/* kcmp.c */
  1. // SPDX-License-Identifier: GPL-2.0
  2. #include <linux/kernel.h>
  3. #include <linux/syscalls.h>
  4. #include <linux/fdtable.h>
  5. #include <linux/string.h>
  6. #include <linux/random.h>
  7. #include <linux/module.h>
  8. #include <linux/ptrace.h>
  9. #include <linux/init.h>
  10. #include <linux/errno.h>
  11. #include <linux/cache.h>
  12. #include <linux/bug.h>
  13. #include <linux/err.h>
  14. #include <linux/kcmp.h>
  15. #include <linux/capability.h>
  16. #include <linux/list.h>
  17. #include <linux/eventpoll.h>
  18. #include <linux/file.h>
  19. #include <asm/unistd.h>
  20. /*
  21. * We don't expose the real in-memory order of objects for security reasons.
  22. * But still the comparison results should be suitable for sorting. So we
  23. * obfuscate kernel pointers values and compare the production instead.
  24. *
  25. * The obfuscation is done in two steps. First we xor the kernel pointer with
  26. * a random value, which puts pointer into a new position in a reordered space.
  27. * Secondly we multiply the xor production with a large odd random number to
  28. * permute its bits even more (the odd multiplier guarantees that the product
  29. * is unique ever after the high bits are truncated, since any odd number is
  30. * relative prime to 2^n).
  31. *
  32. * Note also that the obfuscation itself is invisible to userspace and if needed
  33. * it can be changed to an alternate scheme.
  34. */
  35. static unsigned long cookies[KCMP_TYPES][2] __read_mostly;
  36. static long kptr_obfuscate(long v, int type)
  37. {
  38. return (v ^ cookies[type][0]) * cookies[type][1];
  39. }
  40. /*
  41. * 0 - equal, i.e. v1 = v2
  42. * 1 - less than, i.e. v1 < v2
  43. * 2 - greater than, i.e. v1 > v2
  44. * 3 - not equal but ordering unavailable (reserved for future)
  45. */
  46. static int kcmp_ptr(void *v1, void *v2, enum kcmp_type type)
  47. {
  48. long t1, t2;
  49. t1 = kptr_obfuscate((long)v1, type);
  50. t2 = kptr_obfuscate((long)v2, type);
  51. return (t1 < t2) | ((t1 > t2) << 1);
  52. }
  53. /* The caller must have pinned the task */
/*
 * Look up the struct file at descriptor @idx in @task's file table WITHOUT
 * taking a reference on it.  The caller must have pinned the task, so
 * task->files cannot be freed under us; task_lock() stabilizes the ->files
 * pointer itself and rcu_read_lock() covers the fdtable walk inside
 * fcheck_files().
 *
 * Returns the raw pointer — used only as an opaque comparison token, never
 * dereferenced — or NULL if @idx is not an open descriptor (or the task
 * has no file table, e.g. it is exiting).
 */
static struct file *
get_file_raw_ptr(struct task_struct *task, unsigned int idx)
{
	struct file *file = NULL;

	task_lock(task);
	rcu_read_lock();

	if (task->files)
		file = fcheck_files(task->files, idx);

	rcu_read_unlock();
	task_unlock(task);

	return file;
}
  66. static void kcmp_unlock(struct mutex *m1, struct mutex *m2)
  67. {
  68. if (likely(m2 != m1))
  69. mutex_unlock(m2);
  70. mutex_unlock(m1);
  71. }
/*
 * Take both cred_guard mutexes in a globally consistent order (higher
 * address first) so that two concurrent kcmp() calls on the same pair of
 * tasks cannot ABBA-deadlock.  A self-comparison (m1 == m2 after the swap)
 * takes the single mutex only once.
 *
 * Returns 0 with both locks held, or a negative error if the killable
 * sleep was interrupted — in which case no lock is held on return.
 */
static int kcmp_lock(struct mutex *m1, struct mutex *m2)
{
	int err;

	if (m2 > m1)
		swap(m1, m2);

	err = mutex_lock_killable(m1);
	if (!err && likely(m1 != m2)) {
		/* Nested annotation: same lock class taken twice by design. */
		err = mutex_lock_killable_nested(m2, SINGLE_DEPTH_NESTING);
		if (err)
			mutex_unlock(m1);
	}

	return err;
}
#ifdef CONFIG_EPOLL
/*
 * KCMP_EPOLL_TFD: compare task1's file at @idx1 against a file registered
 * inside an epoll instance owned by task2.  @uslot points to a userspace
 * kcmp_epoll_slot naming the epoll fd (efd), the registered target fd
 * (tfd) and an offset (toff) to disambiguate multiple registrations.
 *
 * Returns a kcmp ordering code (see kcmp_ptr()), -EFAULT if the slot
 * cannot be copied in, -EBADF if either descriptor does not resolve, or
 * an error propagated from the epoll lookup.
 */
static int kcmp_epoll_target(struct task_struct *task1,
			     struct task_struct *task2,
			     unsigned long idx1,
			     struct kcmp_epoll_slot __user *uslot)
{
	struct file *filp, *filp_epoll, *filp_tgt;
	struct kcmp_epoll_slot slot;
	struct files_struct *files;

	if (copy_from_user(&slot, uslot, sizeof(slot)))
		return -EFAULT;

	filp = get_file_raw_ptr(task1, idx1);
	if (!filp)
		return -EBADF;

	files = get_files_struct(task2);
	if (!files)
		return -EBADF;

