
Linux Kernel Audit

It's time for us to Audit the Linux kernel. Post files.

https://github.com/torvalds/linux

swap.h


#ifndef _LINUX_SWAP_H
#define _LINUX_SWAP_H

#include <linux/spinlock.h>
#include <linux/linkage.h>
#include <linux/mmzone.h>
#include <linux/list.h>
#include <linux/memcontrol.h>
#include <linux/sched.h>
#include <linux/node.h>
#include <linux/fs.h>
#include <linux/atomic.h>
#include <linux/page-flags.h>
#include <asm/page.h>

struct notifier_block;

struct bio;

/*
 * Layout of the swap flags word, as defined by the constants below:
 * bits 0-14 carry the priority (SWAP_FLAG_PRIO_MASK, shift 0), bit 15 says a
 * priority was supplied, and bits 16-18 select the discard behaviour.
 */
#define SWAP_FLAG_PREFER 0x8000 /* set if swap priority specified */
#define SWAP_FLAG_PRIO_MASK 0x7fff
#define SWAP_FLAG_PRIO_SHIFT 0
#define SWAP_FLAG_DISCARD 0x10000 /* enable discard for swap */
#define SWAP_FLAG_DISCARD_ONCE 0x20000 /* discard swap area at swapon-time */
#define SWAP_FLAG_DISCARD_PAGES 0x40000 /* discard page-clusters after use */

/*
 * Union of every flag bit defined above.
 * NOTE(review): presumably the code that receives these flags from userspace
 * rejects any bit outside this mask; that check is not in this header, so
 * confirm it at the caller. A new flag must be added here as well.
 */
#define SWAP_FLAGS_VALID (SWAP_FLAG_PRIO_MASK | SWAP_FLAG_PREFER | \
SWAP_FLAG_DISCARD | SWAP_FLAG_DISCARD_ONCE | \
SWAP_FLAG_DISCARD_PAGES)

/*
 * Test the PF_KSWAPD bit in the current task's flags.
 *
 * Returns the masked flag value, not a normalised 0/1: callers should test
 * the result for non-zero rather than compare it with 1.
 */
static inline int current_is_kswapd(void)
{
return current->flags & PF_KSWAPD;
}




1/?
>>
>>56913007
swap.h
2/?
/*
* MAX_SWAPFILES defines the maximum number of swaptypes: things which can
* be swapped to. The swap type and the offset into that swap type are
* encoded into pte's and into pgoff_t's in the swapcache. Using five bits
* for the type means that the maximum number of swapcache pages is 27 bits
* on 32-bit-pgoff_t architectures. And that assumes that the architecture packs
* the type/offset into the pte as 5/27 as well.
*/
/* Five type bits give 1 << 5 = 32 distinct swap type values in total. */
#define MAX_SWAPFILES_SHIFT 5

/*
* Use some of the swap files numbers for other purposes. This
* is a convenient way to hook into the VM to trigger special
* actions on faults.
*/

/*
* NUMA node memory migration support
*
* Two type values are reserved when CONFIG_MIGRATION is set. They are placed
* after the real swapfile types and after the hwpoison type, if any.
* SWP_HWPOISON_NUM and MAX_SWAPFILES are defined further down; that is fine
* for macros because they are only expanded where they are used.
*/
#ifdef CONFIG_MIGRATION
#define SWP_MIGRATION_NUM 2
#define SWP_MIGRATION_READ (MAX_SWAPFILES + SWP_HWPOISON_NUM)
#define SWP_MIGRATION_WRITE (MAX_SWAPFILES + SWP_HWPOISON_NUM + 1)
#else
#define SWP_MIGRATION_NUM 0
#endif

/*
* Handling of hardware poisoned pages with memory corruption.
*
* One type value is reserved when CONFIG_MEMORY_FAILURE is set: the first
* value past the real swapfile types.
*/
#ifdef CONFIG_MEMORY_FAILURE
#define SWP_HWPOISON_NUM 1
#define SWP_HWPOISON MAX_SWAPFILES
#else
#define SWP_HWPOISON_NUM 0
#endif

