1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Dave Hansen <dave.hansen@linux.intel.com> | |
3 | Date: Wed, 10 Jan 2018 14:49:39 -0800 | |
4 | Subject: [PATCH] x86/pti: Make unpoison of pgd for trusted boot work for real | |
5 | MIME-Version: 1.0 | |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | CVE-2017-5754 | |
10 | ||
11 | The initial fix for trusted boot and PTI potentially misses the pgd clearing | |
12 | if pud_alloc() sets a PGD. It probably works in *practice* because for two | |
13 | adjacent calls to map_tboot_page() that share a PGD entry, the first will | |
14 | clear NX, *then* allocate and set the PGD (without NX clear). The second | |
15 | call will *not* allocate but will clear the NX bit. | |
16 | ||
17 | Defer the NX clearing to a point after it is known that all top-level | |
18 | allocations have occurred. Add a comment to clarify why. | |
19 | ||
20 | [ tglx: Massaged changelog ] | |
21 | ||
22 | Fixes: 262b6b30087 ("x86/tboot: Unbreak tboot with PTI enabled") | |
23 | Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> | |
24 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | |
25 | Reviewed-by: Andrea Arcangeli <aarcange@redhat.com> | |
26 | Cc: Jon Masters <jcm@redhat.com> | |
27 | Cc: "Tim Chen" <tim.c.chen@linux.intel.com> | |
28 | Cc: gnomes@lxorguk.ukuu.org.uk | |
29 | Cc: peterz@infradead.org | |
30 | Cc: ning.sun@intel.com | |
31 | Cc: tboot-devel@lists.sourceforge.net | |
32 | Cc: andi@firstfloor.org | |
33 | Cc: luto@kernel.org | |
34 | Cc: law@redhat.com | |
35 | Cc: pbonzini@redhat.com | |
36 | Cc: torvalds@linux-foundation.org | |
37 | Cc: gregkh@linux-foundation.org | |
38 | Cc: dwmw@amazon.co.uk | |
39 | Cc: nickc@redhat.com | |
40 | Cc: stable@vger.kernel.org | |
41 | Link: https://lkml.kernel.org/r/20180110224939.2695CD47@viggo.jf.intel.com | |
42 | (cherry picked from commit 8a931d1e24bacf01f00a35d43bfe7917256c5c49) | |
43 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
44 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
45 | (cherry picked from commit 9935124a5c771c004a578423275633232fb7a006) | |
46 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
47 | --- | |
48 | arch/x86/kernel/tboot.c | 12 +++++++++++- | |
49 | 1 file changed, 11 insertions(+), 1 deletion(-) | |
50 | ||
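diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
index 75869a4b6c41..a2486f444073 100644
--- a/arch/x86/kernel/tboot.c
+++ b/arch/x86/kernel/tboot.c
@@ -127,7 +127,6 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
 	p4d = p4d_alloc(&tboot_mm, pgd, vaddr);
 	if (!p4d)
 		return -1;
-	pgd->pgd &= ~_PAGE_NX;
 	pud = pud_alloc(&tboot_mm, p4d, vaddr);
 	if (!pud)
 		return -1;
@@ -139,6 +138,17 @@ static int map_tboot_page(unsigned long vaddr, unsigned long pfn,
 		return -1;
 	set_pte_at(&tboot_mm, vaddr, pte, pfn_pte(pfn, prot));
 	pte_unmap(pte);
+
+	/*
+	 * PTI poisons low addresses in the kernel page tables in the
+	 * name of making them unusable for userspace. To execute
+	 * code at such a low address, the poison must be cleared.
+	 *
+	 * Note: 'pgd' actually gets set in p4d_alloc() _or_
+	 * pud_alloc() depending on 4/5-level paging.
+	 */
+	pgd->pgd &= ~_PAGE_NX;
+
 	return 0;
 }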
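Review bot: The relocated `pgd->pgd &= ~_PAGE_NX;` is a plain read-modify-write of the top-level entry that bypasses `set_pgd()` and any pgtable/paravirt hooks, and the new comment explains why the bit is cleared but not why a raw store is acceptable here. It is presumably safe only because these are the private `tboot_mm` tables built for the trusted-boot trampoline (the only mm the visible calls touch) and not a pgd live on any CPU, and because clearing NX at PGD level un-poisons the whole range that entry covers, so the effective execute restriction rests on the `prot` handed to `pfn_pte()` at the leaf. I would record both assumptions in the comment, e.g. `* Plain RMW is fine only because tboot_mm is private to the tboot trampoline and never loaded while being built; the leaf 'prot' still governs what is actually executable.` The early `return -1` paths above leave the poison in place, which is harmless since the caller sees the failure; map_tboot_page() itself starts before the first hunk, so where `pgd` is obtained is not visible here.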
80 | ||
81 | -- | |
82 | 2.14.2 | |