From patchwork Thu Mar 1 10:19:51 2018
X-Patchwork-Submitter: kpark3469@gmail.com
X-Patchwork-Id: 10250843
From: kpark3469@gmail.com
To: kernel-hardening@lists.openwall.com
Cc: keescook@chromium.org, james.morse@arm.com, catalin.marinas@arm.com, will.deacon@arm.com, mark.rutland@arm.com, keun-o.park@darkmatter.ae
Subject: [PATCH 4/4] x86: usercopy: reimplement arch_within_stack_frames with unwinder
Date: Thu, 1 Mar 2018 14:19:51 +0400
Message-Id: <1519899591-29761-5-git-send-email-kpark3469@gmail.com>
In-Reply-To: <1519899591-29761-4-git-send-email-kpark3469@gmail.com>
References: <1519899591-29761-1-git-send-email-kpark3469@gmail.com> <1519899591-29761-2-git-send-email-kpark3469@gmail.com> <1519899591-29761-3-git-send-email-kpark3469@gmail.com> <1519899591-29761-4-git-send-email-kpark3469@gmail.com>

From: Sahara

The old arch_within_stack_frames, which used the frame pointer, is now reimplemented to use the frame pointer unwinder APIs. So the main functionality is the same as before.
Signed-off-by: Sahara --- arch/x86/include/asm/unwind.h | 5 +++ arch/x86/kernel/stacktrace.c | 77 +++++++++++++++++++++++++++++------------- arch/x86/kernel/unwind_frame.c | 4 +-- 3 files changed, 60 insertions(+), 26 deletions(-) diff --git a/arch/x86/include/asm/unwind.h b/arch/x86/include/asm/unwind.h index 1f86e1b..6f04906f 100644 --- a/arch/x86/include/asm/unwind.h +++ b/arch/x86/include/asm/unwind.h @@ -87,6 +87,11 @@ void unwind_init(void); void unwind_module_init(struct module *mod, void *orc_ip, size_t orc_ip_size, void *orc, size_t orc_size); #else +#ifdef CONFIG_UNWINDER_FRAME_POINTER +#define FRAME_HEADER_SIZE (sizeof(long) * 2) +size_t regs_size(struct pt_regs *regs); +#endif + static inline void unwind_init(void) {} static inline void unwind_module_init(struct module *mod, void *orc_ip, size_t orc_ip_size, diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c index f433a33..c26eb55 100644 --- a/arch/x86/kernel/stacktrace.c +++ b/arch/x86/kernel/stacktrace.c @@ -12,6 +12,37 @@ #include +static inline void *get_cur_frame(struct unwind_state *state) +{ + void *frame = NULL; + +#if defined(CONFIG_UNWINDER_ORC) +#elif defined(CONFIG_UNWINDER_FRAME_POINTER) + if (state->regs) + frame = (void *)state->regs; + else + frame = (void *)state->bp; +#else +#endif + return frame; +} + +static inline void *get_frame_end(struct unwind_state *state) +{ + void *frame_end = NULL; + +#if defined(CONFIG_UNWINDER_ORC) +#elif defined(CONFIG_UNWINDER_FRAME_POINTER) + if (state->regs) { + frame_end = (void *)state->regs + regs_size(state->regs); + } else { + frame_end = (void *)state->bp + FRAME_HEADER_SIZE; + } +#else +#endif + return frame_end; +} + /* * Walks up the stack frames to make sure that the specified object is * entirely contained by a single stack frame. 
@@ -25,31 +56,31 @@ int arch_within_stack_frames(const void * const stack, const void * const stackend, const void *obj, unsigned long len) { -#if defined(CONFIG_FRAME_POINTER) - const void *frame = NULL; - const void *oldframe; - - oldframe = __builtin_frame_address(2); - if (oldframe) - frame = __builtin_frame_address(3); +#if defined(CONFIG_UNWINDER_FRAME_POINTER) + struct unwind_state state; + void *prev_frame_end = NULL; /* - * low ----------------------------------------------> high - * [saved bp][saved ip][args][local vars][saved bp][saved ip] - * ^----------------^ - * allow copies only within here + * Skip 3 non-inlined frames: arch_within_stack_frames(), + * check_stack_object() and __check_object_size(). + * */ - while (stack <= frame && frame < stackend) { - /* - * If obj + len extends past the last frame, this - * check won't pass and the next frame will be 0, - * causing us to bail out and correctly report - * the copy as invalid. - */ - if (obj + len <= frame) - return obj >= oldframe + 2 * sizeof(void *) ? - GOOD_FRAME : BAD_STACK; - oldframe = frame; - frame = *(const void * const *)frame; + unsigned int discard_frames = 3; + + for (unwind_start(&state, current, NULL, NULL); !unwind_done(&state); + unwind_next_frame(&state)) { + if (discard_frames) { + discard_frames--; + } else { + void *frame = get_cur_frame(&state); + + if (!frame || !prev_frame_end) + return NOT_STACK; + if (obj + len <= frame) + return obj >= prev_frame_end ? + GOOD_FRAME : BAD_STACK; + } + /* save current frame end before move to next frame */ + prev_frame_end = get_frame_end(&state); } return BAD_STACK; #else diff --git a/arch/x86/kernel/unwind_frame.c b/arch/x86/kernel/unwind_frame.c index 3dc26f9..c8bfa5c 100644 --- a/arch/x86/kernel/unwind_frame.c +++ b/arch/x86/kernel/unwind_frame.c @@ -8,8 +8,6 @@ #include #include -#define FRAME_HEADER_SIZE (sizeof(long) * 2) - unsigned long unwind_get_return_address(struct unwind_state *state) { if (unwind_done(state)) 
@@ -69,7 +67,7 @@ static void unwind_dump(struct unwind_state *state) } } -static size_t regs_size(struct pt_regs *regs) +size_t regs_size(struct pt_regs *regs) { /* x86_32 regs from kernel mode are two words shorter: */ if (IS_ENABLED(CONFIG_X86_32) && !user_mode(regs))
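Review bot: in the arch/x86/include/asm/unwind.h hunk, FRAME_HEADER_SIZE and the regs_size() prototype are placed in the `#else` branch of the CONFIG_UNWINDER_ORC block and then nested under `#ifdef CONFIG_UNWINDER_FRAME_POINTER`; since the macro used to be file-local to unwind_frame.c, a one-line comment saying that the header is the saved bp plus the saved return address, and that stacktrace.c's get_frame_end() now needs it, would help the next reader. The companion unwind_frame.c hunk that drops the local `#define` relies on that file including <asm/unwind.h>; that dependency is worth a sentence in the commit message.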
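Review bot: the `#if defined(CONFIG_UNWINDER_ORC)` and trailing `#else` branches in get_cur_frame() and get_frame_end() (first arch/x86/kernel/stacktrace.c hunk) are empty, so under the ORC or guess unwinders both helpers silently return NULL. As arch_within_stack_frames() only calls them under CONFIG_UNWINDER_FRAME_POINTER, either wrap the two helpers in the same `#ifdef` and drop the empty branches, or add a comment stating that ORC support is intentionally left for later; an empty `#if` branch reads as if code went missing.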
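Review bot: the new `if (!frame || !prev_frame_end) return NOT_STACK;` in the arch_within_stack_frames() hunk fails open. In mm/usercopy.c NOT_STACK is 0, and check_stack_object() only propagates a non-zero result from arch_within_stack_frames(), otherwise falling through to GOOD_STACK, so an unwind that yields a NULL frame lets the copy proceed even though check_stack_object() has already established that the object lies within the stack bounds. The old loop fell out of its bounds check in that situation and returned BAD_STACK; returning BAD_STACK here keeps the fail-closed behaviour. Two smaller points: the `!prev_frame_end` test can only be true if get_frame_end() returned NULL for the third skipped frame, so it is probably dead; and the "Skip 3 non-inlined frames" count also relies on unwind_start() with a NULL first_frame reporting arch_within_stack_frames() itself as the first frame, which the comment should say. The comment `/* save current frame end before move to next frame */` should read "before moving to the next frame".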
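Review bot: making regs_size() non-static in the second arch/x86/kernel/unwind_frame.c hunk puts a very generic name into the kernel's global namespace. An unwinder-specific name such as unwind_regs_size(), or a static inline in asm/unwind.h given how short the function is, would avoid collisions and make the call site in get_frame_end() self-explanatory.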