1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * This code fills the used part of the kernel stack with a poison value
4 * before returning to userspace. It's part of the STACKLEAK feature
5 * ported from grsecurity/PaX.
6 *
7 * Author: Alexander Popov <alex.popov@linux.com>
8 *
9 * STACKLEAK reduces the information which kernel stack leak bugs can
10 * reveal and blocks some uninitialized stack variable attacks.
11 */
12
13 #include <linux/stackleak.h>
14 #include <linux/kprobes.h>
15
16 #ifdef CONFIG_STACKLEAK_RUNTIME_DISABLE
17 #include <linux/jump_label.h>
18 #include <linux/sysctl.h>
19 #include <linux/init.h>
20
21 static DEFINE_STATIC_KEY_FALSE(stack_erasing_bypass);
22
23 #ifdef CONFIG_SYSCTL
stack_erasing_sysctl(const struct ctl_table * table,int write,void __user * buffer,size_t * lenp,loff_t * ppos)24 static int stack_erasing_sysctl(const struct ctl_table *table, int write,
25 void __user *buffer, size_t *lenp, loff_t *ppos)
26 {
27 int ret = 0;
28 int state = !static_branch_unlikely(&stack_erasing_bypass);
29 int prev_state = state;
30 struct ctl_table table_copy = *table;
31
32 table_copy.data = &state;
33 ret = proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos);
34 state = !!state;
35 if (ret || !write || state == prev_state)
36 return ret;
37
38 if (state)
39 static_branch_disable(&stack_erasing_bypass);
40 else
41 static_branch_enable(&stack_erasing_bypass);
42
43 pr_warn("stackleak: kernel stack erasing is %s\n",
44 state ? "enabled" : "disabled");
45 return ret;
46 }
47 static struct ctl_table stackleak_sysctls[] = {
48 {
49 .procname = "stack_erasing",
50 .data = NULL,
51 .maxlen = sizeof(int),
52 .mode = 0600,
53 .proc_handler = stack_erasing_sysctl,
54 .extra1 = SYSCTL_ZERO,
55 .extra2 = SYSCTL_ONE,
56 },
57 };
58
stackleak_sysctls_init(void)59 static int __init stackleak_sysctls_init(void)
60 {
61 register_sysctl_init("kernel", stackleak_sysctls);
62 return 0;
63 }
64 late_initcall(stackleak_sysctls_init);
65 #endif /* CONFIG_SYSCTL */
66
67 #define skip_erasing() static_branch_unlikely(&stack_erasing_bypass)
68 #else
69 #define skip_erasing() false
70 #endif /* CONFIG_STACKLEAK_RUNTIME_DISABLE */
71
72 #ifndef __stackleak_poison
__stackleak_poison(unsigned long erase_low,unsigned long erase_high,unsigned long poison)73 static __always_inline void __stackleak_poison(unsigned long erase_low,
74 unsigned long erase_high,
75 unsigned long poison)
76 {
77 while (erase_low < erase_high) {
78 *(unsigned long *)erase_low = poison;
79 erase_low += sizeof(unsigned long);
80 }
81 }
82 #endif
83
__stackleak_erase(bool on_task_stack)84 static __always_inline void __stackleak_erase(bool on_task_stack)
85 {
86 const unsigned long task_stack_low = stackleak_task_low_bound(current);
87 const unsigned long task_stack_high = stackleak_task_high_bound(current);
88 unsigned long erase_low, erase_high;
89
90 erase_low = stackleak_find_top_of_poison(task_stack_low,
91 current->lowest_stack);
92
93 #ifdef CONFIG_STACKLEAK_METRICS
94 current->prev_lowest_stack = erase_low;
95 #endif
96
97 /*
98 * Write poison to the task's stack between 'erase_low' and
99 * 'erase_high'.
100 *
101 * If we're running on a different stack (e.g. an entry trampoline
102 * stack) we can erase everything below the pt_regs at the top of the
103 * task stack.
104 *
105 * If we're running on the task stack itself, we must not clobber any
106 * stack used by this function and its caller. We assume that this
107 * function has a fixed-size stack frame, and the current stack pointer
108 * doesn't change while we write poison.
109 */
110 if (on_task_stack)
111 erase_high = current_stack_pointer;
112 else
113 erase_high = task_stack_high;
114
115 __stackleak_poison(erase_low, erase_high, STACKLEAK_POISON);
116
117 /* Reset the 'lowest_stack' value for the next syscall */
118 current->lowest_stack = task_stack_high;
119 }
120
121 /*
122 * Erase and poison the portion of the task stack used since the last erase.
123 * Can be called from the task stack or an entry stack when the task stack is
124 * no longer in use.
125 */
stackleak_erase(void)126 asmlinkage void noinstr stackleak_erase(void)
127 {
128 if (skip_erasing())
129 return;
130
131 __stackleak_erase(on_thread_stack());
132 }
133
134 /*
135 * Erase and poison the portion of the task stack used since the last erase.
136 * Can only be called from the task stack.
137 */
stackleak_erase_on_task_stack(void)138 asmlinkage void noinstr stackleak_erase_on_task_stack(void)
139 {
140 if (skip_erasing())
141 return;
142
143 __stackleak_erase(true);
144 }
145
146 /*
147 * Erase and poison the portion of the task stack used since the last erase.
148 * Can only be called from a stack other than the task stack.
149 */
stackleak_erase_off_task_stack(void)150 asmlinkage void noinstr stackleak_erase_off_task_stack(void)
151 {
152 if (skip_erasing())
153 return;
154
155 __stackleak_erase(false);
156 }
157
stackleak_track_stack(void)158 void __used __no_caller_saved_registers noinstr stackleak_track_stack(void)
159 {
160 unsigned long sp = current_stack_pointer;
161
162 /*
163 * Having CONFIG_STACKLEAK_TRACK_MIN_SIZE larger than
164 * STACKLEAK_SEARCH_DEPTH makes the poison search in
165 * stackleak_erase() unreliable. Let's prevent that.
166 */
167 BUILD_BUG_ON(CONFIG_STACKLEAK_TRACK_MIN_SIZE > STACKLEAK_SEARCH_DEPTH);
168
169 /* 'lowest_stack' should be aligned on the register width boundary */
170 sp = ALIGN(sp, sizeof(unsigned long));
171 if (sp < current->lowest_stack &&
172 sp >= stackleak_task_low_bound(current)) {
173 current->lowest_stack = sp;
174 }
175 }
176 EXPORT_SYMBOL(stackleak_track_stack);
177