mm/page_poison.c: enable PAGE_POISONING as a separate option

Page poisoning is currently set up as a feature if architectures don't
have architecture debug page_alloc to allow unmapping of pages.  It has
uses apart from that though.  Clearing of the pages on free provides an
increase in security as it helps to limit the risk of information leaks.
Allow page poisoning to be enabled as a separate option independent of
kernel_map pages since the two features do separate work.  Because of
how hiberanation is implemented, the checks on alloc cannot occur if
hibernation is enabled.  The runtime alloc checks can also be enabled
with an option when !HIBERNATION.

Credit to Grsecurity/PaX team for inspiring this work

Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Jianyu Zhan <nasa4836@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 208ae7287659a999010437ba566ae62787bfad4d..8e5abd640b0bc0ab6bfbb21ef7ff14d923a8e691 100644 (file)
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2731,6 +2731,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
                        we can turn it on.
                        on: enable the feature
 
+       page_poison=    [KNL] Boot-time parameter changing the state of
+                       poisoning on the buddy allocator.
+                       off: turn off poisoning
+                       on: turn on poisoning
+
        panic=          [KNL] Kernel behaviour on panic: delay <timeout>
                        timeout > 0: seconds before rebooting
                        timeout = 0: wait forever

diff --git a/include/linux/mm.h b/include/linux/mm.h
index 69fd6bbb8cceb624e9b9418b4e2842c184f530a0..99dcc8f36e28f9c7e1c049d22f310bbbad27b156 100644 (file)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2176,6 +2176,15 @@ extern int apply_to_page_range(struct mm_struct *mm, unsigned long address,
                               unsigned long size, pte_fn_t fn, void *data);
 
 
+#ifdef CONFIG_PAGE_POISONING
+extern bool page_poisoning_enabled(void);
+extern void kernel_poison_pages(struct page *page, int numpages, int enable);
+#else
+static inline bool page_poisoning_enabled(void) { return false; }
+static inline void kernel_poison_pages(struct page *page, int numpages,
+                                       int enable) { }
+#endif
+
 #ifdef CONFIG_DEBUG_PAGEALLOC
 extern bool _debug_pagealloc_enabled;
 extern void __kernel_map_pages(struct page *page, int numpages, int enable);

diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
index a0c136af9c91449b3333a82c09530f4f29850450..1f99f9a0deaeeda11ed8435856978ae75885d721 100644 (file)
--- a/mm/Kconfig.debug
+++ b/mm/Kconfig.debug
@@ -41,4 +41,27 @@ config DEBUG_PAGEALLOC_ENABLE_DEFAULT
          can be overridden by debug_pagealloc=off|on.
 
 config PAGE_POISONING
-       bool
+       bool "Poison pages after freeing"
+       select PAGE_EXTENSION
+       select PAGE_POISONING_NO_SANITY if HIBERNATION
+       ---help---
+         Fill the pages with poison patterns after free_pages() and verify
+         the patterns before alloc_pages. The filling of the memory helps
+         reduce the risk of information leaks from freed data. This does
+         have a potential performance impact.
+
+         Note that "poison" here is not the same thing as the "HWPoison"
+         for CONFIG_MEMORY_FAILURE. This is software poisoning only.
+
+         If unsure, say N
+
+config PAGE_POISONING_NO_SANITY
+       depends on PAGE_POISONING
+       bool "Only poison, don't sanity check"
+       ---help---
+          Skip the sanity checking on alloc, only fill the pages with
+          poison on free. This reduces some of the overhead of the
+          poisoning feature.
+
+          If you are only interested in sanitization, say Y. Otherwise
+          say N.

diff --git a/mm/Makefile b/mm/Makefile
index 2ed43191fc3bf78f46f111e88fa9d5a01b8c661a..cfdd481d27a5d7344b1eeb706174b0ec393acade 100644 (file)
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -48,7 +48,7 @@ obj-$(CONFIG_SPARSEMEM_VMEMMAP) += sparse-vmemmap.o
 obj-$(CONFIG_SLOB) += slob.o
 obj-$(CONFIG_MMU_NOTIFIER) += mmu_notifier.o
 obj-$(CONFIG_KSM) += ksm.o
-obj-$(CONFIG_PAGE_POISONING) += debug-pagealloc.o
+obj-$(CONFIG_PAGE_POISONING) += page_poison.o
 obj-$(CONFIG_SLAB) += slab.o
 obj-$(CONFIG_SLUB) += slub.o
 obj-$(CONFIG_KMEMCHECK) += kmemcheck.o