/*
 * Number of type values left for real swap areas: the 32 encodable values
 * minus those reserved above. Type values >= MAX_SWAPFILES are the special
 * (non-swapfile) entries.
 */
#define MAX_SWAPFILES \
((1 << MAX_SWAPFILES_SHIFT) - SWP_MIGRATION_NUM - SWP_HWPOISON_NUM)

>>
>>56913014
swap.h
3/?
/*
* Magic header for a swap area. The first part of the union is
* what the swap magic looks like for the old (limited to 128MB)
* swap area format, the second part of the union adds - in the
* old reserved area - some extra information. Note that the first
* kilobyte is reserved for boot loader or disk label stuff...
*
* Having the magic at the end of the PAGE_SIZE makes detecting swap
* areas somewhat tricky on machines that support multiple page sizes.
* For 2.5 we'll probably want to move the magic to just beyond the
* bootbits...
*/
union swap_header {
/* View 1: the signature occupies the last 10 bytes of the first page. */
struct {
char reserved[PAGE_SIZE - 10];
char magic[10]; /* SWAP-SPACE or SWAPSPACE2 */
} magic;
/*
 * View 2: metadata overlaid on the start of the same page, after the
 * 1024 bytes left for the boot loader / disk label.
 *
 * NOTE(review): these fields describe data read from the swap device, so
 * they should be treated as untrusted until checked. badpages[] is declared
 * with one element but is presumably indexed up to nr_badpages; whoever
 * parses the header has to bound nr_badpages (and last_page) before use.
 * That validation is not in this header - confirm it in the reader.
 */
struct {
char bootbits[1024]; /* Space for disklabel etc. */
__u32 version;
__u32 last_page;
__u32 nr_badpages;
unsigned char sws_uuid[16];
unsigned char sws_volume[16];
__u32 padding[117];
__u32 badpages[1];
} info;
};

/*
* current->reclaim_state points to one of these when a task is running
* memory reclaim
*/
struct reclaim_state {
/* NOTE(review): presumably a count of slab pages freed during reclaim - confirm at the writers */
unsigned long reclaimed_slab;
};

#ifdef __KERNEL__

struct address_space;
struct sysinfo;
struct writeback_control;
struct zone;

/*
* A swap extent maps a range of a swapfile's PAGE_SIZE pages onto a range of
* disk blocks. A list of swap extents maps the entire swapfile. (Where the
* term `swapfile' refers to either a blockdevice or an IS_REG file. Apart
* from setup, they're handled identically.)
*
* We always assume that blocks are of size PAGE_SIZE.
*/
struct swap_extent {
struct list_head list; /* links this extent into the list of extents */
pgoff_t start_page; /* first page of the range within the swapfile */
pgoff_t nr_pages; /* length of the range, in pages */
sector_t start_block; /* first disk block the range maps to */
};
>>
>>56913019
https://raw.githubusercontent.com/torvalds/linux/21f54ddae449f4bdd9f1498124901d67202243d9/include/linux/swap.h
>>
>>56913007
>implying anyone here is capable of understanding such codes
>>
kernel/kcmp.c
1/4
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <linux/fdtable.h>
#include <linux/string.h>
#include <linux/random.h>
#include <linux/module.h>
#include <linux/ptrace.h>
#include <linux/init.h>
#include <linux/errno.h>
#include <linux/cache.h>
#include <linux/bug.h>
#include <linux/err.h>
#include <linux/kcmp.h>

#include <asm/unistd.h>

/*
* We don't expose the real in-memory order of objects for security reasons.
* But still the comparison results should be suitable for sorting. So we
* obfuscate kernel pointer values and compare the products instead.
*
* The obfuscation is done in two steps. First we xor the kernel pointer with
* a random value, which puts the pointer into a new position in a reordered
* space. Secondly we multiply the xor product with a large odd random number
* to permute its bits even more (the odd multiplier guarantees that the
* product is unique even after the high bits are truncated, since any odd
* number is relatively prime to 2^n).
*
* Note also that the obfuscation itself is invisible to userspace and if needed
* it can be changed to an alternate scheme.
*
* cookies[type][0] is the xor value and cookies[type][1] the multiplier for
* each comparison type; both are filled in once by kcmp_cookies_init().
*/
static unsigned long cookies[KCMP_TYPES][2] __read_mostly;

