From: Mark Rutland <mark.rutland@arm.com>
To: ard.biesheuvel@linaro.org, kernel-hardening@lists.openwall.com,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Cc: akashi.takahiro@linaro.org, catalin.marinas@arm.com,
dave.martin@arm.com, james.morse@arm.com,
labbott@fedoraproject.org, will.deacon@arm.com,
keescook@chromium.org, Mark Rutland <mark.rutland@arm.com>
Subject: [RFC PATCH 6/6] arm64: add VMAP_STACK and detect out-of-bounds SP
Date: Wed, 12 Jul 2017 23:33:03 +0100 [thread overview]
Message-ID: <1499898783-25732-7-git-send-email-mark.rutland@arm.com> (raw)
In-Reply-To: <1499898783-25732-1-git-send-email-mark.rutland@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
---
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/entry.S | 43 +++++++++++++++++++++++++++++++++++++++++++
arch/arm64/kernel/traps.c | 21 +++++++++++++++++++++
3 files changed, 65 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index b2024db..5cbd961 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1,5 +1,6 @@
config ARM64
def_bool y
+ select HAVE_ARCH_VMAP_STACK
select ACPI_CCA_REQUIRED if ACPI
select ACPI_GENERIC_GSI if ACPI
select ACPI_GTDT if ACPI
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 7c8b164..e0fdb65 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -396,11 +396,54 @@ el1_error_invalid:
inv_entry 1, BAD_ERROR
ENDPROC(el1_error_invalid)
+#ifdef CONFIG_VMAP_STACK
+.macro detect_bad_stack
+ msr sp_el0, x0
+ get_thread_info x0
+ ldr x0, [x0, #TSK_TI_CUR_STK]
+ sub x0, sp, x0
+ and x0, x0, #~(THREAD_SIZE - 1)
+ cbnz x0, __bad_stack
+ mrs x0, sp_el0
+.endm
+
+__bad_stack:
+ /*
+ * Stash the bad SP, and free up another GPR. We no longer care about
+ * EL0 state, since this thread cannot recover.
+ */
+ mov x0, sp
+ msr tpidrro_el0, x0
+ msr tpidr_el0, x1
+
+ /* Move to the emergency stack */
+ adr_this_cpu x0, bad_stack, x1
+ mov x1, #THREAD_START_SP
+ add sp, x0, x1
+
+ /* Restore GPRs and log them to pt_regs */
+ mrs x0, sp_el0
+ mrs x1, tpidr_el0
+ kernel_entry 1
+
+ /* restore the bad SP to pt_regs */
+ mrs x1, tpidrro_el0
+ str x1, [sp, #S_SP]
+
+ /* Time to die */
+ mov x0, sp
+ b handle_bad_stack
+#else
+.macro detect_bad_stack
+.endm
+#endif
+
/*
* EL1 mode handlers.
*/
.align 6
el1_sync:
+ detect_bad_stack
kernel_entry 1
mrs x1, esr_el1 // read the syndrome register
lsr x24, x1, #ESR_ELx_EC_SHIFT // exception class
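Review bot: The bounds test in `detect_bad_stack` accepts any SP that lies inside the current stack, including one with less room left than the exception frame that `kernel_entry 1` pushes next. In that case the overflow is only caught on the nested fault taken when the frame reaches the guard page. By then the exception syndrome and return state presumably describe the nested fault rather than the original one (the `kernel_entry` body is not in this hunk, so this should be confirmed), which makes the panic report harder to interpret. Checking the post-frame SP instead, for example by adding `sub x0, x0, #S_FRAME_SIZE` after `sub x0, sp, x0`, would reject it on first entry. The macro also deserves a comment such as `/* sp_el0 is scratch for x0 here; SP is in bounds iff 0 <= sp - stack base < THREAD_SIZE */`.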
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index 0805b44..84b00e3 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -683,6 +683,27 @@ asmlinkage void bad_el0_sync(struct pt_regs *regs, int reason, unsigned int esr)
force_sig_info(info.si_signo, &info, current);
}
+#ifdef CONFIG_VMAP_STACK
+DEFINE_PER_CPU(unsigned long [IRQ_STACK_SIZE/sizeof(long)], bad_stack) __aligned(16);
+
+asmlinkage void handle_bad_stack(struct pt_regs *regs)
+{
+ unsigned long tsk_stk = (unsigned long)current->stack;
+ unsigned long irq_stk = (unsigned long)per_cpu(irq_stack, smp_processor_id());
+
+ console_verbose();
+ pr_emerg("Stack out-of-bounds!\n"
+ "\tsp: 0x%016lx\n"
+ "\ttsk stack: [0x%016lx..0x%016lx]\n"
+ "\tirq stack: [0x%016lx..0x%016lx]\n",
+ kernel_stack_pointer(regs),
+ tsk_stk, tsk_stk + THREAD_SIZE,
+ irq_stk, irq_stk + THREAD_SIZE);
+ show_regs(regs);
+ panic("stack out-of-bounds");
+}
+#endif
+
void __pte_error(const char *file, int line, unsigned long val)
{
pr_err("%s:%d: bad pte %016lx.\n", file, line, val);
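Review bot: The IRQ stack range printed by `handle_bad_stack` uses `irq_stk + THREAD_SIZE` as its upper bound, while `bad_stack` just above is sized with `IRQ_STACK_SIZE`. If the IRQ stack is sized the same way (its definition is outside this hunk), the report shows wrong bounds whenever the two constants differ, so `irq_stk, irq_stk + IRQ_STACK_SIZE);` is the safer form. The same mix appears in the entry.S hunk, where the initial SP for `bad_stack` is computed from `THREAD_START_SP`; that would point past the end of the array if IRQ_STACK_SIZE were smaller than THREAD_SIZE. A short comment on `bad_stack` saying that it is a per-CPU emergency stack used only on the path to panic() would also help readers.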
--
1.9.1
From: mark.rutland@arm.com (Mark Rutland)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC PATCH 6/6] arm64: add VMAP_STACK and detect out-of-bounds SP
Date: Wed, 12 Jul 2017 23:33:03 +0100 [thread overview]
Message-ID: <1499898783-25732-7-git-send-email-mark.rutland@arm.com> (raw)
In-Reply-To: <1499898783-25732-1-git-send-email-mark.rutland@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
---
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/entry.S | 43 +++++++++++++++++++++++++++++++++++++++++++
arch/arm64/kernel/traps.c | 21 +++++++++++++++++++++
3 files changed, 65 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index b2024db..5cbd961 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1,5 +1,6 @@
config ARM64
def_bool y
+ select HAVE_ARCH_VMAP_STACK
select ACPI_CCA_REQUIRED if ACPI
select ACPI_GENERIC_GSI if ACPI
select ACPI_GTDT if ACPI
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 7c8b164..e0fdb65 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -396,11 +396,54 @@ el1_error_invalid:
inv_entry 1, BAD_ERROR
ENDPROC(el1_error_invalid)
+#ifdef CONFIG_VMAP_STACK
+.macro detect_bad_stack
+ msr sp_el0, x0
+ get_thread_info x0
+ ldr x0, [x0, #TSK_TI_CUR_STK]
+ sub x0, sp, x0
+ and x0, x0, #~(THREAD_SIZE - 1)
+ cbnz x0, __bad_stack
+ mrs x0, sp_el0
+.endm
+
+__bad_stack:
+ /*
+ * Stash the bad SP, and free up another GPR. We no longer care about
+ * EL0 state, since this thread cannot recover.
+ */
+ mov x0, sp
+ msr tpidrro_el0, x0
+ msr tpidr_el0, x1
+
+ /* Move to the emergency stack */
+ adr_this_cpu x0, bad_stack, x1
+ mov x1, #THREAD_START_SP
+ add sp, x0, x1
+
+ /* Restore GPRs and log them to pt_regs */
+ mrs x0, sp_el0
+ mrs x1, tpidr_el0
+ kernel_entry 1
+
+ /* restore the bad SP to pt_regs */
+ mrs x1, tpidrro_el0
+ str x1, [sp, #S_SP]
+
+ /* Time to die */
+ mov x0, sp
+ b handle_bad_stack
+#else
+.macro detect_bad_stack
+.endm
+#endif
+
/*
* EL1 mode handlers.
*/
.align 6
el1_sync:
+ detect_bad_stack
kernel_entry 1
mrs x1, esr_el1 // read the syndrome register
lsr x24, x1, #ESR_ELx_EC_SHIFT // exception class
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index 0805b44..84b00e3 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -683,6 +683,27 @@ asmlinkage void bad_el0_sync(struct pt_regs *regs, int reason, unsigned int esr)
force_sig_info(info.si_signo, &info, current);
}
+#ifdef CONFIG_VMAP_STACK
+DEFINE_PER_CPU(unsigned long [IRQ_STACK_SIZE/sizeof(long)], bad_stack) __aligned(16);
+
+asmlinkage void handle_bad_stack(struct pt_regs *regs)
+{
+ unsigned long tsk_stk = (unsigned long)current->stack;
+ unsigned long irq_stk = (unsigned long)per_cpu(irq_stack, smp_processor_id());
+
+ console_verbose();
+ pr_emerg("Stack out-of-bounds!\n"
+ "\tsp: 0x%016lx\n"
+ "\ttsk stack: [0x%016lx..0x%016lx]\n"
+ "\tirq stack: [0x%016lx..0x%016lx]\n",
+ kernel_stack_pointer(regs),
+ tsk_stk, tsk_stk + THREAD_SIZE,
+ irq_stk, irq_stk + THREAD_SIZE);
+ show_regs(regs);
+ panic("stack out-of-bounds");
+}
+#endif
+
void __pte_error(const char *file, int line, unsigned long val)
{
pr_err("%s:%d: bad pte %016lx.\n", file, line, val);
--
1.9.1
From: Mark Rutland <mark.rutland@arm.com>
To: ard.biesheuvel@linaro.org, kernel-hardening@lists.openwall.com,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Cc: akashi.takahiro@linaro.org, catalin.marinas@arm.com,
dave.martin@arm.com, james.morse@arm.com,
labbott@fedoraproject.org, will.deacon@arm.com,
keescook@chromium.org, Mark Rutland <mark.rutland@arm.com>
Subject: [kernel-hardening] [RFC PATCH 6/6] arm64: add VMAP_STACK and detect out-of-bounds SP
Date: Wed, 12 Jul 2017 23:33:03 +0100 [thread overview]
Message-ID: <1499898783-25732-7-git-send-email-mark.rutland@arm.com> (raw)
In-Reply-To: <1499898783-25732-1-git-send-email-mark.rutland@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
---
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/entry.S | 43 +++++++++++++++++++++++++++++++++++++++++++
arch/arm64/kernel/traps.c | 21 +++++++++++++++++++++
3 files changed, 65 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index b2024db..5cbd961 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1,5 +1,6 @@
config ARM64
def_bool y
+ select HAVE_ARCH_VMAP_STACK
select ACPI_CCA_REQUIRED if ACPI
select ACPI_GENERIC_GSI if ACPI
select ACPI_GTDT if ACPI
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 7c8b164..e0fdb65 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -396,11 +396,54 @@ el1_error_invalid:
inv_entry 1, BAD_ERROR
ENDPROC(el1_error_invalid)
+#ifdef CONFIG_VMAP_STACK
+.macro detect_bad_stack
+ msr sp_el0, x0
+ get_thread_info x0
+ ldr x0, [x0, #TSK_TI_CUR_STK]
+ sub x0, sp, x0
+ and x0, x0, #~(THREAD_SIZE - 1)
+ cbnz x0, __bad_stack
+ mrs x0, sp_el0
+.endm
+
+__bad_stack:
+ /*
+ * Stash the bad SP, and free up another GPR. We no longer care about
+ * EL0 state, since this thread cannot recover.
+ */
+ mov x0, sp
+ msr tpidrro_el0, x0
+ msr tpidr_el0, x1
+
+ /* Move to the emergency stack */
+ adr_this_cpu x0, bad_stack, x1
+ mov x1, #THREAD_START_SP
+ add sp, x0, x1
+
+ /* Restore GPRs and log them to pt_regs */
+ mrs x0, sp_el0
+ mrs x1, tpidr_el0
+ kernel_entry 1
+
+ /* restore the bad SP to pt_regs */
+ mrs x1, tpidrro_el0
+ str x1, [sp, #S_SP]
+
+ /* Time to die */
+ mov x0, sp
+ b handle_bad_stack
+#else
+.macro detect_bad_stack
+.endm
+#endif
+
/*
* EL1 mode handlers.
*/
.align 6
el1_sync:
+ detect_bad_stack
kernel_entry 1
mrs x1, esr_el1 // read the syndrome register
lsr x24, x1, #ESR_ELx_EC_SHIFT // exception class
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index 0805b44..84b00e3 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -683,6 +683,27 @@ asmlinkage void bad_el0_sync(struct pt_regs *regs, int reason, unsigned int esr)
force_sig_info(info.si_signo, &info, current);
}
+#ifdef CONFIG_VMAP_STACK
+DEFINE_PER_CPU(unsigned long [IRQ_STACK_SIZE/sizeof(long)], bad_stack) __aligned(16);
+
+asmlinkage void handle_bad_stack(struct pt_regs *regs)
+{
+ unsigned long tsk_stk = (unsigned long)current->stack;
+ unsigned long irq_stk = (unsigned long)per_cpu(irq_stack, smp_processor_id());
+
+ console_verbose();
+ pr_emerg("Stack out-of-bounds!\n"
+ "\tsp: 0x%016lx\n"
+ "\ttsk stack: [0x%016lx..0x%016lx]\n"
+ "\tirq stack: [0x%016lx..0x%016lx]\n",
+ kernel_stack_pointer(regs),
+ tsk_stk, tsk_stk + THREAD_SIZE,
+ irq_stk, irq_stk + THREAD_SIZE);
+ show_regs(regs);
+ panic("stack out-of-bounds");
+}
+#endif
+
void __pte_error(const char *file, int line, unsigned long val)
{
pr_err("%s:%d: bad pte %016lx.\n", file, line, val);
--
1.9.1