Loading...
1/*
2 * Copyright (C) 2001 Andrea Arcangeli <andrea@suse.de> SuSE
3 * Copyright 2003 Andi Kleen, SuSE Labs.
4 *
5 * [ NOTE: this mechanism is now deprecated in favor of the vDSO. ]
6 *
7 * Thanks to hpa@transmeta.com for some useful hint.
8 * Special thanks to Ingo Molnar for his early experience with
9 * a different vsyscall implementation for Linux/IA32 and for the name.
10 *
11 * vsyscall 1 is located at -10Mbyte, vsyscall 2 is located
12 * at virtual address -10Mbyte+1024bytes etc... There are at max 4
13 * vsyscalls. One vsyscall can reserve more than 1 slot to avoid
14 * jumping out of line if necessary. We cannot add more with this
15 * mechanism because older kernels won't return -ENOSYS.
16 *
17 * Note: the concept clashes with user mode linux. UML users should
18 * use the vDSO.
19 */
20
21#include <linux/time.h>
22#include <linux/init.h>
23#include <linux/kernel.h>
24#include <linux/timer.h>
25#include <linux/seqlock.h>
26#include <linux/jiffies.h>
27#include <linux/sysctl.h>
28#include <linux/topology.h>
29#include <linux/clocksource.h>
30#include <linux/getcpu.h>
31#include <linux/cpu.h>
32#include <linux/smp.h>
33#include <linux/notifier.h>
34#include <linux/syscalls.h>
35#include <linux/ratelimit.h>
36
37#include <asm/vsyscall.h>
38#include <asm/pgtable.h>
39#include <asm/compat.h>
40#include <asm/page.h>
41#include <asm/unistd.h>
42#include <asm/fixmap.h>
43#include <asm/errno.h>
44#include <asm/io.h>
45#include <asm/segment.h>
46#include <asm/desc.h>
47#include <asm/topology.h>
48#include <asm/vgtod.h>
49#include <asm/traps.h>
50
51#define CREATE_TRACE_POINTS
52#include "vsyscall_trace.h"
53
54DEFINE_VVAR(int, vgetcpu_mode);
55DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data);
56
57static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
58
59static int __init vsyscall_setup(char *str)
60{
61 if (str) {
62 if (!strcmp("emulate", str))
63 vsyscall_mode = EMULATE;
64 else if (!strcmp("native", str))
65 vsyscall_mode = NATIVE;
66 else if (!strcmp("none", str))
67 vsyscall_mode = NONE;
68 else
69 return -EINVAL;
70
71 return 0;
72 }
73
74 return -EINVAL;
75}
76early_param("vsyscall", vsyscall_setup);
77
78void update_vsyscall_tz(void)
79{
80 vsyscall_gtod_data.sys_tz = sys_tz;
81}
82
83void update_vsyscall(struct timespec *wall_time, struct timespec *wtm,
84 struct clocksource *clock, u32 mult)
85{
86 struct timespec monotonic;
87
88 write_seqcount_begin(&vsyscall_gtod_data.seq);
89
90 /* copy vsyscall data */
91 vsyscall_gtod_data.clock.vclock_mode = clock->archdata.vclock_mode;
92 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
93 vsyscall_gtod_data.clock.mask = clock->mask;
94 vsyscall_gtod_data.clock.mult = mult;
95 vsyscall_gtod_data.clock.shift = clock->shift;
96
97 vsyscall_gtod_data.wall_time_sec = wall_time->tv_sec;
98 vsyscall_gtod_data.wall_time_nsec = wall_time->tv_nsec;
99
100 monotonic = timespec_add(*wall_time, *wtm);
101 vsyscall_gtod_data.monotonic_time_sec = monotonic.tv_sec;
102 vsyscall_gtod_data.monotonic_time_nsec = monotonic.tv_nsec;
103
104 vsyscall_gtod_data.wall_time_coarse = __current_kernel_time();
105 vsyscall_gtod_data.monotonic_time_coarse =
106 timespec_add(vsyscall_gtod_data.wall_time_coarse, *wtm);
107
108 write_seqcount_end(&vsyscall_gtod_data.seq);
109}
110
111static void warn_bad_vsyscall(const char *level, struct pt_regs *regs,
112 const char *message)
113{
114 static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL, DEFAULT_RATELIMIT_BURST);
115 struct task_struct *tsk;
116
117 if (!show_unhandled_signals || !__ratelimit(&rs))
118 return;
119
120 tsk = current;
121
122 printk("%s%s[%d] %s ip:%lx cs:%lx sp:%lx ax:%lx si:%lx di:%lx\n",
123 level, tsk->comm, task_pid_nr(tsk),
124 message, regs->ip, regs->cs,
125 regs->sp, regs->ax, regs->si, regs->di);
126}
127
128static int addr_to_vsyscall_nr(unsigned long addr)
129{
130 int nr;
131
132 if ((addr & ~0xC00UL) != VSYSCALL_START)
133 return -EINVAL;
134
135 nr = (addr & 0xC00UL) >> 10;
136 if (nr >= 3)
137 return -EINVAL;
138
139 return nr;
140}
141
142#ifdef CONFIG_SECCOMP
143static int vsyscall_seccomp(struct task_struct *tsk, int syscall_nr)
144{
145 if (!seccomp_mode(&tsk->seccomp))
146 return 0;
147 task_pt_regs(tsk)->orig_ax = syscall_nr;
148 task_pt_regs(tsk)->ax = syscall_nr;
149 return __secure_computing(syscall_nr);
150}
151#else
152#define vsyscall_seccomp(_tsk, _nr) 0
153#endif
154
155static bool write_ok_or_segv(unsigned long ptr, size_t size)
156{
157 /*
158 * XXX: if access_ok, get_user, and put_user handled
159 * sig_on_uaccess_error, this could go away.
