[pve-kernel.git] / patches / kernel / 0028-x86-asm-Replace-access-to-desc_struct-a-b-fields.patch

From a0b37d5a5f250199b6df4e9404d2071802591de6 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 28 Aug 2017 08:47:40 +0200
Subject: [PATCH 028/233] x86/asm: Replace access to desc_struct:a/b fields
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

The union inside of desc_struct which allows access to the raw u32 parts of
the descriptors. This raw access part is about to go away.

Replace the few code parts which access those fields.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Link: http://lkml.kernel.org/r/20170828064958.120214366@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit 9a98e7780022aa7cd201eb8a88a4f1d607b73cde)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 8469c76c61ea9c3b86b596352d1148bace5ea706)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/include/asm/xen/hypercall.h | 6 ++++--
 arch/x86/kernel/tls.c                | 2 +-
 arch/x86/xen/enlighten_pv.c          | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
index 11071fcd630e..9606688caa4b 100644
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -552,6 +552,8 @@ static inline void
 MULTI_update_descriptor(struct multicall_entry *mcl, u64 maddr,
 			struct desc_struct desc)
 {
+	u32 *p = (u32 *) &desc;
+
 	mcl->op = __HYPERVISOR_update_descriptor;
 	if (sizeof(maddr) == sizeof(long)) {
 		mcl->args[0] = maddr;
@@ -559,8 +561,8 @@ MULTI_update_descriptor(struct multicall_entry *mcl, u64 maddr,
 	} else {
 		mcl->args[0] = maddr;
 		mcl->args[1] = maddr >> 32;
-		mcl->args[2] = desc.a;
-		mcl->args[3] = desc.b;
+		mcl->args[2] = *p++;
+		mcl->args[3] = *p;
 	}
 
 	trace_xen_mc_entry(mcl, sizeof(maddr) == sizeof(long) ? 2 : 4);
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
index dcd699baea1b..a106b9719c58 100644
--- a/arch/x86/kernel/tls.c
+++ b/arch/x86/kernel/tls.c
@@ -93,7 +93,7 @@ static void set_tls_desc(struct task_struct *p, int idx,
 
 	while (n-- > 0) {
 		if (LDT_empty(info) || LDT_zero(info)) {
-			desc->a = desc->b = 0;
+			memset(desc, 0, sizeof(*desc));
 		} else {
 			fill_ldt(desc, info);
 
diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
index 49ee3315b9f7..c76f5ff4d0d7 100644
--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -501,7 +501,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
 static inline bool desc_equal(const struct desc_struct *d1,
 			      const struct desc_struct *d2)
 {
-	return d1->a == d2->a && d1->b == d2->b;
+	return !memcmp(d1, d2, sizeof(*d1));
 }
 
 static void load_TLS_descriptor(struct thread_struct *t,
-- 
2.14.2
Commit	Line	Data
321d628a FG	1	From a0b37d5a5f250199b6df4e9404d2071802591de6 Mon Sep 17 00:00:00 2001
	2	From: Thomas Gleixner <tglx@linutronix.de>
	3	Date: Mon, 28 Aug 2017 08:47:40 +0200
b378f209	4	Subject: [PATCH 028/233] x86/asm: Replace access to desc_struct:a/b fields
321d628a FG	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	CVE-2017-5754
	10
	11	The union inside of desc_struct which allows access to the raw u32 parts of
	12	the descriptors. This raw access part is about to go away.
	13
	14	Replace the few code parts which access those fields.
	15
	16	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	17	Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
	18	Cc: Andy Lutomirski <luto@kernel.org>
	19	Cc: Borislav Petkov <bp@alien8.de>
	20	Cc: Brian Gerst <brgerst@gmail.com>
	21	Cc: Denys Vlasenko <dvlasenk@redhat.com>
	22	Cc: H. Peter Anvin <hpa@zytor.com>
	23	Cc: Josh Poimboeuf <jpoimboe@redhat.com>
	24	Cc: Juergen Gross <jgross@suse.com>
	25	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	26	Cc: Peter Zijlstra <peterz@infradead.org>
	27	Cc: Steven Rostedt <rostedt@goodmis.org>
	28	Link: http://lkml.kernel.org/r/20170828064958.120214366@linutronix.de
	29	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	30	(cherry picked from commit 9a98e7780022aa7cd201eb8a88a4f1d607b73cde)
	31	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	32	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	33	(cherry picked from commit 8469c76c61ea9c3b86b596352d1148bace5ea706)
	34	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	35	---
	36	arch/x86/include/asm/xen/hypercall.h \| 6 ++++--
	37	arch/x86/kernel/tls.c \| 2 +-
	38	arch/x86/xen/enlighten_pv.c \| 2 +-
	39	3 files changed, 6 insertions(+), 4 deletions(-)
	40
	41	diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
	42	index 11071fcd630e..9606688caa4b 100644
	43	--- a/arch/x86/include/asm/xen/hypercall.h
	44	+++ b/arch/x86/include/asm/xen/hypercall.h
	45	@@ -552,6 +552,8 @@ static inline void
	46	MULTI_update_descriptor(struct multicall_entry *mcl, u64 maddr,
	47	struct desc_struct desc)
	48	{
	49	+ u32 p = (u32 ) &desc;
	50	+
	51	mcl->op = __HYPERVISOR_update_descriptor;
	52	if (sizeof(maddr) == sizeof(long)) {
	53	mcl->args[0] = maddr;
	54	@@ -559,8 +561,8 @@ MULTI_update_descriptor(struct multicall_entry *mcl, u64 maddr,
	55	} else {
	56	mcl->args[0] = maddr;
	57	mcl->args[1] = maddr >> 32;
	58	- mcl->args[2] = desc.a;
	59	- mcl->args[3] = desc.b;
	60	+ mcl->args[2] = *p++;
	61	+ mcl->args[3] = *p;
	62	}
	63
	64	trace_xen_mc_entry(mcl, sizeof(maddr) == sizeof(long) ? 2 : 4);
	65	diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
	66	index dcd699baea1b..a106b9719c58 100644
	67	--- a/arch/x86/kernel/tls.c
	68	+++ b/arch/x86/kernel/tls.c
69	@@ -93,7 +93,7 @@ static void set_tls_desc(struct task_struct *p, int idx,
70
71	while (n-- > 0) {
72	if (LDT_empty(info) \|\| LDT_zero(info)) {
73	- desc->a = desc->b = 0;
74	+ memset(desc, 0, sizeof(*desc));
75	} else {
76	fill_ldt(desc, info);
77
78	diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
79	index 49ee3315b9f7..c76f5ff4d0d7 100644
80	--- a/arch/x86/xen/enlighten_pv.c
81	+++ b/arch/x86/xen/enlighten_pv.c
82	@@ -501,7 +501,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
83	static inline bool desc_equal(const struct desc_struct *d1,
84	const struct desc_struct *d2)
85	{
86	- return d1->a == d2->a && d1->b == d2->b;
87	+ return !memcmp(d1, d2, sizeof(*d1));
88	}
89
90	static void load_TLS_descriptor(struct thread_struct *t,
91	--
92	2.14.2
93