diff --git a/mm/debug-pagealloc.c b/mm/debug-pagealloc.c
deleted file mode 100644 (file)
index 5bf5906..0000000
--- a/mm/debug-pagealloc.c
+++ /dev/null
@@ -1,137 +0,0 @@
-#include <linux/kernel.h>
-#include <linux/string.h>
-#include <linux/mm.h>
-#include <linux/highmem.h>
-#include <linux/page_ext.h>
-#include <linux/poison.h>
-#include <linux/ratelimit.h>
-
-static bool page_poisoning_enabled __read_mostly;
-
-static bool need_page_poisoning(void)
-{
-       if (!debug_pagealloc_enabled())
-               return false;
-
-       return true;
-}
-
-static void init_page_poisoning(void)
-{
-       if (!debug_pagealloc_enabled())
-               return;
-
-       page_poisoning_enabled = true;
-}
-
-struct page_ext_operations page_poisoning_ops = {
-       .need = need_page_poisoning,
-       .init = init_page_poisoning,
-};
-
-static inline void set_page_poison(struct page *page)
-{
-       struct page_ext *page_ext;
-
-       page_ext = lookup_page_ext(page);
-       __set_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags);
-}
-
-static inline void clear_page_poison(struct page *page)
-{
-       struct page_ext *page_ext;
-
-       page_ext = lookup_page_ext(page);
-       __clear_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags);
-}
-
-static inline bool page_poison(struct page *page)
-{
-       struct page_ext *page_ext;
-
-       page_ext = lookup_page_ext(page);
-       return test_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags);
-}
-
-static void poison_page(struct page *page)
-{
-       void *addr = kmap_atomic(page);
-
-       set_page_poison(page);
-       memset(addr, PAGE_POISON, PAGE_SIZE);
-       kunmap_atomic(addr);
-}
-
-static void poison_pages(struct page *page, int n)
-{
-       int i;
-
-       for (i = 0; i < n; i++)
-               poison_page(page + i);
-}
-
-static bool single_bit_flip(unsigned char a, unsigned char b)
-{
-       unsigned char error = a ^ b;
-
-       return error && !(error & (error - 1));
-}
-
-static void check_poison_mem(unsigned char *mem, size_t bytes)
-{
-       static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 10);
-       unsigned char *start;
-       unsigned char *end;
-
-       start = memchr_inv(mem, PAGE_POISON, bytes);
-       if (!start)
-               return;
-
-       for (end = mem + bytes - 1; end > start; end--) {
-               if (*end != PAGE_POISON)
-                       break;
-       }
-
-       if (!__ratelimit(&ratelimit))
-               return;
-       else if (start == end && single_bit_flip(*start, PAGE_POISON))
-               printk(KERN_ERR "pagealloc: single bit error\n");
-       else
-               printk(KERN_ERR "pagealloc: memory corruption\n");
-
-       print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1, start,
-                       end - start + 1, 1);
-       dump_stack();
-}
-
-static void unpoison_page(struct page *page)
-{
-       void *addr;
-
-       if (!page_poison(page))
-               return;
-
-       addr = kmap_atomic(page);
-       check_poison_mem(addr, PAGE_SIZE);
-       clear_page_poison(page);
-       kunmap_atomic(addr);
-}
-
-static void unpoison_pages(struct page *page, int n)
-{
-       int i;
-
-       for (i = 0; i < n; i++)
-               unpoison_page(page + i);
-}
-
-void __kernel_map_pages(struct page *page, int numpages, int enable)
-{
-       if (!page_poisoning_enabled)
-               return;
-
-       if (enable)
-               unpoison_pages(page, numpages);
-       else
-               poison_pages(page, numpages);
-}

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 0691403aed935c4441d708ecf2c9b16fd825b13a..2a08349fbab288222c26681c44eb1e91c6ebca2d 100644 (file)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1025,6 +1025,7 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
                                           PAGE_SIZE << order);
        }
        arch_free_page(page, order);
+       kernel_poison_pages(page, 1 << order, 0);
        kernel_map_pages(page, 1 << order, 0);
 
        return true;
@@ -1420,6 +1421,7 @@ static int prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags,
 
        arch_alloc_page(page, order);
        kernel_map_pages(page, 1 << order, 1);
+       kernel_poison_pages(page, 1 << order, 1);
        kasan_alloc_pages(page, order);
 
        if (gfp_flags & __GFP_ZERO)

