[pve-kernel.git] / patches / kernel / 0147-x86-entry-Fix-assumptions-that-the-HW-TSS-is-at-the-.patch

From 01e4ee94acbd960e302c23481529a5f5323d9969 Mon Sep 17 00:00:00 2001
From: Andy Lutomirski <luto@kernel.org>
Date: Mon, 4 Dec 2017 15:07:17 +0100
Subject: [PATCH 147/242] x86/entry: Fix assumptions that the HW TSS is at the
 beginning of cpu_tss
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

A future patch will move SYSENTER_stack to the beginning of cpu_tss
to help detect overflow.  Before this can happen, fix several code
paths that hardcode assumptions about the old layout.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Dave Hansen <dave.hansen@intel.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bpetkov@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: daniel.gruss@iaik.tugraz.at
Cc: hughd@google.com
Cc: keescook@google.com
Link: https://lkml.kernel.org/r/20171204150605.722425540@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(backported from commit 7fb983b4dd569e08564134a850dfd4eb1c63d9b8)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 7123a5de72dc59dea18ce8886e7db726f7259caf)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/include/asm/desc.h      |  2 +-
 arch/x86/include/asm/processor.h |  9 +++++++--
 arch/x86/kernel/cpu/common.c     |  8 ++++----
 arch/x86/kernel/doublefault.c    | 36 +++++++++++++++++-------------------
 arch/x86/kvm/vmx.c               |  2 +-
 arch/x86/power/cpu.c             | 13 +++++++------
 6 files changed, 37 insertions(+), 33 deletions(-)

diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
index 81c9b1e8cae9..b817fe247506 100644
--- a/arch/x86/include/asm/desc.h
+++ b/arch/x86/include/asm/desc.h
@@ -190,7 +190,7 @@ static inline void set_tssldt_descriptor(void *d, unsigned long addr,
 #endif
 }
 
-static inline void __set_tss_desc(unsigned cpu, unsigned int entry, void *addr)
+static inline void __set_tss_desc(unsigned cpu, unsigned int entry, struct x86_hw_tss *addr)
 {
 	struct desc_struct *d = get_cpu_gdt_rw(cpu);
 	tss_desc tss;
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 5225917f9760..78123abdb046 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -161,7 +161,7 @@ extern struct cpuinfo_x86	new_cpu_data;
 
 #include <linux/thread_info.h>
 
-extern struct tss_struct	doublefault_tss;
+extern struct x86_hw_tss	doublefault_tss;
 extern __u32			cpu_caps_cleared[NCAPINTS];
 extern __u32			cpu_caps_set[NCAPINTS];
 
@@ -246,6 +246,11 @@ static inline void load_cr3(pgd_t *pgdir)
 	write_cr3(__pa(pgdir));
 }
 
+/*
+ * Note that while the legacy 'TSS' name comes from 'Task State Segment',
+ * on modern x86 CPUs the TSS also holds information important to 64-bit mode,
+ * unrelated to the task-switch mechanism:
+ */
 #ifdef CONFIG_X86_32
 /* This is the TSS defined by the hardware. */
 struct x86_hw_tss {
@@ -316,7 +321,7 @@ struct x86_hw_tss {
 #define IO_BITMAP_BITS			65536
 #define IO_BITMAP_BYTES			(IO_BITMAP_BITS/8)
 #define IO_BITMAP_LONGS			(IO_BITMAP_BYTES/sizeof(long))
-#define IO_BITMAP_OFFSET		offsetof(struct tss_struct, io_bitmap)
+#define IO_BITMAP_OFFSET		(offsetof(struct tss_struct, io_bitmap) - offsetof(struct tss_struct, x86_tss))
 #define INVALID_IO_BITMAP_OFFSET	0x8000
 
 struct tss_struct {
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index ffee73ec1af1..e526d82b546c 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1558,7 +1558,7 @@ void cpu_init(void)
 		}
 	}
 
-	t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap);
+	t->x86_tss.io_bitmap_base = IO_BITMAP_OFFSET;
 
 	/*
 	 * <= is required because the CPU will access up to
@@ -1576,7 +1576,7 @@ void cpu_init(void)
 	 * Initialize the TSS.  Don't bother initializing sp0, as the initial
 	 * task never enters user mode.
 	 */
-	set_tss_desc(cpu, t);
+	set_tss_desc(cpu, &t->x86_tss);
 	load_TR_desc();
 
 	load_mm_ldt(&init_mm);
@@ -1633,12 +1633,12 @@ void cpu_init(void)
 	 * Initialize the TSS.  Don't bother initializing sp0, as the initial
 	 * task never enters user mode.
 	 */
-	set_tss_desc(cpu, t);
+	set_tss_desc(cpu, &t->x86_tss);
 	load_TR_desc();
 
 	load_mm_ldt(&init_mm);
 
-	t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap);
+	t->x86_tss.io_bitmap_base = IO_BITMAP_OFFSET;
 
 #ifdef CONFIG_DOUBLEFAULT
 	/* Set up doublefault TSS pointer in the GDT */
diff --git a/arch/x86/kernel/doublefault.c b/arch/x86/kernel/doublefault.c
index f9c324e08d85..a9fe79d49d39 100644
--- a/arch/x86/kernel/doublefault.c
+++ b/arch/x86/kernel/doublefault.c
@@ -49,25 +49,23 @@ static void doublefault_fn(void)
 		cpu_relax();
 }
 
