Patch series "exec: Pin stack limit during exec". Attempts to solve problems with the stack limit changing during exec continue to be frustrated[1][2]. In addition to the specific issues around the Stack Clash family of flaws, Andy Lutomirski pointed out[3] other places during exec where the stack limit is used and is assumed to be unchanging. Given the many places it gets used and the fact that it can be manipulated/raced via setrlimit() and prlimit(), I think the only way to handle this is to move away from the "current" view of the stack limit and instead attach it to the bprm, and plumb this down into the functions that need to know the stack limits. This series implements the approach. [1]04e35f4495
("exec: avoid RLIMIT_STACK races with prlimit()") [2]779f4e1c6c
("Revert "exec: avoid RLIMIT_STACK races with prlimit()"") [3] to security@kernel.org, "Subject: existing rlimit races?" This patch (of 3): Since it is possible that the stack rlimit can change externally during exec (either via another thread calling setrlimit() or another process calling prlimit()), provide a way to pass the rlimit down into the per-architecture mm layout functions so that the rlimit can stay in the bprm structure instead of sitting in the signal structure until exec is finalized. Link: http://lkml.kernel.org/r/1518638796-20819-2-git-send-email-keescook@chromium.org Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Ben Hutchings <ben@decadent.org.uk> Cc: Willy Tarreau <w@1wt.eu> Cc: Hugh Dickins <hughd@google.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: "Jason A. Donenfeld" <Jason@zx2c4.com> Cc: Rik van Riel <riel@redhat.com> Cc: Laura Abbott <labbott@redhat.com> Cc: Greg KH <greg@kroah.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Ben Hutchings <ben.hutchings@codethink.co.uk> Cc: Brad Spengler <spender@grsecurity.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _LINUX_SCHED_MM_H
#define _LINUX_SCHED_MM_H
#include <linux/kernel.h>
#include <linux/atomic.h>
#include <linux/sched.h>
#include <linux/mm_types.h>
#include <linux/gfp.h>
#include <linux/sync_core.h>
/*
* Routines for handling mm_structs
*/
/*
 * mm_alloc() - allocate and initialise a fresh &struct mm_struct.
 *
 * NOTE(review): the definition is not in this header; callers should
 * treat a NULL return as allocation failure — confirm against kernel/fork.c.
 */
extern struct mm_struct *mm_alloc(void);
/**
 * mmgrab() - Pin a &struct mm_struct.
 * @mm: The &struct mm_struct to pin.
 *
 * Make sure that @mm will not get freed even after the owning task
 * exits. This doesn't guarantee that the associated address space
 * will still exist later on and mmget_not_zero() has to be used before
 * accessing it.
 *
 * This is the preferred way to pin @mm for a longer/unbounded amount
 * of time.
 *
 * Use mmdrop() to release the reference acquired by mmgrab().
 *
 * See also <Documentation/vm/active_mm.txt> for an in-depth explanation
 * of &mm_struct.mm_count vs &mm_struct.mm_users.
 */
static inline void mmgrab(struct mm_struct *mm)
{
	/*
	 * Unconditional increment: this is only safe while @mm is known to
	 * be alive (the caller already holds a count, or is a task that still
	 * uses it).  There is no "not zero" variant for mm_count here.
	 */
	atomic_inc(&mm->mm_count);
}
/*
 * __mmdrop() - slow path of mmdrop(): called once &mm_struct.mm_count has
 * reached zero and the mm_struct itself can be freed.  Do not call this
 * directly; use mmdrop(), which does the reference accounting.
 */
extern void __mmdrop(struct mm_struct *mm);
/**
 * mmdrop() - Drop a reference taken with mmgrab().
 * @mm: The &struct mm_struct to unpin.
 *
 * Decrements &mm_struct.mm_count and, only when it reaches zero, hands
 * @mm to __mmdrop() to be freed.  Every other caller pays just one
 * atomic decrement.
 */
static inline void mmdrop(struct mm_struct *mm)
{
	/*
	 * The implicit full barrier implied by atomic_dec_and_test() is
	 * required by the membarrier system call before returning to
	 * user-space, after storing to rq->curr.  Do not replace this with
	 * a weaker/relaxed atomic: membarrier() relies on that ordering.
	 */
	if (unlikely(atomic_dec_and_test(&mm->mm_count)))
		__mmdrop(mm);
}
/**
 * mmget() - Pin the address space associated with a &struct mm_struct.
 * @mm: The address space to pin.
 *
 * Make sure that the address space of the given &struct mm_struct doesn't
 * go away. This does not protect against parts of the address space being
 * modified or freed, however.
 *
 * Never use this function to pin this address space for an
 * unbounded/indefinite amount of time.
 *
 * Use mmput() to release the reference acquired by mmget().
 *
 * See also <Documentation/vm/active_mm.txt> for an in-depth explanation
 * of &mm_struct.mm_count vs &mm_struct.mm_users.
 */
static inline void mmget(struct mm_struct *mm)
{
	/*
	 * Unconditional increment of mm_users.  If mm_users may already have
	 * dropped to zero (address space being torn down), the caller must
	 * use mmget_not_zero() instead — resurrecting a zero count here would
	 * hand out a reference to an address space that is going away.
	 */
	atomic_inc(&mm->mm_users);
}
/**
 * mmget_not_zero() - Try to pin the address space of a &struct mm_struct.
 * @mm: The address space to pin.
 *
 * Like mmget(), but fails instead of incrementing when &mm_struct.mm_users
 * is already zero, i.e. when the address space is being torn down.  This
 * is the only safe way to take a users reference on an mm that the caller
 * merely has pinned with mmgrab() (see the mmgrab() description).
 *
 * Return: true if a reference was taken (release it with mmput()),
 * false if the address space is already going away.
 */
static inline bool mmget_not_zero(struct mm_struct *mm)
{
	return atomic_inc_not_zero(&mm->mm_users);
}
/*
 * mmput() - release a reference taken with mmget()/mmget_not_zero().
 * When the last user goes away this gets rid of the mappings and all of
 * user-space (the slow path); the mm_struct itself lives on until its
 * mm_count also drops to zero (see mmdrop()).
 */
extern void mmput(struct mm_struct *);
#ifdef CONFIG_MMU
/*
 * mmput_async() - same as mmput() but performs the slow path (the teardown
 * above) from an asynchronous context, so it can be called from atomic
 * context as well.
 */
void mmput_async(struct mm_struct *);
#endif

