diff options
| author | Andy Lutomirski <luto@amacapital.net> | 2014-12-04 16:48:16 -0800 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2015-01-01 01:27:50 +0000 |
| commit | 106ed96d46fcaf9f2e72555035fa585403cf4dd3 (patch) | |
| tree | 018e92bb9c669471b184a86ad01795758fb8204f /arch/x86/kernel/tls.c | |
| parent | 1aded21661bda559a407cfb7c69d0e53b72bc671 (diff) | |
| download | kernel_samsung_smdk4412-106ed96d46fcaf9f2e72555035fa585403cf4dd3.zip kernel_samsung_smdk4412-106ed96d46fcaf9f2e72555035fa585403cf4dd3.tar.gz kernel_samsung_smdk4412-106ed96d46fcaf9f2e72555035fa585403cf4dd3.tar.bz2 | |
x86/tls: Validate TLS entries to protect espfix
commit 41bdc78544b8a93a9c6814b8bbbfef966272abbe upstream.
Installing a 16-bit RW data segment into the GDT defeats espfix.
AFAICT this will not affect glibc, Wine, or dosemu at all.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Acked-by: H. Peter Anvin <hpa@zytor.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: security@kernel.org <security@kernel.org>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'arch/x86/kernel/tls.c')
| -rw-r--r-- | arch/x86/kernel/tls.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c index bcfec2d..7af7338 100644 --- a/arch/x86/kernel/tls.c +++ b/arch/x86/kernel/tls.c @@ -28,6 +28,21 @@ static int get_free_idx(void) return -ESRCH; } +static bool tls_desc_okay(const struct user_desc *info) +{ + if (LDT_empty(info)) + return true; + + /* + * espfix is required for 16-bit data segments, but espfix + * only works for LDT segments. + */ + if (!info->seg_32bit) + return false; + + return true; +} + static void set_tls_desc(struct task_struct *p, int idx, const struct user_desc *info, int n) { @@ -67,6 +82,9 @@ int do_set_thread_area(struct task_struct *p, int idx, if (copy_from_user(&info, u_info, sizeof(info))) return -EFAULT; + if (!tls_desc_okay(&info)) + return -EINVAL; + if (idx == -1) idx = info.entry_number; @@ -197,6 +215,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, { struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; const struct user_desc *info; + int i; if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || (pos % sizeof(struct user_desc)) != 0 || @@ -210,6 +229,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, else info = infobuf; + for (i = 0; i < count / sizeof(struct user_desc); i++) + if (!tls_desc_okay(info + i)) + return -EINVAL; + set_tls_desc(target, GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), info, count / sizeof(struct user_desc)); |