2019-05-27 00:55:05 -06:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2008-01-30 05:31:07 -07:00
|
|
|
/*
|
2008-01-30 05:31:10 -07:00
|
|
|
* Flexible mmap layout support
|
2008-01-30 05:31:07 -07:00
|
|
|
*
|
|
|
|
|
* Based on code by Ingo Molnar and Andi Kleen, copyrighted
|
|
|
|
|
* as follows:
|
|
|
|
|
*
|
2009-01-30 18:03:42 -07:00
|
|
|
* Copyright 2003-2009 Red Hat Inc.
|
2008-01-30 05:31:07 -07:00
|
|
|
* All Rights Reserved.
|
|
|
|
|
* Copyright 2005 Andi Kleen, SUSE Labs.
|
|
|
|
|
* Copyright 2007 Jiri Kosina, SUSE Labs.
|
2006-01-16 23:03:38 -07:00
|
|
|
*/
|
2008-01-30 05:31:07 -07:00
|
|
|
|
|
|
|
|
#include <linux/personality.h>
|
2006-01-16 23:03:38 -07:00
|
|
|
#include <linux/mm.h>
|
|
|
|
|
#include <linux/random.h>
|
2008-01-30 05:31:07 -07:00
|
|
|
#include <linux/limits.h>
|
2017-02-08 10:51:30 -07:00
|
|
|
#include <linux/sched/signal.h>
|
2017-02-08 10:51:31 -07:00
|
|
|
#include <linux/sched/mm.h>
|
2017-03-14 05:41:26 -06:00
|
|
|
#include <linux/compat.h>
|
2009-09-08 03:01:55 -06:00
|
|
|
#include <asm/elf.h>
|
|
|
|
|
|
2017-11-15 15:29:51 -07:00
|
|
|
#include "physaddr.h"
|
|
|
|
|
|
2014-09-05 17:16:45 -06:00
|
|
|
struct va_alignment __read_mostly va_align = {
|
2011-08-06 06:31:38 -06:00
|
|
|
.flags = -1,
|
|
|
|
|
};
|
|
|
|
|
|
2017-07-16 16:59:50 -06:00
|
|
|
unsigned long task_size_32bit(void)
|
2017-03-06 07:17:18 -07:00
|
|
|
{
|
|
|
|
|
return IA32_PAGE_OFFSET;
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-16 16:59:52 -06:00
|
|
|
unsigned long task_size_64bit(int full_addr_space)
|
2017-03-06 07:17:19 -07:00
|
|
|
{
|
2017-07-16 16:59:52 -06:00
|
|
|
return full_addr_space ? TASK_SIZE_MAX : DEFAULT_MAP_WINDOW;
|
2017-03-06 07:17:19 -07:00
|
|
|
}
|
|
|
|
|
|
2017-03-06 07:17:18 -07:00
|
|
|
static unsigned long stack_maxrandom_size(unsigned long task_size)
|
2009-09-08 03:01:55 -06:00
|
|
|
{
|
2015-02-14 10:33:50 -07:00
|
|
|
unsigned long max = 0;
|
2017-08-15 09:40:11 -06:00
|
|
|
if (current->flags & PF_RANDOMIZE) {
|
2017-07-16 16:59:50 -06:00
|
|
|
max = (-1UL) & __STACK_RND_MASK(task_size == task_size_32bit());
|
2017-03-06 07:17:18 -07:00
|
|
|
max <<= PAGE_SHIFT;
|
2009-09-08 03:01:55 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return max;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-06 07:17:17 -07:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
|
# define mmap32_rnd_bits mmap_rnd_compat_bits
|
|
|
|
|
# define mmap64_rnd_bits mmap_rnd_bits
|
|
|
|
|
#else
|
|
|
|
|
# define mmap32_rnd_bits mmap_rnd_bits
|
|
|
|
|
# define mmap64_rnd_bits mmap_rnd_bits
|
|
|
|
|
#endif
|
|
|
|
|
|
2017-03-06 07:17:18 -07:00
|
|
|
#define SIZE_128M (128 * 1024 * 1024UL)
|
|
|
|
|
|
2008-01-30 05:31:07 -07:00
|
|
|