	/*
	 * Unlike the raw comparison pointers above, the epoll file IS
	 * dereferenced below, so pin it with a real reference while we
	 * still hold file_lock; otherwise record the lookup failure.
	 */
	spin_lock(&files->file_lock);
	filp_epoll = fcheck_files(files, slot.efd);
	if (filp_epoll)
		get_file(filp_epoll);
	else
		filp_tgt = ERR_PTR(-EBADF);
	spin_unlock(&files->file_lock);
	put_files_struct(files);

	if (filp_epoll) {
		filp_tgt = get_epoll_tfile_raw_ptr(filp_epoll, slot.tfd, slot.toff);
		fput(filp_epoll);
	}

	if (IS_ERR(filp_tgt))
		return PTR_ERR(filp_tgt);

	return kcmp_ptr(filp, filp_tgt, KCMP_FILE);
}
#else
static int kcmp_epoll_target(struct task_struct *task1,
			     struct task_struct *task2,
			     unsigned long idx1,
			     struct kcmp_epoll_slot __user *uslot)
{
	/* Epoll compiled out: the whole sub-command is unavailable. */
	return -EOPNOTSUPP;
}
#endif
/*
 * kcmp(2): tell whether two processes share a kernel resource.
 *
 * @pid1, @pid2: tasks to compare, resolved in the caller's PID namespace.
 * @type:        which resource to compare (KCMP_FILE, KCMP_VM, ...).
 * @idx1, @idx2: per-type indices — fd numbers for KCMP_FILE; for
 *               KCMP_EPOLL_TFD, @idx1 is task1's fd and @idx2 carries a
 *               user pointer to a struct kcmp_epoll_slot.
 *
 * Returns the 0/1/2(/3) ordering code from kcmp_ptr(), or a negative
 * errno: -ESRCH (no such task), -EPERM (ptrace access denied), -EBADF,
 * -EOPNOTSUPP, -EINVAL, or an interrupted-lock error from kcmp_lock().
 */
SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
		unsigned long, idx1, unsigned long, idx2)
{
	struct task_struct *task1, *task2;
	int ret;

	rcu_read_lock();

	/*
	 * Tasks are looked up in caller's PID namespace only.
	 */
	task1 = find_task_by_vpid(pid1);
	task2 = find_task_by_vpid(pid2);
	if (!task1 || !task2)
		goto err_no_task;

	/* Pin both tasks before dropping RCU so they cannot go away. */
	get_task_struct(task1);
	get_task_struct(task2);

	rcu_read_unlock();

	/*
	 * One should have enough rights to inspect task details.
	 */
	ret = kcmp_lock(&task1->signal->cred_guard_mutex,
			&task2->signal->cred_guard_mutex);
	if (ret)
		goto err;
	if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) ||
	    !ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) {
		ret = -EPERM;
		goto err_unlock;
	}

	switch (type) {
	case KCMP_FILE: {
		struct file *filp1, *filp2;

		/* Raw pointers: compared as tokens, never dereferenced. */
		filp1 = get_file_raw_ptr(task1, idx1);
		filp2 = get_file_raw_ptr(task2, idx2);

		if (filp1 && filp2)
			ret = kcmp_ptr(filp1, filp2, KCMP_FILE);
		else
			ret = -EBADF;
		break;
	}
	case KCMP_VM:
		ret = kcmp_ptr(task1->mm, task2->mm, KCMP_VM);
		break;
	case KCMP_FILES:
		ret = kcmp_ptr(task1->files, task2->files, KCMP_FILES);
		break;
	case KCMP_FS:
		ret = kcmp_ptr(task1->fs, task2->fs, KCMP_FS);
		break;
	case KCMP_SIGHAND:
		ret = kcmp_ptr(task1->sighand, task2->sighand, KCMP_SIGHAND);
		break;
	case KCMP_IO:
		ret = kcmp_ptr(task1->io_context, task2->io_context, KCMP_IO);
		break;
	case KCMP_SYSVSEM:
#ifdef CONFIG_SYSVIPC
		ret = kcmp_ptr(task1->sysvsem.undo_list,
			       task2->sysvsem.undo_list,
			       KCMP_SYSVSEM);
#else
		ret = -EOPNOTSUPP;
#endif
		break;
	case KCMP_EPOLL_TFD:
		ret = kcmp_epoll_target(task1, task2, idx1, (void *)idx2);
		break;
	default:
		ret = -EINVAL;
		break;
	}

err_unlock:
	kcmp_unlock(&task1->signal->cred_guard_mutex,
		    &task2->signal->cred_guard_mutex);
err:
	put_task_struct(task1);
	put_task_struct(task2);

	return ret;

err_no_task:
	rcu_read_unlock();
	return -ESRCH;
}
  208. static __init int kcmp_cookies_init(void)
  209. {
  210. int i;
  211. get_random_bytes(cookies, sizeof(cookies));
  212. for (i = 0; i < KCMP_TYPES; i++)
  213. cookies[i][1] |= (~(~0UL >> 1) | 1);
  214. return 0;
  215. }
  216. arch_initcall(kcmp_cookies_init);