1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Clang Control Flow Integrity (CFI) error and slowpath handling.
4 *
5 * Copyright (C) 2021 Google LLC
6 */
7
8 #include <linux/hardirq.h>
9 #include <linux/kallsyms.h>
10 #include <linux/module.h>
11 #include <linux/mutex.h>
12 #include <linux/printk.h>
13 #include <linux/ratelimit.h>
14 #include <linux/rcupdate.h>
15 #include <linux/vmalloc.h>
16 #include <asm/cacheflush.h>
17 #include <asm/set_memory.h>
18
19 /* Compiler-defined handler names */
20 #ifdef CONFIG_CFI_PERMISSIVE
21 #define cfi_failure_handler __ubsan_handle_cfi_check_fail
22 #else
23 #define cfi_failure_handler __ubsan_handle_cfi_check_fail_abort
24 #endif
25
handle_cfi_failure(void * ptr)26 static inline void handle_cfi_failure(void *ptr)
27 {
28 if (IS_ENABLED(CONFIG_CFI_PERMISSIVE))
29 WARN_RATELIMIT(1, "CFI failure (target: %pS):\n", ptr);
30 else
31 panic("CFI failure (target: %pS)\n", ptr);
32 }
33
34 #ifdef CONFIG_MODULES
35 #ifdef CONFIG_CFI_CLANG_SHADOW
36 /*
37 * Index type. A 16-bit index can address at most (2^16)-2 pages (taking
38 * into account SHADOW_INVALID), i.e. ~256M with 4k pages.
39 */
40 typedef u16 shadow_t;
41 #define SHADOW_INVALID ((shadow_t)~0UL)
42
43 struct cfi_shadow {
44 /* Page index for the beginning of the shadow */
45 unsigned long base;
46 /* rcu to free old cfi_shadow asynchronously */
47 struct rcu_head rcu;
48 /* An array of __cfi_check locations (as indices to the shadow) */
49 shadow_t shadow[1];
50 } __packed;
51
52 /*
53 * The shadow covers ~128M from the beginning of the module region. If
54 * the region is larger, we fall back to __module_address for the rest.
55 */
56 #define __SHADOW_RANGE (_UL(SZ_128M) >> PAGE_SHIFT)
57
58 /* The in-memory size of struct cfi_shadow, always at least one page */
59 #define __SHADOW_PAGES ((__SHADOW_RANGE * sizeof(shadow_t)) >> PAGE_SHIFT)
60 #define SHADOW_PAGES max(1UL, __SHADOW_PAGES)
61 #define SHADOW_SIZE (SHADOW_PAGES << PAGE_SHIFT)
62
63 /* The actual size of the shadow array, minus metadata */
64 #define SHADOW_ARR_SIZE (SHADOW_SIZE - offsetof(struct cfi_shadow, shadow))
65 #define SHADOW_ARR_SLOTS (SHADOW_ARR_SIZE / sizeof(shadow_t))
66
67 static DEFINE_MUTEX(shadow_update_lock);
68 static struct cfi_shadow __rcu *cfi_shadow __read_mostly;
69
70 /* Returns the index in the shadow for the given address */
ptr_to_shadow(const struct cfi_shadow * s,unsigned long ptr)71 static inline int ptr_to_shadow(const struct cfi_shadow *s, unsigned long ptr)
72 {
73 unsigned long index;
74 unsigned long page = ptr >> PAGE_SHIFT;
75
76 if (unlikely(page < s->base))
77 return -1; /* Outside of module area */
78
79 index = page - s->base;
80
81 if (index >= SHADOW_ARR_SLOTS)
82 return -1; /* Cannot be addressed with shadow */
83
84 return (int)index;
85 }
86
87 /* Returns the page address for an index in the shadow */
shadow_to_ptr(const struct cfi_shadow * s,int index)88 static inline unsigned long shadow_to_ptr(const struct cfi_shadow *s,
89 int index)
90 {
91 if (unlikely(index < 0 || index >= SHADOW_ARR_SLOTS))
92 return 0;
93
94 return (s->base + index) << PAGE_SHIFT;
95 }
96
97 /* Returns the __cfi_check function address for the given shadow location */
shadow_to_check_fn(const struct cfi_shadow * s,int index)98 static inline unsigned long shadow_to_check_fn(const struct cfi_shadow *s,
99 int index)
100 {
101 if (unlikely(index < 0 || index >= SHADOW_ARR_SLOTS))
102 return 0;
103
104 if (unlikely(s->shadow[index] == SHADOW_INVALID))
105 return 0;
106
107 /* __cfi_check is always page aligned */
108 return (s->base + s->shadow[index]) << PAGE_SHIFT;
109 }
110