static int mmap_is_legacy(void)
|
2008-01-30 05:31:07 -07:00
|
|
|
{
|
|
|
|
|
if (current->personality & ADDR_COMPAT_LAYOUT)
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
return sysctl_legacy_va_layout;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-06 07:17:17 -07:00
|
|
|
static unsigned long arch_rnd(unsigned int rndbits)
|
2008-01-30 05:31:10 -07:00
|
|
|
{
|
2017-08-15 09:39:52 -06:00
|
|
|
if (!(current->flags & PF_RANDOMIZE))
|
|
|
|
|
return 0;
|
2017-03-06 07:17:17 -07:00
|
|
|
return (get_random_long() & ((1UL << rndbits) - 1)) << PAGE_SHIFT;
|
|
|
|
|
}
|
2015-04-14 16:47:45 -06:00
|
|
|
|
2017-03-06 07:17:17 -07:00
|
|
|
unsigned long arch_mmap_rnd(void)
|
|
|
|
|
{
|
|
|
|
|
return arch_rnd(mmap_is_ia32() ? mmap32_rnd_bits : mmap64_rnd_bits);
|
2008-01-30 05:31:10 -07:00
|
|
|
}
|
|
|
|
|
|
2018-04-10 17:34:53 -06:00
|
|
|
static unsigned long mmap_base(unsigned long rnd, unsigned long task_size,
|
|
|
|
|
struct rlimit *rlim_stack)
|
2008-01-30 05:31:10 -07:00
|
|
|
{
|
2018-04-10 17:34:53 -06:00
|
|
|
unsigned long gap = rlim_stack->rlim_cur;
|
2017-07-12 15:36:33 -06:00
|
|
|
unsigned long pad = stack_maxrandom_size(task_size) + stack_guard_gap;
|
2017-03-06 07:17:18 -07:00
|
|
|
unsigned long gap_min, gap_max;
|
|
|
|
|
|
2017-07-12 15:36:33 -06:00
|
|
|
/* Values close to RLIM_INFINITY can overflow. */
|
|
|
|
|
if (gap + pad > gap)
|
|
|
|
|
gap += pad;
|
|
|
|
|
|
2017-03-06 07:17:18 -07:00
|
|
|
/*
|
|
|
|
|
* Top of mmap area (just below the process stack).
|
|
|
|
|
* Leave an at least ~128 MB hole with possible stack randomization.
|
|
|
|
|
*/
|
2017-07-12 15:36:33 -06:00
|
|
|
gap_min = SIZE_128M;
|
2017-03-06 07:17:18 -07:00
|
|
|
gap_max = (task_size / 6) * 5;
|
2008-01-30 05:31:10 -07:00
|
|
|
|
2017-03-06 07:17:18 -07:00
|
|
|
if (gap < gap_min)
|
|
|
|
|
gap = gap_min;
|
|
|
|
|
else if (gap > gap_max)
|
|
|
|
|
gap = gap_max;
|
2008-01-30 05:31:10 -07:00
|
|
|
|
2017-03-06 07:17:18 -07:00
|
|
|
return PAGE_ALIGN(task_size - gap - rnd);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static unsigned long mmap_legacy_base(unsigned long rnd,
|
|
|
|
|
unsigned long task_size)
|
|
|
|
|
{
|
|
|
|
|
return __TASK_UNMAPPED_BASE(task_size) + rnd;
|
2008-01-30 05:31:10 -07:00
|
|
|
}
|
|
|
|
|
|
2008-01-30 05:31:07 -07:00
|
|
|
/*
|
|
|
|
|
* This function, called very early during the creation of a new
|
|
|
|
|
* process VM image, sets up which VM layout function to use:
|
|
|
|
|
*/
|
2017-03-06 07:17:19 -07:00
|
|
|
static void arch_pick_mmap_base(unsigned long *base, unsigned long *legacy_base,
|
2018-04-10 17:34:53 -06:00
|
|
|
unsigned long random_factor, unsigned long task_size,
|
|
|
|
|
struct rlimit *rlim_stack)
|
2008-01-30 05:31:07 -07:00
|
|
|
{
|
2017-03-06 07:17:19 -07:00
