From: Kirill Tkhai <ktkhai@virtuozzo.com> To: tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, aryabinin@virtuozzo.com, glider@google.com, dvyukov@google.com, luto@kernel.org, bp@alien8.de, jpoimboe@redhat.com, dave.hansen@linux.intel.com, jgross@suse.com, kirill.shutemov@linux.intel.com, keescook@chromium.org, minipli@googlemail.com, gregkh@linuxfoundation.org, kstewart@linuxfoundation.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org Subject: [PATCH RFC] x86: KASAN: Sanitize unauthorized irq stack access Date: Wed, 07 Feb 2018 19:14:43 +0300 [thread overview] Message-ID: <151802005995.4570.824586713429099710.stgit@localhost.localdomain> (raw) Sometimes it is possible to meet a situation, when irq stack is corrupted, while innocent callback function is being executed. This may happen because of crappy drivers irq handlers, when they access wrong memory on the irq stack. This patch aims to catch such the situations and adds checks of unauthorized stack access. Every time we enter in interrupt, we check for irq_count, and allow irq stack usage. After last nested irq handler is exited, we prohibit the access back. I did x86_unpoison_irq_stack() and x86_poison_irq_stack() calls unconditional, because this requires to change the order of incl PER_CPU_VAR(irq_count) and UNWIND_HINT_REGS(), and I'm not sure it's legitimately to do. So, irq_count is checked in x86_unpoison_irq_stack(). Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> --- arch/x86/entry/entry_64.S | 6 ++++++ arch/x86/include/asm/processor.h | 6 ++++++ arch/x86/kernel/irq_64.c | 13 +++++++++++++ include/linux/kasan.h | 3 +++ mm/kasan/kasan.c | 16 ++++++++++++++++ 5 files changed, 44 insertions(+) diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 741d9877b357..1e9d69de2528 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -485,6 +485,9 @@ END(irq_entries_start) * The invariant is that, if irq_count != -1, then the IRQ stack is in use. */ .macro ENTER_IRQ_STACK regs=1 old_rsp +#ifdef CONFIG_KASAN + call x86_unpoison_irq_stack +#endif DEBUG_ENTRY_ASSERT_IRQS_OFF movq %rsp, \old_rsp @@ -552,6 +555,9 @@ END(irq_entries_start) */ decl PER_CPU_VAR(irq_count) +#ifdef CONFIG_KASAN + call x86_poison_irq_stack +#endif .endm /* diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h index 793bae7e7ce3..4353e3a85b0b 100644 --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -404,6 +404,12 @@ union irq_stack_union { }; }; +#define KASAN_IRQ_STACK_SIZE \ + (sizeof(union irq_stack_union) - \ + (offsetof(union irq_stack_union, stack_canary) + 8)) + +#define percpu_irq_stack_addr() this_cpu_ptr(irq_stack_union.irq_stack) + DECLARE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __visible; DECLARE_INIT_PER_CPU(irq_stack_union); diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c index d86e344f5b3d..ad78f4b3f0b5 100644 --- a/arch/x86/kernel/irq_64.c +++ b/arch/x86/kernel/irq_64.c @@ -77,3 +77,16 @@ bool handle_irq(struct irq_desc *desc, struct pt_regs *regs) generic_handle_irq_desc(desc); return true; } + +#ifdef CONFIG_KASAN +void __visible x86_poison_irq_stack(void) +{ + if (this_cpu_read(irq_count) == -1) + kasan_poison_irq_stack(); +} +void __visible x86_unpoison_irq_stack(void) +{ + if (this_cpu_read(irq_count) == -1) + kasan_unpoison_irq_stack(); +} +#endif diff --git a/include/linux/kasan.h b/include/linux/kasan.h index adc13474a53b..cb433f1bf178 100644 --- a/include/linux/kasan.h +++ b/include/linux/kasan.h @@ -40,6 +40,9 @@ void kasan_unpoison_shadow(const void *address, size_t size); void kasan_unpoison_task_stack(struct task_struct *task); void