From patchwork Thu Sep 7 15:30:46 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9942441 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 9A55E6038C for ; Thu, 7 Sep 2017 15:33:08 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A0F9D28720 for ; Thu, 7 Sep 2017 15:33:08 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 95F8128724; Thu, 7 Sep 2017 15:33:08 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_MED autolearn=unavailable version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 1C1A028720 for ; Thu, 7 Sep 2017 15:33:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References: In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=DtHNe3TIeNklPxNpxo3GJZZ7GmKfd5B/PBmB8LdW/x4=; b=RVtDaju+rdfcZ1oQHkaXfKLBTu OzH5KqWsKl5T7PMTkuyk3KdsiqvWS/PRQVACRNovIzlp34LMEITodaMJemagq7lJd70sWW7ixRrQx lnFW9Gb6mfi4e0qz1pyYeoiyrUr4FX/7BhMUAehvfL5ZN+fUqR5OVI0BW/Z2OMTgXIGwr00fEabJJ Ic1CoW/pn/w1Kfzq7RgTQ76XSv9YsRFY+EaaHt5rW5fJAmUJ/LF2h25k4Qqkb04xhUlYhdzKyT4Ot lfJ3l82aWZPNGYL9gkagfADiu8HqzHK+mR2zgUuDddHj6v8gZOq7SbO7RPeO09l9xYAm9GOISs+4Q 6Bof3IcA==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1dpyne-0004Cc-GI; Thu, 07 Sep 2017 15:33:02 +0000 Received: from mail-pg0-x22a.google.com ([2607:f8b0:400e:c05::22a]) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1dpym4-0003BW-33 for linux-arm-kernel@lists.infradead.org; Thu, 07 Sep 2017 15:31:26 +0000 Received: by mail-pg0-x22a.google.com with SMTP id q68so129987pgq.1 for ; Thu, 07 Sep 2017 08:31:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=qopEWgeso+3eXogqmI77ezWLFa30x3JHJK56UzpOEvQ=; b=H3jwypmuejTddxaIA7FGY4J914jVH6r65RVTYoQP3Ysi5pNpbi6pPbj7itn7xxQzoG fOcQ19Bi5FiZXNQuTffVHbpylzjONkJz3CWmBsS9/XYUx3gZfxSPlBPlKv23PVUxcm0A oKSW5jQJYAwXtlRGQMOI7S/0legGi/8XBcDeg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=qopEWgeso+3eXogqmI77ezWLFa30x3JHJK56UzpOEvQ=; b=CVtjto6p5341/jq3N6tQZRwBuT+St3vgZ8nUkXkLMsPGeI7X2F0N336uFss9YdkOQC XaYzdS+sGDtV3PW1Id4T7r1t5JQ8AwNM7aKprpWP7MkpH3Vb75RLB2h1suq9AJU1EmrA lv7n5/mLqsOBmkuW0z/aGKnJbtVLf8Y+VmiCQTw0SzobACzhWUlXOYHXo9l6fHg5hApZ yy2mz9jl1J5HYS2uhJDdGLwMxWcTFgW63fX4/H/ww8QPGebMg3n/z4TxDqHaSrhnggTw jDTb5oPLmk+Q35GLaN7bcSKG8x/7Q042vLGCsJzCw0N9iaz39c+Kp5ONR6dMZW8FXT4S 1FhA== X-Gm-Message-State: AHPjjUg5hPe+F2tVmW8UEzPKUSbNj+nbq3RPmMQbNRcYO31CQep2sQvU RmqPT3+SHGJyV1QE X-Google-Smtp-Source: ADKCNb7F/heq6IJdbwciFp5DgJnSicFnY+4fqx/m8wH+y+7TLz8kCulvtd8WkaYo4r6Pk+8GN7aZUw== X-Received: by 10.98.9.84 with SMTP id e81mr3098718pfd.133.1504798262049; Thu, 07 Sep 2017 08:31:02 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id j14sm4278988pgs.15.2017.09.07.08.30.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Sep 2017 08:30:59 -0700 (PDT) From: Kees Cook To: Ingo Molnar Subject: [PATCH 3/4] arm/syscalls: Optimize address limit check Date: Thu, 7 Sep 2017 08:30:46 -0700 Message-Id: <1504798247-48833-4-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1504798247-48833-1-git-send-email-keescook@chromium.org> References: <1504798247-48833-1-git-send-email-keescook@chromium.org> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20170907_083124_156252_B9BBC663 X-CRM114-Status: GOOD ( 13.61 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Pratyush Anand , linux-kernel@vger.kernel.org, Will Drewry , Kees Cook , Arnd Bergmann , Catalin Marinas , Will Deacon , Russell King , Andy Lutomirski , David Howells , Dave Hansen , Al Viro , linux-api@vger.kernel.org, Yonghong Song , Thomas Gleixner , Thomas Garnier , linux-arm-kernel@lists.infradead.org, Dave Martin MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP From: Thomas Garnier Disable the generic address limit check in favor of an architecture specific optimized implementation. The generic implementation using pending work flags did not work well with ARM and alignment faults. The address limit is checked on each syscall return path to user-mode path as well as the irq user-mode return function. If the address limit was changed, a function is called to report data corruption (stopping the kernel or process based on configuration). The address limit check has to be done before any pending work because they can reset the address limit and the process is killed using a SIGKILL signal. For example the lkdtm address limit check does not work because the signal to kill the process will reset the user-mode address limit. Signed-off-by: Thomas Garnier Reviewed-by: Kees Cook Tested-by: Kees Cook Tested-by: Leonard Crestez Signed-off-by: Kees Cook --- arch/arm/kernel/entry-common.S | 11 +++++++++++ arch/arm/kernel/signal.c | 7 +++++++ 2 files changed, 18 insertions(+) diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S index eb5cd77bf1d8..126fafc725bc 100644 --- a/arch/arm/kernel/entry-common.S +++ b/arch/arm/kernel/entry-common.S @@ -12,6 +12,7 @@ #include #include #include +#include #ifdef CONFIG_AEABI #include #endif @@ -40,10 +41,14 @@ ret_fast_syscall: UNWIND(.fnstart ) UNWIND(.cantunwind ) disable_irq_notrace @ disable interrupts + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK bne fast_work_pending + /* perform architecture specific actions before user return */ arch_ret_to_user r1, lr @@ -66,6 +71,9 @@ ret_fast_syscall: UNWIND(.cantunwind ) str r0, [sp, #S_R0 + S_OFF]! @ save returned r0 disable_irq_notrace @ disable interrupts + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK beq no_work_pending @@ -98,6 +106,9 @@ ENTRY(ret_to_user) ret_slow_syscall: disable_irq_notrace @ disable interrupts ENTRY(ret_to_user_from_irq) + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] tst r1, #_TIF_WORK_MASK bne slow_work_pending diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c index 5814298ef0b7..b67ae12503f3 100644 --- a/arch/arm/kernel/signal.c +++ b/arch/arm/kernel/signal.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include @@ -673,3 +674,9 @@ struct page *get_signal_page(void) return page; } + +/* Defer to generic check */ +asmlinkage void addr_limit_check_failed(void) +{ + addr_limit_user_check(); +}