1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29#include <linux/kernel.h>
30#include <linux/timer.h>
31#include <linux/sched/signal.h>
32#include <linux/mm_types.h>
33#include <linux/syscalls.h>
34#include <linux/ratelimit.h>
35
36#include <asm/vsyscall.h>
37#include <asm/unistd.h>
38#include <asm/fixmap.h>
39#include <asm/traps.h>
40
41#define CREATE_TRACE_POINTS
42#include "vsyscall_trace.h"
43
44static enum { EMULATE, NATIVE, NONE } vsyscall_mode =
45#if defined(CONFIG_LEGACY_VSYSCALL_NATIVE)
46 NATIVE;
47#elif defined(CONFIG_LEGACY_VSYSCALL_NONE)
48 NONE;
49#else
50 EMULATE;
51#endif
52
53static int __init vsyscall_setup(char *str)
54{
55 if (str) {
56 if (!strcmp("emulate", str))
57 vsyscall_mode = EMULATE;
58 else if (!strcmp("native", str))
59 vsyscall_mode = NATIVE;
60 else if (!strcmp("none", str))
61 vsyscall_mode = NONE;
62 else
63 return -EINVAL;
64
65 return 0;
66 }
67
68 return -EINVAL;
69}
70early_param("vsyscall", vsyscall_setup);
71
72static void warn_bad_vsyscall(const char *level, struct pt_regs *regs,
73 const char *message)
74{
75 if (!show_unhandled_signals)
76 return;
77
78 printk_ratelimited("%s%s[%d] %s ip:%lx cs:%lx sp:%lx ax:%lx si:%lx di:%lx\n",
79 level, current->comm, task_pid_nr(current),
80 message, regs->ip, regs->cs,
81 regs->sp, regs->ax, regs->si, regs->di);
82}
83
84static int addr_to_vsyscall_nr(unsigned long addr)
85{
86 int nr;
87
88 if ((addr & ~0xC00UL) != VSYSCALL_ADDR)
89 return -EINVAL;
90
91 nr = (addr & 0xC00UL) >> 10;
92 if (nr >= 3)
93 return -EINVAL;
94
95 return nr;
96}
97
98static bool write_ok_or_segv(unsigned long ptr, size_t size)
99{
100
101
102
103
104
105 if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) {
106 siginfo_t info;
107 struct thread_struct *thread = ¤t->thread;
108
109 thread->error_code = 6;
110 thread->cr2 = ptr;
111 thread->trap_nr = X86_TRAP_PF;
112
113 memset(&info, 0, sizeof(info));
114 info.si_signo = SIGSEGV;
115 info.si_errno = 0;
116 info.si_code = SEGV_MAPERR;
117 info.si_addr = (void __user *)ptr;
118
119 force_sig_info(SIGSEGV, &info, current);
120 return false;
121 } else {
122 return true;
123 }
124}
125
126bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
127{
128 struct task_struct *tsk;
129 unsigned long caller;
130 int vsyscall_nr, syscall_nr, tmp;
131 int prev_sig_on_uaccess_err;
132 long ret;
133
134
135
136
137
138
139 WARN_ON_ONCE(address != regs->ip);
140
141 if (vsyscall_mode == NONE) {
142 warn_bad_vsyscall(KERN_INFO, regs,
143 "vsyscall attempted with vsyscall=none");
144 return false;
145 }
146
147 vsyscall_nr = addr_to_vsyscall_nr(address);
148
149 trace_emulate_vsyscall(vsyscall_nr);
150
151 if (vsyscall_nr < 0) {
152 warn_bad_vsyscall(KERN_WARNING, regs,
153 "misaligned vsyscall (exploit attempt or buggy program) -- look up the vsyscall kernel parameter if you need a workaround");
154 goto sigsegv;
155 }
156
157 if (get_user(caller, (unsigned long __user *)regs->sp) != 0) {
158 warn_bad_vsyscall(KERN_WARNING, regs,
159 "vsyscall with bad stack (exploit attempt?)");
160 goto sigsegv;
161 }
162
163 tsk = current;
164
165
166
167
168
169
170
171
172
173 switch (vsyscall_nr) {
174 case 0:
175 if (!write_ok_or_segv(regs->di, sizeof(struct timeval)) ||
176 !write_ok_or_segv(regs->si, sizeof(struct timezone))) {
177 ret = -EFAULT;
178 goto check_fault;
179 }
180