160 */
161
162 if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) {
163 siginfo_t info;
164 struct thread_struct *thread = ¤t->thread;
165
166 thread->error_code = 6; /* user fault, no page, write */
167 thread->cr2 = ptr;
168 thread->trap_nr = X86_TRAP_PF;
169
170 memset(&info, 0, sizeof(info));
171 info.si_signo = SIGSEGV;
172 info.si_errno = 0;
173 info.si_code = SEGV_MAPERR;
174 info.si_addr = (void __user *)ptr;
175
176 force_sig_info(SIGSEGV, &info, current);
177 return false;
178 } else {
179 return true;
180 }
181}
182
183bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
184{
185 struct task_struct *tsk;
186 unsigned long caller;
187 int vsyscall_nr;
188 int prev_sig_on_uaccess_error;
189 long ret;
190 int skip;
191
192 /*
193 * No point in checking CS -- the only way to get here is a user mode
194 * trap to a high address, which means that we're in 64-bit user code.
195 */
196
197 WARN_ON_ONCE(address != regs->ip);
198
199 if (vsyscall_mode == NONE) {
200 warn_bad_vsyscall(KERN_INFO, regs,
201 "vsyscall attempted with vsyscall=none");
202 return false;
203 }
204
205 vsyscall_nr = addr_to_vsyscall_nr(address);
206
207 trace_emulate_vsyscall(vsyscall_nr);
208
209 if (vsyscall_nr < 0) {
210 warn_bad_vsyscall(KERN_WARNING, regs,
211 "misaligned vsyscall (exploit attempt or buggy program) -- look up the vsyscall kernel parameter if you need a workaround");
212 goto sigsegv;
213 }
214
215 if (get_user(caller, (unsigned long __user *)regs->sp) != 0) {
216 warn_bad_vsyscall(KERN_WARNING, regs,
217 "vsyscall with bad stack (exploit attempt?)");
218 goto sigsegv;
219 }
220
221 tsk = current;
222 /*
223 * With a real vsyscall, page faults cause SIGSEGV. We want to
224 * preserve that behavior to make writing exploits harder.
225 */
226 prev_sig_on_uaccess_error = current_thread_info()->sig_on_uaccess_error;
227 current_thread_info()->sig_on_uaccess_error = 1;
228
229 /*
230 * NULL is a valid user pointer (in the access_ok sense) on 32-bit and
231 * 64-bit, so we don't need to special-case it here. For all the
232 * vsyscalls, NULL means "don't write anything" not "write it at
233 * address 0".
