1 | From eb1bbc0f0023eadafe368704180f4af739aca9a9 Mon Sep 17 00:00:00 2001 |
2 | From: Andy Lutomirski <luto@kernel.org> | |
3 | Date: Mon, 4 Dec 2017 15:07:24 +0100 | |
633c5ed1 | 4 | Subject: [PATCH 154/242] x86/entry/64: Return to userspace from the trampoline |
5 | stack |
6 | MIME-Version: 1.0 | |
7 | Content-Type: text/plain; charset=UTF-8 | |
8 | Content-Transfer-Encoding: 8bit | |
9 | ||
10 | CVE-2017-5754 | |
11 | ||
12 | By itself, this is useless. It gives us the ability to run some final code | |
13 | before exit that cannot run on the kernel stack. This could include a CR3 | |
14 | switch a la PAGE_TABLE_ISOLATION or some kernel stack erasing, for | |
15 | example. (Or even weird things like *changing* which kernel stack gets | |
16 | used as an ASLR-strengthening mechanism.) | |
17 | ||
18 | The SYSRET32 path is not covered yet. It could be in the future or | |
19 | we could just ignore it and force the slow path if needed. | |
20 | ||
21 | Signed-off-by: Andy Lutomirski <luto@kernel.org> | |
22 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | |
23 | Reviewed-by: Thomas Gleixner <tglx@linutronix.de> | |
24 | Reviewed-by: Borislav Petkov <bp@suse.de> | |
25 | Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> | |
26 | Cc: Borislav Petkov <bp@alien8.de> | |
27 | Cc: Borislav Petkov <bpetkov@suse.de> | |
28 | Cc: Brian Gerst <brgerst@gmail.com> | |
29 | Cc: Dave Hansen <dave.hansen@intel.com> | |
30 | Cc: Dave Hansen <dave.hansen@linux.intel.com> | |
31 | Cc: David Laight <David.Laight@aculab.com> | |
32 | Cc: Denys Vlasenko <dvlasenk@redhat.com> | |
33 | Cc: Eduardo Valentin <eduval@amazon.com> | |
34 | Cc: Greg KH <gregkh@linuxfoundation.org> | |
35 | Cc: H. Peter Anvin <hpa@zytor.com> | |
36 | Cc: Josh Poimboeuf <jpoimboe@redhat.com> | |
37 | Cc: Juergen Gross <jgross@suse.com> | |
38 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
39 | Cc: Peter Zijlstra <peterz@infradead.org> | |
40 | Cc: Rik van Riel <riel@redhat.com> | |
41 | Cc: Will Deacon <will.deacon@arm.com> | |
42 | Cc: aliguori@amazon.com | |
43 | Cc: daniel.gruss@iaik.tugraz.at | |
44 | Cc: hughd@google.com | |
45 | Cc: keescook@google.com | |
46 | Link: https://lkml.kernel.org/r/20171204150606.306546484@linutronix.de | |
47 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
48 | (cherry picked from commit 3e3b9293d392c577b62e24e4bc9982320438e749) | |
49 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
50 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
51 | (cherry picked from commit 40eb58584f732a2fefb5959e79e408bedeaaa43c) | |
52 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
53 | --- | |
54 | arch/x86/entry/entry_64.S | 55 +++++++++++++++++++++++++++++++++++++++++++---- | |
55 | 1 file changed, 51 insertions(+), 4 deletions(-) | |
56 | ||
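diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index f70fedc58bac..4abe5b806d2a 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -325,8 +325,24 @@ syscall_return_via_sysret:
 	popq	%rsi	/* skip rcx */
 	popq	%rdx
 	popq	%rsi
+
+	/*
+	 * Now all regs are restored except RSP and RDI.
+	 * Save old stack pointer and switch to trampoline stack.
+	 */
+	movq	%rsp, %rdi
+	movq	PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp
+
+	pushq	RSP-RDI(%rdi)	/* RSP */
+	pushq	(%rdi)		/* RDI */
+
+	/*
+	 * We are on the trampoline stack. All regs except RDI are live.
+	 * We can do future final exit work right here.
+	 */
+
 	popq	%rdi
-	movq	RSP-ORIG_RAX(%rsp), %rsp
+	popq	%rsp
 	USERGS_SYSRET64
 END(entry_SYSCALL_64)
 
@@ -629,10 +645,41 @@ GLOBAL(swapgs_restore_regs_and_return_to_usermode)
 	ud2
 1:
 #endif
-	SWAPGS
 	POP_EXTRA_REGS
-	POP_C_REGS
-	addq	$8, %rsp	/* skip regs->orig_ax */
+	popq	%r11
+	popq	%r10
+	popq	%r9
+	popq	%r8
+	popq	%rax
+	popq	%rcx
+	popq	%rdx
+	popq	%rsi
+
+	/*
+	 * The stack is now user RDI, orig_ax, RIP, CS, EFLAGS, RSP, SS.
+	 * Save old stack pointer and switch to trampoline stack.
+	 */
+	movq	%rsp, %rdi
+	movq	PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp
+
+	/* Copy the IRET frame to the trampoline stack. */
+	pushq	6*8(%rdi)		/* SS */
+	pushq	5*8(%rdi)		/* RSP */
+	pushq	4*8(%rdi)		/* EFLAGS */
+	pushq	3*8(%rdi)		/* CS */
+	pushq	2*8(%rdi)		/* RIP */
+
+	/* Push user RDI on the trampoline stack. */
+	pushq	(%rdi)
+
+	/*
+	 * We are on the trampoline stack. All regs except RDI are live.
+	 * We can do future final exit work right here.
+	 */
+
+	/* Restore RDI. */
+	popq	%rdi
+	SWAPGS
 	INTERRUPT_RETURN
 
 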
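Review bot: In the second hunk the load `movq PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp` now sits above the relocated `SWAPGS`, and that ordering is load-bearing for security — once SWAPGS has run, GS base belongs to userspace, so anyone who later hoists SWAPGS back above the stack switch would have the kernel take its RSP from attacker-controlled memory — yet nothing in the code records the constraint. I would put `/* Must run with kernel GS: the trampoline stack pointer comes from per-CPU data; SWAPGS is deferred until after the switch. */` above that movq, and a matching one-liner on the SYSRET path above `movq PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp`, where the same dependency holds because `USERGS_SYSRET64` does the swap. The window spent on the per-CPU trampoline stack also presumably assumes interrupts are disabled and that the six-word IRET frame plus RDI fits in that stack; neither is asserted here, so a comment stating the IRQs-off invariant at the switch would help (the body of `swapgs_restore_regs_and_return_to_usermode` begins before this hunk). Lastly, the frame copy uses raw `6*8(%rdi)` … `2*8(%rdi)` offsets while the first hunk uses the symbolic `RSP-RDI(%rdi)`; assuming the asm-offsets names for `SS`, `EFLAGS`, `CS` and `RIP` are in scope as `RSP` and `RDI` are, `pushq SS-RDI(%rdi)` through `pushq RIP-RDI(%rdi)` would keep the two exit paths consistent and survive a pt_regs layout change.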
132 | -- | |
133 | 2.14.2 | |
134 |