Home Explore Help
Register Sign In
Apq
/
pve-edge-kernel
mirror of https://github.com/fabianishere/pve-edge-kernel.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 633c5ed17f
Branches Tags
pve-edge-kernel
/
patches
/
kernel
/
0170-x86-ldt-Prevent-LDT-inheritance-on-exec.patch

0170-x86-ldt-Prevent-LDT-inheritance-on-exec.patch 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177 
  1. From ac21d052bf1fbdb4162b1fa522703f4f003f37c1 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Thomas Gleixner <[email protected]>
    3. 

  3. Date: Thu, 14 Dec 2017 12:27:31 +0100
    4. 

  4. Subject: [PATCH 170/242] x86/ldt: Prevent LDT inheritance on exec
    5. 

  5. MIME-Version: 1.0
    6. 

  6. Content-Type: text/plain; charset=UTF-8
    7. 

  7. Content-Transfer-Encoding: 8bit
    8. 

  8. 

  9. CVE-2017-5754
    10. 

  10. 

  11. The LDT is inherited across fork() or exec(), but that makes no sense
    12. 

  12. at all because exec() is supposed to start the process clean.
    13. 

  13. 

  14. The reason why this happens is that init_new_context_ldt() is called from
    15. 

  15. init_new_context() which obviously needs to be called for both fork() and
    16. 

  16. exec().
    17. 

  17. 

  18. It would be surprising if anything relies on that behaviour, so it seems to
    19. 

  19. be safe to remove that misfeature.
    20. 

  20. 

  21. Split the context initialization into two parts. Clear the LDT pointer and
    22. 

  22. initialize the mutex from the general context init and move the LDT
    23. 

  23. duplication to arch_dup_mmap() which is only called on fork().
    24. 

  24. 

  25. Signed-off-by: Thomas Gleixner <[email protected]>
    26. 

  26. Signed-off-by: Peter Zijlstra <[email protected]>
    27. 

  27. Cc: Andy Lutomirski <[email protected]>
    28. 

  28. Cc: Andy Lutomirsky <[email protected]>
    29. 

  29. Cc: Boris Ostrovsky <[email protected]>
    30. 

  30. Cc: Borislav Petkov <[email protected]>
    31. 

  31. Cc: Borislav Petkov <[email protected]>
    32. 

  32. Cc: Brian Gerst <[email protected]>
    33. 

  33. Cc: Dave Hansen <[email protected]>
    34. 

  34. Cc: Dave Hansen <[email protected]>
    35. 

  35. Cc: David Laight <[email protected]>
    36. 

  36. Cc: Denys Vlasenko <[email protected]>
    37. 

  37. Cc: Eduardo Valentin <[email protected]>
    38. 

  38. Cc: Greg KH <[email protected]>
    39. 

  39. Cc: H. Peter Anvin <[email protected]>
    40. 

  40. Cc: Josh Poimboeuf <[email protected]>
    41. 

  41. Cc: Juergen Gross <[email protected]>
    42. 

  42. Cc: Linus Torvalds <[email protected]>
    43. 

  43. Cc: Will Deacon <[email protected]>
    44. 

  44. Cc: [email protected]
    45. 

  45. Cc: [email protected]
    46. 

  46. Cc: [email protected]
    47. 

  47. Cc: [email protected]
    48. 

  48. Cc: [email protected]
    49. 

  49. Cc: [email protected]
    50. 

  50. Signed-off-by: Ingo Molnar <[email protected]>
    51. 

  51. (cherry picked from commit a4828f81037f491b2cc986595e3a969a6eeb2fb5)
    52. 

  52. Signed-off-by: Andy Whitcroft <[email protected]>
    53. 

  53. Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
    54. 

  54. (cherry picked from commit f90d254204df4b336731f23bb5417226f51e8651)
    55. 

  55. Signed-off-by: Fabian Grünbichler <[email protected]>
    56. 

  56. ---
    57. 

  57.  arch/x86/include/asm/mmu_context.h    | 21 ++++++++++++++-------
    58. 

  58.  arch/x86/kernel/ldt.c                 | 18 +++++-------------
    59. 

  59.  tools/testing/selftests/x86/ldt_gdt.c |  9 +++------
    60. 

  60.  3 files changed, 22 insertions(+), 26 deletions(-)
    61. 

  61. 

  62. diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
    63. 

  63. index dd865c2acb9d..47ec51a821e8 100644
    64. 

  64. --- a/arch/x86/include/asm/mmu_context.h
    65. 

  65. +++ b/arch/x86/include/asm/mmu_context.h
    66. 

  66. @@ -56,11 +56,17 @@ struct ldt_struct {
    67. 

  67.  /*
    68. 

  68.   * Used for LDT copy/destruction.
    69. 

  69.   */
    70. 

  70. -int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm);
    71. 

  71. +static inline void init_new_context_ldt(struct mm_struct *mm)
    72. 

  72. +{
    73. 

  73. +	mm->context.ldt = NULL;
    74. 

  74. +	init_rwsem(&mm->context.ldt_usr_sem);
    75. 

  75. +}
    76. 

  76. +int ldt_dup_context(struct mm_struct *oldmm, struct mm_struct *mm);
    77. 

  77.  void destroy_context_ldt(struct mm_struct *mm);
    78. 

  78.  #else	/* CONFIG_MODIFY_LDT_SYSCALL */
    79. 

  79. -static inline int init_new_context_ldt(struct task_struct *tsk,
    80. 

  80. -				       struct mm_struct *mm)
    81. 

  81. +static inline void init_new_context_ldt(struct mm_struct *mm) { }
    82. 

