From: Will Deacon
To: linux-kernel@vger.kernel.org
Cc: Will Deacon, Kees Cook, Jann Horn, Andrew Morton, Matthew Wilcox, Michal Hocko, Peter Zijlstra
Subject: [RFC PATCH 1/4] mm: Check user stack pointer is mapped with MAP_STACK
Date: Mon, 11 Feb 2019 17:59:32 +0000
Message-Id: <20190211175935.4602-2-will.deacon@arm.com>
In-Reply-To: <20190211175935.4602-1-will.deacon@arm.com>
References: <20190211175935.4602-1-will.deacon@arm.com>

By marking stack VMAs with VM_USERSTACK, we can perform optional checks on entry to the kernel from system calls and user faults to ensure that the user stack pointer does indeed point to a stack VMA. If the stack pointer is found to point elsewhere, a SIGSEGV can be delivered to the current application. This acts as a best-effort defense against stack-pivoting attacks.

Cc: Kees Cook
Cc: Jann Horn
Cc: Andrew Morton
Cc: Matthew Wilcox
Cc: Michal Hocko
Cc: Peter Zijlstra
Signed-off-by: Will Deacon
---
 include/linux/mm.h | 10 +++++++++-
 include/linux/mman.h | 3 ++-
 include/linux/sched.h | 4 ++++
 mm/memory.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 60 insertions(+), 2 deletions(-)

-- 2.11.0

diff --git a/include/linux/mm.h b/include/linux/mm.h index 80bb6408fe73..9fa02d47a270 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -233,6 +233,7 @@ extern unsigned int kobjsize(const void *objp); #define VM_ARCH_1 0x01000000 /* Architecture-specific flag */ #define VM_WIPEONFORK 0x02000000 /* Wipe VMA contents in child. */ #define VM_DONTDUMP 0x04000000 /* Do not include in the core dump */ +#define VM_USERSTACK 0x08000000 /* User stack VM */ #ifdef CONFIG_MEM_SOFT_DIRTY # define VM_SOFTDIRTY 0x08000000 /* Not soft dirty clean area */
@@ -310,7 +311,8 @@ extern unsigned int kobjsize(const void *objp); #define VM_STACK VM_GROWSDOWN #endif -#define VM_STACK_FLAGS (VM_STACK | VM_STACK_DEFAULT_FLAGS | VM_ACCOUNT) +#define VM_STACK_FLAGS (VM_STACK | VM_STACK_DEFAULT_FLAGS | VM_ACCOUNT | \ + VM_USERSTACK) /* * Special vmas that are non-mergable, non-mlock()able. @@ -1480,6 +1482,12 @@ int truncate_inode_page(struct address_space *mapping, struct page *page); int generic_error_remove_page(struct address_space *mapping, struct page *page); int invalidate_inode_page(struct page *page); +#ifdef CONFIG_USER_STACK_POINTER_CHECKS +bool usp_check_syscall(void); +#else +static inline bool usp_check_syscall(void) { return true; } +#endif + #ifdef CONFIG_MMU extern vm_fault_t handle_mm_fault(struct vm_area_struct *vma, unsigned long address, unsigned int flags); diff --git a/include/linux/mman.h b/include/linux/mman.h index 4b08e9c9c538..d4f2d39fca70 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -131,7 +131,8 @@ calc_vm_flag_bits(unsigned long flags) return _calc_vm_trans(flags, MAP_GROWSDOWN, VM_GROWSDOWN ) | _calc_vm_trans(flags, MAP_DENYWRITE, VM_DENYWRITE ) | _calc_vm_trans(flags, MAP_LOCKED, VM_LOCKED ) | - _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ); + _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) | + _calc_vm_trans(flags, MAP_STACK, VM_USERSTACK ) ; } unsigned long vm_commit_limit(void); diff --git a/include/linux/sched.h b/include/linux/sched.h index bba3afb4e9bf..2e6766301645 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1208,6 +1208,10 @@ struct task_struct { unsigned long prev_lowest_stack; #endif +#ifdef CONFIG_USER_STACK_POINTER_CHECKS + unsigned int usp_checks; +#endif + /* * New fields for task_struct should be added above here, so that * they are included in the randomized portion of task_struct. diff --git a/mm/memory.c b/mm/memory.c index e11ca9dd823f..e0b449f520da 100644 --- a/mm/memory.c +++ b/mm/memory.c 
@@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include @@ -63,6 +64,7 @@ #include #include #include +#include #include #include #include @@ -3911,6 +3913,46 @@ static vm_fault_t __handle_mm_fault(struct vm_area_struct *vma, return handle_pte_fault(&vmf); } +#ifdef CONFIG_USER_STACK_POINTER_CHECKS +#define USP_CHECK_FAULT (1U << 0) +#define USP_CHECK_SYSCALL (1U << 1) + +static bool __usp_check(void) +{ + struct vm_area_struct *vma; + + vma = find_vma(current->mm, current_user_stack_pointer()); + return vma && (vma->vm_flags & VM_USERSTACK); +} + +static bool usp_check_fault(unsigned int flags) +{ + if (!(flags & FAULT_FLAG_USER)) + return true; + + if (!(current->usp_checks & USP_CHECK_FAULT)) + return true; + + return __usp_check(); +} + +bool usp_check_syscall(void) +{ + bool ret; + struct mm_struct *mm = current->mm; + + if (!(current->usp_checks & USP_CHECK_SYSCALL)) + return true; + + down_read(&mm->mmap_sem); + ret = __usp_check(); + up_read(&mm->mmap_sem); + return ret; +} +#else +static bool usp_check_fault(unsigned int flags) { return true; } +#endif + /* * By the time we get here, we already hold the mm semaphore * 
@@ -3930,6 +3972,9 @@ vm_fault_t handle_mm_fault(struct vm_area_struct *vma, unsigned long address, /* do counter updates before entering really critical section. */ check_sync_rss_stat(current); + if (!usp_check_fault(flags)) + return VM_FAULT_SIGSEGV; + if (!arch_vma_access_permitted(vma, flags & FAULT_FLAG_WRITE, flags & FAULT_FLAG_INSTRUCTION, flags & FAULT_FLAG_REMOTE))
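Review bot: VM_USERSTACK is given the value 0x08000000 in the include/linux/mm.h hunk at -233,6, which is the same bit the next context line assigns to VM_SOFTDIRTY under CONFIG_MEM_SOFT_DIRTY. On a kernel with both options enabled, any VMA that carries the soft-dirty flag also satisfies `vma->vm_flags & VM_USERSTACK` in __usp_check(), so the check accepts mappings that were never stacks. Please pick a bit that is free in every configuration, or make the two options exclusive in Kconfig and say so next to the define.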
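Review bot: __usp_check() in the mm/memory.c hunk at -3911,6 only tests that find_vma() returned a VMA with VM_USERSTACK set, never that the stack pointer lies inside it. find_vma() returns the first VMA that ends above the address, so a stack pointer in an unmapped hole below a MAP_STACK mapping is accepted. If that slack is deliberate to allow for stack growth, a comment should say so; otherwise add a `vma->vm_start <= sp` test. Separately, usp_check_syscall() takes mmap_sem for read on every system call of an opted-in task, which deserves a mention in the commit message for threaded workloads.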
From: Will Deacon
To: linux-kernel@vger.kernel.org
Cc: Will Deacon, Kees Cook, Jann Horn, Andrew Morton, Matthew Wilcox, Michal Hocko, Peter Zijlstra
Subject: [RFC PATCH 2/4] mm: Expose user stack pointer checking via prctl()
Date: Mon, 11 Feb 2019 17:59:33 +0000
Message-Id: <20190211175935.4602-3-will.deacon@arm.com>
In-Reply-To: <20190211175935.4602-1-will.deacon@arm.com>
References: <20190211175935.4602-1-will.deacon@arm.com>

Hook up a prctl() option to control the level of user stack pointer checking for the current task. By default, no checking is performed, but checks can be independently controlled for system calls and page faults. The option is inherited across fork() and preserved across exec().

Cc: Kees Cook
Cc: Jann Horn
Cc: Andrew Morton
Cc: Matthew Wilcox
Cc: Michal Hocko
Cc: Peter Zijlstra
Signed-off-by: Will Deacon
---
 include/linux/mm.h | 5 +++++
 include/uapi/linux/prctl.h | 5 +++++
 kernel/sys.c | 5 +++++
 mm/memory.c | 22 ++++++++++++++++++++++
 4 files changed, 37 insertions(+)

-- 2.11.0

diff --git a/include/linux/mm.h b/include/linux/mm.h index 9fa02d47a270..7a668447c01f 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1483,8 +1483,13 @@ int generic_error_remove_page(struct address_space *mapping, struct page *page); int invalidate_inode_page(struct page *page); #ifdef CONFIG_USER_STACK_POINTER_CHECKS +long prctl_sp_check(struct task_struct *tsk, unsigned long flags); bool usp_check_syscall(void); #else +static inline long prctl_sp_check(struct task_struct *tsk, unsigned long flags) +{ + return -EINVAL; +} static inline bool usp_check_syscall(void) { return true; } #endif diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h index b4875a93363a..3c4d93856f2a 100644 --- a/include/uapi/linux/prctl.h +++ b/include/uapi/linux/prctl.h
@@ -228,4 +228,9 @@ struct prctl_mm_map { # define PR_PAC_APDBKEY (1UL << 3) # define PR_PAC_APGAKEY (1UL << 4) +/* User stack pointer sanity checking */ +#define PR_SP_CHECK 55 +# define PR_SP_CHECK_PAGE_FAULT (1UL << 0) +# define PR_SP_CHECK_SYSCALL (1UL << 1) + #endif /* _LINUX_PRCTL_H */ diff --git a/kernel/sys.c b/kernel/sys.c index f7eb62eceb24..bd507eebed54 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2485,6 +2485,11 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, return -EINVAL; error = PAC_RESET_KEYS(me, arg2); break; + case PR_SP_CHECK: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = prctl_sp_check(me, arg2); + break; default: error = -EINVAL; break; diff --git a/mm/memory.c b/mm/memory.c index e0b449f520da..700d9fd03c88 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -71,6 +71,7 @@ #include #include #include +#include #include #include 
@@ -3949,6 +3950,27 @@ bool usp_check_syscall(void) up_read(&mm->mmap_sem); return ret; } + +long prctl_sp_check(struct task_struct *tsk, unsigned long flags) +{ + if (flags & ~(PR_SP_CHECK_PAGE_FAULT | PR_SP_CHECK_SYSCALL)) + return -EINVAL; + + if (flags & PR_SP_CHECK_PAGE_FAULT) + tsk->usp_checks |= USP_CHECK_FAULT; + else + tsk->usp_checks &= ~USP_CHECK_FAULT; + + if (flags & PR_SP_CHECK_SYSCALL) { + if (!IS_ENABLED(CONFIG_ARCH_HAS_USP_CHECK_SYSCALL)) + return -EINVAL; + tsk->usp_checks |= USP_CHECK_SYSCALL; + } else { + tsk->usp_checks &= ~USP_CHECK_SYSCALL; + } + + return 0; +} #else static bool usp_check_fault(unsigned int flags) { return true; } #endif
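Review bot: prctl_sp_check() in the mm/memory.c hunk updates tsk->usp_checks before it has finished validating the request: a call with PR_SP_CHECK_PAGE_FAULT | PR_SP_CHECK_SYSCALL on an architecture without CONFIG_ARCH_HAS_USP_CHECK_SYSCALL sets USP_CHECK_FAULT and then returns -EINVAL. Do the IS_ENABLED() test next to the mask check at the top so a failed call leaves the task unchanged. The else branches also let the task drop a check it enabled earlier, so code that is already running off a pivoted stack can switch the page-fault check off; consider making the bits sticky or adding a lock flag, and document whichever behaviour is chosen.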
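Review bot: The include/uapi/linux/prctl.h hunk adds only a set operation: PR_SP_CHECK takes the new mask in arg2 and the kernel/sys.c case returns whatever prctl_sp_check() returns, so there is no way to read back which checks are active. A PR_GET-style counterpart would let a runtime or sandbox verify the state it inherited across fork() and exec(), and the comment above the defines should state that a mask of 0 disables both checks.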
From: Will Deacon
To: linux-kernel@vger.kernel.org
Cc: Will Deacon, Kees Cook, Jann Horn, Andrew Morton, Matthew Wilcox, Michal Hocko, Peter Zijlstra
Subject: [RFC PATCH 3/4] mm: Add kconfig entries for user stack pointer checking
Date: Mon, 11 Feb 2019 17:59:34 +0000
Message-Id: <20190211175935.4602-4-will.deacon@arm.com>
In-Reply-To: <20190211175935.4602-1-will.deacon@arm.com>
References: <20190211175935.4602-1-will.deacon@arm.com>

Provide Kconfig entries to enable/disable user stack pointer checking and also for architectures to expose the system call controls via prctl() once they have augmented their system call entry path to perform the necessary checks.

Cc: Kees Cook
Cc: Jann Horn
Cc: Andrew Morton
Cc: Matthew Wilcox
Cc: Michal Hocko
Cc: Peter Zijlstra
Signed-off-by: Will Deacon
---
 mm/Kconfig | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

-- 2.11.0

diff --git a/mm/Kconfig b/mm/Kconfig index 25c71eb8a7db..35f044162501 100644 --- a/mm/Kconfig +++ b/mm/Kconfig
@@ -758,4 +758,21 @@ config GUP_BENCHMARK config ARCH_HAS_PTE_SPECIAL bool +config USER_STACK_POINTER_CHECKS + bool "Check user stack pointer points to stack pages" + depends on MMU + default y + help + This feature can be used to enforce that the user stack pointer + points to either the kernel-allocated user stack or a mapping + created with the MAP_STACK flag. + + By default, no checks are performed, and an application must + opt-in via the PR_SP_CHECK prctl() system call if it wishes to + enable checking. Checking can be independently controlled for + system calls and page fault handling. + +config ARCH_HAS_USP_CHECK_SYSCALL + bool + endmenu
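Review bot: USER_STACK_POINTER_CHECKS is `default y` in the mm/Kconfig hunk, which turns on a new task_struct field and a test in handle_mm_fault() for every MMU configuration even though nothing is enforced until a task opts in; new options normally start disabled unless there is a stated reason. The help text should also say what happens when a check fails (SIGSEGV delivered to the task) and that PR_SP_CHECK_SYSCALL is rejected with -EINVAL unless the architecture selects ARCH_HAS_USP_CHECK_SYSCALL, which currently has no description at all.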
From: Will Deacon
To: linux-kernel@vger.kernel.org
Cc: Will Deacon, Kees Cook, Jann Horn, Andrew Morton, Matthew Wilcox, Michal Hocko, Peter Zijlstra
Subject: [RFC PATCH 4/4] arm64: Check user stack pointer on syscall entry
Date: Mon, 11 Feb 2019 17:59:35 +0000
Message-Id: <20190211175935.4602-5-will.deacon@arm.com>
In-Reply-To: <20190211175935.4602-1-will.deacon@arm.com>
References: <20190211175935.4602-1-will.deacon@arm.com>

Allow the user stack pointer value to be checked on system call entry and deliver a SIGSEGV if the check does not pass.

Cc: Kees Cook
Cc: Jann Horn
Cc: Andrew Morton
Cc: Matthew Wilcox
Cc: Michal Hocko
Cc: Peter Zijlstra
Signed-off-by: Will Deacon
---
 arch/arm64/Kconfig | 1 +
 arch/arm64/kernel/syscall.c | 4 ++++
 2 files changed, 5 insertions(+)

-- 2.11.0

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index a4168d366127..e87304a06a85 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -29,6 +29,7 @@ config ARM64 select ARCH_HAS_SYNC_DMA_FOR_CPU select ARCH_HAS_SYSCALL_WRAPPER select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST + select ARCH_HAS_USP_CHECK_SYSCALL select ARCH_HAVE_NMI_SAFE_CMPXCHG select ARCH_INLINE_READ_LOCK if !PREEMPT select ARCH_INLINE_READ_LOCK_BH if !PREEMPT diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c index 5610ac01c1ec..06566010f6d1 100644 --- a/arch/arm64/kernel/syscall.c +++ b/arch/arm64/kernel/syscall.c @@ -11,6 +11,7 @@ #include #include #include +#include #include long compat_arm_syscall(struct pt_regs *regs, int scno);
@@ -71,6 +72,9 @@ static void el0_svc_common(struct pt_regs *regs, int scno, int sc_nr, local_daif_restore(DAIF_PROCCTX); user_exit(); + if (!usp_check_syscall()) + force_signal_inject(SIGSEGV, SEGV_MAPERR, GET_USP(regs)); + if (has_syscall_work(flags)) { /* set default errno for user-issued syscall(-1) */ if (scno == NO_SYSCALL)
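Review bot: In the el0_svc_common() hunk of arch/arm64/kernel/syscall.c, a failed usp_check_syscall() only queues the SIGSEGV with force_signal_inject() and then falls through to the has_syscall_work() test, so the system call that tripped the check appears to be dispatched anyway and the signal is taken only afterwards. For a mitigation the call itself should not run: return from el0_svc_common() straight after injecting the signal, or route the failure through the NO_SYSCALL handling visible in the context lines. The commit message should also state whether the check is meant to apply to compat tasks that come through this function.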