| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 |
- // SPDX-License-Identifier: GPL-2.0
- /*
- * Implement mseal() syscall.
- *
- * Copyright (c) 2023,2024 Google, Inc.
- *
- * Author: Jeff Xu <jeffxu@chromium.org>
- */
- #include <linux/mempolicy.h>
- #include <linux/mman.h>
- #include <linux/mm.h>
- #include <linux/mm_inline.h>
- #include <linux/syscalls.h>
- #include <linux/sched.h>
- #include "internal.h"
- /*
- * mseal() disallows an input range which contain unmapped ranges (VMA holes).
- *
- * It disallows unmapped regions from start to end whether they exist at the
- * start, in the middle, or at the end of the range, or any combination thereof.
- *
- * This is because after sealing a range, there's nothing to stop memory mapping
- * of ranges in the remaining gaps later, meaning that the user might then
- * wrongly consider the entirety of the mseal()'d range to be sealed when it
- * in fact isn't.
- */
- /*
- * Does the [start, end) range contain any unmapped memory?
- *
- * We ensure that:
- * - start is part of a valid VMA.
- * - end is part of a valid VMA.
- * - no gap (unallocated memory) exists between start and end.
- */
- static bool range_contains_unmapped(struct mm_struct *mm,
- unsigned long start, unsigned long end)
- {
- struct vm_area_struct *vma;
- unsigned long prev_end = start;
- VMA_ITERATOR(vmi, current->mm, start);
- for_each_vma_range(vmi, vma, end) {
- if (vma->vm_start > prev_end)
- return true;
- prev_end = vma->vm_end;
- }
- return prev_end < end;
- }
- static int mseal_apply(struct mm_struct *mm,
- unsigned long start, unsigned long end)
- {
- struct vm_area_struct *vma, *prev;
- VMA_ITERATOR(vmi, mm, start);
- /* We know there are no gaps so this will be non-NULL. */
- vma = vma_iter_load(&vmi);
- prev = vma_prev(&vmi);
- if (start > vma->vm_start)
- prev = vma;
- for_each_vma_range(vmi, vma, end) {
- const unsigned long curr_start = MAX(vma->vm_start, start);
- const unsigned long curr_end = MIN(vma->vm_end, end);
- if (!(vma->vm_flags & VM_SEALED)) {
- vm_flags_t vm_flags = vma->vm_flags | VM_SEALED;
- vma = vma_modify_flags(&vmi, prev, vma, curr_start,
- curr_end, &vm_flags);
- if (IS_ERR(vma))
- return PTR_ERR(vma);
- vm_flags_set(vma, VM_SEALED);
- }
- prev = vma;
- }
- return 0;
- }
- /*
- * mseal(2) seals the VM's meta data from
- * selected syscalls.
- *
- * addr/len: VM address range.
- *
- * The address range by addr/len must meet:
- * start (addr) must be in a valid VMA.
- * end (addr + len) must be in a valid VMA.
- * no gap (unallocated memory) between start and end.
- * start (addr) must be page aligned.
- *
- * len: len will be page aligned implicitly.
- *
- * Below VMA operations are blocked after sealing.
- * 1> Unmapping, moving to another location, and shrinking
- * the size, via munmap() and mremap(), can leave an empty
- * space, therefore can be replaced with a VMA with a new
- * set of attributes.
- * 2> Moving or expanding a different vma into the current location,
- * via mremap().
- * 3> Modifying a VMA via mmap(MAP_FIXED).
- * 4> Size expansion, via mremap(), does not appear to pose any
- * specific risks to sealed VMAs. It is included anyway because
- * the use case is unclear. In any case, users can rely on
- * merging to expand a sealed VMA.
- * 5> mprotect and pkey_mprotect.
- * 6> Some destructive madvice() behavior (e.g. MADV_DONTNEED)
- * for anonymous memory, when users don't have write permission to the
- * memory. Those behaviors can alter region contents by discarding pages,
- * effectively a memset(0) for anonymous memory.
- *
- * flags: reserved.
- *
- * return values:
- * zero: success.
- * -EINVAL:
- * invalid input flags.
- * start address is not page aligned.
- * Address range (start + len) overflow.
- * -ENOMEM:
- * addr is not a valid address (not allocated).
- * end (start + len) is not a valid address.
- * a gap (unallocated memory) between start and end.
- * -EPERM:
- * - In 32 bit architecture, sealing is not supported.
- * Note:
- * user can call mseal(2) multiple times, adding a seal on an
- * already sealed memory is a no-action (no error).
- *
- * unseal() is not supported.
- */
- int do_mseal(unsigned long start, size_t len_in, unsigned long flags)
- {
- size_t len;
- int ret = 0;
- unsigned long end;
- struct mm_struct *mm = current->mm;
- /* Verify flags not set. */
- if (flags)
- return -EINVAL;
- start = untagged_addr(start);
- if (!PAGE_ALIGNED(start))
- return -EINVAL;
- len = PAGE_ALIGN(len_in);
- /* Check to see whether len was rounded up from small -ve to zero. */
- if (len_in && !len)
- return -EINVAL;
- end = start + len;
- if (end < start)
- return -EINVAL;
- if (end == start)
- return 0;
- if (mmap_write_lock_killable(mm))
- return -EINTR;
- if (range_contains_unmapped(mm, start, end)) {
- ret = -ENOMEM;
- goto out;
- }
- /*
- * Second pass, this should success, unless there are errors
- * from vma_modify_flags, e.g. merge/split error, or process
- * reaching the max supported VMAs, however, those cases shall
- * be rare.
- */
- ret = mseal_apply(mm, start, end);
- out:
- mmap_write_unlock(mm);
- return ret;
- }
- SYSCALL_DEFINE3(mseal, unsigned long, start, size_t, len, unsigned long,
- flags)
- {
- return do_mseal(start, len, flags);
- }
|