Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
vsyscall_64.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2001 Andrea Arcangeli <[email protected]> SuSE
3  * Copyright 2003 Andi Kleen, SuSE Labs.
4  *
5  * [ NOTE: this mechanism is now deprecated in favor of the vDSO. ]
6  *
7  * Thanks to [email protected] for some useful hint.
8  * Special thanks to Ingo Molnar for his early experience with
9  * a different vsyscall implementation for Linux/IA32 and for the name.
10  *
11  * vsyscall 1 is located at -10Mbyte, vsyscall 2 is located
12  * at virtual address -10Mbyte+1024bytes etc... There are at max 4
13  * vsyscalls. One vsyscall can reserve more than 1 slot to avoid
14  * jumping out of line if necessary. We cannot add more with this
15  * mechanism because older kernels won't return -ENOSYS.
16  *
17  * Note: the concept clashes with user mode linux. UML users should
18  * use the vDSO.
19  */
20 
21 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
22 
23 #include <linux/time.h>
24 #include <linux/init.h>
25 #include <linux/kernel.h>
26 #include <linux/timer.h>
27 #include <linux/seqlock.h>
28 #include <linux/jiffies.h>
29 #include <linux/sysctl.h>
30 #include <linux/topology.h>
32 #include <linux/getcpu.h>
33 #include <linux/cpu.h>
34 #include <linux/smp.h>
35 #include <linux/notifier.h>
36 #include <linux/syscalls.h>
37 #include <linux/ratelimit.h>
38 
39 #include <asm/vsyscall.h>
40 #include <asm/pgtable.h>
41 #include <asm/compat.h>
42 #include <asm/page.h>
43 #include <asm/unistd.h>
44 #include <asm/fixmap.h>
45 #include <asm/errno.h>
46 #include <asm/io.h>
47 #include <asm/segment.h>
48 #include <asm/desc.h>
49 #include <asm/topology.h>
50 #include <asm/vgtod.h>
51 #include <asm/traps.h>
52 
53 #define CREATE_TRACE_POINTS
54 #include "vsyscall_trace.h"
55 
56 DEFINE_VVAR(int, vgetcpu_mode);
58 
59 static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
60 
61 static int __init vsyscall_setup(char *str)
62 {
63  if (str) {
64  if (!strcmp("emulate", str))
65  vsyscall_mode = EMULATE;
66  else if (!strcmp("native", str))
67  vsyscall_mode = NATIVE;
68  else if (!strcmp("none", str))
69  vsyscall_mode = NONE;
70  else
71  return -EINVAL;
72 
73  return 0;
74  }
75 
76  return -EINVAL;
77 }
78 early_param("vsyscall", vsyscall_setup);
79 
81 {
83 }
84 
85 void update_vsyscall(struct timekeeper *tk)
86 {
87  struct vsyscall_gtod_data *vdata = &vsyscall_gtod_data;
88 
89  write_seqcount_begin(&vdata->seq);
90 
91  /* copy vsyscall data */
92  vdata->clock.vclock_mode = tk->clock->archdata.vclock_mode;
93  vdata->clock.cycle_last = tk->clock->cycle_last;
94  vdata->clock.mask = tk->clock->mask;
95  vdata->clock.mult = tk->mult;
96  vdata->clock.shift = tk->shift;
97 
98  vdata->wall_time_sec = tk->xtime_sec;
99  vdata->wall_time_snsec = tk->xtime_nsec;
100 
101  vdata->monotonic_time_sec = tk->xtime_sec
102  + tk->wall_to_monotonic.tv_sec;
103  vdata->monotonic_time_snsec = tk->xtime_nsec
104  + (tk->wall_to_monotonic.tv_nsec
105  << tk->shift);
106  while (vdata->monotonic_time_snsec >=
107  (((u64)NSEC_PER_SEC) << tk->shift)) {
108  vdata->monotonic_time_snsec -=
109  ((u64)NSEC_PER_SEC) << tk->shift;
110  vdata->monotonic_time_sec++;
111  }
112 
113  vdata->wall_time_coarse.tv_sec = tk->xtime_sec;
114  vdata->wall_time_coarse.tv_nsec = (long)(tk->xtime_nsec >> tk->shift);
115 
116  vdata->monotonic_time_coarse = timespec_add(vdata->wall_time_coarse,