/*
 * get_task_mm() - grab a reference to @task's mm, or return NULL if it is
 * already going away.  No permission check is made on the caller: this is
 * for code acting on the kernel's own behalf, not for exposing another
 * task's address space to user-space.
 */
extern struct mm_struct *get_task_mm(struct task_struct *task);
/*
 * mm_access() - like get_task_mm(), but only succeeds if, in addition,
 * ptrace_may_access() with the @mode parameter passed to it succeeds
 * (@mode is presumably a PTRACE_MODE_* value — confirm against
 * ptrace_may_access()).  Use this rather than get_task_mm() whenever the
 * request originates from user-space (e.g. a /proc/<pid> interface);
 * otherwise the ptrace access checks protecting other users' memory are
 * bypassed.
 *
 * NOTE(review): the implementation is not in this header; it is expected to
 * signal a failed access check with an ERR_PTR() rather than NULL, so check
 * the result with IS_ERR() as well as for NULL — confirm in kernel/fork.c.
 */
extern struct mm_struct *mm_access(struct task_struct *task, unsigned int mode);
/* Remove the current task's stale references to the old mm_struct */
extern void mm_release(struct task_struct *, struct mm_struct *);
#ifdef CONFIG_MEMCG
/*
 * mm_update_next_owner() - only meaningful with CONFIG_MEMCG, where an mm
 * needs a live owner task; presumably selects a new one when the current
 * owner exits — confirm against the definition in kernel/exit.c.
 */
extern void mm_update_next_owner(struct mm_struct *mm);
#else
/* No owner tracking without memcg: a stub so callers need no #ifdef. */
static inline void mm_update_next_owner(struct mm_struct *mm)
{
}
#endif /* CONFIG_MEMCG */
#ifdef CONFIG_MMU
/*
 * arch_pick_mmap_layout() - choose the mmap base / layout for a new @mm.
 * @mm: the address space being set up (at exec time).
 * @rlim_stack: the stack rlimit to lay the mmap region out against.
 *
 * The stack limit is passed in explicitly rather than being read from
 * current->signal->rlim, because RLIMIT_STACK can change under exec at
 * any time (another thread calling setrlimit(), or another process calling
 * prlimit()).  exec snapshots the limit into the bprm and plumbs that copy
 * down here, so the layout decision cannot race with an external change.
 * Arch implementations must therefore use @rlim_stack only and must not
 * re-read the rlimit from the signal struct.
 */
extern void arch_pick_mmap_layout(struct mm_struct *mm,
				  struct rlimit *rlim_stack);
/*
 * Per-arch search for a free range of @len bytes for a new mapping; the
 * second form searches top-down.  Parameters follow get_unmapped_area():
 * (file, addr hint, len, pgoff, flags).
 */
extern unsigned long
arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
		       unsigned long, unsigned long);
extern unsigned long
arch_get_unmapped_area_topdown(struct file *filp, unsigned long addr,
			       unsigned long len, unsigned long pgoff,
			       unsigned long flags);
#else
/* !CONFIG_MMU: no mmap layout to choose; keep the same signature as above. */
static inline void arch_pick_mmap_layout(struct mm_struct *mm,
					 struct rlimit *rlim_stack) {}
#endif
/*
 * in_vfork() - is @tsk a vfork() child whose parent is still waiting on it?
 * @tsk: the task to examine.
 *
 * True when @tsk has a vfork completion pending and still shares its
 * address space with its real parent.
 */
static inline bool in_vfork(struct task_struct *tsk)
{
	bool vforked;