/*
 * Map a kernel pointer value to its obfuscated form for one comparison type:
 * xor with the type's first cookie, then multiply by its second cookie.
 *
 * @v:    pointer value, already cast to long by the caller
 * @type: row of the cookie table to use
 *
 * @type indexes cookies[] without a range check here; the callers in this
 * file only pass KCMP_* constants.
 */
static long kptr_obfuscate(long v, int type)
{
	const unsigned long *cookie = cookies[type];
	unsigned long mixed = v ^ cookie[0];

	return mixed * cookie[1];
}

/*
 * Compare two kernel pointers by their obfuscated values.
 *
 * Result codes:
 *   0 - equal, i.e. v1 = v2
 *   1 - less than, i.e. v1 < v2
 *   2 - greater than, i.e. v1 > v2
 *   3 - not equal but ordering unavailable (reserved for future)
 *
 * Only this ordering code is returned; the pointer values themselves and
 * their obfuscated forms stay local to the function.
 */
static int kcmp_ptr(void *v1, void *v2, enum kcmp_type type)
{
	const long lhs = kptr_obfuscate((long)v1, type);
	const long rhs = kptr_obfuscate((long)v2, type);

	if (lhs < rhs)
		return 1;
	if (lhs > rhs)
		return 2;

	return 0;
}
>>
kernel/kcmp.c
2/4

/*
 * Fetch the struct file pointer stored at descriptor index @idx of @task.
 *
 * The caller must have pinned the task. The lookup runs under task_lock()
 * and rcu_read_lock(); both are dropped before returning and nothing here
 * takes a reference on the file, so the result is a value to compare, not
 * an object to dereference.
 *
 * Returns NULL when the task has no files table, otherwise whatever
 * fcheck_files() returns for @idx.
 */
static struct file *
get_file_raw_ptr(struct task_struct *task, unsigned int idx)
{
	struct file *found;

	task_lock(task);
	rcu_read_lock();

	found = task->files ? fcheck_files(task->files, idx) : NULL;

	rcu_read_unlock();
	task_unlock(task);

	return found;
}

/*
 * Release the mutexes taken by kcmp_lock(): @m2 first, then @m1.
 * When both arguments name the same mutex it is unlocked exactly once.
 */
static void kcmp_unlock(struct mutex *m1, struct mutex *m2)
{
	if (likely(m1 != m2)) {
		mutex_unlock(m2);
		mutex_unlock(m1);
		return;
	}

	/* Same mutex passed twice: a single unlock. */
	mutex_unlock(m1);
}

/*
 * Take both mutexes, killably, in a fixed order.
 *
 * The pointers are first ordered by address (after the swap, m1 is the
 * higher one), so two callers naming the same pair in opposite order still
 * acquire them in the same sequence. If m1 and m2 are the same mutex it is
 * locked only once; kcmp_unlock() mirrors that.
 *
 * Returns 0 with the lock(s) held, or the non-zero value from
 * mutex_lock_killable*() with nothing held.
 */
static int kcmp_lock(struct mutex *m1, struct mutex *m2)
{
int err;

/* Address ordering; swap() only changes the local copies of the pointers. */
if (m2 > m1)
swap(m1, m2);

err = mutex_lock_killable(m1);
if (!err && likely(m1 != m2)) {
/* Second lock of the same kind, taken with the SINGLE_DEPTH_NESTING subclass. */
err = mutex_lock_killable_nested(m2, SINGLE_DEPTH_NESTING);
/* Back out the first lock so the caller never sees a half-taken pair. */
if (err)
mutex_unlock(m1);
}

return err;
}

>>
>>56913007
>static inline
I really wish they would start using GNU11/C11 instead of this "GNU89, but not really" crap.
>>
kernel/kcmp.c
3/4
/*
 * kcmp: compare one kernel object of two tasks and return only the ordering.
 *
 * pid1/pid2 name the tasks, type selects which object is compared, and
 * idx1/idx2 are file descriptor indexes used only for KCMP_FILE.
 *
 * Returns the kcmp_ptr() code (0 equal, 1 less, 2 greater) or a negative
 * errno: -ESRCH if either task is not found, -EPERM if the caller may not
 * inspect both tasks, -EBADF if either descriptor has no file, -EOPNOTSUPP
 * for KCMP_SYSVSEM without CONFIG_SYSVIPC, -EINVAL for an unknown type, or
 * the error from kcmp_lock().
 */
SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
unsigned long, idx1, unsigned long, idx2)
{
struct task_struct *task1, *task2;
int ret;

rcu_read_lock();

