[pve-kernel.git] / patches / kernel / 0146-x86-kasan-64-Teach-KASAN-about-the-cpu_entry_area.patch

From 37fa97179211b36e3b5d3eb2dae94ad420ea9732 Mon Sep 17 00:00:00 2001
From: Andy Lutomirski <luto@kernel.org>
Date: Mon, 4 Dec 2017 15:07:16 +0100
Subject: [PATCH 146/241] x86/kasan/64: Teach KASAN about the cpu_entry_area
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

The cpu_entry_area will contain stacks.  Make sure that KASAN has
appropriate shadow mappings for them.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Alexander Potapenko <glider@google.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bpetkov@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: daniel.gruss@iaik.tugraz.at
Cc: hughd@google.com
Cc: kasan-dev@googlegroups.com
Cc: keescook@google.com
Link: https://lkml.kernel.org/r/20171204150605.642806442@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit 21506525fb8ddb0342f2a2370812d47f6a1f3833)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 17833d4cfca7e4284f68fb9f3804a91f2541a83a)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/mm/kasan_init_64.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c
index 3d7341986e13..d8836e45bc07 100644
--- a/arch/x86/mm/kasan_init_64.c
+++ b/arch/x86/mm/kasan_init_64.c
@@ -276,6 +276,7 @@ void __init kasan_early_init(void)
 void __init kasan_init(void)
 {
 	int i;
+	void *shadow_cpu_entry_begin, *shadow_cpu_entry_end;
 
 #ifdef CONFIG_KASAN_INLINE
 	register_die_notifier(&kasan_die_notifier);
@@ -328,8 +329,23 @@ void __init kasan_init(void)
 			      (unsigned long)kasan_mem_to_shadow(_end),
 			      early_pfn_to_nid(__pa(_stext)));
 
+	shadow_cpu_entry_begin = (void *)__fix_to_virt(FIX_CPU_ENTRY_AREA_BOTTOM);
+	shadow_cpu_entry_begin = kasan_mem_to_shadow(shadow_cpu_entry_begin);
+	shadow_cpu_entry_begin = (void *)round_down((unsigned long)shadow_cpu_entry_begin,
+						PAGE_SIZE);
+
+	shadow_cpu_entry_end = (void *)(__fix_to_virt(FIX_CPU_ENTRY_AREA_TOP) + PAGE_SIZE);
+	shadow_cpu_entry_end = kasan_mem_to_shadow(shadow_cpu_entry_end);
+	shadow_cpu_entry_end = (void *)round_up((unsigned long)shadow_cpu_entry_end,
+					PAGE_SIZE);
+
 	kasan_populate_zero_shadow(kasan_mem_to_shadow((void *)MODULES_END),
-			(void *)KASAN_SHADOW_END);
+				   shadow_cpu_entry_begin);
+
+	kasan_populate_shadow((unsigned long)shadow_cpu_entry_begin,
+			      (unsigned long)shadow_cpu_entry_end, 0);
+
+	kasan_populate_zero_shadow(shadow_cpu_entry_end, (void *)KASAN_SHADOW_END);
 
