]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit
projects / mirror_ubuntu-artful-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d74f438) | patch
arm64: kpti: Fix the interaction between ASID switching and software PAN
authorCatalin Marinas <catalin.marinas@arm.com>
Wed, 10 Jan 2018 13:18:30 +0000 (13:18 +0000)
committerKhalid Elmously <khalid.elmously@canonical.com>
Tue, 27 Feb 2018 16:32:52 +0000 (11:32 -0500)
commitba062308eb5c169e47c37618a8d74afb6f272acf
treee087fc58d4ae1efcf96de4cc374ff2959c721a19tree
parentd74f4384fe0ace6928a31631b6d2eecfaaf2aad6commit | diff
arm64: kpti: Fix the interaction between ASID switching and software PAN

Commit 6b88a32c7af6 upstream.

With ARM64_SW_TTBR0_PAN enabled, the exception entry code checks the
active ASID to decide whether user access was enabled (non-zero ASID)
when the exception was taken. On return from exception, if user access
was previously disabled, it re-instates TTBR0_EL1 from the per-thread
saved value (updated in switch_mm() or efi_set_pgd()).

Commit 7655abb95386 ("arm64: mm: Move ASID from TTBR0 to TTBR1") makes a
TTBR0_EL1 + ASID switching non-atomic. Subsequently, commit 27a921e75711
("arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN") changes the
__uaccess_ttbr0_disable() function and asm macro to first write the
reserved TTBR0_EL1 followed by the ASID=0 update in TTBR1_EL1. If an
exception occurs between these two, the exception return code will
re-instate a valid TTBR0_EL1. Similar scenario can happen in
cpu_switch_mm() between setting the reserved TTBR0_EL1 and the ASID
update in cpu_do_switch_mm().

This patch reverts the entry.S check for ASID == 0 to TTBR0_EL1 and
disables the interrupts around the TTBR0_EL1 and ASID switching code in
__uaccess_ttbr0_disable(). It also ensures that, when returning from the
EFI runtime services, efi_set_pgd() doesn't leave a non-zero ASID in
TTBR1_EL1 by using uaccess_ttbr0_{enable,disable}.

The accesses to current_thread_info()->ttbr0 are updated to use
READ_ONCE/WRITE_ONCE.

As a safety measure, __uaccess_ttbr0_enable() always masks out any
existing non-zero ASID TTBR1_EL1 before writing in the new ASID.

Fixes: 27a921e75711 ("arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN")
Acked-by: Will Deacon <will.deacon@arm.com>
Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: James Morse <james.morse@arm.com>
Tested-by: James Morse <james.morse@arm.com>
Co-developed-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit fedf5a743cf2e024c5b557abfb1a45f3c06b3c81)

CVE-2017-5753
CVE-2017-5715
CVE-2017-5754

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
12 files changed:
arch/arm64/include/asm/asm-uaccess.h diff | blob | blame | history
arch/arm64/include/asm/efi.h diff | blob | blame | history
arch/arm64/include/asm/mmu_context.h diff | blob | blame | history
arch/arm64/include/asm/uaccess.h diff | blob | blame | history
arch/arm64/kernel/entry.S diff | blob | blame | history
arch/arm64/lib/clear_user.S diff | blob | blame | history
arch/arm64/lib/copy_from_user.S diff | blob | blame | history
arch/arm64/lib/copy_in_user.S diff | blob | blame | history
arch/arm64/lib/copy_to_user.S diff | blob | blame | history
arch/arm64/mm/cache.S diff | blob | blame | history
arch/arm64/mm/proc.S diff | blob | blame | history
arch/arm64/xen/hypercall.S diff | blob | blame | history
Ubuntu Artful kernel mirror