1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * Copyright (c) 2012-2014 Andy Lutomirski <[email protected]>
4
 *
5
 * Based on the original implementation which is:
6
 *  Copyright (C) 2001 Andrea Arcangeli <[email protected]> SuSE
7
 *  Copyright 2003 Andi Kleen, SuSE Labs.
8
 *
9
 *  Parts of the original code have been moved to arch/x86/vdso/vma.c
10
 *
11
 * This file implements vsyscall emulation.  vsyscalls are a legacy ABI:
12
 * Userspace can request certain kernel services by calling fixed
13
 * addresses.  This concept is problematic:
14
 *
15
 * - It interferes with ASLR.
16
 * - It's awkward to write code that lives in kernel addresses but is
17
 *   callable by userspace at fixed addresses.
18
 * - The whole concept is impossible for 32-bit compat userspace.
19
 * - UML cannot easily virtualize a vsyscall.
20
 *
21
 * As of mid-2014, I believe that there is no new userspace code that
22
 * will use a vsyscall if the vDSO is present.  I hope that there will
23
 * soon be no new userspace code that will ever use a vsyscall.
24
 *
25
 * The code in this file emulates vsyscalls when notified of a page
26
 * fault to a vsyscall address.
27
 */
28

29
#include <linux/kernel.h>
30
#include <linux/timer.h>
31
#include <linux/sched/signal.h>
32
#include <linux/mm_types.h>
33
#include <linux/syscalls.h>
34
#include <linux/ratelimit.h>
35

36
#include <asm/vsyscall.h>
37
#include <asm/unistd.h>
38
#include <asm/fixmap.h>
39
#include <asm/traps.h>
40

41
#define CREATE_TRACE_POINTS
42
#include "vsyscall_trace.h"
43

44
static enum { EMULATE, XONLY, NONE } vsyscall_mode __ro_after_init =
45
#ifdef CONFIG_LEGACY_VSYSCALL_NONE
46
	NONE;
47
#elif defined(CONFIG_LEGACY_VSYSCALL_XONLY)
48
	XONLY;
49
#else
50
	#error VSYSCALL config is broken
51
#endif
52

53
static int __init vsyscall_setup(char *str)
54
{
55
	if (str) {
56
		if (!strcmp("emulate", str))
57
			vsyscall_mode = EMULATE;
58
		else if (!strcmp("xonly", str))
59
			vsyscall_mode = XONLY;
60
		else if (!strcmp("none", str))
61
			vsyscall_mode = NONE;
62
		else
63
			return -EINVAL;
64

65
		return 0;
66
	}
67

68
	return -EINVAL;
69
}
70
early_param("vsyscall", vsyscall_setup);
71

72
static void warn_bad_vsyscall(const char *level, struct pt_regs *regs,
73
			      const char *message)
74
{
75
	if (!show_unhandled_signals)
76
		return;
77

78
	printk_ratelimited("%s%s[%d] %s ip:%lx cs:%x sp:%lx ax:%lx si:%lx di:%lx\n",
79
			   level, current->comm, task_pid_nr(current),
80
			   message, regs->ip, regs->cs,
81
			   regs->sp, regs->ax, regs->si, regs->di);
82
}
83

84
static int addr_to_vsyscall_nr(unsigned long addr)
85
{
86
	int nr;
87

88
	if ((addr & ~0xC00UL) != VSYSCALL_ADDR)
89
		return -EINVAL;
90

91
	nr = (addr & 0xC00UL) >> 10;
92
	if (nr >= 3)
93
		return -EINVAL;
94

95
	return nr;
96
}
97

98
static bool write_ok_or_segv(unsigned long ptr, size_t size)
99
{
100
	if (!access_ok((void __user *)ptr, size)) {
101
		struct thread_struct *thread = &current->thread;
102

103
		thread->error_code	= X86_PF_USER | X86_PF_WRITE;
104
		thread->cr2		= ptr;
105
		thread->trap_nr		= X86_TRAP_PF;
106

107
		force_sig_fault(SIGSEGV, SEGV_MAPERR, (void __user *)ptr);
108
		return false;
109
	} else {
110
		return true;
111
	}
112
}
113

114
bool emulate_vsyscall(unsigned long error_code,
115
		      struct pt_regs *regs, unsigned long address)
116
{
117
	unsigned long caller;
118
	int vsyscall_nr, syscall_nr, tmp;
119
	long ret;
120
	unsigned long orig_dx;
121

122
	/* Write faults or kernel-privilege faults never get fixed up. */
123
	if ((error_code & (X86_PF_WRITE | X86_PF_USER)) != X86_PF_USER)
124
		return false;
125

126
	/*
127
	 * Assume that faults at regs->ip are because of an
128
	 * instruction fetch. Return early and avoid
129
	 * emulation for faults during data accesses:
130
	 */
131
	if (address != regs->ip) {
132
		/* Failed vsyscall read */
133
		if (vsyscall_mode == EMULATE)
134
			return false;
135

