From patchwork Mon Aug 14 21:37:31 2017
X-Patchwork-Submitter: Thomas Garnier
X-Patchwork-Id: 9900185
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Delivered-To: mailing list kernel-hardening@lists.openwall.com
From: Thomas Garnier
To: Al Viro, Dave Hansen, Arnd Bergmann, Thomas Gleixner, Thomas Garnier, Yonghong Song, David Howells, Russell King, Kees Cook, Andy Lutomirski, Will Drewry, Dave Martin, Catalin Marinas, Will Deacon
Cc: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com
Date: Mon, 14 Aug 2017 14:37:31 -0700
Message-Id: <20170814213732.104301-3-thgarnie@google.com>
In-Reply-To: <20170814213732.104301-1-thgarnie@google.com>
References: <20170814213732.104301-1-thgarnie@google.com>
Subject: [kernel-hardening] [PATCH v3 3/4] arm/syscalls: Optimize address limit check

Disable the generic address limit check in favor of an architecture-specific optimized implementation. The generic implementation using pending work flags did not work well with ARM and alignment faults.

The address limit is checked on each syscall return-to-user-mode path as well as in the irq user-mode return function. If the address limit was changed, a function is called to report data corruption (stopping the kernel or process based on configuration).

The address limit check has to be done before any pending work because pending work can reset the address limit and the process is killed using a SIGKILL signal. For example the lkdtm address limit check does not work because the signal to kill the process will reset the user-mode address limit.

Signed-off-by: Thomas Garnier
Reviewed-by: Kees Cook
Tested-by: Kees Cook
Tested-by: Leonard Crestez
---
 arch/arm/kernel/entry-common.S | 11 +++++++++++
 arch/arm/kernel/signal.c       |  7 +++++++
 2 files changed, 18 insertions(+)

diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index 0b60adf4a5d9..99c908226065 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -12,6 +12,7 @@ #include #include #include +#include #ifdef CONFIG_AEABI #include #endif @@ -48,10 +49,14 @@ ret_fast_syscall: UNWIND(.fnstart ) UNWIND(.cantunwind ) disable_irq_notrace @ disable interrupts + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK bne fast_work_pending + /* perform architecture specific actions before user return */ arch_ret_to_user r1, lr @@ -74,6 +79,9 @@ ret_fast_syscall: UNWIND(.cantunwind ) str r0, [sp, #S_R0 + S_OFF]! @ save returned r0 disable_irq_notrace @ disable interrupts + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK beq no_work_pending @@ -106,6 +114,9 @@ ENTRY(ret_to_user) ret_slow_syscall: disable_irq_notrace @ disable interrupts ENTRY(ret_to_user_from_irq) + ldr r2, [tsk, #TI_ADDR_LIMIT] + cmp r2, #TASK_SIZE + blne addr_limit_check_failed ldr r1, [tsk, #TI_FLAGS] tst r1, #_TIF_WORK_MASK bne slow_work_pending diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c index 5814298ef0b7..b67ae12503f3 100644 --- a/arch/arm/kernel/signal.c +++ b/arch/arm/kernel/signal.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include @@ -673,3 +674,9 @@ struct page *get_signal_page(void) return page; } + +/* Defer to generic check */ +asmlinkage void addr_limit_check_failed(void) +{ + addr_limit_user_check(); +}
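Review bot: the commit message opens with "Disable the generic address limit check", but this diff only adds lines (diffstat: 2 files changed, 18 insertions(+), no deletions) and touches no Kconfig option or thread_info flag, so the disabling must happen in another patch of this series; name that patch in the message, or fold the change in here so the two cannot be applied independently.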
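Review bot: in the first ret_fast_syscall variant (hunk at -48,10) the `blne addr_limit_check_failed` runs before the syscall return value has been saved anywhere, so the C call clobbers r0 (and r1-r3, ip, lr) while r0 is still live; in the second variant (hunk at -74,6) the check comes after `str r0, [sp, #S_R0 + S_OFF]!`, so the value is safe there. This is only harmless because the branch is taken solely when the limit is wrong and the task is then killed or the kernel stopped, so no valid return value is lost. Please state that in a comment above the `cmp`, together with the reason the three instructions must precede `ldr r1, [tsk, #TI_FLAGS]`: the failure path raises SIGKILL, and the flags load that follows is what makes the pending signal visible before the return to user mode.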
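Review bot: `cmp r2, #TASK_SIZE` in the second ret_fast_syscall hunk (and its two siblings) encodes TASK_SIZE as an immediate operand, so it relies on the configured TASK_SIZE being representable as an ARM or Thumb-2 modified immediate; the assembler will reject the build otherwise, which is at least a loud failure, but `ldr r3, =TASK_SIZE` followed by `cmp r2, r3` would remove the dependency. The comparison is also against TASK_SIZE rather than a USER_DS symbol; a one-line comment saying that this is the user-mode address limit would help readers of the assembly.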
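Review bot: the ret_to_user_from_irq hunk is the third verbatim copy of the ldr/cmp/blne sequence; an assembler macro defined once in entry-common.S would keep the three sites from drifting and is the natural home for the comment explaining the ordering constraint. Placing the check at `ENTRY(ret_to_user_from_irq)` rather than at ret_to_user means the IRQ return path gets it as well, which matches the commit message; note that both paths reach it with interrupts disabled (`disable_irq_notrace` immediately precedes the label on the slow syscall path), so addr_limit_check_failed must not sleep.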
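Review bot: addr_limit_check_failed() in signal.c is defined with external linkage and called only from assembly, but no prototype is added, so builds with -Wmissing-prototypes will warn; add a declaration in a header, or at minimum a comment that the only caller is entry-common.S. The comment "Defer to generic check" would also be more useful if it said why a C wrapper is needed instead of calling addr_limit_user_check() from the assembly directly, and that the function is entered with IRQs disabled.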
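As an added illustration of the ordering argument in the commit message (a constructed C model written for this page, not kernel code and not part of the patch): the task is reduced to an address limit and a pending-signal flag, the USER_DS/KERNEL_DS values and the lkdtm-style corruption are assumptions, and the same corrupted task is run through both return-path orderings. With the check after pending work, the fatal signal takes the task through do_exit(), which resets the limit, so the corruption is never reported; with the check first, as the three instructions in this patch do, it is reported and the task is still killed.

```c
/*
 * Constructed model of the two return-path orderings discussed in the
 * commit message. Not kernel code: the constants and helpers below are
 * stand-ins chosen for this example only.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USER_DS        0xBF000000u  /* assumed: TASK_SIZE on a 3G/1G split */
#define KERNEL_DS      0xFFFFFFFFu  /* assumed: "no limit" */
#define TIF_SIGPENDING 0x1u

struct task_model {
    uint32_t addr_limit;    /* thread_info.addr_limit */
    uint32_t flags;         /* thread_info.flags */
    bool exited;            /* do_exit() reached: no return to user mode */
    bool corruption_seen;   /* the data-corruption report fired */
};

/* What an lkdtm-style test does: leave KERNEL_DS in place, queue a SIGKILL. */
static void corrupt_user_ds(struct task_model *t)
{
    t->addr_limit = KERNEL_DS;
    t->flags |= TIF_SIGPENDING;
}

/* Stand-in for addr_limit_user_check(): report, queue SIGKILL, repair. */
static void addr_limit_check(struct task_model *t)
{
    if (t->addr_limit != USER_DS) {
        t->corruption_seen = true;
        t->flags |= TIF_SIGPENDING;   /* force_sig(SIGKILL) */
        t->addr_limit = USER_DS;      /* set_fs(USER_DS) */
    }
}

/* Stand-in for pending work: a fatal signal ends in do_exit(), which
 * resets the limit and never returns to user mode. */
static void do_work_pending(struct task_model *t)
{
    if (t->flags & TIF_SIGPENDING) {
        t->flags &= ~TIF_SIGPENDING;
        t->addr_limit = USER_DS;
        t->exited = true;
    }
}

/* Generic ordering as the commit message describes it: pending work first,
 * then the check. Returns whether the corruption was reported. */
bool return_check_after_work(struct task_model *t)
{
    do_work_pending(t);
    if (!t->exited)
        addr_limit_check(t);  /* never reached for a killed task */
    return t->corruption_seen;
}

/* This patch's ordering: check before the TI_FLAGS load, then pending work. */
bool return_check_before_work(struct task_model *t)
{
    addr_limit_check(t);
    do_work_pending(t);
    return t->corruption_seen;
}

int main(void)
{
    struct task_model a = { USER_DS, 0, false, false };
    struct task_model b = { USER_DS, 0, false, false };

    corrupt_user_ds(&a);
    corrupt_user_ds(&b);
    printf("check after work:  reported=%d exited=%d\n",
           return_check_after_work(&a), a.exited);
    printf("check before work: reported=%d exited=%d limit=%#x\n",
           return_check_before_work(&b), b.exited, b.addr_limit);
    return 0;
}
```

The model deliberately makes do_exit() the only place the generic ordering can lose the report: once the task has exited there is no return-to-user path left to run the check on, which is exactly why the patch loads TI_ADDR_LIMIT before TI_FLAGS.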