diff --git a/mm/page_poison.c b/mm/page_poison.c
new file mode 100644 (file)
index 0000000..89d3bc7
--- /dev/null
+++ b/mm/page_poison.c
@@ -0,0 +1,173 @@
+#include <linux/kernel.h>
+#include <linux/string.h>
+#include <linux/mm.h>
+#include <linux/highmem.h>
+#include <linux/page_ext.h>
+#include <linux/poison.h>
+#include <linux/ratelimit.h>
+
+static bool __page_poisoning_enabled __read_mostly;
+static bool want_page_poisoning __read_mostly;
+
+static int early_page_poison_param(char *buf)
+{
+       if (!buf)
+               return -EINVAL;
+
+       if (strcmp(buf, "on") == 0)
+               want_page_poisoning = true;
+       else if (strcmp(buf, "off") == 0)
+               want_page_poisoning = false;
+
+       return 0;
+}
+early_param("page_poison", early_page_poison_param);
+
+bool page_poisoning_enabled(void)
+{
+       return __page_poisoning_enabled;
+}
+
+static bool need_page_poisoning(void)
+{
+       return want_page_poisoning;
+}
+
+static void init_page_poisoning(void)
+{
+       /*
+        * page poisoning is debug page alloc for some arches. If either
+        * of those options are enabled, enable poisoning
+        */
+       if (!IS_ENABLED(CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC)) {
+               if (!want_page_poisoning && !debug_pagealloc_enabled())
+                       return;
+       } else {
+               if (!want_page_poisoning)
+                       return;
+       }
+
+       __page_poisoning_enabled = true;
+}
+
+struct page_ext_operations page_poisoning_ops = {
+       .need = need_page_poisoning,
+       .init = init_page_poisoning,
+};
+
+static inline void set_page_poison(struct page *page)
+{
+       struct page_ext *page_ext;
+
+       page_ext = lookup_page_ext(page);
+       __set_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags);
+}
+
+static inline void clear_page_poison(struct page *page)
+{
+       struct page_ext *page_ext;
+
+       page_ext = lookup_page_ext(page);
+       __clear_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags);
+}
+
+static inline bool page_poison(struct page *page)
+{
+       struct page_ext *page_ext;
+
+       page_ext = lookup_page_ext(page);
+       return test_bit(PAGE_EXT_DEBUG_POISON, &page_ext->flags);
+}
+
+static void poison_page(struct page *page)
+{
+       void *addr = kmap_atomic(page);
+
+       set_page_poison(page);
+       memset(addr, PAGE_POISON, PAGE_SIZE);
+       kunmap_atomic(addr);
+}
+
+static void poison_pages(struct page *page, int n)
+{
+       int i;
+
+       for (i = 0; i < n; i++)
+               poison_page(page + i);
+}
+
+static bool single_bit_flip(unsigned char a, unsigned char b)
+{
+       unsigned char error = a ^ b;
+
+       return error && !(error & (error - 1));
+}
+
+static void check_poison_mem(unsigned char *mem, size_t bytes)
+{
+       static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 10);
+       unsigned char *start;
+       unsigned char *end;
+
+       if (IS_ENABLED(CONFIG_PAGE_POISONING_NO_SANITY))
+               return;
+
+       start = memchr_inv(mem, PAGE_POISON, bytes);
+       if (!start)
+               return;
+
+       for (end = mem + bytes - 1; end > start; end--) {
+               if (*end != PAGE_POISON)
+                       break;
+       }
+
+       if (!__ratelimit(&ratelimit))
+               return;
+       else if (start == end && single_bit_flip(*start, PAGE_POISON))
+               pr_err("pagealloc: single bit error\n");
+       else
+               pr_err("pagealloc: memory corruption\n");
+
+       print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1, start,
+                       end - start + 1, 1);
+       dump_stack();
+}
+
+static void unpoison_page(struct page *page)
+{
+       void *addr;
+
+       if (!page_poison(page))
+               return;
+
+       addr = kmap_atomic(page);
+       check_poison_mem(addr, PAGE_SIZE);
+       clear_page_poison(page);
+       kunmap_atomic(addr);
+}
+
+static void unpoison_pages(struct page *page, int n)
+{
+       int i;
+
+       for (i = 0; i < n; i++)
+               unpoison_page(page + i);
+}
+
+void kernel_poison_pages(struct page *page, int numpages, int enable)
+{
+       if (!page_poisoning_enabled())
+               return;
+
+       if (enable)
+               unpoison_pages(page, numpages);
+       else
+               poison_pages(page, numpages);
+}
+
+#ifndef CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC
+void __kernel_map_pages(struct page *page, int numpages, int enable)
+{
+       /* This function does nothing, all work is done via poison pages */
+}
+#endif