|
|
|
*legacy_base = mmap_legacy_base(random_factor, task_size);
|
|
|
|
|
if (mmap_is_legacy())
|
|
|
|
|
*base = *legacy_base;
|
|
|
|
|
else
|
2018-04-10 17:34:53 -06:00
|
|
|
*base = mmap_base(random_factor, task_size, rlim_stack);
|
2017-03-06 07:17:19 -07:00
|
|
|
}
|
2013-08-21 11:55:59 -06:00
|
|
|
|
2018-04-10 17:34:53 -06:00
|
|
|
void arch_pick_mmap_layout(struct mm_struct *mm, struct rlimit *rlim_stack)
|
2017-03-06 07:17:19 -07:00
|
|
|
{
|
|
|
|
|
if (mmap_is_legacy())
|
2008-01-30 05:31:07 -07:00
|
|
|
mm->get_unmapped_area = arch_get_unmapped_area;
|
2017-03-06 07:17:19 -07:00
|
|
|
else
|
2008-01-30 05:31:07 -07:00
|
|
|
mm->get_unmapped_area = arch_get_unmapped_area_topdown;
|
2017-03-06 07:17:19 -07:00
|
|
|
|
|
|
|
|
arch_pick_mmap_base(&mm->mmap_base, &mm->mmap_legacy_base,
|
2018-04-10 17:34:53 -06:00
|
|
|
arch_rnd(mmap64_rnd_bits), task_size_64bit(0),
|
|
|
|
|
rlim_stack);
|
2017-03-06 07:17:19 -07:00
|
|
|
|
|
|
|
|
#ifdef CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES
|
|
|
|
|
/*
|
|
|
|
|
* The mmap syscall mapping base decision depends solely on the
|
|
|
|
|
* syscall type (64-bit or compat). This applies for 64bit
|
|
|
|
|
* applications and 32bit applications. The 64bit syscall uses
|
|
|
|
|
* mmap_base, the compat syscall uses mmap_compat_base.
|
|
|
|
|
*/
|
|
|
|
|
arch_pick_mmap_base(&mm->mmap_compat_base, &mm->mmap_compat_legacy_base,
|
2018-04-10 17:34:53 -06:00
|
|
|
arch_rnd(mmap32_rnd_bits), task_size_32bit(),
|
|
|
|
|
rlim_stack);
|
2017-03-06 07:17:19 -07:00
|
|
|
#endif
|
2006-01-16 23:03:38 -07:00
|
|
|
}
|
2015-07-20 15:29:58 -06:00
|
|
|
|
2017-03-14 05:41:26 -06:00
|
|
|
unsigned long get_mmap_base(int is_legacy)
|
|
|
|
|
{
|
|
|
|
|
struct mm_struct *mm = current->mm;
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES
|
2018-10-12 07:42:52 -06:00
|
|
|
if (in_32bit_syscall()) {
|
2017-03-14 05:41:26 -06:00
|
|
|
return is_legacy ? mm->mmap_compat_legacy_base
|
|
|
|
|
: mm->mmap_compat_base;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
return is_legacy ? mm->mmap_legacy_base : mm->mmap_base;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-20 15:29:58 -06:00
|
|
|
const char *arch_vma_name(struct vm_area_struct *vma)
|
|
|
|
|
{
|
|
|
|
|
if (vma->vm_flags & VM_MPX)
|
|
|
|
|
return "[mpx]";
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2017-11-15 07:36:06 -07:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* mmap_address_hint_valid - Validate the address hint of mmap
|
|
|
|
|
* @addr: Address hint
|
|
|
|
|
* @len: Mapping length
|
|
|
|
|
*
|
|
|
|
|
* Check whether @addr and @addr + @len result in a valid mapping.
|
|
|
|
|
*
|
|
|
|
|
* On 32bit this only checks whether @addr + @len is <= TASK_SIZE.
