x86/ldt: Enable LDT user-mapping for PAE
authorJoerg Roedel <jroedel@suse.de>
Wed, 18 Jul 2018 09:41:13 +0000 (11:41 +0200)
committerStefan Bader <stefan.bader@canonical.com>
Mon, 1 Apr 2019 12:37:29 +0000 (14:37 +0200)
CVE-2017-5754

This adds the needed special case for PAE to get the LDT mapped into the
user page-table when PTI is enabled. The big difference to the other paging
modes is that on PAE there is no full top-level PGD entry available for the
LDT, but only a PMD entry.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Pavel Machek <pavel@ucw.cz>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: linux-mm@kvack.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: daniel.gruss@iaik.tugraz.at
Cc: hughd@google.com
Cc: keescook@google.com
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Waiman Long <llong@redhat.com>
Cc: "David H . Gutteridge" <dhgutteridge@sympatico.ca>
Cc: joro@8bytes.org
Link: https://lkml.kernel.org/r/1531906876-13451-37-git-send-email-joro@8bytes.org
(cherry picked from commit 6df934b92a549cb3badb6d576f71aeb133e2f110)
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
arch/x86/include/asm/mmu_context.h
arch/x86/kernel/ldt.c

index ed97ef3b48a75c7396997497e964019481f87f1b..d08aa1fd1e5d7e0389525a5411264125efbd79d0 100644 (file)
@@ -70,12 +70,7 @@ struct ldt_struct {
 
 static inline void *ldt_slot_va(int slot)
 {
-#ifdef CONFIG_X86_64
        return (void *)(LDT_BASE_ADDR + LDT_SLOT_STRIDE * slot);
-#else
-       BUG();
-       return (void *)fix_to_virt(FIX_HOLE);
-#endif
 }
 
 /*
index 69af9a0d57b71ed4c573d55f74b7c46efe384b0d..733e6ace0fa4e97dcb77e031d37c89ec82866e0f 100644 (file)
@@ -126,6 +126,57 @@ static void do_sanity_check(struct mm_struct *mm,
        }
 }
 
+#ifdef CONFIG_X86_PAE
+
+static pmd_t *pgd_to_pmd_walk(pgd_t *pgd, unsigned long va)
+{
+       p4d_t *p4d;
+       pud_t *pud;
+
+       if (pgd->pgd == 0)
+               return NULL;
+
+       p4d = p4d_offset(pgd, va);
+       if (p4d_none(*p4d))
+               return NULL;
+
+       pud = pud_offset(p4d, va);
+       if (pud_none(*pud))
+               return NULL;
+
+       return pmd_offset(pud, va);
+}
+
+static void map_ldt_struct_to_user(struct mm_struct *mm)
+{
+       pgd_t *k_pgd = pgd_offset(mm, LDT_BASE_ADDR);
+       pgd_t *u_pgd = kernel_to_user_pgdp(k_pgd);
+       pmd_t *k_pmd, *u_pmd;
+
+       k_pmd = pgd_to_pmd_walk(k_pgd, LDT_BASE_ADDR);
+       u_pmd = pgd_to_pmd_walk(u_pgd, LDT_BASE_ADDR);
+
+       if (static_cpu_has(X86_FEATURE_PTI) && !mm->context.ldt)
+               set_pmd(u_pmd, *k_pmd);
+}
+
+static void sanity_check_ldt_mapping(struct mm_struct *mm)
+{
+       pgd_t *k_pgd = pgd_offset(mm, LDT_BASE_ADDR);
+       pgd_t *u_pgd = kernel_to_user_pgdp(k_pgd);
+       bool had_kernel, had_user;
+       pmd_t *k_pmd, *u_pmd;
+
+       k_pmd      = pgd_to_pmd_walk(k_pgd, LDT_BASE_ADDR);
+       u_pmd      = pgd_to_pmd_walk(u_pgd, LDT_BASE_ADDR);
+       had_kernel = (k_pmd->pmd != 0);
+       had_user   = (u_pmd->pmd != 0);
+
+       do_sanity_check(mm, had_kernel, had_user);
+}
+
+#else /* !CONFIG_X86_PAE */
+
 static void map_ldt_struct_to_user(struct mm_struct *mm)
 {
        pgd_t *pgd = pgd_offset(mm, LDT_BASE_ADDR);
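Review bot: Both PAE callers dereference the result of `pgd_to_pmd_walk()` without a NULL check, although the walker returns NULL on three paths (empty PGD entry, `p4d_none`, `pud_none`): `set_pmd(u_pmd, *k_pmd)` in `map_ldt_struct_to_user()`, and the unconditional reads of `k_pmd->pmd` and `u_pmd->pmd` in `sanity_check_ldt_mapping()`. If the upper levels for LDT_BASE_ADDR are guaranteed to be populated in both the kernel and user tables on PAE (not visible in this hunk), state that invariant in a comment above the walker. Otherwise guard the uses, e.g. `if (WARN_ON_ONCE(!k_pmd || !u_pmd)) return;` before the `set_pmd()` and `had_kernel = k_pmd && k_pmd->pmd != 0;` (likewise for `had_user`) in the sanity check. Because the kernel PMD entry is copied verbatim into the user page table, everything that entry covers becomes reachable through the user table, so a comment on `map_ldt_struct_to_user()` saying that this PMD range must hold nothing but the LDT would document the PTI assumption. The non-PAE `map_ldt_struct_to_user()` at the end of the hunk continues outside it and is not covered here.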
@@ -143,6 +194,8 @@ static void sanity_check_ldt_mapping(struct mm_struct *mm)
        do_sanity_check(mm, had_kernel, had_user);
 }
 
+#endif /* CONFIG_X86_PAE */
+
 /*
  * If PTI is enabled, this maps the LDT into the kernelmode and
  * usermode tables for the given mm.