From patchwork Wed Jul 26 17:00:50 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Garnier X-Patchwork-Id: 9865423 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 41376602B1 for ; Wed, 26 Jul 2017 17:02:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3262E28795 for ; Wed, 26 Jul 2017 17:02:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 273522879C; Wed, 26 Jul 2017 17:02:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, DKIM_VALID, RCVD_IN_DNSWL_NONE autolearn=unavailable version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id CAB5528795 for ; Wed, 26 Jul 2017 17:02:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References: In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=hSqvz+/e/6GqAXUQCFu/c4J+EcOwQAFcjQEcSLYhqIM=; b=G4N5Wr3I/uR53p1ilauBvgp2IV rQdfnZhRcl9GrRDU2yqi5GJ1c2U2q7Ad6NOcxPs5aDr5kfg2Iq7vzwfP/NurRvvPUkTcM7mmuD2Wl YTrpQbPM0jpdHGRaJUlSRZkuVtP7ydILYN+dkn+3OfCWNS6crqy+JbjXhT5o9VehCO8h0YyW5F171 doneYK8P0/AcotQnhWCfCQ9oYGYTty3FKwvbAdXL0JkOFQ/Nj5MOiDLrDG6mlaoZFt1ulN72qSEJP 2O5xucBu3P5L6EV6KyMlNaelA0khiQdLqJiJwx+IGSd0D2Jp6fTr/IGsGzOSiSMz3HW6Dl0gCxwWO 9cprzPJg==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1daPhh-0002oS-K2; Wed, 26 Jul 2017 17:02:33 +0000 Received: from mail-pf0-x230.google.com ([2607:f8b0:400e:c00::230]) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1daPgv-0001vc-PL for linux-arm-kernel@lists.infradead.org; Wed, 26 Jul 2017 17:01:52 +0000 Received: by mail-pf0-x230.google.com with SMTP id z129so33732293pfb.3 for ; Wed, 26 Jul 2017 10:01:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=ai5uMNSpq7iRftRnzR8BH2MaItho9E5aA4UJxZP+AJA=; b=U9I5ltxmv16h2ScZhXH/MfyH3y19xDgEvQk/2lYACwz/GaEYczECGNc0GX5cUIxI/c 5X1OOoPZ5ETL92Zlg93VSBWPzbps2WL/IlGRWPF6l4+ZQL9bkjtNz0ZkZ0rJjGXi1xJL he3yY4pE4qxk38lMrvMZST8N1WudeWz5CQIvom1TK3Fg/NSxYTqDW6Ng9HgH/O/ab0eo xzANam/QbcyCAtZkpNE9BrYmOdm8PtpJT35Qr6QBwGce3CjRrFLrorvxIvF8BfNxP9HH BHscb4uNWABsbYx9SFJpR39s/RiFVI1HBa+svpAC1ZUmCDRfQaLkbs4T82XraXr2/uSE e8yg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=ai5uMNSpq7iRftRnzR8BH2MaItho9E5aA4UJxZP+AJA=; b=dtheWeUsfE7CvqMmlBQCdWuWJsq2zoBc+Qq3zGhAr/Px80nBrnMcfTvVcxxqccL8NU U4Pf2kW7i4HURIdOJuH/5AQy8nvxpvhpgghdvcOrhSipBJ+UL8SxrWkRPZ/FxZ2gJBkS b172KKl0vRwKlyVURy5wd8PI6/AVP0Wc7gl4XFlygYI/PFTXf116c6eEZiyDjqDJ0YhS Gm/7zSbrWx6WD4pEavevz28KKCpRg0Uqpk2eAFymMS+DKpW8tIikBLI4qEJE0hcsxc91 n3W0K8I3OeQU/NTg4ujIinYpz4yS92VTgyK0tEr11uYh81woozlBsd9aO+wdZU2krrDo KR3w== X-Gm-Message-State: AIVw110tEq3r/7cofucstaz19TPAvfxn1QcSOEzdJ5R6l0hP3LUjCqLV +1/RvnN+05M3cFgV X-Received: by 10.99.96.196 with SMTP id u187mr1542351pgb.348.1501088484664; Wed, 26 Jul 2017 10:01:24 -0700 (PDT) Received: from skynet.sea.corp.google.com ([172.31.92.33]) by smtp.gmail.com with ESMTPSA id m65sm3392641pfi.94.2017.07.26.10.01.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 26 Jul 2017 10:01:23 -0700 (PDT) From: Thomas Garnier To: Russell King , Kees Cook , Andy Lutomirski , Will Drewry , Thomas Garnier , Thomas Gleixner , Al Viro , Dave Martin , Catalin Marinas , Will Deacon , Pratyush Anand , Chris Metcalf , leonard.crestez@nxp.com Subject: [PATCH v2 2/3] arm/syscalls: Optimize address limit check Date: Wed, 26 Jul 2017 10:00:50 -0700 Message-Id: <20170726170051.28328-2-thgarnie@google.com> X-Mailer: git-send-email 2.14.0.rc0.400.g1c36432dff-goog In-Reply-To: <20170726170051.28328-1-thgarnie@google.com> References: <20170726170051.28328-1-thgarnie@google.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20170726_100146_526523_23981BE5 X-CRM114-Status: GOOD ( 12.03 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP Disable the generic address limit check in favor of an architecture specific optimized implementation. The generic implementation using pending work flags did not work well with ARM and alignment faults. The address limit is checked on each syscall return path to user-mode path as well as the irq user-mode return function. If the address limit was changed, a function is called to stop the kernel with an explicit message. The address limit check has to be done before any pending work because they can reset the address limit. For example the lkdtm address limit check does not work because the signal to kill the process will reset the user-mode address limit. Signed-off-by: Thomas Garnier --- arch/arm/kernel/entry-common.S | 11 +++++++++++ arch/arm/kernel/signal.c | 5 +++++ 2 files changed, 16 insertions(+) diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S index 0b60adf4a5d9..99c908226065 100644 --- a/arch/arm/kernel/entry-common.S +++ b/arch/arm/kernel/entry-common.S @@ -12,6 +12,7 @@ #include #include #include +#include #ifdef CONFIG_AEABI #include #endif @@ -48,10 +49,14 @@ ret_fast_syscall: UNWIND(.fnstart ) UNWIND(.cantunwind ) disable_irq_notrace @ disable interrupts + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK bne fast_work_pending + /* perform architecture specific actions before user return */ arch_ret_to_user r1, lr @@ -74,6 +79,9 @@ ret_fast_syscall: UNWIND(.cantunwind ) str r0, [sp, #S_R0 + S_OFF]! @ save returned r0 disable_irq_notrace @ disable interrupts + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK beq no_work_pending @@ -106,6 +114,9 @@ ENTRY(ret_to_user) ret_slow_syscall: disable_irq_notrace @ disable interrupts ENTRY(ret_to_user_from_irq) + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] tst r1, #_TIF_WORK_MASK bne slow_work_pending diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c index 5814298ef0b7..5769c15cff89 100644 --- a/arch/arm/kernel/signal.c +++ b/arch/arm/kernel/signal.c @@ -673,3 +673,8 @@ struct page *get_signal_page(void) return page; } + +asmlinkage void addr_limit_check_failed(void) +{ + panic("Incorrect address limit while returning to user-mode."); +}