Loading...
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * This code fills the used part of the kernel stack with a poison value
4 * before returning to userspace. It's part of the STACKLEAK feature
5 * ported from grsecurity/PaX.
6 *
7 * Author: Alexander Popov <alex.popov@linux.com>
8 *
9 * STACKLEAK reduces the information which kernel stack leak bugs can
10 * reveal and blocks some uninitialized stack variable attacks.
11 */
12
13#include <linux/stackleak.h>
14#include <linux/kprobes.h>
15
16#ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
17#include <linux/jump_label.h>
18#include <linux/sysctl.h>
19#include <linux/init.h>
20
21static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);
22
23#ifdef CONFIG_SYSCTL
24static int stack_erasing_sysctl(struct ctl_table *table, int write,
25 void __user *buffer, size_t *lenp, loff_t *ppos)
26{
27 int ret = 0;
28 int state = !static_branch_unlikely(&stack_erasing_bypass);
29 int prev_state = state;
30
31 table->data = &state;
32 table->maxlen = sizeof(int);
33 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
34 state = !!state;
35 if (ret || !write || state == prev_state)
36 return ret;
37
38 if (state)
39 static_branch_disable(&stack_erasing_bypass);
40 else
41 static_branch_enable(&stack_erasing_bypass);
42
43 pr_warn("stackleak: kernel stack erasing is %s\n",
44 state ? "enabled" : "disabled");
45 return ret;
46}
47static struct ctl_table stackleak_sysctls[] = {
48 {
49 .procname = "stack_erasing",
50 .data = NULL,
51 .maxlen = sizeof(int),
52 .mode = 0600,
53 .proc_handler = stack_erasing_sysctl,
54 .extra1 = SYSCTL_ZERO,
55 .extra2 = SYSCTL_ONE,
56 },
57 {}
58};
59
60static int __init stackleak_sysctls_init(void)
61{
62 register_sysctl_init("kernel", stackleak_sysctls);
63 return 0;
64}
65late_initcall(stackleak_sysctls_init);
66#endif /* CONFIG_SYSCTL */
67
68#define skip_erasing() static_branch_unlikely(&stack_erasing_bypass)
69#else
70#define skip_erasing() false
71#endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
72
73static __always_inline void __stackleak_erase(bool on_task_stack)
74{
75 const unsigned long task_stack_low = stackleak_task_low_bound(current);
76 const unsigned long task_stack_high = stackleak_task_high_bound(current);
77 unsigned long erase_low, erase_high;
78
79 erase_low = stackleak_find_top_of_poison(task_stack_low,
80 current->lowest_stack);
81
82#ifdef CONFIG_STACKLEAK_METRICS
83 current->prev_lowest_stack = erase_low;
84#endif
85
86 /*
87 * Write poison to the task's stack between 'erase_low' and
88 * 'erase_high'.
89 *
90 * If we're running on a different stack (e.g. an entry trampoline
91 * stack) we can erase everything below the pt_regs at the top of the
92 * task stack.
93 *
94 * If we're running on the task stack itself, we must not clobber any
95 * stack used by this function and its caller. We assume that this
96 * function has a fixed-size stack frame, and the current stack pointer
97 * doesn't change while we write poison.
98 */
99 if (on_task_stack)
100 erase_high = current_stack_pointer;
101 else
102 erase_high = task_stack_high;
103
104 while (erase_low < erase_high) {
105 *(unsigned long *)erase_low = STACKLEAK_POISON;
106 erase_low += sizeof(unsigned long);
107 }
108
109 /* Reset the 'lowest_stack' value for the next syscall */
110 current->lowest_stack = task_stack_high;
111}
112
113/*
114 * Erase and poison the portion of the task stack used since the last erase.
115 * Can be called from the task stack or an entry stack when the task stack is
116 * no longer in use.
117 */
118asmlinkage void noinstr stackleak_erase(void)
119{
120 if (skip_erasing())
121 return;
122
123 __stackleak_erase(on_thread_stack());
124}
125
126/*
127 * Erase and poison the portion of the task stack used since the last erase.
128 * Can only be called from the task stack.
129 */
130asmlinkage void noinstr stackleak_erase_on_task_stack(void)
131{
132 if (skip_erasing())
133 return;
134
135 __stackleak_erase(true);
136}
137
138/*
139 * Erase and poison the portion of the task stack used since the last erase.
140 * Can only be called from a stack other than the task stack.
141 */
142asmlinkage void noinstr stackleak_erase_off_task_stack(void)
143{
144 if (skip_erasing())
145 return;
146
147 __stackleak_erase(false);
148}
149
150void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
151{
152 unsigned long sp = current_stack_pointer;
153
154 /*
155 * Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
156 * STACKLEAK_SEARCH_DEPTH makes the poison search in
157 * stackleak_erase() unreliable. Let's prevent that.
158 */
159 BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);
160
161 /* 'lowest_stack' should be aligned on the register width boundary */
162 sp = ALIGN(sp, sizeof(unsigned long));
163 if (sp < current->lowest_stack &&
164 sp >= stackleak_task_low_bound(current)) {
165 current->lowest_stack = sp;
166 }
167}
168EXPORT_SYMBOL(stackleak_track_stack);
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * This code fills the used part of the kernel stack with a poison value
4 * before returning to userspace. It's part of the STACKLEAK feature
5 * ported from grsecurity/PaX.
