;
2bd926b4 AK	122	}
	123
	124	#define DEFINE_HWASAN_LOAD_STORE(size) \
	125	void __hwasan_load##size##_noabort(unsigned long addr) \
	126	{ \
7f94ffbc	127	check_memory_region(addr, size, false, _RET_IP_); \
2bd926b4 AK	128	} \
	129	EXPORT_SYMBOL(__hwasan_load##size##_noabort); \
	130	void __hwasan_store##size##_noabort(unsigned long addr) \
	131	{ \
7f94ffbc	132	check_memory_region(addr, size, true, _RET_IP_); \
2bd926b4 AK	133	} \
	134	EXPORT_SYMBOL(__hwasan_store##size##_noabort)
	135
	136	DEFINE_HWASAN_LOAD_STORE(1);
	137	DEFINE_HWASAN_LOAD_STORE(2);
	138	DEFINE_HWASAN_LOAD_STORE(4);
	139	DEFINE_HWASAN_LOAD_STORE(8);
	140	DEFINE_HWASAN_LOAD_STORE(16);
	141
	142	void __hwasan_loadN_noabort(unsigned long addr, unsigned long size)
	143	{
7f94ffbc	144	check_memory_region(addr, size, false, _RET_IP_);
2bd926b4 AK	145	}
	146	EXPORT_SYMBOL(__hwasan_loadN_noabort);
	147
	148	void __hwasan_storeN_noabort(unsigned long addr, unsigned long size)
	149	{
7f94ffbc	150	check_memory_region(addr, size, true, _RET_IP_);
2bd926b4 AK	151	}
	152	EXPORT_SYMBOL(__hwasan_storeN_noabort);
	153
	154	void __hwasan_tag_memory(unsigned long addr, u8 tag, unsigned long size)
	155	{
cebd0eb2	156	poison_range((void *)addr, size, tag);
2bd926b4 AK	157	}
2bd926b4 AK	158	EXPORT_SYMBOL(__hwasan_tag_memory);
e4b7818b WW	159
	160	void kasan_set_free_info(struct kmem_cache *cache,
	161	void *object, u8 tag)
	162	{
	163	struct kasan_alloc_meta *alloc_meta;
	164	u8 idx = 0;
	165
	166	alloc_meta = get_alloc_info(cache, object);
	167
	168	#ifdef CONFIG_KASAN_SW_TAGS_IDENTIFY
	169	idx = alloc_meta->free_track_idx;
	170	alloc_meta->free_pointer_tag[idx] = tag;
	171	alloc_meta->free_track_idx = (idx + 1) % KASAN_NR_FREE_STACKS;
	172	#endif
	173
	174	kasan_set_track(&alloc_meta->free_track[idx], GFP_NOWAIT);
	175	}
	176
	177	struct kasan_track kasan_get_free_track(struct kmem_cache cache,
	178	void *object, u8 tag)
	179	{
	180	struct kasan_alloc_meta *alloc_meta;
	181	int i = 0;
	182
	183	alloc_meta = get_alloc_info(cache, object);
	184
	185	#ifdef CONFIG_KASAN_SW_TAGS_IDENTIFY
	186	for (i = 0; i < KASAN_NR_FREE_STACKS; i++) {
	187	if (alloc_meta->free_pointer_tag[i] == tag)
	188	break;
	189	}
	190	if (i == KASAN_NR_FREE_STACKS)
	191	i = alloc_meta->free_track_idx;
	192	#endif
	193
	194	return &alloc_meta->free_track[i];
	195	}