kasan_unpoison_stack_above_sp_to(const void *watermark); +void kasan_poison_irq_stack(void); +void kasan_unpoison_irq_stack(void); + void kasan_alloc_pages(struct page *page, unsigned int order); void kasan_free_pages(struct page *page, unsigned int order); diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c index 0d9d9d268f32..9bc150c87205 100644 --- a/mm/kasan/kasan.c +++ b/mm/kasan/kasan.c @@ -412,6 +412,22 @@ void kasan_poison_object_data(struct kmem_cache *cache, void *object) KASAN_KMALLOC_REDZONE); } +#ifdef KASAN_IRQ_STACK_SIZE +void kasan_poison_irq_stack(void) +{ + void *stack = percpu_irq_stack_addr(); + + kasan_poison_shadow(stack, KASAN_IRQ_STACK_SIZE, KASAN_GLOBAL_REDZONE); +} + +void kasan_unpoison_irq_stack(void) +{ + void *stack = percpu_irq_stack_addr(); + + kasan_unpoison_shadow(stack, KASAN_IRQ_STACK_SIZE); +} +#endif /* KASAN_IRQ_STACK_SIZE */ + static inline int in_irqentry_text(unsigned long ptr) { return (ptr >= (unsigned long)&__irqentry_text_start &&
WARNING: multiple messages have this Message-ID (diff)
From: Kirill Tkhai <ktkhai@virtuozzo.com> To: tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com, aryabinin@virtuozzo.com, glider@google.com, dvyukov@google.com, luto@kernel.org, bp@alien8.de, jpoimboe@redhat.com, dave.hansen@linux.intel.com, jgross@suse.com, kirill.shutemov@linux.intel.com, keescook@chromium.org, minipli@googlemail.com, gregkh@linuxfoundation.org, kstewart@linuxfoundation.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org Subject: [PATCH RFC] x86: KASAN: Sanitize unauthorized irq stack access Date: Wed, 07 Feb 2018 19:14:43 +0300 [thread overview] Message-ID: <151802005995.4570.824586713429099710.stgit@localhost.localdomain> (raw) Sometimes it is possible to meet a situation, when irq stack is corrupted, while innocent callback function is being executed. This may happen because of crappy drivers irq handlers, when they access wrong memory on the irq stack. This patch aims to catch such the situations and adds checks of unauthorized stack access. Every time we enter in interrupt, we check for irq_count, and allow irq stack usage. After last nested irq handler is exited, we prohibit the access back. I did x86_unpoison_irq_stack() and x86_poison_irq_stack() calls unconditional, because this requires to change the order of incl PER_CPU_VAR(irq_count) and UNWIND_HINT_REGS(), and I'm not sure it's legitimately to do. So, irq_count is checked in x86_unpoison_irq_stack(). Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> --- arch/x86/entry/entry_64.S | 6 ++++++ arch/x86/include/asm/processor.h | 6 ++++++ arch/x86/kernel/irq_64.c | 13 +++++++++++++ include/linux/kasan.h | 3 +++ mm/kasan/kasan.c | 16 ++++++++++++++++ 5 files changed, 44 insertions(+) diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 741d9877b357..1e9d69de2528 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -485,6 +485,9 @@ END(irq_entries_start) * The invariant is that, if irq_count != -1, then the IRQ stack is in use. */ .macro ENTER_IRQ_STACK regs=1 old_rsp +#ifdef CONFIG_KASAN + call x86_unpoison_irq_stack +#endif DEBUG_ENTRY_ASSERT_IRQS_OFF movq %rsp, \old_rsp @@ -552,6 +555,9 @@ END(irq_entries_start) */ decl PER_CPU_VAR(irq_count) +#ifdef CONFIG_KASAN + call x86_poison_irq_stack +#endif .endm /* diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h index 793bae7e7ce3..4353e3a85b0b 100644 --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -404,6 +404,12 @@ union irq_stack_union { }; }; +#define KASAN_IRQ_STACK_SIZE \ + (sizeof(union irq_stack_union) - \ + (offsetof(union