136
		/*
137
		 * User code tried and failed to read the vsyscall page.
138
		 */
139
		warn_bad_vsyscall(KERN_INFO, regs, "vsyscall read attempt denied -- look up the vsyscall kernel parameter if you need a workaround");
140
		return false;
141
	}
142

143
	/*
144
	 * X86_PF_INSTR is only set when NX is supported.  When
145
	 * available, use it to double-check that the emulation code
146
	 * is only being used for instruction fetches:
147
	 */
148
	if (cpu_feature_enabled(X86_FEATURE_NX))
149
		WARN_ON_ONCE(!(error_code & X86_PF_INSTR));
150

151
	/*
152
	 * No point in checking CS -- the only way to get here is a user mode
153
	 * trap to a high address, which means that we're in 64-bit user code.
154
	 */
155

156
	if (vsyscall_mode == NONE) {
157
		warn_bad_vsyscall(KERN_INFO, regs,
158
				  "vsyscall attempted with vsyscall=none");
159
		return false;
160
	}
161

162
	vsyscall_nr = addr_to_vsyscall_nr(address);
163

164
	trace_emulate_vsyscall(vsyscall_nr);
165

166
	if (vsyscall_nr < 0) {
167
		warn_bad_vsyscall(KERN_WARNING, regs,
168
				  "misaligned vsyscall (exploit attempt or buggy program) -- look up the vsyscall kernel parameter if you need a workaround");
169
		goto sigsegv;
170
	}
171

172
	if (get_user(caller, (unsigned long __user *)regs->sp) != 0) {
173
		warn_bad_vsyscall(KERN_WARNING, regs,
174
				  "vsyscall with bad stack (exploit attempt?)");
175
		goto sigsegv;
176
	}
177

178
	/*
179
	 * Check for access_ok violations and find the syscall nr.
180
	 *
181
	 * NULL is a valid user pointer (in the access_ok sense) on 32-bit and
182
	 * 64-bit, so we don't need to special-case it here.  For all the
183
	 * vsyscalls, NULL means "don't write anything" not "write it at
184
	 * address 0".
185
	 */
186
	switch (vsyscall_nr) {
187
	case 0:
188
		if (!write_ok_or_segv(regs->di, sizeof(struct __kernel_old_timeval)) ||
189
		    !write_ok_or_segv(regs->si, sizeof(struct timezone))) {
190
			ret = -EFAULT;
191
			goto check_fault;
192
		}
193

194
		syscall_nr = __NR_gettimeofday;
195
		break;
196

197
	case 1:
198
		if (!write_ok_or_segv(regs->di, sizeof(__kernel_old_time_t))) {
199
			ret = -EFAULT;
200
			goto check_fault;
201
		}
202

203
		syscall_nr = __NR_time;
204
		break;
205

206
	case 2:
207
		if (!write_ok_or_segv(regs->di, sizeof(unsigned)) ||
208
		    !write_ok_or_segv(regs->si, sizeof(unsigned))) {
209
			ret = -EFAULT;
210
			goto check_fault;
211
		}
212

213
		syscall_nr = __NR_getcpu;
214
		break;
215
	}
216

217
	/*
218
	 * Handle seccomp.  regs->ip must be the original value.
219
	 * See seccomp_send_sigsys and Documentation/userspace-api/seccomp_filter.rst.
220
	 *
221
	 * We could optimize the seccomp disabled case, but performance
222
	 * here doesn't matter.
223
	 */
224
	regs->orig_ax = syscall_nr;
225
	regs->ax = -ENOSYS;
226
	tmp = secure_computing();
227
	if ((!tmp && regs->orig_ax != syscall_nr) || regs->ip != address) {
228
		warn_bad_vsyscall(KERN_DEBUG, regs,
229
				  "seccomp tried to change syscall nr or ip");
230
		force_exit_sig(SIGSYS);
231
		return true;
232
	}
233
	regs->orig_ax = -1;
234
	if (tmp)
235
		goto do_ret;  /* skip requested */
236

237
	/*
238
	 * With a real vsyscall, page faults cause SIGSEGV.
239
	 */
240
	ret = -EFAULT;
241
	switch (vsyscall_nr) {
242
	case 0:
243
		/* this decodes regs->di and regs->si on its own */
244
		ret = __x64_sys_gettimeofday(regs);
245
		break;
246

247
	case 1:
248
		/* this decodes regs->di on its own */
249
		ret = __x64_sys_time(regs);
250
		break;
251

252
	case 2:
253
		/* while we could clobber regs->dx, we didn't in the past... */
254
		orig_dx = regs->dx;
255
		regs->dx = 0;
256
		/* this decodes regs->di, regs->si and regs->dx on its own */
257
		ret = __x64_sys_getcpu(regs);
258
		regs->dx = orig_dx;
259
		break;
260
	}
261

