1 | From 6c390918ecf72524840bc174fb5f9d007db5a9a8 Mon Sep 17 00:00:00 2001 |
2 | From: Andy Lutomirski <luto@kernel.org> | |
3 | Date: Thu, 2 Nov 2017 00:58:59 -0700 | |
b378f209 | 4 | Subject: [PATCH 087/233] x86/entry/64: Split the IRET-to-user and |
5 | IRET-to-kernel paths |
6 | MIME-Version: 1.0 | |
7 | Content-Type: text/plain; charset=UTF-8 | |
8 | Content-Transfer-Encoding: 8bit | |
9 | ||
10 | CVE-2017-5754 | |
11 | ||
12 | These code paths will diverge soon. | |
13 | ||
14 | Signed-off-by: Andy Lutomirski <luto@kernel.org> | |
15 | Cc: Borislav Petkov <bpetkov@suse.de> | |
16 | Cc: Brian Gerst <brgerst@gmail.com> | |
17 | Cc: Dave Hansen <dave.hansen@intel.com> | |
18 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
19 | Cc: Peter Zijlstra <peterz@infradead.org> | |
20 | Cc: Thomas Gleixner <tglx@linutronix.de> | |
21 | Link: http://lkml.kernel.org/r/dccf8c7b3750199b4b30383c812d4e2931811509.1509609304.git.luto@kernel.org | |
22 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
23 | (cherry picked from commit 26c4ef9c49d8a0341f6d97ce2cfdd55d1236ed29) | |
24 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
25 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
26 | (cherry picked from commit 64adfba0aeb668304d171c383ac80b22158ec128) | |
27 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
28 | --- | |
29 | arch/x86/entry/entry_64.S | 34 +++++++++++++++++++++++++--------- | |
30 | arch/x86/entry/entry_64_compat.S | 2 +- | |
31 | arch/x86/kernel/head_64.S | 2 +- | |
32 | 3 files changed, 27 insertions(+), 11 deletions(-) | |
33 | ||
34 | diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S | |
35 | index fac354ddf056..e546441fbec3 100644 | |
36 | --- a/arch/x86/entry/entry_64.S | |
37 | +++ b/arch/x86/entry/entry_64.S | |
38 | @@ -321,7 +321,7 @@ syscall_return_via_sysret: | |
39 | ||
40 | opportunistic_sysret_failed: | |
41 | SWAPGS | |
42 | - jmp restore_regs_and_iret | |
43 | + jmp restore_regs_and_return_to_usermode | |
44 | END(entry_SYSCALL_64) | |
45 | ||
46 | ENTRY(stub_ptregs_64) | |
47 | @@ -423,7 +423,7 @@ ENTRY(ret_from_fork) | |
48 | call syscall_return_slowpath /* returns with IRQs disabled */ | |
49 | TRACE_IRQS_ON /* user mode is traced as IRQS on */ | |
50 | SWAPGS | |
51 | - jmp restore_regs_and_iret | |
52 | + jmp restore_regs_and_return_to_usermode | |
53 | ||
54 | 1: | |
55 | /* kernel thread */ | |
56 | @@ -612,7 +612,20 @@ GLOBAL(retint_user) | |
57 | call prepare_exit_to_usermode | |
58 | TRACE_IRQS_IRETQ | |
59 | SWAPGS | |
60 | - jmp restore_regs_and_iret | |
61 | + | |
62 | +GLOBAL(restore_regs_and_return_to_usermode) | |
63 | +#ifdef CONFIG_DEBUG_ENTRY | |
64 | + /* Assert that pt_regs indicates user mode. */ | |
65 | + testl $3, CS(%rsp) | |
66 | + jnz 1f | |
67 | + ud2 | |
68 | +1: | |
69 | +#endif | |
70 | + RESTORE_EXTRA_REGS | |
71 | + RESTORE_C_REGS | |
72 | + REMOVE_PT_GPREGS_FROM_STACK 8 | |
73 | + INTERRUPT_RETURN | |
74 | + | |
75 | ||
76 | /* Returning to kernel space */ | |
77 | retint_kernel: | |
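Review bot: The new `restore_regs_and_return_to_usermode` label carries no header comment stating its entry contract, and the hunk that introduces `restore_regs_and_return_to_kernel` drops the old four-line "paths merge here" comment without replacing it, so neither split entry point documents who may jump to it. Every caller redirected in this patch (entry_SYSCALL_64, ret_from_fork, retint_user, nmi, entry_INT80_compat) executes `SWAPGS` immediately before the jump, which is the invariant a reader needs; I would add above the user-mode label `/* All return-to-user paths jump here after SWAPGS; pt_regs on the stack must have a user CS (asserted under CONFIG_DEBUG_ENTRY). */` and a mirror comment above the kernel-mode label noting it is also reached from early_idt_handler_common. It is also worth a sentence in the comment that the `testl $3, CS(%rsp)` / `ud2` guard is compiled out without CONFIG_DEBUG_ENTRY, so a wrong-path jump is only caught in debug builds. The enclosing retint_user/retint_kernel code continues outside both hunks.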
78 | @@ -632,11 +645,14 @@ retint_kernel: | |
79 | */ | |
80 | TRACE_IRQS_IRETQ | |
81 | ||
82 | -/* | |
83 | - * At this label, code paths which return to kernel and to user, | |
84 | - * which come from interrupts/exception and from syscalls, merge. | |
85 | - */ | |
86 | -GLOBAL(restore_regs_and_iret) | |
87 | +GLOBAL(restore_regs_and_return_to_kernel) | |
88 | +#ifdef CONFIG_DEBUG_ENTRY | |
89 | + /* Assert that pt_regs indicates kernel mode. */ | |
90 | + testl $3, CS(%rsp) | |
91 | + jz 1f | |
92 | + ud2 | |
93 | +1: | |
94 | +#endif | |
95 | RESTORE_EXTRA_REGS | |
96 | RESTORE_C_REGS | |
97 | REMOVE_PT_GPREGS_FROM_STACK 8 | |
98 | @@ -1340,7 +1356,7 @@ ENTRY(nmi) | |
99 | * work, because we don't want to enable interrupts. | |
100 | */ | |
101 | SWAPGS | |
102 | - jmp restore_regs_and_iret | |
103 | + jmp restore_regs_and_return_to_usermode | |
104 | ||
105 | .Lnmi_from_kernel: | |
106 | /* | |
107 | diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S | |
108 | index d8468ba24be0..2b3a88feaa2b 100644 | |
109 | --- a/arch/x86/entry/entry_64_compat.S | |
110 | +++ b/arch/x86/entry/entry_64_compat.S | |
111 | @@ -337,7 +337,7 @@ ENTRY(entry_INT80_compat) | |
112 | /* Go back to user mode. */ | |
113 | TRACE_IRQS_ON | |
114 | SWAPGS | |
115 | - jmp restore_regs_and_iret | |
116 | + jmp restore_regs_and_return_to_usermode | |
117 | END(entry_INT80_compat) | |
118 | ||
119 | ALIGN | |
120 | diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S | |
121 | index 4117c1e0b3d2..e785734980ad 100644 | |
122 | --- a/arch/x86/kernel/head_64.S | |
123 | +++ b/arch/x86/kernel/head_64.S | |
124 | @@ -311,7 +311,7 @@ early_idt_handler_common: | |
125 | ||
126 | 20: | |
127 | decl early_recursion_flag(%rip) | |
128 | - jmp restore_regs_and_iret | |
129 | + jmp restore_regs_and_return_to_kernel | |
130 | END(early_idt_handler_common) | |
131 | ||
132 | __INITDATA | |
133 | -- | |
134 | 2.14.2 | |