117  tk->wall_to_monotonic);
118 
119  write_seqcount_end(&vdata->seq);
120 }
121 
122 static void warn_bad_vsyscall(const char *level, struct pt_regs *regs,
123  const char *message)
124 {
126  return;
127 
128  pr_notice_ratelimited("%s%s[%d] %s ip:%lx cs:%lx sp:%lx ax:%lx si:%lx di:%lx\n",
129  level, current->comm, task_pid_nr(current),
130  message, regs->ip, regs->cs,
131  regs->sp, regs->ax, regs->si, regs->di);
132 }
133 
134 static int addr_to_vsyscall_nr(unsigned long addr)
135 {
136  int nr;
137 
138  if ((addr & ~0xC00UL) != VSYSCALL_START)
139  return -EINVAL;
140 
141  nr = (addr & 0xC00UL) >> 10;
142  if (nr >= 3)
143  return -EINVAL;
144 
145  return nr;
146 }
147 
148 #ifdef CONFIG_SECCOMP
149 static int vsyscall_seccomp(struct task_struct *tsk, int syscall_nr)
150 {
151  if (!seccomp_mode(&tsk->seccomp))
152  return 0;
153  task_pt_regs(tsk)->orig_ax = syscall_nr;
154  task_pt_regs(tsk)->ax = syscall_nr;
155  return __secure_computing(syscall_nr);
156 }
157 #else
158 #define vsyscall_seccomp(_tsk, _nr) 0
159 #endif
160 
161 static bool write_ok_or_segv(unsigned long ptr, size_t size)
162 {
163  /*
164  * XXX: if access_ok, get_user, and put_user handled
165  * sig_on_uaccess_error, this could go away.
166  */
167 
168  if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) {
169  siginfo_t info;
170  struct thread_struct *thread = &current->thread;
171 
172  thread->error_code = 6; /* user fault, no page, write */
173  thread->cr2 = ptr;
174  thread->trap_nr = X86_TRAP_PF;
175 
176  memset(&info, 0, sizeof(info));
177  info.si_signo = SIGSEGV;
178  info.si_errno = 0;
179  info.si_code = SEGV_MAPERR;
180  info.si_addr = (void __user *)ptr;
181 
182  force_sig_info(SIGSEGV, &info, current);
183  return false;
184  } else {
185  return true;
186  }
187 }
188 
189 bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
190 {
191  struct task_struct *tsk;
192  unsigned long caller;
193  int vsyscall_nr;
194  int prev_sig_on_uaccess_error;
195  long ret;
196  int skip;
197 
198  /*
199  * No point in checking CS -- the only way to get here is a user mode
200  * trap to a high address, which means that we're in 64-bit user code.
201  */
202 
203  WARN_ON_ONCE(address != regs->ip);
204 
205  if (vsyscall_mode == NONE) {
206  warn_bad_vsyscall(KERN_INFO, regs,
207  "vsyscall attempted with vsyscall=none");
208  return false;
209  }
210 
211  vsyscall_nr = addr_to_vsyscall_nr(address);
212 
213  trace_emulate_vsyscall(vsyscall_nr);
214 
215  if (vsyscall_nr < 0) {
216  warn_bad_vsyscall(KERN_WARNING, regs,
217  "misaligned vsyscall (exploit attempt or buggy program) -- look up the vsyscall kernel parameter if you need a workaround");
218  goto sigsegv;
219  }
220 
221  if (get_user(caller, (unsigned long __user *)regs->sp) != 0) {
222  warn_bad_vsyscall(KERN_WARNING, regs,
223  "vsyscall with bad stack (exploit attempt?)");
224  goto sigsegv;
225  }
226 
227  tsk = current;
228  /*
229  * With a real vsyscall, page faults cause SIGSEGV. We want to
230  * preserve that behavior to make writing exploits harder.
231  */
232  prev_sig_on_uaccess_error = current_thread_info()->sig_on_uaccess_error;
233  current_thread_info()->sig_on_uaccess_error = 1;
234 
235  /*
236  * NULL is a valid user pointer (in the access_ok sense) on 32-bit and
237  * 64-bit, so we don't need to special-case it here. For all the
238  * vsyscalls, NULL means "don't write anything" not "write it at
239  * address 0".
