diff options
| author | Kees Cook <keescook@chromium.org> | 2016-08-17 14:42:11 -0700 |
|---|---|---|
| committer | Satya Tangirala <satyat@google.com> | 2018-09-21 14:51:06 -0700 |
| commit | 7514f97280fdf4373f99ca28e573925cfb828aa7 (patch) | |
| tree | 15b6bd282da67b0741de1e70490d06bc519be9cd /include/linux/bug.h | |
| parent | 10c8c8a765f1335c46817d6dbf3e288dd45884df (diff) | |
UPSTREAM: bug: Provide toggle for BUG on data corruption
(cherry-picked from de54ebbe26bb371a6f1fbc0593372232f04e3107)
The kernel checks for cases of data structure corruption under some
CONFIGs (e.g. CONFIG_DEBUG_LIST). When corruption is detected, some
systems may want to BUG() immediately instead of letting the system run
with known corruption. Usually these kinds of manipulation primitives can
be used by security flaws to gain arbitrary memory write control. This
provides a new config CONFIG_BUG_ON_DATA_CORRUPTION and a corresponding
macro CHECK_DATA_CORRUPTION for handling these situations. Notably, even
if not BUGing, the kernel should not continue processing the corrupted
structure.
This is inspired by similar hardening by Syed Rameez Mustafa in MSM
kernels, and in PaX and Grsecurity, which is likely in response to earlier
removal of the BUG calls in commit 924d9addb9b1 ("list debugging: use
WARN() instead of BUG()").
Change-Id: I4cdfa9fbebe32a990a111d051e4ec4e421f77a09
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Satya Tangirala <satyat@google.com>
Diffstat (limited to 'include/linux/bug.h')
| -rw-r--r-- | include/linux/bug.h | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/include/linux/bug.h b/include/linux/bug.h index 7f4818673c41..2bafb1d6ee89 100644 --- a/include/linux/bug.h +++ b/include/linux/bug.h @@ -109,4 +109,21 @@ static inline enum bug_trap_type report_bug(unsigned long bug_addr, } #endif /* CONFIG_GENERIC_BUG */ + +/* + * Since detected data corruption should stop operation on the affected + * structures, this returns false if the corruption condition is found. + */ +#define CHECK_DATA_CORRUPTION(condition, fmt, ...) \ + do { \ + if (unlikely(condition)) { \ + if (IS_ENABLED(CONFIG_BUG_ON_DATA_CORRUPTION)) { \ + pr_err(fmt, ##__VA_ARGS__); \ + BUG(); \ + } else \ + WARN(1, fmt, ##__VA_ARGS__); \ + return false; \ + } \ + } while (0) + #endif /* _LINUX_BUG_H */ |