From patchwork Mon Aug 14 21:37:31 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Garnier X-Patchwork-Id: 9900195 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 38792602D9 for ; Mon, 14 Aug 2017 21:39:14 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2B54B28722 for ; Mon, 14 Aug 2017 21:39:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1FDDC2873A; Mon, 14 Aug 2017 21:39:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.6 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, DKIM_VALID, RCVD_IN_DNSWL_LOW autolearn=unavailable version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id BCD3C28722 for ; Mon, 14 Aug 2017 21:39:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References: In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=5TtgGADL32y+zzUr/hao+0Xbkp1aqAovYsshPUBWhs0=; b=LY4LXpr9ZX+HQ79/DvcnEwEoRF Zwr8XyOzgjAc7RIRFvq2qlzvtAml4qnuyEac8GQY3GzcdFqhzQkEuuutIDxR3Yy6EBwVVHrXgZfzi olxfNGoBrMuJDXpI1UgICS480DpcSvSsm7fNRtlROs9ihyM4gPRoQtuVAibFcFtOypZ3l2Loc1xcE n4i2r6Wia6iYegZYGk8JoaQtVfujUJAJDaBXq44Y30RBKd+WItlRr+rpZAB7GY5FcippIU+rU/TKn J78S7dOxE1L9EAqHojS2jTCrSZlN++im/fxOKYJVhhQz0w1cqJSMklHRAg9W0VTHdKQDRYPEplx5S mHTH4FgQ==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1dhN4m-0000xO-Pv; Mon, 14 Aug 2017 21:39:08 +0000 Received: from mail-pg0-x22d.google.com ([2607:f8b0:400e:c05::22d]) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1dhN47-0000He-IW for linux-arm-kernel@lists.infradead.org; Mon, 14 Aug 2017 21:38:29 +0000 Received: by mail-pg0-x22d.google.com with SMTP id u185so54862370pgb.1 for ; Mon, 14 Aug 2017 14:38:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=63A4SzacZfbzd4ZnUsaliuccXN6G6UKsSDFPG+AvMS8=; b=Ji3Zm5lN58CdKXxvrkT9yIHJwmoJ4Bkrb8SKIWfsgmy3ZxWuY6Bt/lgaZuiBGvY6fv jlau0hfhct1n6tdMPjL2coIR9vjLpftaNLN3GswYXROi9uXhlkvwwRZKzVWvSjeCQm5N fCaG9Px+aAPmB96vesx7Qm/9g6jM3BZzdhha8eXwgIWbUCXsZKWPxfC0BdMoJnouoN4l abSQOP0IklvF9Oym5y7mffUCHG9L1+ecghbNn3BSpGqI3CziffIQsp6q3e5zJFbJ6fvf 54e++6840hMCSsiJBSjblY14JoUPsNI2qM5VbBMe5Cf7oBjZ7Iuti14dXzuWQyg+PZmw R8iA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=63A4SzacZfbzd4ZnUsaliuccXN6G6UKsSDFPG+AvMS8=; b=k1Zl8rI403GwBr0k3MUufge+yEsgxIbXeTIohyQQQRqK94/N3Cyum+G6Q/eSxpv/iG x7S9QMPjzrUdaWe89iptUvpL5I+jc1CPxpVLuMJYsflN5NdKUCyaLZHA4/snfHdkCHNO 6M6NgbPEA5xQUUqH0qtz7Dx9VqFYQff3oAuKDO68YxjACkN5BbsL2r9KSY428Eoq3tNc B2APZNOlqUsmkt+Co6Btr4iGlVfmSSxNQQCn5TFNRt1kkK7Jjz/1RXGae/VSxdgXyc3D K2inLfrYQJQhGILTo6xWfJ3rGgm7KZRDmvOXD/SVKHtdciYTTcpqPK5IVCL58GzB5R0I QEJA== X-Gm-Message-State: AHYfb5hP5VFYqgcdCLuVl8dXcEiYNLuaZGPic97d+IXgmlX7a8fZ4sDE OfoWaV7t3spIrVTj X-Received: by 10.98.43.78 with SMTP id r75mr26071400pfr.269.1502746686231; Mon, 14 Aug 2017 14:38:06 -0700 (PDT) Received: from skynet.sea.corp.google.com ([172.31.92.33]) by smtp.gmail.com with ESMTPSA id l2sm14619184pgc.27.2017.08.14.14.38.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 14 Aug 2017 14:38:05 -0700 (PDT) From: Thomas Garnier To: Al Viro , Dave Hansen , Arnd Bergmann , Thomas Gleixner , Thomas Garnier , Yonghong Song , David Howells , Russell King , Kees Cook , Andy Lutomirski , Will Drewry , Dave Martin , Catalin Marinas , Will Deacon Subject: [PATCH v3 3/4] arm/syscalls: Optimize address limit check Date: Mon, 14 Aug 2017 14:37:31 -0700 Message-Id: <20170814213732.104301-3-thgarnie@google.com> X-Mailer: git-send-email 2.14.1.480.gb18f417b89-goog In-Reply-To: <20170814213732.104301-1-thgarnie@google.com> References: <20170814213732.104301-1-thgarnie@google.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20170814_143827_644242_A1E8D7AF X-CRM114-Status: GOOD ( 12.14 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP Disable the generic address limit check in favor of an architecture specific optimized implementation. The generic implementation using pending work flags did not work well with ARM and alignment faults. The address limit is checked on each syscall return path to user-mode path as well as the irq user-mode return function. If the address limit was changed, a function is called to report data corruption (stopping the kernel or process based on configuration). The address limit check has to be done before any pending work because they can reset the address limit and the process is killed using a SIGKILL signal. For example the lkdtm address limit check does not work because the signal to kill the process will reset the user-mode address limit. Signed-off-by: Thomas Garnier Reviewed-by: Kees Cook Tested-by: Kees Cook Tested-by: Leonard Crestez --- arch/arm/kernel/entry-common.S | 11 +++++++++++ arch/arm/kernel/signal.c | 7 +++++++ 2 files changed, 18 insertions(+) diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S index 0b60adf4a5d9..99c908226065 100644 --- a/arch/arm/kernel/entry-common.S +++ b/arch/arm/kernel/entry-common.S @@ -12,6 +12,7 @@ #include #include #include +#include #ifdef CONFIG_AEABI #include #endif @@ -48,10 +49,14 @@ ret_fast_syscall: UNWIND(.fnstart ) UNWIND(.cantunwind ) disable_irq_notrace @ disable interrupts + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK bne fast_work_pending + /* perform architecture specific actions before user return */ arch_ret_to_user r1, lr @@ -74,6 +79,9 @@ ret_fast_syscall: UNWIND(.cantunwind ) str r0, [sp, #S_R0 + S_OFF]! @ save returned r0 disable_irq_notrace @ disable interrupts + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK beq no_work_pending @@ -106,6 +114,9 @@ ENTRY(ret_to_user) ret_slow_syscall: disable_irq_notrace @ disable interrupts ENTRY(ret_to_user_from_irq) + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] tst r1, #_TIF_WORK_MASK bne slow_work_pending diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c index 5814298ef0b7..b67ae12503f3 100644 --- a/arch/arm/kernel/signal.c +++ b/arch/arm/kernel/signal.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include @@ -673,3 +674,9 @@ struct page *get_signal_page(void) return page; } + +/* Defer to generic check */ +asmlinkage void addr_limit_check_failed(void) +{ + addr_limit_user_check(); +}