 	load_cr3(init_top_pgt);
 	__flush_tlb_all();
-- 
2.14.2
Commit	Line	Data
321d628a FG	1	From 37fa97179211b36e3b5d3eb2dae94ad420ea9732 Mon Sep 17 00:00:00 2001
	2	From: Andy Lutomirski <luto@kernel.org>
	3	Date: Mon, 4 Dec 2017 15:07:16 +0100
e4cdf2a5	4	Subject: [PATCH 146/241] x86/kasan/64: Teach KASAN about the cpu_entry_area
321d628a FG	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	CVE-2017-5754
	10
	11	The cpu_entry_area will contain stacks. Make sure that KASAN has
	12	appropriate shadow mappings for them.
	13
	14	Signed-off-by: Andy Lutomirski <luto@kernel.org>
	15	Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
	16	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	17	Cc: Alexander Potapenko <glider@google.com>
	18	Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
	19	Cc: Borislav Petkov <bp@alien8.de>
	20	Cc: Borislav Petkov <bpetkov@suse.de>
	21	Cc: Brian Gerst <brgerst@gmail.com>
	22	Cc: Dave Hansen <dave.hansen@intel.com>
	23	Cc: Dave Hansen <dave.hansen@linux.intel.com>
	24	Cc: David Laight <David.Laight@aculab.com>
	25	Cc: Denys Vlasenko <dvlasenk@redhat.com>
	26	Cc: Dmitry Vyukov <dvyukov@google.com>
	27	Cc: Eduardo Valentin <eduval@amazon.com>
	28	Cc: Greg KH <gregkh@linuxfoundation.org>
	29	Cc: H. Peter Anvin <hpa@zytor.com>
	30	Cc: Josh Poimboeuf <jpoimboe@redhat.com>
	31	Cc: Juergen Gross <jgross@suse.com>
	32	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	33	Cc: Peter Zijlstra <peterz@infradead.org>
	34	Cc: Rik van Riel <riel@redhat.com>
	35	Cc: Will Deacon <will.deacon@arm.com>
	36	Cc: aliguori@amazon.com
	37	Cc: daniel.gruss@iaik.tugraz.at
	38	Cc: hughd@google.com
	39	Cc: kasan-dev@googlegroups.com
	40	Cc: keescook@google.com
	41	Link: https://lkml.kernel.org/r/20171204150605.642806442@linutronix.de
	42	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	43	(cherry picked from commit 21506525fb8ddb0342f2a2370812d47f6a1f3833)
	44	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	45	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	46	(cherry picked from commit 17833d4cfca7e4284f68fb9f3804a91f2541a83a)
	47	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	48	---
	49	arch/x86/mm/kasan_init_64.c \| 18 +++++++++++++++++-
	50	1 file changed, 17 insertions(+), 1 deletion(-)
	51
	52	diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c
	53	index 3d7341986e13..d8836e45bc07 100644
	54	--- a/arch/x86/mm/kasan_init_64.c
	55	+++ b/arch/x86/mm/kasan_init_64.c
	56	@@ -276,6 +276,7 @@ void __init kasan_early_init(void)
	57	void __init kasan_init(void)
	58	{
	59	int i;
	60	+ void shadow_cpu_entry_begin, shadow_cpu_entry_end;
	61
	62	#ifdef CONFIG_KASAN_INLINE
	63	register_die_notifier(&kasan_die_notifier);
	64	@@ -328,8 +329,23 @@ void __init kasan_init(void)
	65	(unsigned long)kasan_mem_to_shadow(_end),
	66	early_pfn_to_nid(__pa(_stext)));
	67
	68	+ shadow_cpu_entry_begin = (void *)__fix_to_virt(FIX_CPU_ENTRY_AREA_BOTTOM);
69	+ shadow_cpu_entry_begin = kasan_mem_to_shadow(shadow_cpu_entry_begin);
70	+ shadow_cpu_entry_begin = (void *)round_down((unsigned long)shadow_cpu_entry_begin,
71	+ PAGE_SIZE);
72	+
73	+ shadow_cpu_entry_end = (void *)(__fix_to_virt(FIX_CPU_ENTRY_AREA_TOP) + PAGE_SIZE);
74	+ shadow_cpu_entry_end = kasan_mem_to_shadow(shadow_cpu_entry_end);
75	+ shadow_cpu_entry_end = (void *)round_up((unsigned long)shadow_cpu_entry_end,
76	+ PAGE_SIZE);
77	+
78	kasan_populate_zero_shadow(kasan_mem_to_shadow((void *)MODULES_END),
79	- (void *)KASAN_SHADOW_END);
80	+ shadow_cpu_entry_begin);
81	+
82	+ kasan_populate_shadow((unsigned long)shadow_cpu_entry_begin,
83	+ (unsigned long)shadow_cpu_entry_end, 0);
84	+
85	+ kasan_populate_zero_shadow(shadow_cpu_entry_end, (void *)KASAN_SHADOW_END);
86
87	load_cr3(init_top_pgt);
88	__flush_tlb_all();
89	--
90	2.14.2
91