Commit de54ebbe authored by Kees Cook's avatar Kees Cook Committed by Paul E. McKenney
Browse files

bug: Provide toggle for BUG on data corruption 



The kernel checks for cases of data structure corruption under some
CONFIGs (e.g. CONFIG_DEBUG_LIST). When corruption is detected, some
systems may want to BUG() immediately instead of letting the system run
with known corruption.  Usually these kinds of manipulation primitives can
be used by security flaws to gain arbitrary memory write control. This
provides a new config CONFIG_BUG_ON_DATA_CORRUPTION and a corresponding
macro CHECK_DATA_CORRUPTION for handling these situations. Notably, even
if not BUGing, the kernel should not continue processing the corrupted
structure.

This is inspired by similar hardening by Syed Rameez Mustafa in MSM
kernels, and in PaX and Grsecurity, which is likely in response to earlier
removal of the BUG calls in commit 924d9add ("list debugging: use
WARN() instead of BUG()").

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Acked-by: default avatarSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: default avatarRik van Riel <riel@redhat.com>
parent 0cd340dc

include/linux/bug.h

+17 −0
Original line number Diff line number Diff line
@@ -121,4 +121,21 @@ static inline enum bug_trap_type report_bug(unsigned long bug_addr, 
}



#endif	/* CONFIG_GENERIC_BUG */



/*

 * Since detected data corruption should stop operation on the affected

 * structures, this returns false if the corruption condition is found.

 */

#define CHECK_DATA_CORRUPTION(condition, fmt, ...)			 \

	do {								 \

		if (unlikely(condition)) {				 \

			if (IS_ENABLED(CONFIG_BUG_ON_DATA_CORRUPTION)) { \

				pr_err(fmt, ##__VA_ARGS__);		 \

				BUG();					 \

			} else						 \

				WARN(1, fmt, ##__VA_ARGS__);		 \

			return false;					 \

		}							 \

	} while (0)



#endif	/* _LINUX_BUG_H */

lib/Kconfig.debug

+10 −0
Original line number Diff line number Diff line
@@ -1960,6 +1960,16 @@ config TEST_STATIC_KEYS 


	  If unsure, say N.



config BUG_ON_DATA_CORRUPTION

	bool "Trigger a BUG when data corruption is detected"

	select CONFIG_DEBUG_LIST

	help

	  Select this option if the kernel should BUG when it encounters

	  data corruption in kernel memory structures when they get checked

	  for validity.



	  If unsure, say N.



source "samples/Kconfig"



source "lib/Kconfig.kgdb"

lib/list_debug.c

+22 −35
Original line number Diff line number Diff line
@@ -20,21 +20,16 @@ 
bool __list_add_valid(struct list_head *new, struct list_head *prev,

		      struct list_head *next)

{

	if (unlikely(next->prev != prev)) {

		WARN(1, "list_add corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",

	CHECK_DATA_CORRUPTION(next->prev != prev,

		"list_add corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",

		prev, next->prev, next);

		return false;

	}

	if (unlikely(prev->next != next)) {

		WARN(1, "list_add corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",

	CHECK_DATA_CORRUPTION(prev->next != next,

		"list_add corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",

		next, prev->next, prev);

		return false;

	}

	if (unlikely(new == prev || new == next)) {

		WARN(1, "list_add double add: new=%p, prev=%p, next=%p.\n",

	CHECK_DATA_CORRUPTION(new == prev || new == next,

		"list_add double add: new=%p, prev=%p, next=%p.\n",

		new, prev, next);

		return false;

	}



	return true;

}

EXPORT_SYMBOL(__list_add_valid);
@@ -46,26 +41,18 @@ bool __list_del_entry_valid(struct list_head *entry) 
	prev = entry->prev;

	next = entry->next;



	if (unlikely(next == LIST_POISON1)) {

		WARN(1, "list_del corruption, %p->next is LIST_POISON1 (%p)\n",

	CHECK_DATA_CORRUPTION(next == LIST_POISON1,

		"list_del corruption, %p->next is LIST_POISON1 (%p)\n",

		entry, LIST_POISON1);

		return false;

	}

	if (unlikely(prev == LIST_POISON2)) {

		WARN(1, "list_del corruption, %p->prev is LIST_POISON2 (%p)\n",

	CHECK_DATA_CORRUPTION(prev == LIST_POISON2,

		"list_del corruption, %p->prev is LIST_POISON2 (%p)\n",

		entry, LIST_POISON2);

		return false;

	}

	if (unlikely(prev->next != entry)) {

		WARN(1, "list_del corruption. prev->next should be %p, but was %p\n",

	CHECK_DATA_CORRUPTION(prev->next != entry,

		"list_del corruption. prev->next should be %p, but was %p\n",

		entry, prev->next);

		return false;

	}

	if (unlikely(next->prev != entry)) {

		WARN(1, "list_del corruption. next->prev should be %p, but was %p\n",

	CHECK_DATA_CORRUPTION(next->prev != entry,

		"list_del corruption. next->prev should be %p, but was %p\n",

		entry, next->prev);

		return false;

	}

	return true;



}

CRA Git | Maintained and supported by SUSTech CRA and CCSE