- #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
- #include <linux/mm.h>
- #include <linux/highmem.h>
- #include <linux/slab.h>
- #include <asm/sections.h>
/*
 * Verdicts produced by check_stack_object() for a copy range measured
 * against the current task's stack.
 *
 * BAD_STACK  - the range straddles a stack boundary.
 * NOT_STACK  - the range does not touch the stack at all.
 * GOOD_FRAME - never returned directly in this file; presumably handed
 *              back by arch_within_stack_frames() - confirm per arch.
 * GOOD_STACK - the range lies wholly on the stack and the frame check
 *              returned zero.
 */
enum {
	BAD_STACK  = -1,
	NOT_STACK  = 0,
	GOOD_FRAME = 1,
	GOOD_STACK = 2,
};
/*
 * Classify the range [obj, obj + len) against the current task's stack.
 *
 * Returns:
 *	NOT_STACK  - the range lies entirely outside the stack region
 *	BAD_STACK  - the range crosses the bottom or top of the stack
 *	GOOD_STACK - the range is wholly on the stack and
 *	             arch_within_stack_frames() returned zero
 *	otherwise  - any non-zero verdict from arch_within_stack_frames()
 *	             is passed through unchanged
 *
 * obj + len is not checked for wrap-around here. The only caller in this
 * file, __check_object_size(), runs check_bogus_address() first.
 */
static noinline int check_stack_object(const void *obj, unsigned long len)
{
	const void * const stack_lo = task_stack_page(current);
	const void * const stack_hi = stack_lo + THREAD_SIZE;
	const void * const obj_end = obj + len;
	int frame_state;

	/* No byte of the object falls inside the stack region. */
	if (obj_end <= stack_lo || obj >= stack_hi)
		return NOT_STACK;

	/*
	 * At least one end is inside the stack (see above), so an end
	 * outside it means the object hangs over a stack boundary.
	 */
	if (obj < stack_lo || obj_end > stack_hi)
		return BAD_STACK;

	/* Let the architecture judge frame placement, if it can. */
	frame_state = arch_within_stack_frames(stack_lo, stack_hi, obj, len);

	return frame_state ? frame_state : GOOD_STACK;
}
/*
 * Log a rejected user copy at emergency level and then call BUG().
 *
 * @len:     number of bytes the copy asked for
 * @to_user: true for a copy towards userspace (reported as an
 *           "exposure ... from"), false for a copy into the kernel
 *           (reported as an "overwrite ... to")
 * @type:    label of the offending object; NULL is printed as "unknown"
 */
static void report_usercopy(unsigned long len, bool to_user, const char *type)
{
	const char *threat;
	const char *direction;
	const char *label = type;

	if (to_user) {
		threat = "exposure";
		direction = "from";
	} else {
		threat = "overwrite";
		direction = "to";
	}

	if (!label)
		label = "unknown";

	pr_emerg("kernel memory %s attempt detected %s '%s' (%lu bytes)\n",
		 threat, direction, label, len);

	BUG();
}
/*
 * Report whether the half-open range [ptr, ptr + n) intersects the
 * half-open range [low, high).
 *
 * ptr + n is computed in unsigned long arithmetic with no overflow
 * check, so a wrapped sum would compare as a low address. Callers are
 * expected to have rejected wrapping ranges beforehand.
 */
static bool overlaps(const void *ptr, unsigned long n, unsigned long low,
		     unsigned long high)
{
	const unsigned long first = (uintptr_t)ptr;
	const unsigned long past_end = first + n;

	/* Intersects iff it starts below 'high' and ends above 'low'. */
	return first < high && past_end > low;
}
/*
 * Reject a copy range that touches kernel text.
 *
 * The range is compared with [_stext, _etext). It is then compared with
 * the address the same text has after a __pa()/__va() round trip, but
 * only when that round trip yields a different start address.
 *
 * Returns a label for the region that was hit, or NULL when the range
 * is clear of both.
 */
static inline const char *check_kernel_text_object(const void *ptr,
						   unsigned long n)
{
	const unsigned long text_start = (unsigned long)_stext;
	const unsigned long text_end = (unsigned long)_etext;
	unsigned long alias_start, alias_end;

	if (overlaps(ptr, n, text_start, text_end))
		return "<kernel text>";

	/* Where does the start of text land when mapped via __va(__pa())? */
	alias_start = (unsigned long)__va(__pa(text_start));

	/* A differing address means there is a second view to check. */
	if (alias_start != text_start) {
		alias_end = (unsigned long)__va(__pa(text_end));
		if (overlaps(ptr, n, alias_start, alias_end))
			return "<linear kernel text>";
	}

	return NULL;
}
/*
 * Reject ranges that cannot describe a real object: ones whose last byte
 * wraps past the top of the address space, and pointers matched by
 * ZERO_OR_NULL_PTR().
 *
 * The wrap test uses n - 1, so a range ending on the highest address is
 * accepted. It also means n must be non-zero on entry;
 * __check_object_size() returns early for n == 0 before calling here.
 *
 * Returns a label describing the problem, or NULL when the range passes.
 */
static inline const char *check_bogus_address(const void *ptr, unsigned long n)
{
	const unsigned long start = (unsigned long)ptr;
	const unsigned long last = start + (n - 1);

