From: Will Deacon
To: linux-kernel@vger.kernel.org
Cc: Will Deacon, Eric Dumazet, Jann Horn, Kees Cook, Maddie Stone, Marco Elver, "Paul E . McKenney", Peter Zijlstra, Thomas Gleixner, kernel-team@android.com, kernel-hardening@lists.openwall.com
Subject: [RFC PATCH 13/21] list: Add integrity checking to hlist_nulls implementation
Date: Tue, 24 Mar 2020 15:36:35 +0000
Message-Id: <20200324153643.15527-14-will@kernel.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200324153643.15527-1-will@kernel.org>
References: <20200324153643.15527-1-will@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Extend the 'hlist_nulls' implementation so that it can optionally perform integrity checking in a similar fashion to the standard 'list' code when CONFIG_CHECK_INTEGRITY_LIST=y.

On architectures without a trap value for ILLEGAL_POINTER_VALUE (i.e. all 32-bit architectures), explicit pointer/poison checks can help to mitigate UAF vulnerabilities such as the one exploited by "pingpongroot" (CVE-2015-3636).

Cc: Kees Cook
Cc: Paul E. McKenney
Cc: Peter Zijlstra
Signed-off-by: Will Deacon
--- include/linux/list_nulls.h | 23 +++++++++++++++++++ lib/list_debug.c | 47 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/include/linux/list_nulls.h b/include/linux/list_nulls.h index 48f33ae16381..379e097e92b0 100644 --- a/include/linux/list_nulls.h +++ b/include/linux/list_nulls.h 
@@ -35,6 +35,23 @@ struct hlist_nulls_node { ({ typeof(ptr) ____ptr = (ptr); \ !is_a_nulls(____ptr) ? hlist_nulls_entry(____ptr, type, member) : NULL; \ }) + +#ifdef CONFIG_CHECK_INTEGRITY_LIST +extern bool __hlist_nulls_add_head_valid(struct hlist_nulls_node *new, + struct hlist_nulls_head *head); +extern bool __hlist_nulls_del_valid(struct hlist_nulls_node *node); +#else +static inline bool __hlist_nulls_add_head_valid(struct hlist_nulls_node *new, + struct hlist_nulls_head *head) +{ + return true; +} +static inline bool __hlist_nulls_del_valid(struct hlist_nulls_node *node) +{ + return true; +} +#endif + /** * ptr_is_a_nulls - Test if a ptr is a nulls * @ptr: ptr to be tested @@ -79,6 +96,9 @@ static inline void hlist_nulls_add_head(struct hlist_nulls_node *n, { struct hlist_nulls_node *first = h->first; + if (!__hlist_nulls_add_head_valid(n, h)) + return; + n->next = first; n->pprev = &h->first; h->first = n; @@ -91,6 +111,9 @@ static inline void __hlist_nulls_del(struct hlist_nulls_node *n) struct hlist_nulls_node *next = n->next; struct hlist_nulls_node **pprev = n->pprev; + if (!__hlist_nulls_del_valid(n)) + return; + WRITE_ONCE(*pprev, next); if (!is_a_nulls(next)) WRITE_ONCE(next->pprev, pprev); diff --git a/lib/list_debug.c b/lib/list_debug.c index 03234ebd18c9..b3560de4accc 100644 --- a/lib/list_debug.c +++ b/lib/list_debug.c @@ -10,6 +10,7 @@ #include #include #include +#include /* * Check that the data structures for the list manipulations are reasonably 
@@ -139,3 +140,49 @@ bool __hlist_del_valid(struct hlist_node *node) return true; } EXPORT_SYMBOL(__hlist_del_valid); + +bool __hlist_nulls_add_head_valid(struct hlist_nulls_node *new, + struct hlist_nulls_head *head) +{ + struct hlist_nulls_node *first = head->first; + + if (CHECK_DATA_CORRUPTION(!is_a_nulls(first) && + first->pprev != &head->first, + "hlist_nulls_add_head corruption: first->pprev should be &head->first (%px), but was %px (first=%px)", + &head->first, first->pprev, first) || + CHECK_DATA_CORRUPTION(new == first, + "hlist_nulls_add_head double add: new (%px) == first (%px)", + new, first)) + return false; + + return true; +} +EXPORT_SYMBOL(__hlist_nulls_add_head_valid); + +bool __hlist_nulls_del_valid(struct hlist_nulls_node *node) +{ + struct hlist_nulls_node *prev, *next = node->next; + + if (CHECK_DATA_CORRUPTION(next == LIST_POISON1, + "hlist_nulls_del corruption: %px->next is LIST_POISON1 (%px)\n", + node, LIST_POISON1) || + CHECK_DATA_CORRUPTION(node->pprev == LIST_POISON2, + "hlist_nulls_del corruption: %px->pprev is LIST_POISON2 (%px)\n", + node, LIST_POISON2)) + return false; + + BUILD_BUG_ON(offsetof(struct hlist_nulls_node, next) != + offsetof(struct hlist_nulls_head, first)); + prev = container_of(node->pprev, struct hlist_nulls_node, next); + if (CHECK_DATA_CORRUPTION(prev->next != node, + "hlist_nulls_del corruption: prev->next should be %px, but was %px\n", + node, prev->next) || + CHECK_DATA_CORRUPTION(!is_a_nulls(next) && + next->pprev != &node->next, + "hlist_nulls_del corruption: next->pprev should be %px, but was %px\n", + &node->next, next->pprev)) + return false; + + return true; +} +EXPORT_SYMBOL(__hlist_nulls_del_valid); -- 2.20.1
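
Review bot: the two declarations added in the first include/linux/list_nulls.h hunk carry no comment saying what a false return means for the caller. Both call sites in this patch treat false as "skip the list operation", so a short comment above the #ifdef CONFIG_CHECK_INTEGRITY_LIST block stating that contract would keep the inline stubs and the lib/list_debug.c versions in step.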
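
Review bot: in the hlist_nulls_add_head() hunk, a failed __hlist_nulls_add_head_valid(n, h) makes the function return with n never linked and n->next / n->pprev left at whatever they held before, and the void return gives the caller no way to notice. That is worth stating in the function comment, since a later delete of n will then act on those stale pointers. Also, first is loaded from h->first before the check while the helper reads head->first again; running the check before the load, or passing first in, would make the validated value the one that is used.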
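
Review bot: in the __hlist_nulls_del() hunk, next and pprev are read from n before __hlist_nulls_del_valid(n) runs, and the helper then re-reads node->next and node->pprev itself, so the values that get validated are not necessarily the ones handed to WRITE_ONCE(*pprev, next). Moving the check above the two loads, or passing next and pprev to the helper, closes that gap.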
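
Review bot: in __hlist_nulls_add_head_valid() (lib/list_debug.c hunk) the double-add test new == first only fires when the node being added is the current head; a node already linked further down the chain passes the check. If that is the intended limit, a comment saying so would help. Separately, the two hlist_nulls_add_head messages have no trailing \n while the four hlist_nulls_del messages do, so pick one form. All six messages use %px, which prints raw kernel addresses to the log; confirm that is wanted for these reports.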