234 */
235 ret = -EFAULT;
236 skip = 0;
237 switch (vsyscall_nr) {
238 case 0:
239 skip = vsyscall_seccomp(tsk, __NR_gettimeofday);
240 if (skip)
241 break;
242
243 if (!write_ok_or_segv(regs->di, sizeof(struct timeval)) ||
244 !write_ok_or_segv(regs->si, sizeof(struct timezone)))
245 break;
246
247 ret = sys_gettimeofday(
248 (struct timeval __user *)regs->di,
249 (struct timezone __user *)regs->si);
250 break;
251
252 case 1:
253 skip = vsyscall_seccomp(tsk, __NR_time);
254 if (skip)
255 break;
256
257 if (!write_ok_or_segv(regs->di, sizeof(time_t)))
258 break;
259
260 ret = sys_time((time_t __user *)regs->di);
261 break;
262
263 case 2:
264 skip = vsyscall_seccomp(tsk, __NR_getcpu);
265 if (skip)
266 break;
267
268 if (!write_ok_or_segv(regs->di, sizeof(unsigned)) ||
269 !write_ok_or_segv(regs->si, sizeof(unsigned)))
270 break;
271
272 ret = sys_getcpu((unsigned __user *)regs->di,
273 (unsigned __user *)regs->si,
274 NULL);
275 break;
276 }
277
278 current_thread_info()->sig_on_uaccess_error = prev_sig_on_uaccess_error;
279
280 if (skip) {
281 if ((long)regs->ax <= 0L) /* seccomp errno emulation */
282 goto do_ret;
283 goto done; /* seccomp trace/trap */
284 }
285
286 if (ret == -EFAULT) {
287 /* Bad news -- userspace fed a bad pointer to a vsyscall. */
288 warn_bad_vsyscall(KERN_INFO, regs,
289 "vsyscall fault (exploit attempt?)");
290
291 /*
292 * If we failed to generate a signal for any reason,
293 * generate one here. (This should be impossible.)
294 */
295 if (WARN_ON_ONCE(!sigismember(&tsk->pending.signal, SIGBUS) &&
296 !sigismember(&tsk->pending.signal, SIGSEGV)))
297 goto sigsegv;
298
299 return true; /* Don't emulate the ret. */
300 }
301
302 regs->ax = ret;
303
304do_ret:
305 /* Emulate a ret instruction. */
306 regs->ip = caller;
307 regs->sp += 8;
308done:
309 return true;
310
311sigsegv:
312 force_sig(SIGSEGV, current);
313 return true;
314}
315
316/*
317 * Assume __initcall executes before all user space. Hopefully kmod
318 * doesn't violate that. We'll find out if it does.
319 */
320static void __cpuinit vsyscall_set_cpu(int cpu)
321{
322 unsigned long d;
323 unsigned long node = 0;
324#ifdef CONFIG_NUMA
325 node = cpu_to_node(cpu);
326#endif
327 if (cpu_has(&cpu_data(cpu), X86_FEATURE_RDTSCP))
328 write_rdtscp_aux((node << 12) | cpu);
329
330 /*
331 * Store cpu number in limit so that it can be loaded quickly
332 * in user space in vgetcpu. (12 bits for the CPU and 8 bits for the node)
333 */
334 d = 0x0f40000000000ULL;
335 d |= cpu;
336 d |= (node & 0xf) << 12;
337 d |= (node >> 4) << 48;
338
339 write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_PER_CPU, &d, DESCTYPE_S);
340}
341
342static void __cpuinit cpu_vsyscall_init(void *arg)
343{
344 /* preemption should be already off */
345 vsyscall_set_cpu(raw_smp_processor_id());
346}
347
348static int __cpuinit
349cpu_vsyscall_notifier(struct notifier_block *n, unsigned long action, void *arg)
350{
351 long cpu = (long)arg;
352
353 if (action == CPU_ONLINE || action == CPU_ONLINE_FROZEN)
354 smp_call_function_single(cpu, cpu_vsyscall_init, NULL, 1);
355
356 return NOTIFY_DONE;
357}
358
359void __init map_vsyscall(void)
360{
361 extern char __vsyscall_page;
362 unsigned long physaddr_vsyscall = __pa_symbol(&__vsyscall_page);
363 extern char __vvar_page;
364 unsigned long physaddr_vvar_page = __pa_symbol(&__vvar_page);
365
366 __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall,
367 vsyscall_mode == NATIVE
368 ? PAGE_KERNEL_VSYSCALL
369 : PAGE_KERNEL_VVAR);
370 BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_FIRST_PAGE) !=
371 (unsigned long)VSYSCALL_START);
372
373 __set_fixmap(VVAR_PAGE, physaddr_vvar_page, PAGE_KERNEL_VVAR);
374 BUILD_BUG_ON((unsigned long)__fix_to_virt(VVAR_PAGE) !=
375 (unsigned long)VVAR_ADDRESS);
376}
377
378static int __init vsyscall_init(void)
379{
380 BUG_ON(VSYSCALL_ADDR(0) != __fix_to_virt(VSYSCALL_FIRST_PAGE));
381
382 on_each_cpu(cpu_vsyscall_init, NULL, 1);
383 /* notifier priority > KVM */
384 hotcpu_notifier(cpu_vsyscall_notifier, 30);
385
386 return 0;
387}
388__initcall(vsyscall_init);