  82. +static inline int ldt_dup_context(struct mm_struct *oldmm,
    83. 

  83. +				  struct mm_struct *mm)
    84. 

  84.  {
    85. 

  85.  	return 0;
    86. 

  86.  }
    87. 

  87. @@ -136,15 +142,16 @@ static inline int init_new_context(struct task_struct *tsk,
    88. 

  88.  	mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id);
    89. 

  89.  	atomic64_set(&mm->context.tlb_gen, 0);
    90. 

  90.  
    91. 

  91. -	#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
    92. 

  92. +#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
    93. 

  93.  	if (cpu_feature_enabled(X86_FEATURE_OSPKE)) {
    94. 

  94.  		/* pkey 0 is the default and always allocated */
    95. 

  95.  		mm->context.pkey_allocation_map = 0x1;
    96. 

  96.  		/* -1 means unallocated or invalid */
    97. 

  97.  		mm->context.execute_only_pkey = -1;
    98. 

  98.  	}
    99. 

  99. -	#endif
    100. 

  100. -	return init_new_context_ldt(tsk, mm);
    101. 

  101. +#endif
    102. 

  102. +	init_new_context_ldt(mm);
    103. 

  103. +	return 0;
    104. 

  104.  }
    105. 

  105.  static inline void destroy_context(struct mm_struct *mm)
    106. 

  106.  {
    107. 

  107. @@ -180,7 +187,7 @@ do {						\
    108. 

  108.  static inline int arch_dup_mmap(struct mm_struct *oldmm, struct mm_struct *mm)
    109. 

  109.  {
    110. 

  110.  	paravirt_arch_dup_mmap(oldmm, mm);
    111. 

  111. -	return 0;
    112. 

  112. +	return ldt_dup_context(oldmm, mm);
    113. 

  113.  }
    114. 

  114.  
    115. 

  115.  static inline void arch_exit_mmap(struct mm_struct *mm)
    116. 

  116. diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
    117. 

  117. index 3e7208f0c350..74a5aaf13f3c 100644
    118. 

  118. --- a/arch/x86/kernel/ldt.c
    119. 

  119. +++ b/arch/x86/kernel/ldt.c
    120. 

  120. @@ -130,28 +130,20 @@ static void free_ldt_struct(struct ldt_struct *ldt)
    121. 

  121.  }
    122. 

  122.  
    123. 

  123.  /*
    124. 

  124. - * we do not have to muck with descriptors here, that is
    125. 

  125. - * done in switch_mm() as needed.
    126. 

  126. + * Called on fork from arch_dup_mmap(). Just copy the current LDT state,
    127. 

  127. + * the new task is not running, so nothing can be installed.
    128. 

  128.   */
    129. 

  129. -int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm)
    130. 

  130. +int ldt_dup_context(struct mm_struct *old_mm, struct mm_struct *mm)
    131. 

  131.  {
    132. 

  132.  	struct ldt_struct *new_ldt;
    133. 

  133. -	struct mm_struct *old_mm;
    134. 

  134.  	int retval = 0;
    135. 

  135.  
    136. 

  136. -	init_rwsem(&mm->context.ldt_usr_sem);
    137. 

  137. -
    138. 

  138. -	old_mm = current->mm;
    139. 

  139. -	if (!old_mm) {
    140. 

  140. -		mm->context.ldt = NULL;
    141. 

  141. +	if (!old_mm)
    142. 

  142.  		return 0;
    143. 

  143. -	}
    144. 

  144.  
    145. 

  145.  	mutex_lock(&old_mm->context.lock);
    146. 

  146. -	if (!old_mm->context.ldt) {
    147. 

  147. -		mm->context.ldt = NULL;
    148. 

  148. +	if (!old_mm->context.ldt)
    149. 

  149.  		goto out_unlock;
    150. 

  150. -	}
    151. 

  151.  
    152. 

  152.  	new_ldt = alloc_ldt_struct(old_mm->context.ldt->nr_entries);
    153. 

  153.  	if (!new_ldt) {
    154. 

  154. diff --git a/tools/testing/selftests/x86/ldt_gdt.c b/tools/testing/selftests/x86/ldt_gdt.c
    155. 

  155. index 8e290c9b2c3f..783e1a754b78 100644
    156. 

  156. --- a/tools/testing/selftests/x86/ldt_gdt.c
    157. 

  157. +++ b/tools/testing/selftests/x86/ldt_gdt.c
    158. 

  158. @@ -626,13 +626,10 @@ static void do_multicpu_tests(void)
    159. 

  159.  static int finish_exec_test(void)
    160. 

  160.  {
    161. 

  161.  	/*
    162. 

  162. -	 * In a sensible world, this would be check_invalid_segment(0, 1);
    163. 

  163. -	 * For better or for worse, though, the LDT is inherited across exec.
    164. 

  164. -	 * We can probably change this safely, but for now we test it.
    165. 

  165. +	 * Older kernel versions did inherit the LDT on exec() which is
    166. 

  166. +	 * wrong because exec() starts from a clean state.
    167. 

  167.  	 */
    168. 

  168. -	check_valid_segment(0, 1,
    169. 

  169. -			    AR_DPL3 | AR_TYPE_XRCODE | AR_S | AR_P | AR_DB,
    170. 

  170. -			    42, true);
    171. 

  171. +	check_invalid_segment(0, 1);
    172. 

  172.  
    173. 

  173.  	return nerrs ? 1 : 0;
    174. 

  174.  }
    175. 

  175. -- 
    176. 

  176. 2.14.2
    177. 

  177.