/*
* Tasks are looked up in caller's PID namespace only.
*/
task1 = find_task_by_vpid(pid1);
task2 = find_task_by_vpid(pid2);
if (!task1 || !task2)
goto err_no_task;

/* Pin both tasks before leaving the RCU section; dropped at the err label. */
get_task_struct(task1);
get_task_struct(task2);

rcu_read_unlock();

/*
* One should have enough rights to inspect task details.
*
* The access check runs for both tasks and with both cred_guard_mutex
* locks held, and the locks stay held until the comparison is done.
* NOTE(review): presumably this keeps a credential change in either task
* from racing with the check - confirm against cred_guard_mutex's users.
*/
ret = kcmp_lock(&task1->signal->cred_guard_mutex,
&task2->signal->cred_guard_mutex);
if (ret)
goto err;
if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) ||
!ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) {
ret = -EPERM;
goto err_unlock;
}

/*
 * type comes straight from userspace. It is never used as an index itself:
 * each case passes its own constant to kcmp_ptr(), and anything else falls
 * through to -EINVAL.
 */
switch (type) {
case KCMP_FILE: {
struct file *filp1, *filp2;

/*
 * NOTE(review): idx1/idx2 are unsigned long but get_file_raw_ptr() takes an
 * unsigned int, so on 64-bit the upper bits are dropped by the conversion.
 * The pointers returned are only compared, never dereferenced, here.
 */
filp1 = get_file_raw_ptr(task1, idx1);
filp2 = get_file_raw_ptr(task2, idx2);

if (filp1 && filp2)
ret = kcmp_ptr(filp1, filp2, KCMP_FILE);
else
ret = -EBADF;
break;
}
case KCMP_VM:
ret = kcmp_ptr(task1->mm, task2->mm, KCMP_VM);
break;
case KCMP_FILES:
ret = kcmp_ptr(task1->files, task2->files, KCMP_FILES);
break;
case KCMP_FS:
ret = kcmp_ptr(task1->fs, task2->fs, KCMP_FS);
break;
case KCMP_SIGHAND:
ret = kcmp_ptr(task1->sighand, task2->sighand, KCMP_SIGHAND);
break;
case KCMP_IO:
ret = kcmp_ptr(task1->io_context, task2->io_context, KCMP_IO);
break;
case KCMP_SYSVSEM:
#ifdef CONFIG_SYSVIPC
ret = kcmp_ptr(task1->sysvsem.undo_list,
task2->sysvsem.undo_list,
KCMP_SYSVSEM);
#else
ret = -EOPNOTSUPP;
#endif
break;
default:
ret = -EINVAL;
break;
}

/* Unwind in reverse order of acquisition: mutexes, then task references. */
err_unlock:
kcmp_unlock(&task1->signal->cred_guard_mutex,
&task2->signal->cred_guard_mutex);
err:
put_task_struct(task1);
put_task_struct(task2);

return ret;

/* Lookup failed: no task reference was taken, only the RCU section is open. */
err_no_task:
rcu_read_unlock();
return -ESRCH;
}
>>
kernel/kcmp.c
4/4

/*
 * Fill the obfuscation cookies with random bytes once at init, then force
 * every multiplier (second column) to have both its top bit and its lowest
 * bit set, i.e. to be large and odd as the scheme above requires.
 *
 * NOTE(review): this is registered as an arch_initcall; whether the random
 * pool is fully seeded that early is not visible here - worth confirming,
 * since the cookies are what hides the real pointer order.
 *
 * Always returns 0.
 */
static __init int kcmp_cookies_init(void)
{
	/* ~(~0UL >> 1) is the most significant bit; | 1 adds the lowest bit. */
	const unsigned long top_and_low_bits = ~(~0UL >> 1) | 1;
	int type;

	get_random_bytes(cookies, sizeof(cookies));

	for (type = 0; type < KCMP_TYPES; type++)
		cookies[type][1] |= top_and_low_bits;

	return 0;
}
arch_initcall(kcmp_cookies_init);