randomize_kstack.h (3839B)
1/* SPDX-License-Identifier: GPL-2.0-only */ 2#ifndef _LINUX_RANDOMIZE_KSTACK_H 3#define _LINUX_RANDOMIZE_KSTACK_H 4 5#ifdef CONFIG_RANDOMIZE_KSTACK_OFFSET 6#include <linux/kernel.h> 7#include <linux/jump_label.h> 8#include <linux/percpu-defs.h> 9 10DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, 11 randomize_kstack_offset); 12DECLARE_PER_CPU(u32, kstack_offset); 13 14/* 15 * Do not use this anywhere else in the kernel. This is used here because 16 * it provides an arch-agnostic way to grow the stack with correct 17 * alignment. Also, since this use is being explicitly masked to a max of 18 * 10 bits, stack-clash style attacks are unlikely. For more details see 19 * "VLAs" in Documentation/process/deprecated.rst 20 * 21 * The normal __builtin_alloca() is initialized with INIT_STACK_ALL (currently 22 * only with Clang and not GCC). Initializing the unused area on each syscall 23 * entry is expensive, and generating an implicit call to memset() may also be 24 * problematic (such as in noinstr functions). Therefore, if the compiler 25 * supports it (which it should if it initializes allocas), always use the 26 * "uninitialized" variant of the builtin. 27 */ 28#if __has_builtin(__builtin_alloca_uninitialized) 29#define __kstack_alloca __builtin_alloca_uninitialized 30#else 31#define __kstack_alloca __builtin_alloca 32#endif 33 34/* 35 * Use, at most, 10 bits of entropy. We explicitly cap this to keep the 36 * "VLA" from being unbounded (see above). 10 bits leaves enough room for 37 * per-arch offset masks to reduce entropy (by removing higher bits, since 38 * high entropy may overly constrain usable stack space), and for 39 * compiler/arch-specific stack alignment to remove the lower bits. 40 */ 41#define KSTACK_OFFSET_MAX(x) ((x) & 0x3FF) 42 43/** 44 * add_random_kstack_offset - Increase stack utilization by previously 45 * chosen random offset 46 * 47 * This should be used in the syscall entry path when interrupts and 48 * preempt are disabled, and after user registers have been stored to 49 * the stack. For testing the resulting entropy, please see: 50 * tools/testing/selftests/lkdtm/stack-entropy.sh 51 */ 52#define add_random_kstack_offset() do { \ 53 if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ 54 &randomize_kstack_offset)) { \ 55 u32 offset = raw_cpu_read(kstack_offset); \ 56 u8 *ptr = __kstack_alloca(KSTACK_OFFSET_MAX(offset)); \ 57 /* Keep allocation even after "ptr" loses scope. */ \ 58 asm volatile("" :: "r"(ptr) : "memory"); \ 59 } \ 60} while (0) 61 62/** 63 * choose_random_kstack_offset - Choose the random offset for the next 64 * add_random_kstack_offset() 65 * 66 * This should only be used during syscall exit when interrupts and 67 * preempt are disabled. This position in the syscall flow is done to 68 * frustrate attacks from userspace attempting to learn the next offset: 69 * - Maximize the timing uncertainty visible from userspace: if the 70 * offset is chosen at syscall entry, userspace has much more control 71 * over the timing between choosing offsets. "How long will we be in 72 * kernel mode?" tends to be more difficult to predict than "how long 73 * will we be in user mode?" 74 * - Reduce the lifetime of the new offset sitting in memory during 75 * kernel mode execution. Exposure of "thread-local" memory content 76 * (e.g. current, percpu, etc) tends to be easier than arbitrary 77 * location memory exposure. 78 */ 79#define choose_random_kstack_offset(rand) do { \ 80 if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ 81 &randomize_kstack_offset)) { \ 82 u32 offset = raw_cpu_read(kstack_offset); \ 83 offset ^= (rand); \ 84 raw_cpu_write(kstack_offset, offset); \ 85 } \ 86} while (0) 87#else /* CONFIG_RANDOMIZE_KSTACK_OFFSET */ 88#define add_random_kstack_offset() do { } while (0) 89#define choose_random_kstack_offset(rand) do { } while (0) 90#endif /* CONFIG_RANDOMIZE_KSTACK_OFFSET */ 91 92#endif