	/*
	 * ->real_parent may only be dereferenced under RCU when CLONE_VM was
	 * combined with CLONE_PARENT: it is then not necessarily the task
	 * that did the vfork(), so task_lock() cannot be relied upon.
	 *
	 * The real_parent->mm == tsk->mm comparison is needed because
	 * CLONE_VFORK does not imply CLONE_VM.
	 *
	 * With CLONE_VFORK + CLONE_PARENT/CLONE_THREAD the comparison can
	 * yield a false negative; that is tolerated — if init or another
	 * oom-unkillable task does this it has only itself to blame.
	 */
	rcu_read_lock();
	vforked = false;
	if (tsk->vfork_done)
		vforked = (tsk->real_parent->mm == tsk->mm);
	rcu_read_unlock();

	return vforked;
}
/*
 * current_gfp_context() - narrow @flags by the calling task's PF_MEMALLOC_*
 * scope.
 * @flags: the gfp mask the caller intended to use.
 *
 * Returns @flags with __GFP_IO and __GFP_FS cleared while the task is in a
 * memalloc_noio_save() section (PF_MEMALLOC_NOIO implies GFP_NOIO), with
 * just __GFP_FS cleared while it is in a memalloc_nofs_save() section
 * (PF_MEMALLOC_NOFS implies GFP_NOFS), and unchanged otherwise.
 */
static inline gfp_t current_gfp_context(gfp_t flags)
{
	/*
	 * A NOIO scope forbids both I/O and FS reclaim, so it must take
	 * precedence over a NOFS scope when both flags are set: test it first.
	 */
	if (unlikely(current->flags & PF_MEMALLOC_NOIO))
		return flags & ~(__GFP_IO | __GFP_FS);