6 *
7 * Author: Alexander Popov <alex.popov@linux.com>
8 *
9 * STACKLEAK reduces the information which kernel stack leak bugs can
10 * reveal and blocks some uninitialized stack variable attacks.
11 */
12
13#include <linux/stackleak.h>
14#include <linux/kprobes.h>
15
16#ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
17#include <linux/jump_label.h>
18#include <linux/sysctl.h>
19#include <linux/init.h>
20
21static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);
22
23#ifdef CONFIG_SYSCTL
24static int stack_erasing_sysctl(struct ctl_table *table, int write,
25 void __user *buffer, size_t *lenp, loff_t *ppos)
26{
27 int ret = 0;
28 int state = !static_branch_unlikely(&stack_erasing_bypass);
29 int prev_state = state;
30
31 table->data = &state;
32 table->maxlen = sizeof(int);
33 ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
34 state = !!state;
35 if (ret || !write || state == prev_state)
36 return ret;
37
38 if (state)
39 static_branch_disable(&stack_erasing_bypass);
40 else
41 static_branch_enable(&stack_erasing_bypass);
42
43 pr_warn("stackleak: kernel stack erasing is %s\n",
44 state ? "enabled" : "disabled");
45 return ret;
46}
47static struct ctl_table stackleak_sysctls[] = {
48 {
49 .procname = "stack_erasing",
50 .data = NULL,
51 .maxlen = sizeof(int),
52 .mode = 0600,
53 .proc_handler = stack_erasing_sysctl,
54 .extra1 = SYSCTL_ZERO,
55 .extra2 = SYSCTL_ONE,
56 },
57 {}
58};
59
60static int __init stackleak_sysctls_init(void)
61{
62 register_sysctl_init("kernel", stackleak_sysctls);
63 return 0;
64}
65late_initcall(stackleak_sysctls_init);
66#endif /* CONFIG_SYSCTL */
67
68#define skip_erasing() static_branch_unlikely(&stack_erasing_bypass)
69#else
70#define skip_erasing() false
71#endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
72
73#ifndef __stackleak_poison
74static __always_inline void __stackleak_poison(unsigned long erase_low,
75 unsigned long erase_high,
76 unsigned long poison)
77{
78 while (erase_low < erase_high) {
79 *(unsigned long *)erase_low = poison;
80 erase_low += sizeof(unsigned long);
81 }
82}
83#endif
84
85static __always_inline void __stackleak_erase(bool on_task_stack)
86{
87 const unsigned long task_stack_low = stackleak_task_low_bound(current);
88 const unsigned long task_stack_high = stackleak_task_high_bound(current);
89 unsigned long erase_low, erase_high;
90
91 erase_low = stackleak_find_top_of_poison(task_stack_low,
92 current->lowest_stack);
93
94#ifdef CONFIG_STACKLEAK_METRICS
95 current->prev_lowest_stack = erase_low;
96#endif
97
98 /*
99 * Write poison to the task's stack between 'erase_low' and
100 * 'erase_high'.
101 *
102 * If we're running on a different stack (e.g. an entry trampoline
103 * stack) we can erase everything below the pt_regs at the top of the
104 * task stack.
105 *
106 * If we're running on the task stack itself, we must not clobber any
107 * stack used by this function and its caller. We assume that this
108 * function has a fixed-size stack frame, and the current stack pointer
109 * doesn't change while we write poison.
110 */
111 if (on_task_stack)
112 erase_high = current_stack_pointer;
113 else
114 erase_high = task_stack_high;
115
116 __stackleak_poison(erase_low, erase_high, STACKLEAK_POISON);
117
118 /* Reset the 'lowest_stack' value for the next syscall */
119 current->lowest_stack = task_stack_high;
120}
121
122/*
123 * Erase and poison the portion of the task stack used since the last erase.
124 * Can be called from the task stack or an entry stack when the task stack is
125 * no longer in use.
126 */
127asmlinkage void noinstr stackleak_erase(void)
128{
129 if (skip_erasing())
130 return;
131
132 __stackleak_erase(on_thread_stack());
133}
134
135/*
136 * Erase and poison the portion of the task stack used since the last erase.
137 * Can only be called from the task stack.
138 */
139asmlinkage void noinstr stackleak_erase_on_task_stack(void)
140{
141 if (skip_erasing())
142 return;
143
144 __stackleak_erase(true);
145}
146
147/*
148 * Erase and poison the portion of the task stack used since the last erase.
149 * Can only be called from a stack other than the task stack.
150 */
151asmlinkage void noinstr stackleak_erase_off_task_stack(void)
152{
153 if (skip_erasing())
154 return;
155
156 __stackleak_erase(false);
157}
158
159void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
160{
161 unsigned long sp = current_stack_pointer;
162
163 /*
164 * Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
165 * STACKLEAK_SEARCH_DEPTH makes the poison search in
166 * stackleak_erase() unreliable. Let's prevent that.
167 */
168 BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);
169
170 /* 'lowest_stack' should be aligned on the register width boundary */
171 sp = ALIGN(sp, sizeof(unsigned long));
172 if (sp < current->lowest_stack &&
173 sp >= stackleak_task_low_bound(current)) {
174 current->lowest_stack = sp;
175 }
176}
177EXPORT_SYMBOL(stackleak_track_stack);