mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-28 21:33:52 +00:00
de54ebbe26
The kernel checks for cases of data structure corruption under some
CONFIGs (e.g. CONFIG_DEBUG_LIST). When corruption is detected, some
systems may want to BUG() immediately instead of letting the system run
with known corruption. Usually these kinds of manipulation primitives can
be used by security flaws to gain arbitrary memory write control. This
provides a new config CONFIG_BUG_ON_DATA_CORRUPTION and a corresponding
macro CHECK_DATA_CORRUPTION for handling these situations. Notably, even
if not BUGing, the kernel should not continue processing the corrupted
structure.
This is inspired by similar hardening by Syed Rameez Mustafa in MSM
kernels, and in PaX and Grsecurity, which is likely in response to earlier
removal of the BUG calls in commit 924d9addb9 ("list debugging: use
WARN() instead of BUG()").
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Rik van Riel <riel@redhat.com>
141 lines
4.4 KiB
C
141 lines
4.4 KiB
C
#ifndef _LINUX_BUG_H
|
|
#define _LINUX_BUG_H
|
|
|
|
#include <asm/bug.h>
|
|
#include <linux/compiler.h>
|
|
|
|
enum bug_trap_type {
|
|
BUG_TRAP_TYPE_NONE = 0,
|
|
BUG_TRAP_TYPE_WARN = 1,
|
|
BUG_TRAP_TYPE_BUG = 2,
|
|
};
|
|
|
|
struct pt_regs;
|
|
|
|
#ifdef __CHECKER__
|
|
#define __BUILD_BUG_ON_NOT_POWER_OF_2(n) (0)
|
|
#define BUILD_BUG_ON_NOT_POWER_OF_2(n) (0)
|
|
#define BUILD_BUG_ON_ZERO(e) (0)
|
|
#define BUILD_BUG_ON_NULL(e) ((void*)0)
|
|
#define BUILD_BUG_ON_INVALID(e) (0)
|
|
#define BUILD_BUG_ON_MSG(cond, msg) (0)
|
|
#define BUILD_BUG_ON(condition) (0)
|
|
#define BUILD_BUG() (0)
|
|
#define MAYBE_BUILD_BUG_ON(cond) (0)
|
|
#else /* __CHECKER__ */
|
|
|
|
/* Force a compilation error if a constant expression is not a power of 2 */
|
|
#define __BUILD_BUG_ON_NOT_POWER_OF_2(n) \
|
|
BUILD_BUG_ON(((n) & ((n) - 1)) != 0)
|
|
#define BUILD_BUG_ON_NOT_POWER_OF_2(n) \
|
|
BUILD_BUG_ON((n) == 0 || (((n) & ((n) - 1)) != 0))
|
|
|
|
/* Force a compilation error if condition is true, but also produce a
|
|
result (of value 0 and type size_t), so the expression can be used
|
|
e.g. in a structure initializer (or where-ever else comma expressions
|
|
aren't permitted). */
|
|
#define BUILD_BUG_ON_ZERO(e) (sizeof(struct { int:-!!(e); }))
|
|
#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:-!!(e); }))
|
|
|
|
/*
|
|
* BUILD_BUG_ON_INVALID() permits the compiler to check the validity of the
|
|
* expression but avoids the generation of any code, even if that expression
|
|
* has side-effects.
|
|
*/
|
|
#define BUILD_BUG_ON_INVALID(e) ((void)(sizeof((__force long)(e))))
|
|
|
|
/**
|
|
* BUILD_BUG_ON_MSG - break compile if a condition is true & emit supplied
|
|
* error message.
|
|
* @condition: the condition which the compiler should know is false.
|
|
*
|
|
* See BUILD_BUG_ON for description.
|
|
*/
|
|
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
|
|
|
|
/**
|
|
* BUILD_BUG_ON - break compile if a condition is true.
|
|
* @condition: the condition which the compiler should know is false.
|
|
*
|
|
* If you have some code which relies on certain constants being equal, or
|
|
* some other compile-time-evaluated condition, you should use BUILD_BUG_ON to
|
|
* detect if someone changes it.
|
|
*
|
|
* The implementation uses gcc's reluctance to create a negative array, but gcc
|
|
* (as of 4.4) only emits that error for obvious cases (e.g. not arguments to
|
|
* inline functions). Luckily, in 4.3 they added the "error" function
|
|
* attribute just for this type of case. Thus, we use a negative sized array
|
|
* (should always create an error on gcc versions older than 4.4) and then call
|
|
* an undefined function with the error attribute (should always create an
|
|
* error on gcc 4.3 and later). If for some reason, neither creates a
|
|
* compile-time error, we'll still have a link-time error, which is harder to
|
|
* track down.
|
|
*/
|
|
#ifndef __OPTIMIZE__
|
|
#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))
|
|
#else
|
|
#define BUILD_BUG_ON(condition) \
|
|
BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)
|
|
#endif
|
|
|
|
/**
|
|
* BUILD_BUG - break compile if used.
|
|
*
|
|
* If you have some code that you expect the compiler to eliminate at
|
|
* build time, you should use BUILD_BUG to detect if it is
|
|
* unexpectedly used.
|
|
*/
|
|
#define BUILD_BUG() BUILD_BUG_ON_MSG(1, "BUILD_BUG failed")
|
|
|
|
#define MAYBE_BUILD_BUG_ON(cond) \
|
|
do { \
|
|
if (__builtin_constant_p((cond))) \
|
|
BUILD_BUG_ON(cond); \
|
|
else \
|
|
BUG_ON(cond); \
|
|
} while (0)
|
|
|
|
#endif /* __CHECKER__ */
|
|
|
|
#ifdef CONFIG_GENERIC_BUG
|
|
#include <asm-generic/bug.h>
|
|
|
|
static inline int is_warning_bug(const struct bug_entry *bug)
|
|
{
|
|
return bug->flags & BUGFLAG_WARNING;
|
|
}
|
|
|
|
const struct bug_entry *find_bug(unsigned long bugaddr);
|
|
|
|
enum bug_trap_type report_bug(unsigned long bug_addr, struct pt_regs *regs);
|
|
|
|
/* These are defined by the architecture */
|
|
int is_valid_bugaddr(unsigned long addr);
|
|
|
|
#else /* !CONFIG_GENERIC_BUG */
|
|
|
|
static inline enum bug_trap_type report_bug(unsigned long bug_addr,
|
|
struct pt_regs *regs)
|
|
{
|
|
return BUG_TRAP_TYPE_BUG;
|
|
}
|
|
|
|
#endif /* CONFIG_GENERIC_BUG */
|
|
|
|
/*
|
|
* Since detected data corruption should stop operation on the affected
|
|
* structures, this returns false if the corruption condition is found.
|
|
*/
|
|
#define CHECK_DATA_CORRUPTION(condition, fmt, ...) \
|
|
do { \
|
|
if (unlikely(condition)) { \
|
|
if (IS_ENABLED(CONFIG_BUG_ON_DATA_CORRUPTION)) { \
|
|
pr_err(fmt, ##__VA_ARGS__); \
|
|
BUG(); \
|
|
} else \
|
|
WARN(1, fmt, ##__VA_ARGS__); \
|
|
return false; \
|
|
} \
|
|
} while (0)
|
|
|
|
#endif /* _LINUX_BUG_H */
|