From: kpark3469@gmail.com
To: kernel-hardening@lists.openwall.com
Cc: catalin.marinas@arm.com, keescook@chromium.org, will.deacon@arm.com, mark.rutland@arm.com, james.morse@arm.com, panand@redhat.com, keun-o.park@darkmatter.ae, psodagud@codeaurora.org, jpoimboe@redhat.com, mingo@kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v4 2/3] arm64: usercopy: implement arch_within_stack_frames
Date: Tue, 10 Apr 2018 11:30:46 +0400
Message-Id: <1523345447-10725-3-git-send-email-kpark3469@gmail.com>
In-Reply-To: <1523345447-10725-2-git-send-email-kpark3469@gmail.com>
References: <1523345447-10725-1-git-send-email-kpark3469@gmail.com> <1523345447-10725-2-git-send-email-kpark3469@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: James Morse

This implements arch_within_stack_frames() for arm64 that should validate if a given object is contained by a kernel stack frame.

Signed-off-by: James Morse
Reviewed-by: Sahara
Reviewed-by: Kees Cook
---
 arch/arm64/Kconfig | 1 +
 arch/arm64/kernel/stacktrace.c | 76 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index eb2cf49..4498ff4 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -128,6 +128,7 @@ config ARM64 select HAVE_SYSCALL_TRACEPOINTS select HAVE_KPROBES select HAVE_KRETPROBES + select HAVE_ARCH_WITHIN_STACK_FRAMES select IOMMU_DMA if IOMMU_SUPPORT select IRQ_DOMAIN select IRQ_FORCED_THREADING diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c index d5718a0..5eb3784 100644 --- a/arch/arm64/kernel/stacktrace.c +++ b/arch/arm64/kernel/stacktrace.c @@ -27,6 +27,11 @@ #include #include +#define FAKE_FRAME(frame, my_func) do { \ + frame.fp = (unsigned long)__builtin_frame_address(0); \ + frame.pc = (unsigned long)my_func; \ +} while (0) + /* * AArch64 PCS assigns the frame pointer to x29. * 
@@ -100,6 +105,77 @@ void notrace walk_stackframe(struct task_struct *tsk, struct stackframe *frame, } } +struct check_frame_arg { + unsigned long obj_start; + unsigned long obj_end; + unsigned long frame_start; + int discard_frames; + int err; +}; + +static int check_frame(struct stackframe *frame, void *d) +{ + struct check_frame_arg *arg = d; + unsigned long frame_end = frame->fp; + + /* object overlaps multiple frames */ + if (arg->obj_start < frame->fp && frame->fp < arg->obj_end) { + arg->err = BAD_STACK; + return 1; + } + + /* + * Discard frames and check object is in a frame written early + * enough. + */ + if (arg->discard_frames) + arg->discard_frames--; + else if ((arg->frame_start <= arg->obj_start && + arg->obj_start < frame_end) && + (arg->frame_start < arg->obj_end && arg->obj_end <= frame_end)) + return 1; + + /* object exists in a previous frame */ + if (arg->obj_end < arg->frame_start) { + arg->err = BAD_STACK; + return 1; + } + + arg->frame_start = frame_end + 0x10; + + return 0; +} + +/* Check obj doesn't overlap a stack frame record */ +int arch_within_stack_frames(const void *stack, + const void *stack_end, + const void *obj, unsigned long obj_len) +{ + struct stackframe frame; + struct check_frame_arg arg; + + if (!IS_ENABLED(CONFIG_FRAME_POINTER)) + return NOT_STACK; + + arg.err = GOOD_FRAME; + arg.obj_start = (unsigned long)obj; + arg.obj_end = arg.obj_start + obj_len; + + FAKE_FRAME(frame, arch_within_stack_frames); + arg.frame_start = frame.fp; + + /* + * Skip 4 non-inlined frames: , + * arch_within_stack_frames(), check_stack_object() and + * __check_object_size(). + */ + arg.discard_frames = 4; + + walk_stackframe(current, &frame, check_frame, &arg); + + return arg.err; +} + #ifdef CONFIG_STACKTRACE struct stack_trace_data { struct stack_trace *trace; -- 2.7.4
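Review bot: the FAKE_FRAME macro added in the first stacktrace.c hunk should parenthesize its arguments and document where it may be used: `frame.fp = (unsigned long)__builtin_frame_address(0);` captures the frame of whatever function the macro is expanded in, so it only yields a correct starting frame when expanded directly in a non-inlined function built with frame pointers (here arch_within_stack_frames()). Writing `(frame).fp` and `(frame).pc`, and adding a one-line comment stating that requirement, would make the assumption visible to the next caller of the macro.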
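Review bot: the frame-record overlap test in check_frame(), `if (arg->obj_start < frame->fp && frame->fp < arg->obj_end)`, only fires when the fp address itself lies strictly inside the object, yet the record occupies 16 bytes (saved fp and lr), which is exactly the 0x10 later skipped by `arg->frame_start = frame_end + 0x10;`. An object starting at frame->fp or at frame->fp + 8 therefore overlaps the saved fp/lr without being flagged, and since no later test classifies it either, the walk ends with arg.err still at its initial GOOD_FRAME value and the copy is allowed. Suggest testing the whole record, e.g. `if (arg->obj_start < frame->fp + 0x10 && frame->fp < arg->obj_end)`, and giving the 0x10 a named constant (the AArch64 frame-record size) used at both sites. Separately, `arg.discard_frames = 4;` and its comment depend on check_stack_object() and __check_object_size() staying out of line and on the frame record sitting at the bottom of each frame; spelling out both assumptions in the comment would make a future off-by-one easier to spot.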