59d5af67 | 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Andy Lutomirski <luto@kernel.org> |
3 | Date: Thu, 2 Nov 2017 00:59:17 -0700 | |
4 | Subject: [PATCH] x86/traps: Use a new on_thread_stack() helper to clean up an |
5 | assertion | |
6 | MIME-Version: 1.0 |
7 | Content-Type: text/plain; charset=UTF-8 | |
8 | Content-Transfer-Encoding: 8bit | |
9 | ||
10 | CVE-2017-5754 | |
11 | ||
12 | Let's keep the stack-related logic together rather than open-coding | |
13 | a comparison in an assertion in the traps code. | |
14 | ||
15 | Signed-off-by: Andy Lutomirski <luto@kernel.org> | |
16 | Reviewed-by: Borislav Petkov <bp@suse.de> | |
17 | Cc: Borislav Petkov <bpetkov@suse.de> | |
18 | Cc: Brian Gerst <brgerst@gmail.com> | |
19 | Cc: Dave Hansen <dave.hansen@intel.com> | |
20 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
21 | Cc: Peter Zijlstra <peterz@infradead.org> | |
22 | Cc: Thomas Gleixner <tglx@linutronix.de> | |
23 | Link: http://lkml.kernel.org/r/856b15bee1f55017b8f79d3758b0d51c48a08cf8.1509609304.git.luto@kernel.org | |
24 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
25 | (backported from commit 3383642c2f9d4f5b4fa37436db4a109a1a10018c) | |
26 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
27 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
28 | (cherry picked from commit 243de7bd3434c50fb07dd0fc84c462236cfcba3e) | |
29 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
30 | --- | |
31 | arch/x86/include/asm/processor.h | 8 ++++++++ | |
32 | arch/x86/include/asm/thread_info.h | 22 +++++++++++----------- | |
33 | arch/x86/kernel/traps.c | 3 +-- | |
34 | 3 files changed, 20 insertions(+), 13 deletions(-) | |
35 | ||
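diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index cec9a329c0f1..79739e5f939a 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -159,6 +159,8 @@ enum cpuid_regs_idx {
 extern struct cpuinfo_x86 boot_cpu_data;
 extern struct cpuinfo_x86 new_cpu_data;
 
+#include <linux/thread_info.h>
+
 extern struct tss_struct doublefault_tss;
 extern __u32 cpu_caps_cleared[NCAPINTS];
 extern __u32 cpu_caps_set[NCAPINTS];
@@ -534,6 +536,12 @@ static inline unsigned long current_top_of_stack(void)
 #endif
 }
 
+static inline bool on_thread_stack(void)
+{
+ return (unsigned long)(current_top_of_stack() -
+ current_stack_pointer()) < THREAD_SIZE;
+}
+
 #ifdef CONFIG_PARAVIRT
 #include <asm/paravirt.h>
 #else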
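Review bot: on_thread_stack() has no comment explaining that its single unsigned comparison rejects both out-of-range directions. A stack pointer above current_top_of_stack() makes the subtraction wrap to a very large value, so it fails `< THREAD_SIZE` just like a pointer too far below the top. I would add a short comment above the helper saying that it returns true only when the stack pointer is at most THREAD_SIZE - 1 bytes below the top of the current thread stack, and that it relies on unsigned wrap-around. The mid-file `#include <linux/thread_info.h>` in the first hunk also deserves a one-line comment, for example `/* on_thread_stack() below needs current_stack_pointer() and THREAD_SIZE */`, because an include placed after declarations looks accidental. That both names come from this header is inferred from the patch and should be confirmed.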
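diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
index e00e1bd6e7b3..ec8ef3bbb7dc 100644
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -48,6 +48,17 @@
 * - this struct shares the supervisor stack pages
 */
 #ifndef __ASSEMBLY__
+static inline unsigned long current_stack_pointer(void)
+{
+ unsigned long sp;
+#ifdef CONFIG_X86_64
+ asm("mov %%rsp,%0" : "=g" (sp));
+#else
+ asm("mov %%esp,%0" : "=g" (sp));
+#endif
+ return sp;
+}
+
 struct task_struct;
 #include <asm/cpufeature.h>
 #include <linux/atomic.h>
@@ -155,17 +166,6 @@ struct thread_info {
 */
 #ifndef __ASSEMBLY__
 
-static inline unsigned long current_stack_pointer(void)
-{
- unsigned long sp;
-#ifdef CONFIG_X86_64
- asm("mov %%rsp,%0" : "=g" (sp));
-#else
- asm("mov %%esp,%0" : "=g" (sp));
-#endif
- return sp;
-}
-
 /*
 * Walks up the stack frames to make sure that the specified object is
 * entirely contained by a single stack frame.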
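Review bot: current_stack_pointer() now sits above `struct task_struct;` and the `#include` lines in the first hunk with nothing recording why. A later tidy-up could move it back under the second `#ifndef __ASSEMBLY__` block and break the build. A comment such as `/* Keep above the includes below: on_thread_stack() in <asm/processor.h> calls this. */` would document the ordering constraint. I am inferring that dependency from the processor.h part of this patch, so the wording should be checked against the real include chain. Separately, the moved asm statement is not `volatile` and has no inputs, so the compiler may reuse one result across several inlined calls; that looks harmless for the single BUG_ON() user in traps.c but is worth stating in the same comment for future callers.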
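diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index b2157d4a5338..3a46cab2696e 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -153,8 +153,7 @@ void ist_begin_non_atomic(struct pt_regs *regs)
 * will catch asm bugs and any attempt to use ist_preempt_enable
 * from double_fault.
 */
- BUG_ON((unsigned long)(current_top_of_stack() -
- current_stack_pointer()) >= THREAD_SIZE);
+ BUG_ON(!on_thread_stack());
 
 preempt_enable_no_resched();
 }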
116 | -- | |
117 | 2.14.2 | |