Commit ffecead7 authored Sep 07, 2017 by Thomas Garnier Committed by Satya Tangirala Sep 21, 2018

BACKPORT: arm/syscalls: Optimize address limit check



(cherry-picked from e33f8d32677fa4f4f8996ef46748f86aac81ccff)

Disable the generic address limit check in favor of an architecture
specific optimized implementation. The generic implementation using
pending work flags did not work well with ARM and alignment faults.

The address limit is checked on each syscall return path to user-mode
path as well as the irq user-mode return function. If the address limit
was changed, a function is called to report data corruption (stopping
the kernel or process based on configuration).

The address limit check has to be done before any pending work because
they can reset the address limit and the process is killed using a
SIGKILL signal. For example the lkdtm address limit check does not work
because the signal to kill the process will reset the user-mode address
limit.

Change-Id: I4a2a9f5d25fe395f7da785abeedd2dac347a477c
Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Kees Cook <keescook@chromium.org>
Tested-by: Leonard Crestez <leonard.crestez@nxp.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Pratyush Anand <panand@redhat.com>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: Will Drewry <wad@chromium.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: David Howells <dhowells@redhat.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-api@vger.kernel.org
Cc: Yonghong Song <yhs@fb.com>
Cc: linux-arm-kernel@lists.infradead.org
Link: http://lkml.kernel.org/r/1504798247-48833-4-git-send-email-keescook@chromium.org


Signed-off-by: Satya Tangirala <satyat@google.com>

parent 551244bd

arch/arm/kernel/entry-common.S

+10 −0

Original line number	Diff line number	Diff line
		@@ -12,6 +12,7 @@
		#include <asm/unistd.h>
		#include <asm/ftrace.h>
		#include <asm/unwind.h>
		#include <asm/memory.h>

		#ifdef CONFIG_NEED_RET_TO_USER
		#include <mach/entry-macro.S>
		@@ -35,6 +36,9 @@ ret_fast_syscall:
		UNWIND(.fnstart )
		UNWIND(.cantunwind )
		disable_irq_notrace @ disable interrupts
		ldr r2, [tsk, #TI_ADDR_LIMIT]
		cmp r2, #TASK_SIZE
		blne addr_limit_check_failed
		ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing
		tst r1, #_TIF_SYSCALL_WORK \| _TIF_WORK_MASK
		bne fast_work_pending
		@@ -61,6 +65,9 @@ ret_fast_syscall:
		UNWIND(.cantunwind )
		str r0, [sp, #S_R0 + S_OFF]! @ save returned r0
		disable_irq_notrace @ disable interrupts
		ldr r2, [tsk, #TI_ADDR_LIMIT]
		cmp r2, #TASK_SIZE
		blne addr_limit_check_failed
		ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing
		tst r1, #_TIF_SYSCALL_WORK \| _TIF_WORK_MASK
		beq no_work_pending
		@@ -93,6 +100,9 @@ ENTRY(ret_to_user)
		ret_slow_syscall:
		disable_irq_notrace @ disable interrupts
		ENTRY(ret_to_user_from_irq)
		ldr r2, [tsk, #TI_ADDR_LIMIT]
		cmp r2, #TASK_SIZE
		blne addr_limit_check_failed
		ldr r1, [tsk, #TI_FLAGS]
		tst r1, #_TIF_WORK_MASK
		bne slow_work_pending

arch/arm/kernel/signal.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -14,6 +14,7 @@
		#include <linux/uaccess.h>
		#include <linux/tracehook.h>
		#include <linux/uprobes.h>
		#include <linux/syscalls.h>

		#include <asm/elf.h>
		#include <asm/cacheflush.h>
		@@ -631,3 +632,9 @@ struct page *get_signal_page(void)

		return page;
		}

		/* Defer to generic check */
		asmlinkage void addr_limit_check_failed(void)
		{
		addr_limit_user_check();
		}