181 syscall_nr = __NR_gettimeofday;
182 break;
183
184 case 1:
185 if (!write_ok_or_segv(regs->di, sizeof(time_t))) {
186 ret = -EFAULT;
187 goto check_fault;
188 }
189
190 syscall_nr = __NR_time;
191 break;
192
193 case 2:
194 if (!write_ok_or_segv(regs->di, sizeof(unsigned)) ||
195 !write_ok_or_segv(regs->si, sizeof(unsigned))) {
196 ret = -EFAULT;
197 goto check_fault;
198 }
199
200 syscall_nr = __NR_getcpu;
201 break;
202 }
203
204
205
206
207
208
209
210
211 regs->orig_ax = syscall_nr;
212 regs->ax = -ENOSYS;
213 tmp = secure_computing(NULL);
214 if ((!tmp && regs->orig_ax != syscall_nr) || regs->ip != address) {
215 warn_bad_vsyscall(KERN_DEBUG, regs,
216 "seccomp tried to change syscall nr or ip");
217 do_exit(SIGSYS);
218 }
219 regs->orig_ax = -1;
220 if (tmp)
221 goto do_ret;
222
223
224
225
226
227 prev_sig_on_uaccess_err = current->thread.sig_on_uaccess_err;
228 current->thread.sig_on_uaccess_err = 1;
229
230 ret = -EFAULT;
231 switch (vsyscall_nr) {
232 case 0:
233 ret = sys_gettimeofday(
234 (struct timeval __user *)regs->di,
235 (struct timezone __user *)regs->si);
236 break;
237
238 case 1:
239 ret = sys_time((time_t __user *)regs->di);
240 break;
241
242 case 2:
243 ret = sys_getcpu((unsigned __user *)regs->di,
244 (unsigned __user *)regs->si,
245 NULL);
246 break;
247 }
248
249 current->thread.sig_on_uaccess_err = prev_sig_on_uaccess_err;
250
251check_fault:
252 if (ret == -EFAULT) {
253
254 warn_bad_vsyscall(KERN_INFO, regs,
255 "vsyscall fault (exploit attempt?)");
256
257
258
259
260
261 if (WARN_ON_ONCE(!sigismember(&tsk->pending.signal, SIGBUS) &&
262 !sigismember(&tsk->pending.signal, SIGSEGV)))
263 goto sigsegv;
264
265 return true;
266 }
267
268 regs->ax = ret;
269
270do_ret:
271
272 regs->ip = caller;
273 regs->sp += 8;
274 return true;
275
276sigsegv:
277 force_sig(SIGSEGV, current);
278 return true;
279}
280
281
282
283
284
285
286static const char *gate_vma_name(struct vm_area_struct *vma)
287{
288 return "[vsyscall]";
289}
290static const struct vm_operations_struct gate_vma_ops = {
291 .name = gate_vma_name,
292};
293static struct vm_area_struct gate_vma = {
294 .vm_start = VSYSCALL_ADDR,
295 .vm_end = VSYSCALL_ADDR + PAGE_SIZE,
296 .vm_page_prot = PAGE_READONLY_EXEC,
297 .vm_flags = VM_READ | VM_EXEC,
298 .vm_ops = &gate_vma_ops,
299};
300
301struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
302{
303#ifdef CONFIG_COMPAT
304 if (!mm || mm->context.ia32_compat)
305 return NULL;
306#endif
307 if (vsyscall_mode == NONE)
308 return NULL;
309 return &gate_vma;
310}
311
312int in_gate_area(struct mm_struct *mm, unsigned long addr)
313{
314 struct vm_area_struct *vma = get_gate_vma(mm);
315
316 if (!vma)
317 return 0;
318
319 return (addr >= vma->vm_start) && (addr < vma->vm_end);
320}
321
322
323
324
325
326
327int in_gate_area_no_mm(unsigned long addr)
328{
329 return vsyscall_mode != NONE && (addr & PAGE_MASK) == VSYSCALL_ADDR;
330}
331
332void __init map_vsyscall(void)
333{
334 extern char __vsyscall_page;
335 unsigned long physaddr_vsyscall = __pa_symbol(&__vsyscall_page);
336
337 if (vsyscall_mode != NONE)
338 __set_fixmap(VSYSCALL_PAGE, physaddr_vsyscall,
339 vsyscall_mode == NATIVE
340 ? PAGE_KERNEL_VSYSCALL
341 : PAGE_KERNEL_VVAR);
342
343 BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_PAGE) !=
344 (unsigned long)VSYSCALL_ADDR);
345}
346