262
check_fault:
263
	if (ret == -EFAULT) {
264
		/* Bad news -- userspace fed a bad pointer to a vsyscall. */
265
		warn_bad_vsyscall(KERN_INFO, regs,
266
				  "vsyscall fault (exploit attempt?)");
267
		goto sigsegv;
268
	}
269

270
	regs->ax = ret;
271

272
do_ret:
273
	/* Emulate a ret instruction. */
274
	regs->ip = caller;
275
	regs->sp += 8;
276
	return true;
277

278
sigsegv:
279
	force_sig(SIGSEGV);
280
	return true;
281
}
282

283
/*
284
 * A pseudo VMA to allow ptrace access for the vsyscall page.  This only
285
 * covers the 64bit vsyscall page now. 32bit has a real VMA now and does
286
 * not need special handling anymore:
287
 */
288
static const char *gate_vma_name(struct vm_area_struct *vma)
289
{
290
	return "[vsyscall]";
291
}
292
static const struct vm_operations_struct gate_vma_ops = {
293
	.name = gate_vma_name,
294
};
295
static struct vm_area_struct gate_vma __ro_after_init = {
296
	.vm_start	= VSYSCALL_ADDR,
297
	.vm_end		= VSYSCALL_ADDR + PAGE_SIZE,
298
	.vm_page_prot	= PAGE_READONLY_EXEC,
299
	.vm_flags	= VM_READ | VM_EXEC,
300
	.vm_ops		= &gate_vma_ops,
301
};
302

303
struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
304
{
305
#ifdef CONFIG_COMPAT
306
	if (!mm || !test_bit(MM_CONTEXT_HAS_VSYSCALL, &mm->context.flags))
307
		return NULL;
308
#endif
309
	if (vsyscall_mode == NONE)
310
		return NULL;
311
	return &gate_vma;
312
}
313

314
int in_gate_area(struct mm_struct *mm, unsigned long addr)
315
{
316
	struct vm_area_struct *vma = get_gate_vma(mm);
317

318
	if (!vma)
319
		return 0;
320

321
	return (addr >= vma->vm_start) && (addr < vma->vm_end);
322
}
323

324
/*
325
 * Use this when you have no reliable mm, typically from interrupt
326
 * context. It is less reliable than using a task's mm and may give
327
 * false positives.
328
 */
329
int in_gate_area_no_mm(unsigned long addr)
330
{
331
	return vsyscall_mode != NONE && (addr & PAGE_MASK) == VSYSCALL_ADDR;
332
}
333

334
/*
335
 * The VSYSCALL page is the only user-accessible page in the kernel address
336
 * range.  Normally, the kernel page tables can have _PAGE_USER clear, but
337
 * the tables covering VSYSCALL_ADDR need _PAGE_USER set if vsyscalls
338
 * are enabled.
339
 *
340
 * Some day we may create a "minimal" vsyscall mode in which we emulate
341
 * vsyscalls but leave the page not present.  If so, we skip calling
342
 * this.
343
 */
344
void __init set_vsyscall_pgtable_user_bits(pgd_t *root)
345
{
346
	pgd_t *pgd;
347
	p4d_t *p4d;
348
	pud_t *pud;
349
	pmd_t *pmd;
350

351
	pgd = pgd_offset_pgd(root, VSYSCALL_ADDR);
352
	set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER));
353
	p4d = p4d_offset(pgd, VSYSCALL_ADDR);
354
	set_p4d(p4d, __p4d(p4d_val(*p4d) | _PAGE_USER));
355
	pud = pud_offset(p4d, VSYSCALL_ADDR);
356
	set_pud(pud, __pud(pud_val(*pud) | _PAGE_USER));
357
	pmd = pmd_offset(pud, VSYSCALL_ADDR);
358
	set_pmd(pmd, __pmd(pmd_val(*pmd) | _PAGE_USER));
359
}
360

361
void __init map_vsyscall(void)
362
{
363
	extern char __vsyscall_page;
364
	unsigned long physaddr_vsyscall = __pa_symbol(&__vsyscall_page);
365

366
	/*
367
	 * For full emulation, the page needs to exist for real.  In
368
	 * execute-only mode, there is no PTE at all backing the vsyscall
369
	 * page.
370
	 */
371
	if (vsyscall_mode == EMULATE) {
372
		__set_fixmap(VSYSCALL_PAGE, physaddr_vsyscall,
373
			     PAGE_KERNEL_VVAR);
374
		set_vsyscall_pgtable_user_bits(swapper_pg_dir);
375
	}
376

377
	if (vsyscall_mode == XONLY)
378
		vm_flags_init(&gate_vma, VM_EXEC);
379

380
	BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_PAGE) !=
381
		     (unsigned long)VSYSCALL_ADDR);
382
}
383

384