irq_stack_union, stack_canary) + 8)) + +#define percpu_irq_stack_addr() this_cpu_ptr(irq_stack_union.irq_stack) + DECLARE_PER_CPU_FIRST(union irq_stack_union, irq_stack_union) __visible; DECLARE_INIT_PER_CPU(irq_stack_union); diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c index d86e344f5b3d..ad78f4b3f0b5 100644 --- a/arch/x86/kernel/irq_64.c +++ b/arch/x86/kernel/irq_64.c @@ -77,3 +77,16 @@ bool handle_irq(struct irq_desc *desc, struct pt_regs *regs) generic_handle_irq_desc(desc); return true; } + +#ifdef CONFIG_KASAN +void __visible x86_poison_irq_stack(void) +{ + if (this_cpu_read(irq_count) == -1) + kasan_poison_irq_stack(); +} +void __visible x86_unpoison_irq_stack(void) +{ + if (this_cpu_read(irq_count) == -1) + kasan_unpoison_irq_stack(); +} +#endif diff --git a/include/linux/kasan.h b/include/linux/kasan.h index adc13474a53b..cb433f1bf178 100644 --- a/include/linux/kasan.h +++ b/include/linux/kasan.h @@ -40,6 +40,9 @@ void kasan_unpoison_shadow(const void *address, size_t size); void kasan_unpoison_task_stack(struct task_struct *task); void kasan_unpoison_stack_above_sp_to(const void *watermark); +void kasan_poison_irq_stack(void); +void kasan_unpoison_irq_stack(void); + void kasan_alloc_pages(struct page *page, unsigned int order); void kasan_free_pages(struct page *page, unsigned int order); diff --git a/mm/kasan/kasan.c b/mm/kasan/kasan.c index 0d9d9d268f32..9bc150c87205 100644 --- a/mm/kasan/kasan.c +++ b/mm/kasan/kasan.c @@ -412,6 +412,22 @@ void kasan_poison_object_data(struct kmem_cache *cache, void *object) KASAN_KMALLOC_REDZONE); } +#ifdef KASAN_IRQ_STACK_SIZE +void kasan_poison_irq_stack(void) +{ + void *stack = percpu_irq_stack_addr(); + + kasan_poison_shadow(stack, KASAN_IRQ_STACK_SIZE, KASAN_GLOBAL_REDZONE); +} + +void kasan_unpoison_irq_stack(void) +{ + void *stack = percpu_irq_stack_addr(); + + kasan_unpoison_shadow(stack, KASAN_IRQ_STACK_SIZE); +} +#endif /* KASAN_IRQ_STACK_SIZE */ + static inline int in_irqentry_text(unsigned long ptr) { return (ptr >= (unsigned long)&__irqentry_text_start && -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next reply other threads:[~2018-02-07 16:14 UTC|newest] Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-02-07 16:14 Kirill Tkhai [this message] 2018-02-07 16:14 ` [PATCH RFC] x86: KASAN: Sanitize unauthorized irq stack access Kirill Tkhai 2018-02-07 18:38 ` Dave Hansen 2018-02-07 18:38 ` Dave Hansen 2018-02-07 19:31 ` Dmitry Vyukov 2018-02-07 19:31 ` Dmitry Vyukov 2018-02-08 10:03 ` Kirill Tkhai 2018-02-08 10:03 ` Kirill Tkhai 2018-02-08 16:30 ` Josh Poimboeuf 2018-02-08 16:30 ` Josh Poimboeuf 2018-02-08 16:41 ` Dmitry Vyukov 2018-02-08 16:41 ` Dmitry Vyukov 2018-02-08 17:20 ` Josh Poimboeuf 2018-02-08 17:20 ` Josh Poimboeuf 2018-02-08 19:00 ` Matthew Wilcox 2018-02-08 19:00 ` Matthew Wilcox 2018-02-09 8:53 ` Kirill Tkhai 2018-02-09 8:53 ` Kirill Tkhai
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=151802005995.4570.824586713429099710.stgit@localhost.localdomain \ --to=ktkhai@virtuozzo.com \ --cc=aryabinin@virtuozzo.com \ --cc=bp@alien8.de \ --cc=dave.hansen@linux.intel.com \ --cc=dvyukov@google.com \ --cc=glider@google.com \ --cc=gregkh@linuxfoundation.org \ --cc=hpa@zytor.com \ --cc=jgross@suse.com \ --cc=jpoimboe@redhat.com \ --cc=kasan-dev@googlegroups.com \ --cc=keescook@chromium.org \ --cc=kirill.shutemov@linux.intel.com \ --cc=kstewart@linuxfoundation.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=luto@kernel.org \ --cc=mingo@redhat.com \ --cc=minipli@googlemail.com \ --cc=tglx@linutronix.de \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.