240  */
241  ret = -EFAULT;
242  skip = 0;
243  switch (vsyscall_nr) {
244  case 0:
245  skip = vsyscall_seccomp(tsk, __NR_gettimeofday);
246  if (skip)
247  break;
248 
249  if (!write_ok_or_segv(regs->di, sizeof(struct timeval)) ||
250  !write_ok_or_segv(regs->si, sizeof(struct timezone)))
251  break;
252 
253  ret = sys_gettimeofday(
254  (struct timeval __user *)regs->di,
255  (struct timezone __user *)regs->si);
256  break;
257 
258  case 1:
259  skip = vsyscall_seccomp(tsk, __NR_time);
260  if (skip)
261  break;
262 
263  if (!write_ok_or_segv(regs->di, sizeof(time_t)))
264  break;
265 
266  ret = sys_time((time_t __user *)regs->di);
267  break;
268 
269  case 2:
270  skip = vsyscall_seccomp(tsk, __NR_getcpu);
271  if (skip)
272  break;
273 
274  if (!write_ok_or_segv(regs->di, sizeof(unsigned)) ||
275  !write_ok_or_segv(regs->si, sizeof(unsigned)))
276  break;
277 
278  ret = sys_getcpu((unsigned __user *)regs->di,
279  (unsigned __user *)regs->si,
280  NULL);
281  break;
282  }
283 
284  current_thread_info()->sig_on_uaccess_error = prev_sig_on_uaccess_error;
285 
286  if (skip) {
287  if ((long)regs->ax <= 0L) /* seccomp errno emulation */
288  goto do_ret;
289  goto done; /* seccomp trace/trap */
290  }
291 
292  if (ret == -EFAULT) {
293  /* Bad news -- userspace fed a bad pointer to a vsyscall. */
294  warn_bad_vsyscall(KERN_INFO, regs,
295  "vsyscall fault (exploit attempt?)");
296 
297  /*
298  * If we failed to generate a signal for any reason,
299  * generate one here. (This should be impossible.)
300  */
301  if (WARN_ON_ONCE(!sigismember(&tsk->pending.signal, SIGBUS) &&
302  !sigismember(&tsk->pending.signal, SIGSEGV)))
303  goto sigsegv;
304 
305  return true; /* Don't emulate the ret. */
306  }
307 
308  regs->ax = ret;
309 
310 do_ret:
311  /* Emulate a ret instruction. */
312  regs->ip = caller;
313  regs->sp += 8;
314 done:
315  return true;
316 
317 sigsegv:
319  return true;
320 }
321 
322 /*
323  * Assume __initcall executes before all user space. Hopefully kmod
324  * doesn't violate that. We'll find out if it does.
325  */
326 static void __cpuinit vsyscall_set_cpu(int cpu)
327 {
328  unsigned long d;
329  unsigned long node = 0;
330 #ifdef CONFIG_NUMA
331  node = cpu_to_node(cpu);
332 #endif
333  if (cpu_has(&cpu_data(cpu), X86_FEATURE_RDTSCP))
334  write_rdtscp_aux((node << 12) | cpu);
335 
336  /*
337  * Store cpu number in limit so that it can be loaded quickly
338  * in user space in vgetcpu. (12 bits for the CPU and 8 bits for the node)
339  */
340  d = 0x0f40000000000ULL;
341  d |= cpu;
342  d |= (node & 0xf) << 12;
343  d |= (node >> 4) << 48;
344 
345  write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_PER_CPU, &d, DESCTYPE_S);
346 }
347 
348 static void __cpuinit cpu_vsyscall_init(void *arg)
349 {
350  /* preemption should be already off */
351  vsyscall_set_cpu(raw_smp_processor_id());
352 }
353 
354 static int __cpuinit
355 cpu_vsyscall_notifier(struct notifier_block *n, unsigned long action, void *arg)
356 {
357  long cpu = (long)arg;
358 
359  if (action == CPU_ONLINE || action == CPU_ONLINE_FROZEN)
360  smp_call_function_single(cpu, cpu_vsyscall_init, NULL, 1);
361 
362  return NOTIFY_DONE;
363 }
364 
366 {
367  extern char __vsyscall_page;
368  unsigned long physaddr_vsyscall = __pa_symbol(&__vsyscall_page);
369  extern char __vvar_page;
370  unsigned long physaddr_vvar_page = __pa_symbol(&__vvar_page);
371 
372  __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall,
373  vsyscall_mode == NATIVE
375  : PAGE_KERNEL_VVAR);
377  (unsigned long)VSYSCALL_START);
378 
379  __set_fixmap(VVAR_PAGE, physaddr_vvar_page, PAGE_KERNEL_VVAR);
380  BUILD_BUG_ON((unsigned long)__fix_to_virt(VVAR_PAGE) !=
381  (unsigned long)VVAR_ADDRESS);
382 }
383 
384 static int __init vsyscall_init(void)
385 {
387 
388  on_each_cpu(cpu_vsyscall_init, NULL, 1);
389  /* notifier priority > KVM */
390  hotcpu_notifier(cpu_vsyscall_notifier, 30);
391 
392  return 0;
393 }