nospec: Allow getting/setting on non-current task

Adjust arch_prctl_get/set_spec_ctrl() to operate on tasks other than
current.

This is needed both for /proc/$pid/status queries and for seccomp (since
thread-syncing can trigger seccomp in non-current threads).

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
CVE-2018-3639 (x86)

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index ec06501ec783986bd44ed304640d4285d02a0f15..cdf39837c80f13304081aaa22feefb633acd5ea7 100644 (file)
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -489,31 +489,35 @@ static void ssb_select_mitigation()
 
 #undef pr_fmt
 
-static int ssb_prctl_set(unsigned long ctrl)
+static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
 {
-       bool rds = !!test_tsk_thread_flag(current, TIF_RDS);
+       bool rds = !!test_tsk_thread_flag(task, TIF_RDS);
 
        if (ssb_mode != SPEC_STORE_BYPASS_PRCTL)
                return -ENXIO;
 
        if (ctrl == PR_SPEC_ENABLE)
-               clear_tsk_thread_flag(current, TIF_RDS);
+               clear_tsk_thread_flag(task, TIF_RDS);
        else
-               set_tsk_thread_flag(current, TIF_RDS);
+               set_tsk_thread_flag(task, TIF_RDS);
 
-       if (rds != !!test_tsk_thread_flag(current, TIF_RDS))
+       /*
+        * If being set on non-current task, delay setting the CPU
+        * mitigation until it is next scheduled.
+        */
+       if (task == current && rds != !!test_tsk_thread_flag(task, TIF_RDS))
                speculative_store_bypass_update();
 
        return 0;
 }
 
-static int ssb_prctl_get(void)
+static int ssb_prctl_get(struct task_struct *task)
 {
        switch (ssb_mode) {
        case SPEC_STORE_BYPASS_DISABLE:
                return PR_SPEC_DISABLE;
        case SPEC_STORE_BYPASS_PRCTL:
-               if (test_tsk_thread_flag(current, TIF_RDS))
+               if (test_tsk_thread_flag(task, TIF_RDS))
                        return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
                return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
        default:
@@ -523,24 +527,25 @@ static int ssb_prctl_get(void)
        }
 }
 
-int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
+                            unsigned long ctrl)
 {
        if (ctrl != PR_SPEC_ENABLE && ctrl != PR_SPEC_DISABLE)
                return -ERANGE;
 
        switch (which) {
        case PR_SPEC_STORE_BYPASS:
-               return ssb_prctl_set(ctrl);
+               return ssb_prctl_set(task, ctrl);
        default:
                return -ENODEV;
        }
 }
 
-int arch_prctl_spec_ctrl_get(unsigned long which)
+int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
 {
        switch (which) {
        case PR_SPEC_STORE_BYPASS:
-               return ssb_prctl_get();
+               return ssb_prctl_get(task);
        default:
                return -ENODEV;
        }

diff --git a/include/linux/nospec.h b/include/linux/nospec.h
index 397a5390cb083c1516ae42efcf3dfe624f43afc8..0963fad9aff4e2c13065025f256def09bf35457b 100644 (file)
--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -7,8 +7,11 @@
 #define _LINUX_NOSPEC_H
 #include <asm/barrier.h>
 
+struct task_struct;
+
 /* Speculation control prctl */
-int arch_prctl_spec_ctrl_get(unsigned long which);
-int arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl);
+int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which);
+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
+                            unsigned long ctrl);
 
 #endif /* _LINUX_NOSPEC_H */

diff --git a/kernel/sys.c b/kernel/sys.c
index a1b0335b66b7ebf4c004f3589118712986b7d0b7..01df5c4b252fdf7ee91cc2610f0651fca0032c04 100644 (file)
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2204,12 +2204,13 @@ static int propagate_has_child_subreaper(struct task_struct *p, void *data)
        return 1;
 }
 
-int __weak arch_prctl_spec_ctrl_get(unsigned long which)
+int __weak arch_prctl_spec_ctrl_get(struct task_struct *t, unsigned long which)
 {
        return -EINVAL;
 }
 
-int __weak arch_prctl_spec_ctrl_set(unsigned long which, unsigned long ctrl)
+int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which,
+                                   unsigned long ctrl)
 {
        return -EINVAL;
 }
@@ -2419,12 +2420,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
        case PR_GET_SPECULATION_CTRL:
                if (arg3 || arg4 || arg5)
                        return -EINVAL;
-               error = arch_prctl_spec_ctrl_get(arg2);
+               error = arch_prctl_spec_ctrl_get(me, arg2);
                break;
        case PR_SET_SPECULATION_CTRL:
                if (arg4 || arg5)
                        return -EINVAL;
-               error = arch_prctl_spec_ctrl_set(arg2, arg3);
+               error = arch_prctl_spec_ctrl_set(me, arg2, arg3);
                break;
        default:
                error = -EINVAL;