iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2792d84e6d
linux/arch/arm64
History
Kees Cook 2792d84e6d usercopy: Check valid lifetime via stack depth 
One of the things that CONFIG_HARDENED_USERCOPY sanity-checks is whether
an object that is about to be copied to/from userspace is overlapping
the stack at all. If it is, it performs a number of inexpensive
bounds checks. One of the finer-grained checks is whether an object
crosses stack frames within the stack region. Doing this on x86 with
CONFIG_FRAME_POINTER was cheap/easy. Doing it with ORC was deemed too
heavy, and was left out (a while ago), leaving the courser whole-stack
check.

The LKDTM tests USERCOPY_STACK_FRAME_TO and USERCOPY_STACK_FRAME_FROM
try to exercise these cross-frame cases to validate the defense is
working. They have been failing ever since ORC was added (which was
expected). While Muhammad was investigating various LKDTM failures[1],
he asked me for additional details on them, and I realized that when
exact stack frame boundary checking is not available (i.e. everything
except x86 with FRAME_POINTER), it could check if a stack object is at
least "current depth valid", in the sense that any object within the
stack region but not between start-of-stack and current_stack_pointer
should be considered unavailable (i.e. its lifetime is from a call no
longer present on the stack).

Introduce ARCH_HAS_CURRENT_STACK_POINTER to track which architectures
have actually implemented the common global register alias.

Additionally report usercopy bounds checking failures with an offset
from current_stack_pointer, which may assist with diagnosing failures.

The LKDTM USERCOPY_STACK_FRAME_TO and USERCOPY_STACK_FRAME_FROM tests
(once slightly adjusted in a separate patch) pass again with this fixed.

[1] https://github.com/kernelci/kernelci-project/issues/84

Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org
Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v1: https://lore.kernel.org/lkml/20220216201449.2087956-1-keescook@chromium.org
v2: https://lore.kernel.org/lkml/20220224060342.1855457-1-keescook@chromium.org
v3: https://lore.kernel.org/lkml/20220225173345.3358109-1-keescook@chromium.org
v4: - improve commit log (akpm)
2022-02-25 18:20:11 -08:00
..
boot sound updates for 5.17-rc1 2022-01-14 14:55:38 +01:00
configs arm64: defconfig: Enable Samsung I2C driver 2021-12-21 12:18:44 +01:00
crypto arm64: Add macro version of the BTI instruction 2021-12-14 18:12:58 +00:00
hyperv
include coresight: trbe: Workaround Cortex-A510 erratas 2022-01-28 16:14:06 +00:00
kernel arm64: cpufeature: List early Cortex-A510 parts as having broken dbm 2022-01-28 16:15:46 +00:00
kvm Two larger x86 series: 2022-01-28 19:00:26 +02:00
lib Merge branches 'for-next/misc', 'for-next/cache-ops-dzp', 'for-next/stacktrace', 'for-next/xor-neon', 'for-next/kasan', 'for-next/armv8_7-fp', 'for-next/atomics', 'for-next/bti', 'for-next/sve', 'for-next/kselftest' and 'for-next/kcsan', remote-tracking branch 'arm64/for-next/perf' into for-next/core 2022-01-05 18:14:32 +00:00
mm arm64: extable: fix load_unaligned_zeropad() reg indices 2022-01-26 18:58:12 +00:00
net bpf, arm64: Use emit_addr_mov_i64() for BPF_PSEUDO_FUNC 2022-01-05 20:43:08 +01:00
tools arm64: errata: Add detection for TRBE trace data corruption 2022-01-27 12:01:53 -07:00
xen xen: allow pv-only hypercalls only with CONFIG_XEN_PV 2021-11-02 08:11:01 -05:00
Kbuild kbuild: use more subdir- for visiting subdirectories while cleaning 2021-10-24 13:49:46 +09:00
Kconfig usercopy: Check valid lifetime via stack depth 2022-02-25 18:20:11 -08:00
Kconfig.debug
Kconfig.platforms ARM: SoC updates for v5.17 2022-01-10 08:10:20 -08:00
Makefile arm64/xor: use EOR3 instructions when available 2021-12-14 12:14:26 +00:00