1 | From 6ef121f444bab6ac294e1eda62eb727ee639c6d7 Mon Sep 17 00:00:00 2001 |
2 | From: Josh Poimboeuf <jpoimboe@redhat.com> | |
3 | Date: Mon, 18 Sep 2017 21:43:37 -0500 | |
e4cdf2a5 | 4 | Subject: [PATCH 059/241] x86/head: Add unwind hint annotations |
5 | MIME-Version: 1.0 |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | CVE-2017-5754 | |
10 | ||
11 | Jiri Slaby reported an ORC issue when unwinding from an idle task. The | |
12 | stack was: | |
13 | ||
14 | ffffffff811083c2 do_idle+0x142/0x1e0 | |
15 | ffffffff8110861d cpu_startup_entry+0x5d/0x60 | |
16 | ffffffff82715f58 start_kernel+0x3ff/0x407 | |
17 | ffffffff827153e8 x86_64_start_kernel+0x14e/0x15d | |
18 | ffffffff810001bf secondary_startup_64+0x9f/0xa0 | |
19 | ||
20 | The ORC unwinder errored out at secondary_startup_64 because the head | |
21 | code isn't annotated yet so there wasn't a corresponding ORC entry. | |
22 | ||
23 | Fix that and any other head-related unwinding issues by adding unwind | |
24 | hints to the head code. | |
25 | ||
26 | Reported-by: Jiri Slaby <jslaby@suse.cz> | |
27 | Tested-by: Jiri Slaby <jslaby@suse.cz> | |
28 | Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> | |
29 | Cc: Andy Lutomirski <luto@kernel.org> | |
30 | Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> | |
31 | Cc: Juergen Gross <jgross@suse.com> | |
32 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
33 | Cc: Peter Zijlstra <peterz@infradead.org> | |
34 | Cc: Thomas Gleixner <tglx@linutronix.de> | |
35 | Link: http://lkml.kernel.org/r/78ef000a2f68f545d6eef44ee912edceaad82ccf.1505764066.git.jpoimboe@redhat.com | |
36 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
37 | (cherry picked from commit 2704fbb672d0d9a19414907fda7949283dcef6a1) | |
38 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
39 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
40 | (cherry picked from commit b63a868e404e64172afefea553c6a40963a151db) | |
41 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
42 | --- | |
43 | arch/x86/kernel/Makefile | 1 - | |
44 | arch/x86/kernel/head_64.S | 14 ++++++++++++-- | |
45 | 2 files changed, 12 insertions(+), 3 deletions(-) | |
46 | ||
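diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index 287eac7d207f..e2315aecc441 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -26,7 +26,6 @@ KASAN_SANITIZE_dumpstack.o := n
 KASAN_SANITIZE_dumpstack_$(BITS).o := n
 KASAN_SANITIZE_stacktrace.o := n
 
-OBJECT_FILES_NON_STANDARD_head_$(BITS).o := y
 OBJECT_FILES_NON_STANDARD_relocate_kernel_$(BITS).o := y
 OBJECT_FILES_NON_STANDARD_ftrace_$(BITS).o := y
 OBJECT_FILES_NON_STANDARD_test_nx.o := y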
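diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
index 45b18b1a6417..d081bc7a027d 100644
--- a/arch/x86/kernel/head_64.S
+++ b/arch/x86/kernel/head_64.S
@@ -49,6 +49,7 @@ L3_START_KERNEL = pud_index(__START_KERNEL_map)
 .code64
 .globl startup_64
 startup_64:
+ UNWIND_HINT_EMPTY
 /*
 * At this point the CPU runs in 64bit mode CS.L = 1 CS.D = 0,
 * and someone has loaded an identity mapped page table
@@ -81,6 +82,7 @@ startup_64:
 movq $(early_top_pgt - __START_KERNEL_map), %rax
 jmp 1f
 ENTRY(secondary_startup_64)
+ UNWIND_HINT_EMPTY
 /*
 * At this point the CPU runs in 64bit mode CS.L = 1 CS.D = 0,
 * and someone has loaded a mapped page table.
@@ -116,6 +118,7 @@ ENTRY(secondary_startup_64)
 movq $1f, %rax
 jmp *%rax
 1:
+ UNWIND_HINT_EMPTY
 
 /* Check if nx is implemented */
 movl $0x80000001, %eax
@@ -230,6 +233,7 @@ END(secondary_startup_64)
 */
 ENTRY(start_cpu0)
 movq initial_stack(%rip), %rsp
+ UNWIND_HINT_EMPTY
 jmp .Ljump_to_C_code
 ENDPROC(start_cpu0)
 #endif
@@ -254,13 +258,18 @@ ENTRY(early_idt_handler_array)
 i = 0
 .rept NUM_EXCEPTION_VECTORS
 .ifeq (EXCEPTION_ERRCODE_MASK >> i) & 1
- pushq $0 # Dummy error code, to make stack frame uniform
+ UNWIND_HINT_IRET_REGS
+ pushq $0 # Dummy error code, to make stack frame uniform
+ .else
+ UNWIND_HINT_IRET_REGS offset=8
 .endif
 pushq $i # 72(%rsp) Vector number
 jmp early_idt_handler_common
+ UNWIND_HINT_IRET_REGS
 i = i + 1
 .fill early_idt_handler_array + i*EARLY_IDT_HANDLER_SIZE - ., 1, 0xcc
 .endr
+ UNWIND_HINT_IRET_REGS offset=16
 END(early_idt_handler_array)
 
 early_idt_handler_common:
@@ -289,6 +298,7 @@ early_idt_handler_common:
 pushq %r13 /* pt_regs->r13 */
 pushq %r14 /* pt_regs->r14 */
 pushq %r15 /* pt_regs->r15 */
+ UNWIND_HINT_REGS
 
 cmpq $14,%rsi /* Page fault? */
 jnz 10f
@@ -411,7 +421,7 @@ ENTRY(phys_base)
 EXPORT_SYMBOL(phys_base)
 
 #include "../../x86/xen/xen-head.S"
-
+
 __PAGE_ALIGNED_BSS
 NEXT_PAGE(empty_zero_page)
 .skip PAGE_SIZE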
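Review bot: The four UNWIND_HINT_IRET_REGS placements in the early_idt_handler_array hunk each encode a different stack state and none of them says which, so the next person touching the `.rept` body has to re-derive the frame from the surrounding pushes; a one-line comment per hint would make the invariant explicit. From the visible lines, the hint before `pushq $0` and the `offset=8` hint in the new `.else` branch appear to describe handler entry for vectors without and with a CPU-pushed error code, the hint after `jmp early_idt_handler_common` appears to reset the state for the `0xcc` padding before the next iteration, and the `offset=16` hint after `.endr` describes the frame at early_idt_handler_common, where the error code and vector number sit above the iret frame — e.g. `UNWIND_HINT_IRET_REGS offset=16 # errcode + vector pushed above the iret frame` — though the offset semantics should be confirmed against the macro definition, which is outside this patch. early_idt_handler_common itself starts at the end of the hunk and its body continues outside it. Since the same patch drops OBJECT_FILES_NON_STANDARD_head_$(BITS).o from the Makefile, objtool now validates this object, so a hint that drifts out of step with these pushes should surface as a build-time warning rather than only as a broken trace like the one in the description; keeping the intent next to each hint makes such a warning quick to resolve.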
132 | -- | |
133 | 2.14.2 | |
134 |