1 // SPDX-License-Identifier: GPL-2.0
3 * Clang Control Flow Integrity (CFI) error and slowpath handling.
5 * Copyright (C) 2021 Google LLC
8 #include <linux/hardirq.h>
9 #include <linux/kallsyms.h>
10 #include <linux/module.h>
11 #include <linux/mutex.h>
12 #include <linux/printk.h>
13 #include <linux/ratelimit.h>
14 #include <linux/rcupdate.h>
15 #include <linux/vmalloc.h>
16 #include <asm/cacheflush.h>
17 #include <asm/set_memory.h>
19 /* Compiler-defined handler names */
20 #ifdef CONFIG_CFI_PERMISSIVE
21 #define cfi_failure_handler __ubsan_handle_cfi_check_fail
23 #define cfi_failure_handler __ubsan_handle_cfi_check_fail_abort
26 static inline void handle_cfi_failure(void *ptr
)
28 if (IS_ENABLED(CONFIG_CFI_PERMISSIVE
))
29 WARN_RATELIMIT(1, "CFI failure (target: %pS):\n", ptr
);
31 panic("CFI failure (target: %pS)\n", ptr
);
35 #ifdef CONFIG_CFI_CLANG_SHADOW
37 * Index type. A 16-bit index can address at most (2^16)-2 pages (taking
38 * into account SHADOW_INVALID), i.e. ~256M with 4k pages.
41 #define SHADOW_INVALID ((shadow_t)~0UL)
44 /* Page index for the beginning of the shadow */
46 /* An array of __cfi_check locations (as indices to the shadow) */
51 * The shadow covers ~128M from the beginning of the module region. If
52 * the region is larger, we fall back to __module_address for the rest.
54 #define __SHADOW_RANGE (_UL(SZ_128M) >> PAGE_SHIFT)
56 /* The in-memory size of struct cfi_shadow, always at least one page */
57 #define __SHADOW_PAGES ((__SHADOW_RANGE * sizeof(shadow_t)) >> PAGE_SHIFT)
58 #define SHADOW_PAGES max(1UL, __SHADOW_PAGES)
59 #define SHADOW_SIZE (SHADOW_PAGES << PAGE_SHIFT)
61 /* The actual size of the shadow array, minus metadata */
62 #define SHADOW_ARR_SIZE (SHADOW_SIZE - offsetof(struct cfi_shadow, shadow))
63 #define SHADOW_ARR_SLOTS (SHADOW_ARR_SIZE / sizeof(shadow_t))
65 static DEFINE_MUTEX(shadow_update_lock
);
66 static struct cfi_shadow __rcu
*cfi_shadow __read_mostly
;
68 /* Returns the index in the shadow for the given address */
69 static inline int ptr_to_shadow(const struct cfi_shadow
*s
, unsigned long ptr
)
72 unsigned long page
= ptr
>> PAGE_SHIFT
;
74 if (unlikely(page
< s
->base
))
75 return -1; /* Outside of module area */
77 index
= page
- s
->base
;
79 if (index
>= SHADOW_ARR_SLOTS
)
80 return -1; /* Cannot be addressed with shadow */
85 /* Returns the page address for an index in the shadow */
86 static inline unsigned long shadow_to_ptr(const struct cfi_shadow
*s
,
89 if (unlikely(index
< 0 || index
>= SHADOW_ARR_SLOTS
))
92 return (s
->base
+ index
) << PAGE_SHIFT
;
95 /* Returns the __cfi_check function address for the given shadow location */
96 static inline unsigned long shadow_to_check_fn(const struct cfi_shadow
*s
,
99 if (unlikely(index
< 0 || index
>= SHADOW_ARR_SLOTS
))
102 if (unlikely(s
->shadow
[index
] == SHADOW_INVALID
))
105 /* __cfi_check is always page aligned */
106 return (s
->base
+ s
->shadow
[index
]) << PAGE_SHIFT
;
109 static void prepare_next_shadow(const struct cfi_shadow __rcu
*prev
,
110 struct cfi_shadow
*next
)
114 /* Mark everything invalid */
115 memset(next
->shadow
, 0xFF, SHADOW_ARR_SIZE
);
118 return; /* No previous shadow */
120 /* If the base address didn't change, an update is not needed */
121 if (prev
->base
== next
->base
) {
122 memcpy(next
->shadow
, prev
->shadow
, SHADOW_ARR_SIZE
);
126 /* Convert the previous shadow to the new address range */
127 for (i
= 0; i
< SHADOW_ARR_SLOTS
; ++i
) {
128 if (prev
->shadow
[i
] == SHADOW_INVALID
)
131 index
= ptr_to_shadow(next
, shadow_to_ptr(prev
, i
));
135 check
= ptr_to_shadow(next
,
136 shadow_to_check_fn(prev
, prev
->shadow
[i
]));
140 next
->shadow
[index
] = (shadow_t
)check
;
144 static void add_module_to_shadow(struct cfi_shadow
*s
, struct module
*mod
,
145 unsigned long min_addr
, unsigned long max_addr
)
148 unsigned long check
= (unsigned long)mod
