ARM: software-based priviledged-no-access support (a5e090ac) · Commits · 戴 / test

arch/arm/Kconfig

+15 −0

Original line number	Diff line number	Diff line
		@@ -1694,6 +1694,21 @@ config HIGHPTE
		bool "Allocate 2nd-level pagetables from highmem"
		depends on HIGHMEM

		config CPU_SW_DOMAIN_PAN
		bool "Enable use of CPU domains to implement privileged no-access"
		depends on MMU && !ARM_LPAE
		default y
		help
		Increase kernel security by ensuring that normal kernel accesses
		are unable to access userspace addresses. This can help prevent
		use-after-free bugs becoming an exploitable privilege escalation
		by ensuring that magic values (such as LIST_POISON) will always
		fault when dereferenced.

		CPUs with low-vector mappings use a best-efforts implementation.
		Their lower 1MB needs to remain accessible for the vectors, but
		the remainder of userspace will become appropriately inaccessible.

		config HW_PERF_EVENTS
		bool "Enable hardware performance counter support for perf events"
		depends on PERF_EVENTS

+30 −0

Original line number	Diff line number	Diff line
		@@ -446,15 +446,45 @@ THUMB( orr \reg , \reg , #PSR_T_BIT )
		.endm

		.macro uaccess_disable, tmp, isb=1
		#ifdef CONFIG_CPU_SW_DOMAIN_PAN
		/*
		* Whenever we re-enter userspace, the domains should always be
		* set appropriately.
		*/
		mov \tmp, #DACR_UACCESS_DISABLE
		mcr p15, 0, \tmp, c3, c0, 0 @ Set domain register
		.if \isb
		instr_sync
		.endif
		#endif
		.endm

		.macro uaccess_enable, tmp, isb=1
		#ifdef CONFIG_CPU_SW_DOMAIN_PAN
		/*
		* Whenever we re-enter userspace, the domains should always be
		* set appropriately.
		*/
		mov \tmp, #DACR_UACCESS_ENABLE
		mcr p15, 0, \tmp, c3, c0, 0
		.if \isb
		instr_sync
		.endif
		#endif
		.endm

		.macro uaccess_save, tmp
		#ifdef CONFIG_CPU_SW_DOMAIN_PAN
		mrc p15, 0, \tmp, c3, c0, 0
		str \tmp, [sp, #S_FRAME_SIZE]
		#endif
		.endm

		.macro uaccess_restore
		#ifdef CONFIG_CPU_SW_DOMAIN_PAN
		ldr r0, [sp, #S_FRAME_SIZE]
		mcr p15, 0, r0, c3, c0, 0
		#endif
		.endm

		.macro uaccess_save_and_disable, tmp

+19 −2

Original line number	Diff line number	Diff line
		@@ -57,11 +57,29 @@
		#define domain_mask(dom) ((3) << (2 * (dom)))
		#define domain_val(dom,type) ((type) << (2 * (dom)))

		#ifdef CONFIG_CPU_SW_DOMAIN_PAN
		#define DACR_INIT \
		(domain_val(DOMAIN_USER, DOMAIN_NOACCESS) \| \
		domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) \| \
		domain_val(DOMAIN_IO, DOMAIN_CLIENT) \| \
		domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT))
		#else
		#define DACR_INIT \
		(domain_val(DOMAIN_USER, DOMAIN_CLIENT) \| \
		domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) \| \
		domain_val(DOMAIN_IO, DOMAIN_CLIENT) \| \
		domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT))
		#endif

		#define __DACR_DEFAULT \
		domain_val(DOMAIN_KERNEL, DOMAIN_CLIENT) \| \
		domain_val(DOMAIN_IO, DOMAIN_CLIENT) \| \
		domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT)

		#define DACR_UACCESS_DISABLE \
		(__DACR_DEFAULT \| domain_val(DOMAIN_USER, DOMAIN_NOACCESS))
		#define DACR_UACCESS_ENABLE \
		(__DACR_DEFAULT \| domain_val(DOMAIN_USER, DOMAIN_CLIENT))

		#ifndef __ASSEMBLY__

		@@ -76,7 +94,6 @@ static inline unsigned int get_domain(void)
		return domain;
		}

		#ifdef CONFIG_CPU_USE_DOMAINS
		static inline void set_domain(unsigned val)
		{
		asm volatile(
		@@ -85,6 +102,7 @@ static inline void set_domain(unsigned val)
		isb();
		}

		#ifdef CONFIG_CPU_USE_DOMAINS
		#define modify_domain(dom,type) \
		do { \
		unsigned int domain = get_domain(); \
		@@ -94,7 +112,6 @@ static inline void set_domain(unsigned val)
		} while (0)

		#else
		static inline void set_domain(unsigned val) { }
		static inline void modify_domain(unsigned dom, unsigned type) { }
		#endif

+14 −0

Original line number	Diff line number	Diff line
		@@ -57,11 +57,25 @@ extern int fixup_exception(struct pt_regs *regs);
		*/
		static inline unsigned int uaccess_save_and_enable(void)
		{
		#ifdef CONFIG_CPU_SW_DOMAIN_PAN
		unsigned int old_domain = get_domain();

		/* Set the current domain access to permit user accesses */
		set_domain((old_domain & ~domain_mask(DOMAIN_USER)) \|
		domain_val(DOMAIN_USER, DOMAIN_CLIENT));

		return old_domain;
		#else
		return 0;
		#endif
		}

		static inline void uaccess_restore(unsigned int flags)
		{
		#ifdef CONFIG_CPU_SW_DOMAIN_PAN
		/* Restore the user access mask */
		set_domain(flags);
		#endif
		}

		/*

+30 −6

Original line number	Diff line number	Diff line
		@@ -129,12 +129,36 @@ void __show_regs(struct pt_regs *regs)
		buf[4] = '\0';

		#ifndef CONFIG_CPU_V7M
		{
		unsigned int domain = get_domain();
		const char *segment;

		#ifdef CONFIG_CPU_SW_DOMAIN_PAN
		/*
		* Get the domain register for the parent context. In user
		* mode, we don't save the DACR, so lets use what it should
		* be. For other modes, we place it after the pt_regs struct.
		*/
		if (user_mode(regs))
		domain = DACR_UACCESS_ENABLE;
		else
		domain = (unsigned int )(regs + 1);
		#endif

		if ((domain & domain_mask(DOMAIN_USER)) ==
		domain_val(DOMAIN_USER, DOMAIN_NOACCESS))
		segment = "none";
		else if (get_fs() == get_ds())
		segment = "kernel";
		else
		segment = "user";

		printk("Flags: %s IRQs o%s FIQs o%s Mode %s ISA %s Segment %s\n",
		buf, interrupts_enabled(regs) ? "n" : "ff",
		fast_interrupts_enabled(regs) ? "n" : "ff",
		processor_modes[processor_mode(regs)],
		isa_modes[isa_mode(regs)],
		get_fs() == get_ds() ? "kernel" : "user");
		isa_modes[isa_mode(regs)], segment);
		}
		#else
		printk("xPSR: %08lx\n", regs->ARM_cpsr);
		#endif