	if (unlikely(current->flags & PF_MEMALLOC_NOFS))
		return flags & ~__GFP_FS;

	return flags;
}
#ifdef CONFIG_LOCKDEP
/*
 * fs_reclaim_acquire()/fs_reclaim_release() - lockdep annotations that mark
 * a section in which allocation with @gfp_mask may enter filesystem
 * reclaim, so that lock ordering against reclaim is checked.  Definitions
 * are outside this header.
 */
extern void fs_reclaim_acquire(gfp_t gfp_mask);
extern void fs_reclaim_release(gfp_t gfp_mask);
#else
/* Without lockdep there is nothing to track: compile to nothing. */
static inline void fs_reclaim_acquire(gfp_t gfp_mask) { }
static inline void fs_reclaim_release(gfp_t gfp_mask) { }
#endif
/*
 * memalloc_noio_save() - enter a scope in which allocations must not do I/O.
 *
 * Sets PF_MEMALLOC_NOIO on the current task (current_gfp_context() then
 * strips __GFP_IO and __GFP_FS from every gfp mask) and returns the
 * previous state of that bit, to be handed back to memalloc_noio_restore()
 * so that nesting works.
 */
static inline unsigned int memalloc_noio_save(void)
{
	unsigned int pf = current->flags;

	current->flags = pf | PF_MEMALLOC_NOIO;
	return pf & PF_MEMALLOC_NOIO;
}
/*
 * memalloc_noio_restore() - leave a scope opened by memalloc_noio_save().
 * @flags: the value memalloc_noio_save() returned for this scope.
 *
 * Puts PF_MEMALLOC_NOIO back to the state it had before the matching
 * save; all other task flags are left untouched.
 */
static inline void memalloc_noio_restore(unsigned int flags)
{
	unsigned int pf = current->flags;

	pf &= ~PF_MEMALLOC_NOIO;
	pf |= flags;
	current->flags = pf;
}
/*
 * memalloc_nofs_save() - enter a scope in which allocations must not
 * recurse into the filesystem.
 *
 * Sets PF_MEMALLOC_NOFS on the current task (current_gfp_context() then
 * strips __GFP_FS from every gfp mask) and returns the previous state of
 * that bit, to be handed back to memalloc_nofs_restore() so that nesting
 * works.
 */
static inline unsigned int memalloc_nofs_save(void)
{
	unsigned int pf = current->flags;

	current->flags = pf | PF_MEMALLOC_NOFS;
	return pf & PF_MEMALLOC_NOFS;
}
/*
 * memalloc_nofs_restore() - leave a scope opened by memalloc_nofs_save().
 * @flags: the value memalloc_nofs_save() returned for this scope.
 *
 * Puts PF_MEMALLOC_NOFS back to the state it had before the matching
 * save; all other task flags are left untouched.
 */
static inline void memalloc_nofs_restore(unsigned int flags)
{
	unsigned int pf = current->flags;

	pf &= ~PF_MEMALLOC_NOFS;
	pf |= flags;
	current->flags = pf;
}
/*
 * memalloc_noreclaim_save() - enter a scope in which the task allocates as
 * PF_MEMALLOC (i.e. is itself part of reclaim and must not recurse into it).
 *
 * Sets PF_MEMALLOC on the current task and returns the previous state of
 * that bit, to be handed back to memalloc_noreclaim_restore() so that
 * nesting works.
 */
static inline unsigned int memalloc_noreclaim_save(void)
{
	unsigned int pf = current->flags;

	current->flags = pf | PF_MEMALLOC;
	return pf & PF_MEMALLOC;
}
/*
 * memalloc_noreclaim_restore() - leave a scope opened by
 * memalloc_noreclaim_save().
 * @flags: the value memalloc_noreclaim_save() returned for this scope.
 *
 * Puts PF_MEMALLOC back to the state it had before the matching save; all
 * other task flags are left untouched.
 */
static inline void memalloc_noreclaim_restore(unsigned int flags)
{
	unsigned int pf = current->flags;