->cfi_check
;
151 if (unlikely(!PAGE_ALIGNED(check
))) {
152 pr_warn("cfi: not using shadow for module %s\n", mod
->name
);
156 check_index
= ptr_to_shadow(s
, check
);
158 return; /* Module not addressable with shadow */
160 /* For each page, store the check function index in the shadow */
161 for (ptr
= min_addr
; ptr
<= max_addr
; ptr
+= PAGE_SIZE
) {
162 int index
= ptr_to_shadow(s
, ptr
);
165 /* Each page must only contain one module */
166 WARN_ON_ONCE(s
->shadow
[index
] != SHADOW_INVALID
);
167 s
->shadow
[index
] = (shadow_t
)check_index
;
172 static void remove_module_from_shadow(struct cfi_shadow
*s
, struct module
*mod
,
173 unsigned long min_addr
, unsigned long max_addr
)
177 for (ptr
= min_addr
; ptr
<= max_addr
; ptr
+= PAGE_SIZE
) {
178 int index
= ptr_to_shadow(s
, ptr
);
181 s
->shadow
[index
] = SHADOW_INVALID
;
185 typedef void (*update_shadow_fn
)(struct cfi_shadow
*, struct module
*,
186 unsigned long min_addr
, unsigned long max_addr
);
188 static void update_shadow(struct module
*mod
, unsigned long base_addr
,
191 struct cfi_shadow
*prev
;
192 struct cfi_shadow
*next
;
193 unsigned long min_addr
, max_addr
;
195 next
= vmalloc(SHADOW_SIZE
);
197 mutex_lock(&shadow_update_lock
);
198 prev
= rcu_dereference_protected(cfi_shadow
,
199 mutex_is_locked(&shadow_update_lock
));
202 next
->base
= base_addr
>> PAGE_SHIFT
;
203 prepare_next_shadow(prev
, next
);
205 min_addr
= (unsigned long)mod
->core_layout
.base
;
206 max_addr
= min_addr
+ mod
->core_layout
.text_size
;
207 fn(next
, mod
, min_addr
& PAGE_MASK
, max_addr
& PAGE_MASK
);
209 set_memory_ro((unsigned long)next
, SHADOW_PAGES
);
212 rcu_assign_pointer(cfi_shadow
, next
);
213 mutex_unlock(&shadow_update_lock
);
217 set_memory_rw((unsigned long)prev
, SHADOW_PAGES
);
222 void cfi_module_add(struct module
*mod
, unsigned long base_addr
)
224 update_shadow(mod
, base_addr
, add_module_to_shadow
);
227 void cfi_module_remove(struct module
*mod
, unsigned long base_addr
)
229 update_shadow(mod
, base_addr
, remove_module_from_shadow
);
232 static inline cfi_check_fn
ptr_to_check_fn(const struct cfi_shadow __rcu
*s
,
238 return NULL
; /* No shadow available */
240 index
= ptr_to_shadow(s
, ptr
);
242 return NULL
; /* Cannot be addressed with shadow */
244 return (cfi_check_fn
)shadow_to_check_fn(s
, index
);
247 static inline cfi_check_fn
find_shadow_check_fn(unsigned long ptr
)
251 rcu_read_lock_sched_notrace();
252 fn
= ptr_to_check_fn(rcu_dereference_sched(cfi_shadow
), ptr
);
253 rcu_read_unlock_sched_notrace();
258 #else /* !CONFIG_CFI_CLANG_SHADOW */
260 static inline cfi_check_fn
find_shadow_check_fn(unsigned long ptr
)
265 #endif /* CONFIG_CFI_CLANG_SHADOW */
267 static inline cfi_check_fn
find_module_check_fn(unsigned long ptr
)
269 cfi_check_fn fn
= NULL
;
272 rcu_read_lock_sched_notrace();
273 mod
= __module_address(ptr
);
276 rcu_read_unlock_sched_notrace();
281 static inline cfi_check_fn
find_check_fn(unsigned long ptr
)
283 cfi_check_fn fn
= NULL
;
285 if (is_kernel_text(ptr
))
289 * Indirect call checks can happen when RCU is not watching. Both
290 * the shadow and __module_address use RCU, so we need to wake it
294 if (IS_ENABLED(CONFIG_CFI_CLANG_SHADOW
))
295 fn
= find_shadow_check_fn(ptr
);
298 fn
= find_module_check_fn(ptr
);
304 void __cfi_slowpath_diag(uint64_t id
, void *ptr
, void *diag
)
306 cfi_check_fn fn
= find_check_fn((unsigned long)ptr
);
310 else /* Don't allow unchecked modules */
311 handle_cfi_failure(ptr
);
313 EXPORT_SYMBOL(__cfi_slowpath_diag
);
315 #else /* !CONFIG_MODULES */
317 void __cfi_slowpath_diag(uint64_t id
, void *ptr
, void *diag
)
319 handle_cfi_failure(ptr
); /* No modules */
321 EXPORT_SYMBOL(__cfi_slowpath_diag
);
323 #endif /* CONFIG_MODULES */
325 void cfi_failure_handler(void *data
, void *ptr
, void *vtable
)
327 handle_cfi_failure(ptr
);
329 EXPORT_SYMBOL(cfi_failure_handler
);