mmap.c 7.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263
  1. /*
  2. * Flexible mmap layout support
  3. *
  4. * Based on code by Ingo Molnar and Andi Kleen, copyrighted
  5. * as follows:
  6. *
  7. * Copyright 2003-2009 Red Hat Inc.
  8. * All Rights Reserved.
  9. * Copyright 2005 Andi Kleen, SUSE Labs.
  10. * Copyright 2007 Jiri Kosina, SUSE Labs.
  11. *
  12. * This program is free software; you can redistribute it and/or modify
  13. * it under the terms of the GNU General Public License as published by
  14. * the Free Software Foundation; either version 2 of the License, or
  15. * (at your option) any later version.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU General Public License
  23. * along with this program; if not, write to the Free Software
  24. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  25. */
  26. #include <linux/personality.h>
  27. #include <linux/mm.h>
  28. #include <linux/random.h>
  29. #include <linux/limits.h>
  30. #include <linux/sched/signal.h>
  31. #include <linux/sched/mm.h>
  32. #include <linux/compat.h>
  33. #include <asm/elf.h>
  34. #include "physaddr.h"
  35. struct va_alignment __read_mostly va_align = {
  36. .flags = -1,
  37. };
  38. unsigned long task_size_32bit(void)
  39. {
  40. return IA32_PAGE_OFFSET;
  41. }
  42. unsigned long task_size_64bit(int full_addr_space)
  43. {
  44. return full_addr_space ? TASK_SIZE_MAX : DEFAULT_MAP_WINDOW;
  45. }
  46. static unsigned long stack_maxrandom_size(unsigned long task_size)
  47. {
  48. unsigned long max = 0;
  49. if (current->flags & PF_RANDOMIZE) {
  50. max = (-1UL) & __STACK_RND_MASK(task_size == task_size_32bit());
  51. max <<= PAGE_SHIFT;
  52. }
  53. return max;
  54. }
  55. #ifdef CONFIG_COMPAT
  56. # define mmap32_rnd_bits mmap_rnd_compat_bits
  57. # define mmap64_rnd_bits mmap_rnd_bits
  58. #else
  59. # define mmap32_rnd_bits mmap_rnd_bits
  60. # define mmap64_rnd_bits mmap_rnd_bits
  61. #endif
  62. #define SIZE_128M (128 * 1024 * 1024UL)
  63. static int mmap_is_legacy(void)
  64. {
  65. if (current->personality & ADDR_COMPAT_LAYOUT)
  66. return 1;
  67. return sysctl_legacy_va_layout;
  68. }
  69. static unsigned long arch_rnd(unsigned int rndbits)
  70. {
  71. if (!(current->flags & PF_RANDOMIZE))
  72. return 0;
  73. return (get_random_long() & ((1UL << rndbits) - 1)) << PAGE_SHIFT;
  74. }
  75. unsigned long arch_mmap_rnd(void)
  76. {
  77. return arch_rnd(mmap_is_ia32() ? mmap32_rnd_bits : mmap64_rnd_bits);
  78. }
  79. static unsigned long mmap_base(unsigned long rnd, unsigned long task_size,
  80. struct rlimit *rlim_stack)
  81. {
  82. unsigned long gap = rlim_stack->rlim_cur;
  83. unsigned long pad = stack_maxrandom_size(task_size) + stack_guard_gap;
  84. unsigned long gap_min, gap_max;
  85. /* Values close to RLIM_INFINITY can overflow. */
  86. if (gap + pad > gap)
  87. gap += pad;
  88. /*
  89. * Top of mmap area (just below the process stack).
  90. * Leave an at least ~128 MB hole with possible stack randomization.
  91. */
  92. gap_min = SIZE_128M;
  93. gap_max = (task_size / 6) * 5;
  94. if (gap < gap_min)
  95. gap = gap_min;
  96. else if (gap > gap_max)
  97. gap = gap_max;
  98. return PAGE_ALIGN(task_size - gap - rnd);
  99. }
  100. static unsigned long mmap_legacy_base(unsigned long rnd,
  101. unsigned long task_size)
  102. {
  103. return __TASK_UNMAPPED_BASE(task_size) + rnd;
  104. }
  105. /*
  106. * This function, called very early during the creation of a new
  107. * process VM image, sets up which VM layout function to use:
  108. */
  109. static void arch_pick_mmap_base(unsigned long *base, unsigned long *legacy_base,
  110. unsigned long random_factor, unsigned long task_size,
  111. struct rlimit *rlim_stack)
  112. {
  113. *legacy_base = mmap_legacy_base(random_factor, task_size);
  114. if (mmap_is_legacy())
  115. *base = *legacy_base;
  116. else
  117. *base = mmap_base(random_factor, task_size, rlim_stack);
  118. }
  119. void arch_pick_mmap_layout(struct mm_struct *mm, struct rlimit *rlim_stack)
  120. {
  121. if (mmap_is_legacy())
  122. mm->get_unmapped_area = arch_get_unmapped_area;
  123. else
  124. mm->get_unmapped_area = arch_get_unmapped_area_topdown;
  125. arch_pick_mmap_base(&mm->mmap_base, &mm->mmap_legacy_base,
  126. arch_rnd(mmap64_rnd_bits), task_size_64bit(0),
  127. rlim_stack);
  128. #ifdef CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES
  129. /*
  130. * The mmap syscall mapping base decision depends solely on the
  131. * syscall type (64-bit or compat). This applies for 64bit
  132. * applications and 32bit applications. The 64bit syscall uses
  133. * mmap_base, the compat syscall uses mmap_compat_base.