	pf &= ~PF_MEMALLOC;
	pf |= flags;
	current->flags = pf;
}
#ifdef CONFIG_MEMBARRIER
/*
 * Bits of &mm_struct.membarrier_state.  They are read by
 * membarrier_mm_sync_core_before_usermode() below and cleared wholesale on
 * exec by membarrier_execve(); the registration side that sets them is not
 * in this header.  Each *_READY bit presumably records that registration
 * for the matching command has completed — confirm in kernel/sched/membarrier.c.
 */
enum {
	MEMBARRIER_STATE_PRIVATE_EXPEDITED_READY		= (1U << 0),
	MEMBARRIER_STATE_PRIVATE_EXPEDITED			= (1U << 1),
	MEMBARRIER_STATE_GLOBAL_EXPEDITED_READY			= (1U << 2),
	MEMBARRIER_STATE_GLOBAL_EXPEDITED			= (1U << 3),
	MEMBARRIER_STATE_PRIVATE_EXPEDITED_SYNC_CORE_READY	= (1U << 4),
	MEMBARRIER_STATE_PRIVATE_EXPEDITED_SYNC_CORE		= (1U << 5),
};
/*
 * Flag bits for the membarrier implementation; no user of this value is
 * visible in this header (NOTE(review): presumably consumed by
 * kernel/sched/membarrier.c / the arch callbacks — confirm there).
 */
enum {
	MEMBARRIER_FLAG_SYNC_CORE	= (1U << 0),
};
#ifdef CONFIG_ARCH_HAS_MEMBARRIER_CALLBACKS
#include <asm/membarrier.h>
#endif
/*
 * membarrier_mm_sync_core_before_usermode() - serialise the instruction
 * stream before returning to user-space, if @mm asked for it.
 * @mm: the address space about to run in user mode.
 *
 * Only address spaces registered for MEMBARRIER_CMD_PRIVATE_EXPEDITED_SYNC_CORE
 * (MEMBARRIER_STATE_PRIVATE_EXPEDITED_SYNC_CORE set in
 * &mm_struct.membarrier_state) pay for the sync_core_before_usermode();
 * everyone else takes the fast path of a single atomic read.
 */
static inline void membarrier_mm_sync_core_before_usermode(struct mm_struct *mm)
{
	int state = atomic_read(&mm->membarrier_state);

	if (unlikely(state & MEMBARRIER_STATE_PRIVATE_EXPEDITED_SYNC_CORE))
		sync_core_before_usermode();
}
/*
 * membarrier_execve() - reset membarrier registration on exec.
 * @t: the task that is exec'ing; @t->mm must already be the new mm.
 *
 * Clears every MEMBARRIER_STATE_* bit so the new image starts
 * unregistered and must issue its own membarrier() registration; a
 * registration made by the old image must not carry over.
 */
static inline void membarrier_execve(struct task_struct *t)
{
	atomic_set(&t->mm->membarrier_state, 0);
}
#else
#ifdef CONFIG_ARCH_HAS_MEMBARRIER_CALLBACKS
/*
 * !CONFIG_MEMBARRIER stub for the arch switch_mm() callback, so that
 * architectures providing the callback still build with membarrier off.
 * With CONFIG_MEMBARRIER the real declaration comes from <asm/membarrier.h>.
 */
static inline void membarrier_arch_switch_mm(struct mm_struct *prev,
					     struct mm_struct *next,
					     struct task_struct *tsk)
{
}
#endif
/* !CONFIG_MEMBARRIER: nothing to reset on exec. */
static inline void membarrier_execve(struct task_struct *t)
{
}
/* !CONFIG_MEMBARRIER: no sync-core registration can exist, so no-op. */
static inline void membarrier_mm_sync_core_before_usermode(struct mm_struct *mm)
{
}
#endif
#endif /* _LINUX_SCHED_MM_H */