kernel/stackleak.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * This code fills the used part of the kernel stack with a poison value
   4  * before returning to userspace. It's part of the STACKLEAK feature
   5  * ported from grsecurity/PaX.
   6  *
   7  * Author: Alexander Popov <alex.popov@linux.com>
   8  *
   9  * STACKLEAK reduces the information which kernel stack leak bugs can
  10  * reveal and blocks some uninitialized stack variable attacks.
  11  */
  12
  13 #include <linux/stackleak.h>
  14 #include <linux/kprobes.h>
  15
  16 #ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
  17 #include <linux/jump_label.h>
  18 #include <linux/sysctl.h>
  19 #include <linux/init.h>
  20
  21 static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);
  22
  23 #ifdef CONFIG_SYSCTL
  24 static int stack_erasing_sysctl(struct ctl_table *table, int write,
  25                         void __user *buffer, size_t *lenp, loff_t *ppos)
  26 {
  27         int ret = 0;
  28         int state = !static_branch_unlikely(&stack_erasing_bypass);
  29         int prev_state = state;
  30
  31         table->data = &state;
  32         table->maxlen = sizeof(int);
  33         ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
  34         state = !!state;
  35         if (ret || !write || state == prev_state)
  36                 return ret;
  37
  38         if (state)
  39                 static_branch_disable(&stack_erasing_bypass);
  40         else
  41                 static_branch_enable(&stack_erasing_bypass);
  42
  43         pr_warn("stackleak: kernel stack erasing is %s\n",
  44                                         state ? "enabled" : "disabled");
  45         return ret;
  46 }
  47 static struct ctl_table stackleak_sysctls[] = {
  48         {
  49                 .procname       = "stack_erasing",
  50                 .data           = NULL,
  51                 .maxlen         = sizeof(int),
  52                 .mode           = 0600,
  53                 .proc_handler   = stack_erasing_sysctl,
  54                 .extra1         = SYSCTL_ZERO,
  55                 .extra2         = SYSCTL_ONE,
  56         },
  57         {}
  58 };
  59
  60 static int __init stackleak_sysctls_init(void)
  61 {
  62         register_sysctl_init("kernel", stackleak_sysctls);
  63         return 0;
  64 }
  65 late_initcall(stackleak_sysctls_init);
  66 #endif /* CONFIG_SYSCTL */
  67
  68 #define skip_erasing()  static_branch_unlikely(&stack_erasing_bypass)
  69 #else
  70 #define skip_erasing()  false
  71 #endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
  72
  73 asmlinkage void noinstr stackleak_erase(void)
  74 {
  75         /* It would be nice not to have 'kstack_ptr' and 'boundary' on stack */
  76         unsigned long kstack_ptr = current->lowest_stack;
  77         unsigned long boundary = (unsigned long)end_of_stack(current);
  78         unsigned int poison_count = 0;
  79         const unsigned int depth = STACKLEAK_SEARCH_DEPTH / sizeof(unsigned long);
  80
  81         if (skip_erasing())
  82                 return;
  83
  84         /* Check that 'lowest_stack' value is sane */
  85         if (unlikely(kstack_ptr - boundary >= THREAD_SIZE))
  86                 kstack_ptr = boundary;
  87
  88         /* Search for the poison value in the kernel stack */
  89         while (kstack_ptr > boundary && poison_count <= depth) {
  90                 if (*(unsigned long *)kstack_ptr == STACKLEAK_POISON)
  91                         poison_count++;
  92                 else
  93                         poison_count = 0;
  94
  95                 kstack_ptr -= sizeof(unsigned long);
  96         }
  97
  98         /*
  99          * One 'long int' at the bottom of the thread stack is reserved and
 100          * should not be poisoned (see CONFIG_SCHED_STACK_END_CHECK=y).
 101          */
 102         if (kstack_ptr == boundary)
 103                 kstack_ptr += sizeof(unsigned long);
 104
 105 #ifdef CONFIG_STACKLEAK_METRICS
 106         current->prev_lowest_stack = kstack_ptr;
 107 #endif
 108
 109         /*
 110          * Now write the poison value to the kernel stack. Start from
 111          * 'kstack_ptr' and move up till the new 'boundary'. We assume that
 112          * the stack pointer doesn't change when we write poison.
 113          */
 114         if (on_thread_stack())
 115                 boundary = current_stack_pointer;
 116         else
 117                 boundary = current_top_of_stack();
 118
 119         while (kstack_ptr < boundary) {
 120                 *(unsigned long *)kstack_ptr = STACKLEAK_POISON;
 121                 kstack_ptr += sizeof(unsigned long);
 122         }
 123
 124         /* Reset the 'lowest_stack' value for the next syscall */
 125         current->lowest_stack = current_top_of_stack() - THREAD_SIZE/64;
 126 }
 127
 128 void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
 129 {
 130         unsigned long sp = current_stack_pointer;
 131
 132         /*
 133          * Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
 134          * STACKLEAK_SEARCH_DEPTH makes the poison search in
 135          * stackleak_erase() unreliable. Let's prevent that.
 136          */
 137         BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);
 138
 139         /* 'lowest_stack' should be aligned on the register width boundary */
 140         sp = ALIGN(sp, sizeof(unsigned long));
 141         if (sp < current->lowest_stack &&
 142             sp >= (unsigned long)task_stack_page(current) +
 143                                                 sizeof(unsigned long)) {
 144                 current->lowest_stack = sp;
 145         }
 146 }
 147 EXPORT_SYMBOL(stackleak_track_stack);