X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=patches%2Fkernel%2F0147-x86-entry-Fix-assumptions-that-the-HW-TSS-is-at-the-.patch;fp=patches%2Fkernel%2F0147-x86-entry-Fix-assumptions-that-the-HW-TSS-is-at-the-.patch;h=0000000000000000000000000000000000000000;hb=f90505f3a2fcab14012d8465316c8f5b818fcea9;hp=0c4693224ec4346fc00286aea19ab366ceafb3f6;hpb=d7db7042bce2bb25dae10ff313bd6cbff8e5f60e;p=pve-kernel.git diff --git a/patches/kernel/0147-x86-entry-Fix-assumptions-that-the-HW-TSS-is-at-the-.patch b/patches/kernel/0147-x86-entry-Fix-assumptions-that-the-HW-TSS-is-at-the-.patch deleted file mode 100644 index 0c46932..0000000 --- a/patches/kernel/0147-x86-entry-Fix-assumptions-that-the-HW-TSS-is-at-the-.patch +++ /dev/null @@ -1,227 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Andy Lutomirski -Date: Mon, 4 Dec 2017 15:07:17 +0100 -Subject: [PATCH] x86/entry: Fix assumptions that the HW TSS is at the - beginning of cpu_tss -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -CVE-2017-5754 - -A future patch will move SYSENTER_stack to the beginning of cpu_tss -to help detect overflow. Before this can happen, fix several code -paths that hardcode assumptions about the old layout. - -Signed-off-by: Andy Lutomirski -Signed-off-by: Thomas Gleixner -Reviewed-by: Borislav Petkov -Reviewed-by: Dave Hansen -Reviewed-by: Thomas Gleixner -Cc: Boris Ostrovsky -Cc: Borislav Petkov -Cc: Borislav Petkov -Cc: Brian Gerst -Cc: Dave Hansen -Cc: David Laight -Cc: Denys Vlasenko -Cc: Eduardo Valentin -Cc: Greg KH -Cc: H. Peter Anvin -Cc: Josh Poimboeuf -Cc: Juergen Gross -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Rik van Riel -Cc: Will Deacon -Cc: aliguori@amazon.com -Cc: daniel.gruss@iaik.tugraz.at -Cc: hughd@google.com -Cc: keescook@google.com -Link: https://lkml.kernel.org/r/20171204150605.722425540@linutronix.de -Signed-off-by: Ingo Molnar -(backported from commit 7fb983b4dd569e08564134a850dfd4eb1c63d9b8) -Signed-off-by: Andy Whitcroft -Signed-off-by: Kleber Sacilotto de Souza -(cherry picked from commit 7123a5de72dc59dea18ce8886e7db726f7259caf) -Signed-off-by: Fabian Grünbichler ---- - arch/x86/include/asm/desc.h | 2 +- - arch/x86/include/asm/processor.h | 9 +++++++-- - arch/x86/kernel/cpu/common.c | 8 ++++---- - arch/x86/kernel/doublefault.c | 36 +++++++++++++++++------------------- - arch/x86/kvm/vmx.c | 2 +- - arch/x86/power/cpu.c | 13 +++++++------ - 6 files changed, 37 insertions(+), 33 deletions(-) - -diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h -index 81c9b1e8cae9..b817fe247506 100644 ---- a/arch/x86/include/asm/desc.h -+++ b/arch/x86/include/asm/desc.h -@@ -190,7 +190,7 @@ static inline void set_tssldt_descriptor(void *d, unsigned long addr, - #endif - } - --static inline void __set_tss_desc(unsigned cpu, unsigned int entry, void *addr) -+static inline void __set_tss_desc(unsigned cpu, unsigned int entry, struct x86_hw_tss *addr) - { - struct desc_struct *d = get_cpu_gdt_rw(cpu); - tss_desc tss; -diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h -index 5225917f9760..78123abdb046 100644 ---- a/arch/x86/include/asm/processor.h -+++ b/arch/x86/include/asm/processor.h -@@ -161,7 +161,7 @@ extern struct cpuinfo_x86 new_cpu_data; - - #include - --extern struct tss_struct doublefault_tss; -+extern struct x86_hw_tss doublefault_tss; - extern __u32 cpu_caps_cleared[NCAPINTS]; - extern __u32 cpu_caps_set[NCAPINTS]; - -@@ -246,6 +246,11 @@ static inline void load_cr3(pgd_t *pgdir) - write_cr3(__pa(pgdir)); - } - -+/* -+ * Note that while the legacy 'TSS' name comes from 'Task State Segment', -+ * on modern x86 CPUs the TSS also holds information important to 64-bit mode, -+ * unrelated to the task-switch mechanism: -+ */ - #ifdef CONFIG_X86_32 - /* This is the TSS defined by the hardware. */ - struct x86_hw_tss { -@@ -316,7 +321,7 @@ struct x86_hw_tss { - #define IO_BITMAP_BITS 65536 - #define IO_BITMAP_BYTES (IO_BITMAP_BITS/8) - #define IO_BITMAP_LONGS (IO_BITMAP_BYTES/sizeof(long)) --#define IO_BITMAP_OFFSET offsetof(struct tss_struct, io_bitmap) -+#define IO_BITMAP_OFFSET (offsetof(struct tss_struct, io_bitmap) - offsetof(struct tss_struct, x86_tss)) - #define INVALID_IO_BITMAP_OFFSET 0x8000 - - struct tss_struct { -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index ffee73ec1af1..e526d82b546c 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -1558,7 +1558,7 @@ void cpu_init(void) - } - } - -- t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap); -+ t->x86_tss.io_bitmap_base = IO_BITMAP_OFFSET; - - /* - * <= is required because the CPU will access up to -@@ -1576,7 +1576,7 @@ void cpu_init(void) - * Initialize the TSS. Don't bother initializing sp0, as the initial - * task never enters user mode. - */ -- set_tss_desc(cpu, t); -+ set_tss_desc(cpu, &t->x86_tss); - load_TR_desc(); - - load_mm_ldt(&init_mm); -@@ -1633,12 +1633,12 @@ void cpu_init(void) - * Initialize the TSS. Don't bother initializing sp0, as the initial - * task never enters user mode. - */ -- set_tss_desc(cpu, t); -+ set_tss_desc(cpu, &t->x86_tss); - load_TR_desc(); - - load_mm_ldt(&init_mm); - -- t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap); -+ t->x86_tss.io_bitmap_base = IO_BITMAP_OFFSET; - - #ifdef CONFIG_DOUBLEFAULT - /* Set up doublefault TSS pointer in the GDT */ -diff --git a/arch/x86/kernel/doublefault.c b/arch/x86/kernel/doublefault.c -index f9c324e08d85..a9fe79d49d39 100644 ---- a/arch/x86/kernel/doublefault.c -+++ b/arch/x86/kernel/doublefault.c -@@ -49,25 +49,23 @@ static void doublefault_fn(void) - cpu_relax(); - } - --struct tss_struct doublefault_tss __cacheline_aligned = { -- .x86_tss = { -- .sp0 = STACK_START, -- .ss0 = __KERNEL_DS, -- .ldt = 0, -- .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, -- -- .ip = (unsigned long) doublefault_fn, -- /* 0x2 bit is always set */ -- .flags = X86_EFLAGS_SF | 0x2, -- .sp = STACK_START, -- .es = __USER_DS, -- .cs = __KERNEL_CS, -- .ss = __KERNEL_DS, -- .ds = __USER_DS, -- .fs = __KERNEL_PERCPU, -- -- .__cr3 = __pa_nodebug(swapper_pg_dir), -- } -+struct x86_hw_tss doublefault_tss __cacheline_aligned = { -+ .sp0 = STACK_START, -+ .ss0 = __KERNEL_DS, -+ .ldt = 0, -+ .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, -+ -+ .ip = (unsigned long) doublefault_fn, -+ /* 0x2 bit is always set */ -+ .flags = X86_EFLAGS_SF | 0x2, -+ .sp = STACK_START, -+ .es = __USER_DS, -+ .cs = __KERNEL_CS, -+ .ss = __KERNEL_DS, -+ .ds = __USER_DS, -+ .fs = __KERNEL_PERCPU, -+ -+ .__cr3 = __pa_nodebug(swapper_pg_dir), - }; - - /* dummy for do_double_fault() call */ -diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c -index dd4996a96c71..a7c5a47beab7 100644 ---- a/arch/x86/kvm/vmx.c -+++ b/arch/x86/kvm/vmx.c -@@ -2280,7 +2280,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu) - * processors. See 22.2.4. - */ - vmcs_writel(HOST_TR_BASE, -- (unsigned long)this_cpu_ptr(&cpu_tss)); -+ (unsigned long)this_cpu_ptr(&cpu_tss.x86_tss)); - vmcs_writel(HOST_GDTR_BASE, (unsigned long)gdt); /* 22.2.4 */ - - /* -diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c -index 78459a6d455a..48cd87fc7222 100644 ---- a/arch/x86/power/cpu.c -+++ b/arch/x86/power/cpu.c -@@ -165,12 +165,13 @@ static void fix_processor_context(void) - struct desc_struct *desc = get_cpu_gdt_rw(cpu); - tss_desc tss; - #endif -- set_tss_desc(cpu, t); /* -- * This just modifies memory; should not be -- * necessary. But... This is necessary, because -- * 386 hardware has concept of busy TSS or some -- * similar stupidity. -- */ -+ -+ /* -+ * This just modifies memory; should not be necessary. But... This is -+ * necessary, because 386 hardware has concept of busy TSS or some -+ * similar stupidity. -+ */ -+ set_tss_desc(cpu, &t->x86_tss); - - #ifdef CONFIG_X86_64 - memcpy(&tss, &desc[GDT_ENTRY_TSS], sizeof(tss_desc)); --- -2.14.2 -