|
|
|
|
|
*
|
|
|
|
|
* On 64bit with 5-level page tables another sanity check is required
|
|
|
|
|
* because mappings requested by mmap(@addr, 0) which cross the 47-bit
|
|
|
|
|
* virtual address boundary can cause the following theoretical issue:
|
|
|
|
|
*
|
|
|
|
|
* An application calls mmap(addr, 0), i.e. without MAP_FIXED, where @addr
|
|
|
|
|
* is below the border of the 47-bit address space and @addr + @len is
|
|
|
|
|
* above the border.
|
|
|
|
|
*
|
|
|
|
|
* With 4-level paging this request succeeds, but the resulting mapping
|
|
|
|
|
* address will always be within the 47-bit virtual address space, because
|
|
|
|
|
* the hint address does not result in a valid mapping and is
|
|
|
|
|
* ignored. Hence applications which are not prepared to handle virtual
|
|
|
|
|
* addresses above 47-bit work correctly.
|
|
|
|
|
*
|
|
|
|
|
* With 5-level paging this request would be granted and result in a
|
|
|
|
|
* mapping which crosses the border of the 47-bit virtual address
|
|
|
|
|
* space. If the application cannot handle addresses above 47-bit this
|
|
|
|
|
* will lead to misbehaviour and hard to diagnose failures.
|
|
|
|
|
*
|
|
|
|
|
* Therefore ignore address hints which would result in a mapping crossing
|
|
|
|
|
* the 47-bit virtual address boundary.
|
|
|
|
|
*
|
|
|
|
|
* Note, that in the same scenario with MAP_FIXED the behaviour is
|
|
|
|
|
* different. The request with @addr < 47-bit and @addr + @len > 47-bit
|
|
|
|
|
* fails on a 4-level paging machine but succeeds on a 5-level paging
|
|
|
|
|
* machine. It is reasonable to expect that an application does not rely on
|
|
|
|
|
* the failure of such a fixed mapping request, so the restriction is not
|
|
|
|
|
* applied.
|
|
|
|
|
*/
|
|
|
|
|
bool mmap_address_hint_valid(unsigned long addr, unsigned long len)
|
|
|
|
|
{
|
|
|
|
|
if (TASK_SIZE - len < addr)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return (addr > DEFAULT_MAP_WINDOW) == (addr + len > DEFAULT_MAP_WINDOW);
|
|
|
|
|
}
|
2017-11-15 15:29:51 -07:00
|
|
|
|
|
|
|
|
/* Can we access it for direct reading/writing? Must be RAM: */
|
|
|
|
|
int valid_phys_addr_range(phys_addr_t addr, size_t count)
|
|
|
|
|
{
|
2019-03-25 18:18:17 -06:00
|
|
|
return addr + count - 1 <= __pa(high_memory - 1);
|
2017-11-15 15:29:51 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Can we access it through mmap? Must be a valid physical address: */
|
|
|
|
|
int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
|
|
|
|
|
{
|
|
|
|
|
phys_addr_t addr = (phys_addr_t)pfn << PAGE_SHIFT;
|
|
|
|
|
|
|
|
|
|
return phys_addr_valid(addr + count - 1);
|
|
|
|
|
}
|
2018-06-13 16:48:27 -06:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Only allow root to set high MMIO mappings to PROT_NONE.
|
|
|
|
|
* This prevents an unpriv. user to set them to PROT_NONE and invert
|
|
|
|
|
* them, then pointing to valid memory for L1TF speculation.
|
|
|
|
|
*
|
|
|
|
|
* Note: for locked down kernels may want to disable the root override.
|
|
|
|
|
*/
|
|
|
|
|
bool pfn_modify_allowed(unsigned long pfn, pgprot_t prot)
|
|
|
|
|
{
|
|
|
|
|
if (!boot_cpu_has_bug(X86_BUG_L1TF))
|
|
|
|
|
return true;
|
|
|
|
|
if (!__pte_needs_invert(pgprot_val(prot)))
|
|
|
|
|
return true;
|
|
|
|
|
/* If it's real memory always allow */
|
|
|
|
|
if (pfn_valid(pfn))
|
|
|
|
|
return true;
|
2018-08-23 07:44:18 -06:00
|
|
|
if (pfn >= l1tf_pfn_limit() && !capable(CAP_SYS_ADMIN))
|
2018-06-13 16:48:27 -06:00
|
|
|
return false;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