  134. */
  135. arch_pick_mmap_base(&mm->mmap_compat_base, &mm->mmap_compat_legacy_base,
  136. arch_rnd(mmap32_rnd_bits), task_size_32bit(),
  137. rlim_stack);
  138. #endif
  139. }
  140. unsigned long get_mmap_base(int is_legacy)
  141. {
  142. struct mm_struct *mm = current->mm;
  143. #ifdef CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES
  144. if (in_compat_syscall()) {
  145. return is_legacy ? mm->mmap_compat_legacy_base
  146. : mm->mmap_compat_base;
  147. }
  148. #endif
  149. return is_legacy ? mm->mmap_legacy_base : mm->mmap_base;
  150. }
  151. const char *arch_vma_name(struct vm_area_struct *vma)
  152. {
  153. if (vma->vm_flags & VM_MPX)
  154. return "[mpx]";
  155. return NULL;
  156. }
  157. /**
  158. * mmap_address_hint_valid - Validate the address hint of mmap
  159. * @addr: Address hint
  160. * @len: Mapping length
  161. *
  162. * Check whether @addr and @addr + @len result in a valid mapping.
  163. *
  164. * On 32bit this only checks whether @addr + @len is <= TASK_SIZE.
  165. *
  166. * On 64bit with 5-level page tables another sanity check is required
  167. * because mappings requested by mmap(@addr, 0) which cross the 47-bit
  168. * virtual address boundary can cause the following theoretical issue:
  169. *
  170. * An application calls mmap(addr, 0), i.e. without MAP_FIXED, where @addr
  171. * is below the border of the 47-bit address space and @addr + @len is
  172. * above the border.
  173. *
  174. * With 4-level paging this request succeeds, but the resulting mapping
  175. * address will always be within the 47-bit virtual address space, because
  176. * the hint address does not result in a valid mapping and is
  177. * ignored. Hence applications which are not prepared to handle virtual
  178. * addresses above 47-bit work correctly.
  179. *
  180. * With 5-level paging this request would be granted and result in a
  181. * mapping which crosses the border of the 47-bit virtual address
  182. * space. If the application cannot handle addresses above 47-bit this
  183. * will lead to misbehaviour and hard to diagnose failures.
  184. *
  185. * Therefore ignore address hints which would result in a mapping crossing
  186. * the 47-bit virtual address boundary.
  187. *
  188. * Note, that in the same scenario with MAP_FIXED the behaviour is
  189. * different. The request with @addr < 47-bit and @addr + @len > 47-bit
  190. * fails on a 4-level paging machine but succeeds on a 5-level paging
  191. * machine. It is reasonable to expect that an application does not rely on
  192. * the failure of such a fixed mapping request, so the restriction is not
  193. * applied.
  194. */
  195. bool mmap_address_hint_valid(unsigned long addr, unsigned long len)
  196. {
  197. if (TASK_SIZE - len < addr)
  198. return false;
  199. return (addr > DEFAULT_MAP_WINDOW) == (addr + len > DEFAULT_MAP_WINDOW);
  200. }
  201. /* Can we access it for direct reading/writing? Must be RAM: */
  202. int valid_phys_addr_range(phys_addr_t addr, size_t count)
  203. {
  204. return addr + count - 1 <= __pa(high_memory - 1);
  205. }
  206. /* Can we access it through mmap? Must be a valid physical address: */
  207. int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
  208. {
  209. phys_addr_t addr = (phys_addr_t)pfn << PAGE_SHIFT;
  210. return phys_addr_valid(addr + count - 1);
  211. }
  212. /*
  213. * Only allow root to set high MMIO mappings to PROT_NONE.
  214. * This prevents an unpriv. user to set them to PROT_NONE and invert
  215. * them, then pointing to valid memory for L1TF speculation.
  216. *
  217. * Note: for locked down kernels may want to disable the root override.
  218. */
  219. bool pfn_modify_allowed(unsigned long pfn, pgprot_t prot)
  220. {
  221. if (!boot_cpu_has_bug(X86_BUG_L1TF))
  222. return true;
  223. if (!__pte_needs_invert(pgprot_val(prot)))
  224. return true;
  225. /* If it's real memory always allow */
  226. if (pfn_valid(pfn))
  227. return true;
  228. if (pfn >= l1tf_pfn_limit() && !capable(CAP_SYS_ADMIN))
  229. return false;
  230. return true;
  231. }