Skip to content
Permalink
Browse files
uaccess-buffer: add core code
Add the core code to support uaccess logging. Subsequent patches will
hook this up to the arch-specific kernel entry and exit code for
certain architectures.

Link: https://linux-review.googlesource.com/id/I6581765646501a5631b281d670903945ebadc57d
Signed-off-by: Peter Collingbourne <pcc@google.com>
  • Loading branch information
pcc authored and intel-lab-lkp committed Nov 23, 2021
1 parent e3924f1 commit e050ed271bb00085068f2c9b6790c2e071154629
Show file tree
Hide file tree
Showing 14 changed files with 324 additions and 3 deletions.
@@ -1302,6 +1302,11 @@ config ARCH_HAS_PARANOID_L1D_FLUSH
config DYNAMIC_SIGFRAME
bool

config HAVE_ARCH_UACCESS_BUFFER
bool
help
Select if the architecture's syscall entry/exit code supports uaccess buffers.

source "kernel/gcov/Kconfig"

source "scripts/gcc-plugins/Kconfig"
@@ -65,6 +65,7 @@
#include <linux/vmalloc.h>
#include <linux/io_uring.h>
#include <linux/syscall_user_dispatch.h>
#include <linux/uaccess-buffer.h>

#include <linux/uaccess.h>
#include <asm/mmu_context.h>
@@ -1313,6 +1314,7 @@ int begin_new_exec(struct linux_binprm * bprm)
me->personality &= ~bprm->per_clear;

clear_syscall_work_syscall_user_dispatch(me);
uaccess_buffer_set_descriptor_addr_addr(0);

/*
* We have to apply CLOEXEC before we change whether the process is
@@ -2,7 +2,7 @@

/*
* This header provides generic wrappers for memory access instrumentation that
* the compiler cannot emit for: KASAN, KCSAN.
* the compiler cannot emit for: KASAN, KCSAN, uaccess buffers.
*/
#ifndef _LINUX_INSTRUMENTED_H
#define _LINUX_INSTRUMENTED_H
@@ -11,6 +11,7 @@
#include <linux/kasan-checks.h>
#include <linux/kcsan-checks.h>
#include <linux/types.h>
#include <linux/uaccess-buffer-log-hooks.h>

/**
* instrument_read - instrument regular read access
@@ -117,6 +118,7 @@ instrument_copy_to_user(void __user *to, const void *from, unsigned long n)
{
kasan_check_read(from, n);
kcsan_check_read(from, n);
uaccess_buffer_log_write(to, n);
}

/**
@@ -134,6 +136,7 @@ instrument_copy_from_user(const void *to, const void __user *from, unsigned long
{
kasan_check_write(to, n);
kcsan_check_write(to, n);
uaccess_buffer_log_read(from, n);
}

#endif /* _LINUX_INSTRUMENTED_H */
@@ -1488,6 +1488,10 @@ struct task_struct {
struct callback_head l1d_flush_kill;
#endif

#ifdef CONFIG_HAVE_ARCH_UACCESS_BUFFER
struct uaccess_buffer_info uaccess_buffer;
#endif

/*
* New fields for task_struct should be added above here, so that
* they are included in the randomized portion of task_struct.
@@ -0,0 +1,59 @@
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _LINUX_UACCESS_BUFFER_LOG_HOOKS_H
#define _LINUX_UACCESS_BUFFER_LOG_HOOKS_H

#ifdef CONFIG_HAVE_ARCH_UACCESS_BUFFER

struct uaccess_buffer_info {
/*
* The pointer to pointer to struct uaccess_descriptor. This is the
* value controlled by prctl(PR_SET_UACCESS_DESCRIPTOR_ADDR_ADDR).
*/
struct uaccess_descriptor __user *__user *desc_ptr_ptr;

/*
* The pointer to struct uaccess_descriptor read at syscall entry time.
*/
struct uaccess_descriptor __user *desc_ptr;

/*
* A pointer to the kernel's temporary copy of the uaccess log for the
* current syscall. We log to a kernel buffer in order to avoid leaking
* timing information to userspace.
*/
struct uaccess_buffer_entry *kbegin;

/*
* The position of the next uaccess buffer entry for the current
* syscall.
*/
struct uaccess_buffer_entry *kcur;

/*
* A pointer to the end of the kernel's uaccess log.
*/
struct uaccess_buffer_entry *kend;

/*
* The pointer to the userspace uaccess log, as read from the
* struct uaccess_descriptor.
*/
struct uaccess_buffer_entry __user *ubegin;
};

void uaccess_buffer_log_read(const void __user *from, unsigned long n);
void uaccess_buffer_log_write(void __user *to, unsigned long n);

#else

static inline void uaccess_buffer_log_read(const void __user *from,
unsigned long n)
{
}
static inline void uaccess_buffer_log_write(void __user *to, unsigned long n)
{
}

#endif

#endif /* _LINUX_UACCESS_BUFFER_LOG_HOOKS_H */
@@ -0,0 +1,79 @@
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _LINUX_UACCESS_BUFFER_H
#define _LINUX_UACCESS_BUFFER_H

