leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
229a08a4f4
linux/arch/sh
History
Kees Cook 2792d84e6d usercopy: Check valid lifetime via stack depth 
One of the things that CONFIG_HARDENED_USERCOPY sanity-checks is whether
an object that is about to be copied to/from userspace is overlapping
the stack at all. If it is, it performs a number of inexpensive
bounds checks. One of the finer-grained checks is whether an object
crosses stack frames within the stack region. Doing this on x86 with
CONFIG_FRAME_POINTER was cheap/easy. Doing it with ORC was deemed too
heavy, and was left out (a while ago), leaving the courser whole-stack
check.

The LKDTM tests USERCOPY_STACK_FRAME_TO and USERCOPY_STACK_FRAME_FROM
try to exercise these cross-frame cases to validate the defense is
working. They have been failing ever since ORC was added (which was
expected). While Muhammad was investigating various LKDTM failures[1],
he asked me for additional details on them, and I realized that when
exact stack frame boundary checking is not available (i.e. everything
except x86 with FRAME_POINTER), it could check if a stack object is at
least "current depth valid", in the sense that any object within the
stack region but not between start-of-stack and current_stack_pointer
should be considered unavailable (i.e. its lifetime is from a call no
longer present on the stack).

Introduce ARCH_HAS_CURRENT_STACK_POINTER to track which architectures
have actually implemented the common global register alias.

Additionally report usercopy bounds checking failures with an offset
from current_stack_pointer, which may assist with diagnosing failures.

The LKDTM USERCOPY_STACK_FRAME_TO and USERCOPY_STACK_FRAME_FROM tests
(once slightly adjusted in a separate patch) pass again with this fixed.

[1] https://github.com/kernelci/kernelci-project/issues/84

Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org
Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
v1: https://lore.kernel.org/lkml/20220216201449.2087956-1-keescook@chromium.org
v2: https://lore.kernel.org/lkml/20220224060342.1855457-1-keescook@chromium.org
v3: https://lore.kernel.org/lkml/20220225173345.3358109-1-keescook@chromium.org
v4: - improve commit log (akpm)
2022-02-25 18:20:11 -08:00
..
boards arch/sh updates for 5.16 2021-11-14 11:37:49 -08:00
boot arch: decompressor: remove useless vmlinux.bin.all-y 2022-01-14 02:55:44 +09:00
cchips treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
configs Documentation, arch: Remove leftovers from CIFS_WEAK_PW_HASH 2021-12-17 14:12:03 +01:00
drivers sh: dma: fix kconfig dependency for G2_DMA 2021-01-06 19:55:22 -05:00
include bitmap patches for 5.17-rc1 2022-01-23 06:20:44 +02:00
kernel Merge branch 'signal-for-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2022-01-17 05:49:30 +02:00
lib sh: propage the calling conventions change down to csum_partial_copy_generic() 2020-08-20 15:45:18 -04:00
math-emu sh: fix READ/WRITE redefinition warnings 2021-10-27 16:51:32 -04:00
mm proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
tools sh: Remove SH5-based Cayman platform 2020-08-14 22:05:06 -04:00
Kbuild kbuild: use more subdir- for visiting subdirectories while cleaning 2021-10-24 13:49:46 +09:00
Kconfig usercopy: Check valid lifetime via stack depth 2022-02-25 18:20:11 -08:00
Kconfig.cpu docs: sh: convert register-banks.txt to ReST 2020-06-19 14:10:13 -06:00
Kconfig.debug sh: fix kconfig unmet dependency warning for FRAME_POINTER 2021-10-27 16:51:01 -04:00
Makefile kbuild: use more subdir- for visiting subdirectories while cleaning 2021-10-24 13:49:46 +09:00