prepare_next_shadow(const struct cfi_shadow __rcu * prev,struct cfi_shadow * next)111 static void prepare_next_shadow(const struct cfi_shadow __rcu *prev,
112 struct cfi_shadow *next)
113 {
114 int i, index, check;
115
116 /* Mark everything invalid */
117 memset(next->shadow, 0xFF, SHADOW_ARR_SIZE);
118
119 if (!prev)
120 return; /* No previous shadow */
121
122 /* If the base address didn't change, an update is not needed */
123 if (prev->base == next->base) {
124 memcpy(next->shadow, prev->shadow, SHADOW_ARR_SIZE);
125 return;
126 }
127
128 /* Convert the previous shadow to the new address range */
129 for (i = 0; i < SHADOW_ARR_SLOTS; ++i) {
130 if (prev->shadow[i] == SHADOW_INVALID)
131 continue;
132
133 index = ptr_to_shadow(next, shadow_to_ptr(prev, i));
134 if (index < 0)
135 continue;
136
137 check = ptr_to_shadow(next,
138 shadow_to_check_fn(prev, prev->shadow[i]));
139 if (check < 0)
140 continue;
141
142 next->shadow[index] = (shadow_t)check;
143 }
144 }
145
add_module_to_shadow(struct cfi_shadow * s,struct module * mod,unsigned long min_addr,unsigned long max_addr)146 static void add_module_to_shadow(struct cfi_shadow *s, struct module *mod,
147 unsigned long min_addr, unsigned long max_addr)
148 {
149 int check_index;
150 unsigned long check = (unsigned long)mod->cfi_check;
151 unsigned long ptr;
152
153 if (unlikely(!PAGE_ALIGNED(check))) {
154 pr_warn("cfi: not using shadow for module %s\n", mod->name);
155 return;
156 }
157
158 check_index = ptr_to_shadow(s, check);
159 if (check_index < 0)
160 return; /* Module not addressable with shadow */
161
162 /* For each page, store the check function index in the shadow */
163 for (ptr = min_addr; ptr <= max_addr; ptr += PAGE_SIZE) {
164 int index = ptr_to_shadow(s, ptr);
165
166 if (index >= 0) {
167 /* Each page must only contain one module */
168 WARN_ON_ONCE(s->shadow[index] != SHADOW_INVALID);
169 s->shadow[index] = (shadow_t)check_index;
170 }
171 }
172 }
173
remove_module_from_shadow(struct cfi_shadow * s,struct module * mod,unsigned long min_addr,unsigned long max_addr)174 static void remove_module_from_shadow(struct cfi_shadow *s, struct module *mod,
175 unsigned long min_addr, unsigned long max_addr)
176 {
177 unsigned long ptr;
178
179 for (ptr = min_addr; ptr <= max_addr; ptr += PAGE_SIZE) {
180 int index = ptr_to_shadow(s, ptr);
181
182 if (index >= 0)
183 s->shadow[index] = SHADOW_INVALID;
184 }
185 }
186
free_shadow(struct rcu_head * rcu)187 static void free_shadow(struct rcu_head *rcu)
188 {
189 struct cfi_shadow *old = container_of(rcu, struct cfi_shadow, rcu);
190
191 vfree(old);
192 }
193
194 typedef void (*update_shadow_fn)(struct cfi_shadow *, struct module *,
195 unsigned long min_addr, unsigned long max_addr);
196
update_shadow(struct module * mod,unsigned long base_addr,update_shadow_fn fn)197 static void update_shadow(struct module *mod, unsigned long base_addr,
198 update_shadow_fn fn)
199 {
200 struct cfi_shadow *prev;
201 struct cfi_shadow *next;
202 unsigned long min_addr, max_addr;
203
204 next = vmalloc(SHADOW_SIZE);
205
206 mutex_lock(&shadow_update_lock);
207 prev = rcu_dereference_protected(cfi_shadow,
208 mutex_is_locked(&shadow_update_lock));
209
210 if (next) {
211 next->base = base_addr >> PAGE_SHIFT;
212 prepare_next_shadow(prev, next);
213
214 min_addr = (unsigned long)mod->core_layout.base;
215 max_addr = min_addr + mod->core_layout.text_size;
216 fn(next, mod, min_addr & PAGE_MASK, max_addr & PAGE_MASK);
217
218 set_memory_ro((unsigned long)next, SHADOW_PAGES);
219 }
220
221 rcu_assign_pointer(cfi_shadow, next);
222 mutex_unlock(&shadow_update_lock);
223
224 if (prev) {