	/* Address of the final byte is below the first: arithmetic wrapped. */
	if (last < start)
		return "<wrapped address>";

	/* NOTE(review): presumably NULL and the zero-size sentinel - confirm. */
	if (ZERO_OR_NULL_PTR(ptr))
		return "<null>";

	return NULL;
}
/*
 * Check that a non-slab range does not run across unrelated pages.
 *
 * All checks are compiled in only with CONFIG_HARDENED_USERCOPY_PAGESPAN;
 * without it this function accepts every range.
 *
 * @ptr:     first byte of the range
 * @n:       length in bytes
 * @page:    head page for @ptr, as resolved by the caller
 * @to_user: true when copying out to userspace
 *
 * Returns a label describing the violation, or NULL when the range is
 * accepted.
 */
static inline const char *check_page_span(const void *ptr, unsigned long n,
					  struct page *page, bool to_user)
{
#ifdef CONFIG_HARDENED_USERCOPY_PAGESPAN
	const void *last = ptr + n - 1;
	const void *cursor;
	bool head_reserved, head_cma;

	/* Wholly inside rodata: may be read out, must never be written. */
	if (ptr >= (const void *)__start_rodata &&
	    last <= (const void *)__end_rodata)
		return to_user ? NULL : "<rodata>";

	/* Wholly inside the data section: accepted in both directions. */
	if (ptr >= (const void *)_sdata && last <= (const void *)_edata)
		return NULL;

	/* Wholly inside bss: accepted in both directions. */
	if (ptr >= (const void *)__bss_start &&
	    last <= (const void *)__bss_stop)
		return NULL;

	/* First and last byte share a page: nothing is spanned. */
	if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
		   ((unsigned long)last & (unsigned long)PAGE_MASK)))
		return NULL;

	/* Different pages but the same head page: one compound allocation. */
	if (likely(virt_to_head_page(last) == page))
		return NULL;

	/*
	 * From here on, only runs made purely of Reserved pages or purely
	 * of CMA pages are tolerated.
	 */
	head_reserved = PageReserved(page);
	head_cma = is_migrate_cma_page(page);
	if (!(head_reserved || head_cma))
		return "<spans multiple pages>";

	/* Every following page must share the first page's attribute. */
	cursor = ptr + PAGE_SIZE;
	while (cursor <= last) {
		struct page *cur_page = virt_to_head_page(cursor);

		if (head_reserved && !PageReserved(cur_page))
			return "<spans Reserved and non-Reserved pages>";
		if (head_cma && !is_migrate_cma_page(cur_page))
			return "<spans CMA and non-CMA pages>";

		cursor += PAGE_SIZE;
	}
#endif

	return NULL;
}
/*
 * Validate a range against the allocation that backs it.
 *
 * Addresses for which is_vmalloc_or_module_addr() is true, or
 * virt_addr_valid() is false, are returned as acceptable without any
 * bounds check in this function. Slab-backed pages are delegated to
 * __check_heap_object(); every other page goes to check_page_span().
 *
 * Returns a label describing the violation, or NULL when the range is
 * accepted or not checked here.
 */
static inline const char *check_heap_object(const void *ptr, unsigned long n,
					    bool to_user)
{
	struct page *head;

	/* Not inspected here: these return NULL with no bounds check. */
	if (is_vmalloc_or_module_addr(ptr) || !virt_addr_valid(ptr))
		return NULL;

	head = compound_head(kmap_to_page((void *)ptr));

	/* The slab allocator knows the object's bounds; let it judge. */
	return PageSlab(head) ? __check_heap_object(ptr, n, head)
			      : check_page_span(ptr, n, head, to_user);
}
/*
 * Validate the kernel side of a user copy covering [ptr, ptr + n).
 *
 * Checks run in this order, and the first failure is reported through
 * report_usercopy():
 *   1. zero-length copies are accepted immediately
 *   2. wrapped or null-like addresses (check_bogus_address)
 *   3. heap / page-span bounds (check_heap_object)
 *   4. stack placement (check_stack_object); a range accepted as being
 *      on the stack returns here without the text check
 *   5. overlap with kernel text (check_kernel_text_object)
 *
 * @to_user selects the wording of the report and is forwarded to the
 * heap check.
 */
void __check_object_size(const void *ptr, unsigned long n, bool to_user)
{
	const char *err;
	int stack_state;

	/* Nothing is touched by an empty copy. */
	if (n == 0)
		return;

	/* Address sanity first; the later checks rely on it. */
	err = check_bogus_address(ptr, n);
	if (!err)
		err = check_heap_object(ptr, n, to_user);
	if (err) {
		report_usercopy(n, to_user, err);
		return;
	}

	stack_state = check_stack_object(ptr, n);

	/* Object sits safely on the stack: done. */
	if (stack_state == GOOD_FRAME || stack_state == GOOD_STACK)
		return;

	/* Any verdict other than "not on the stack" is a rejection. */
	if (stack_state != NOT_STACK) {
		report_usercopy(n, to_user, "<process stack>");
		return;
	}

	/* Neither heap nor stack: make sure it is not kernel text. */
	err = check_kernel_text_object(ptr, n);
	if (err)
		report_usercopy(n, to_user, err);
}
EXPORT_SYMBOL(__check_object_size);