#include <linux/sched.h>
#include <uapi/linux/uaccess-buffer.h>

#include <asm-generic/errno-base.h>

#ifdef CONFIG_HAVE_ARCH_UACCESS_BUFFER

static inline bool uaccess_buffer_maybe_blocked(struct task_struct *tsk)
{
return tsk->uaccess_buffer.desc_ptr_ptr;
}

void __uaccess_buffer_syscall_entry(void);
static inline void uaccess_buffer_syscall_entry(void)
{
if (uaccess_buffer_maybe_blocked(current))
__uaccess_buffer_syscall_entry();
}

void __uaccess_buffer_syscall_exit(void);
static inline void uaccess_buffer_syscall_exit(void)
{
if (uaccess_buffer_maybe_blocked(current))
__uaccess_buffer_syscall_exit();
}

bool __uaccess_buffer_pre_exit_loop(void);
static inline bool uaccess_buffer_pre_exit_loop(void)
{
if (!uaccess_buffer_maybe_blocked(current))
return false;
return __uaccess_buffer_pre_exit_loop();
}

void __uaccess_buffer_post_exit_loop(void);
static inline void uaccess_buffer_post_exit_loop(bool pending)
{
if (pending)
__uaccess_buffer_post_exit_loop();
}

void uaccess_buffer_cancel_log(struct task_struct *tsk);
int uaccess_buffer_set_descriptor_addr_addr(unsigned long addr);

#else

static inline bool uaccess_buffer_maybe_blocked(struct task_struct *tsk)
{
return false;
}

static inline void uaccess_buffer_syscall_entry(void)
{
}
static inline void uaccess_buffer_syscall_exit(void)
{
}
static inline bool uaccess_buffer_pre_exit_loop(void)
{
return false;
}
static inline void uaccess_buffer_post_exit_loop(bool pending)
{
}
static inline void uaccess_buffer_cancel_log(struct task_struct *tsk)
{
}

static inline int uaccess_buffer_set_descriptor_addr_addr(unsigned long addr)
{
return -EINVAL;
}
#endif

#endif /* _LINUX_UACCESS_BUFFER_H */
@@ -272,4 +272,7 @@ struct prctl_mm_map {
# define PR_SCHED_CORE_SCOPE_THREAD_GROUP 1
# define PR_SCHED_CORE_SCOPE_PROCESS_GROUP 2

/* Configure uaccess logging feature */
#define PR_SET_UACCESS_DESCRIPTOR_ADDR_ADDR 63

#endif /* _LINUX_PRCTL_H */
@@ -0,0 +1,25 @@
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _UAPI_LINUX_UACCESS_BUFFER_H
#define _UAPI_LINUX_UACCESS_BUFFER_H

/* Location of the uaccess log. */
struct uaccess_descriptor {
/* Address of the uaccess_buffer_entry array. */
__u64 addr;
/* Size of the uaccess_buffer_entry array in number of elements. */
__u64 size;
};

/* Format of the entries in the uaccess log. */
struct uaccess_buffer_entry {
/* Address being accessed. */
__u64 addr;
/* Number of bytes that were accessed. */
__u64 size;
/* UACCESS_BUFFER_* flags. */
__u64 flags;
};

#define UACCESS_BUFFER_FLAG_WRITE 1 /* access was a write */

#endif /* _UAPI_LINUX_UACCESS_BUFFER_H */
@@ -114,6 +114,7 @@ obj-$(CONFIG_KCSAN) += kcsan/
obj-$(CONFIG_SHADOW_CALL_STACK) += scs.o
obj-$(CONFIG_HAVE_STATIC_CALL_INLINE) += static_call.o
obj-$(CONFIG_CFI_CLANG) += cfi.o
obj-$(CONFIG_HAVE_ARCH_UACCESS_BUFFER) += uaccess-buffer.o

obj-$(CONFIG_PERF_EVENTS) += events/

@@ -637,7 +637,11 @@ const struct bpf_func_proto bpf_event_output_data_proto = {
BPF_CALL_3(bpf_copy_from_user, void *, dst, u32, size,
const void __user *, user_ptr)
{
int ret = copy_from_user(dst, user_ptr, size);
/*
* Avoid copy_from_user() here as it may leak information about the BPF
* program to userspace via the uaccess buffer.
*/
int ret = raw_copy_from_user(dst, user_ptr, size);

if (unlikely(ret)) {
memset(dst, 0, size);
@@ -96,6 +96,7 @@
#include <linux/scs.h>
#include <linux/io_uring.h>
#include <linux/bpf.h>
#include <linux/uaccess-buffer.h>

#include <asm/pgalloc.h>
#include <linux/uaccess.h>
@@ -890,6 +891,8 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node)
if (memcg_charge_kernel_stack(tsk))
goto free_stack;

uaccess_buffer_cancel_log(tsk);

stack_vm_area = task_stack_vm_area(tsk);

err = arch_dup_task_struct(tsk, orig);
@@ -45,6 +45,7 @@
#include <linux/posix-timers.h>
#include <linux/cgroup.h>
#include <linux/audit.h>
#include <linux/uaccess-buffer.h>

#define CREATE_TRACE_POINTS
#include <trace/events/signal.h>
@@ -1031,7 +1032,8 @@ static void complete_signal(int sig, struct task_struct *p, enum pid_type type)
if (sig_fatal(p, sig) &&
!(signal->flags & SIGNAL_GROUP_EXIT) &&
!sigismember(&t->real_blocked, sig) &&
(sig == SIGKILL || !p->ptrace)) {
(sig == SIGKILL ||
!(p->ptrace || uaccess_buffer_maybe_blocked(p)))) {
/*
* This signal will be fatal to the whole group.
*/
@@ -42,6 +42,7 @@
#include <linux/version.h>
#include <linux/ctype.h>
#include <linux/syscall_user_dispatch.h>
#include <linux/uaccess-buffer.h>

#include <linux/compat.h>
#include <linux/syscalls.h>
@@ -2530,6 +2531,11 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
error = sched_core_share_pid(arg2, arg3, arg4, arg5);
break;
#endif
case PR_SET_UACCESS_DESCRIPTOR_ADDR_ADDR:
if (arg3 || arg4 || arg5)
return -EINVAL;
error = uaccess_buffer_set_descriptor_addr_addr(arg2);
break;
default:
error = -EINVAL;
break;

0 comments on commit e050ed2

Please sign in to comment.