225 set_memory_rw((unsigned long)prev, SHADOW_PAGES);
226 call_rcu(&prev->rcu, free_shadow);
227 }
228 }
229
cfi_module_add(struct module * mod,unsigned long base_addr)230 void cfi_module_add(struct module *mod, unsigned long base_addr)
231 {
232 update_shadow(mod, base_addr, add_module_to_shadow);
233 }
234
cfi_module_remove(struct module * mod,unsigned long base_addr)235 void cfi_module_remove(struct module *mod, unsigned long base_addr)
236 {
237 update_shadow(mod, base_addr, remove_module_from_shadow);
238 }
239
ptr_to_check_fn(const struct cfi_shadow __rcu * s,unsigned long ptr)240 static inline cfi_check_fn ptr_to_check_fn(const struct cfi_shadow __rcu *s,
241 unsigned long ptr)
242 {
243 int index;
244
245 if (unlikely(!s))
246 return NULL; /* No shadow available */
247
248 index = ptr_to_shadow(s, ptr);
249 if (index < 0)
250 return NULL; /* Cannot be addressed with shadow */
251
252 return (cfi_check_fn)shadow_to_check_fn(s, index);
253 }
254
find_shadow_check_fn(unsigned long ptr)255 static inline cfi_check_fn find_shadow_check_fn(unsigned long ptr)
256 {
257 cfi_check_fn fn;
258
259 rcu_read_lock_sched_notrace();
260 fn = ptr_to_check_fn(rcu_dereference_sched(cfi_shadow), ptr);
261 rcu_read_unlock_sched_notrace();
262
263 return fn;
264 }
265
266 #else /* !CONFIG_CFI_CLANG_SHADOW */
267
find_shadow_check_fn(unsigned long ptr)268 static inline cfi_check_fn find_shadow_check_fn(unsigned long ptr)
269 {
270 return NULL;
271 }
272
273 #endif /* CONFIG_CFI_CLANG_SHADOW */
274
find_module_check_fn(unsigned long ptr)275 static inline cfi_check_fn find_module_check_fn(unsigned long ptr)
276 {
277 cfi_check_fn fn = NULL;
278 struct module *mod;
279
280 rcu_read_lock_sched_notrace();
281 mod = __module_address(ptr);
282 if (mod)
283 fn = mod->cfi_check;
284 rcu_read_unlock_sched_notrace();
285
286 return fn;
287 }
288
find_check_fn(unsigned long ptr)289 static inline cfi_check_fn find_check_fn(unsigned long ptr)
290 {
291 cfi_check_fn fn = NULL;
292 unsigned long flags;
293 bool rcu_idle;
294
295 if (is_kernel_text(ptr))
296 return __cfi_check;
297
298 /*
299 * Indirect call checks can happen when RCU is not watching. Both
300 * the shadow and __module_address use RCU, so we need to wake it
301 * up if necessary.
302 */
303 rcu_idle = !rcu_is_watching();
304 if (rcu_idle) {
305 local_irq_save(flags);
306 rcu_irq_enter();
307 }
308
309 if (IS_ENABLED(CONFIG_CFI_CLANG_SHADOW))
310 fn = find_shadow_check_fn(ptr);
311 if (!fn)
312 fn = find_module_check_fn(ptr);
313
314 if (rcu_idle) {
315 rcu_irq_exit();
316 local_irq_restore(flags);
317 }
318
319 return fn;
320 }
321
___cfi_slowpath_diag(uint64_t id,void * ptr,void * diag)322 static inline void __nocfi ___cfi_slowpath_diag(uint64_t id, void *ptr, void *diag)
323 {
324 cfi_check_fn fn = find_check_fn((unsigned long)ptr);
325
326 if (likely(fn))
327 fn(id, ptr, diag);
328 else /* Don't allow unchecked modules */
329 handle_cfi_failure(ptr);
330 }
331
__cfi_slowpath_diag(uint64_t id,void * ptr,void * diag)332 void __cfi_slowpath_diag(uint64_t id, void *ptr, void *diag)
333 {
334 ___cfi_slowpath_diag(id, ptr, diag);
335 }
336 EXPORT_SYMBOL(__cfi_slowpath_diag);
337
338 #else /* !CONFIG_MODULES */
339
__cfi_slowpath_diag(uint64_t id,void * ptr,void * diag)340 void __cfi_slowpath_diag(uint64_t id, void *ptr, void *diag)
341 {
342 handle_cfi_failure(ptr); /* No modules */
343 }
344 EXPORT_SYMBOL(__cfi_slowpath_diag);
345
346 #endif /* CONFIG_MODULES */
347
cfi_failure_handler(void * data,void * ptr,void * vtable)348 void cfi_failure_handler(void *data, void *ptr, void *vtable)
349 {
350 handle_cfi_failure(ptr);
351 }
352 EXPORT_SYMBOL(cfi_failure_handler);
353