-struct tss_struct doublefault_tss __cacheline_aligned = {
-	.x86_tss = {
-		.sp0		= STACK_START,
-		.ss0		= __KERNEL_DS,
-		.ldt		= 0,
-		.io_bitmap_base	= INVALID_IO_BITMAP_OFFSET,
-
-		.ip		= (unsigned long) doublefault_fn,
-		/* 0x2 bit is always set */
-		.flags		= X86_EFLAGS_SF | 0x2,
-		.sp		= STACK_START,
-		.es		= __USER_DS,
-		.cs		= __KERNEL_CS,
-		.ss		= __KERNEL_DS,
-		.ds		= __USER_DS,
-		.fs		= __KERNEL_PERCPU,
-
-		.__cr3		= __pa_nodebug(swapper_pg_dir),
-	}
+struct x86_hw_tss doublefault_tss __cacheline_aligned = {
+	.sp0		= STACK_START,
+	.ss0		= __KERNEL_DS,
+	.ldt		= 0,
+	.io_bitmap_base	= INVALID_IO_BITMAP_OFFSET,
+
+	.ip		= (unsigned long) doublefault_fn,
+	/* 0x2 bit is always set */
+	.flags		= X86_EFLAGS_SF | 0x2,
+	.sp		= STACK_START,
+	.es		= __USER_DS,
+	.cs		= __KERNEL_CS,
+	.ss		= __KERNEL_DS,
+	.ds		= __USER_DS,
+	.fs		= __KERNEL_PERCPU,
+
+	.__cr3		= __pa_nodebug(swapper_pg_dir),
 };
 
 /* dummy for do_double_fault() call */
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index dd4996a96c71..a7c5a47beab7 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2280,7 +2280,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
 		 * processors.  See 22.2.4.
 		 */
 		vmcs_writel(HOST_TR_BASE,
-			    (unsigned long)this_cpu_ptr(&cpu_tss));
+			    (unsigned long)this_cpu_ptr(&cpu_tss.x86_tss));
 		vmcs_writel(HOST_GDTR_BASE, (unsigned long)gdt);   /* 22.2.4 */
 
 		/*
diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
index 78459a6d455a..48cd87fc7222 100644
--- a/arch/x86/power/cpu.c
+++ b/arch/x86/power/cpu.c
@@ -165,12 +165,13 @@ static void fix_processor_context(void)
 	struct desc_struct *desc = get_cpu_gdt_rw(cpu);
 	tss_desc tss;
 #endif
-	set_tss_desc(cpu, t);	/*
-				 * This just modifies memory; should not be
-				 * necessary. But... This is necessary, because
-				 * 386 hardware has concept of busy TSS or some
-				 * similar stupidity.
-				 */
+
+	/*
+	 * This just modifies memory; should not be necessary. But... This is
+	 * necessary, because 386 hardware has concept of busy TSS or some
+	 * similar stupidity.
+	 */
+	set_tss_desc(cpu, &t->x86_tss);
 
 #ifdef CONFIG_X86_64
 	memcpy(&tss, &desc[GDT_ENTRY_TSS], sizeof(tss_desc));
-- 
2.14.2
Commit	Line	Data
321d628a FG	1	From 01e4ee94acbd960e302c23481529a5f5323d9969 Mon Sep 17 00:00:00 2001
	2	From: Andy Lutomirski <luto@kernel.org>
	3	Date: Mon, 4 Dec 2017 15:07:17 +0100
633c5ed1	4	Subject: [PATCH 147/242] x86/entry: Fix assumptions that the HW TSS is at the
321d628a FG	5	beginning of cpu_tss
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	CVE-2017-5754
	11
	12	A future patch will move SYSENTER_stack to the beginning of cpu_tss
	13	to help detect overflow. Before this can happen, fix several code
	14	paths that hardcode assumptions about the old layout.
	15
	16	Signed-off-by: Andy Lutomirski <luto@kernel.org>
	17	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	18	Reviewed-by: Borislav Petkov <bp@suse.de>
	19	Reviewed-by: Dave Hansen <dave.hansen@intel.com>
	20	Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
	21	Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
	22	Cc: Borislav Petkov <bp@alien8.de>
	23	Cc: Borislav Petkov <bpetkov@suse.de>
	24	Cc: Brian Gerst <brgerst@gmail.com>
	25	Cc: Dave Hansen <dave.hansen@linux.intel.com>
	26	Cc: David Laight <David.Laight@aculab.com>
	27	Cc: Denys Vlasenko <dvlasenk@redhat.com>
	28	Cc: Eduardo Valentin <eduval@amazon.com>
	29	Cc: Greg KH <gregkh@linuxfoundation.org>
	30	Cc: H. Peter Anvin <hpa@zytor.com>
	31	Cc: Josh Poimboeuf <jpoimboe@redhat.com>
	32	Cc: Juergen Gross <jgross@suse.com>
	33	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	34	Cc: Peter Zijlstra <peterz@infradead.org>
	35	Cc: Rik van Riel <riel@redhat.com>
	36	Cc: Will Deacon <will.deacon@arm.com>
	37	Cc: aliguori@amazon.com
	38	Cc: daniel.gruss@iaik.tugraz.at
	39	Cc: hughd@google.com
	40	Cc: keescook@google.com
	41	Link: https://lkml.kernel.org/r/20171204150605.722425540@linutronix.de
	42	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	43	(backported from commit 7fb983b4dd569e08564134a850dfd4eb1c63d9b8)
	44	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	45	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	46	(cherry picked from commit 7123a5de72dc59dea18ce8886e7db726f7259caf)
	47	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	48	---
	49	arch/x86/include/asm/desc.h \| 2 +-
	50	arch/x86/include/asm/processor.h \| 9 +++++++--
	51	arch/x86/kernel/cpu/common.c \| 8 ++++----
	52	arch/x86/kernel/doublefault.c \| 36 +++++++++++++++++-------------------
	53	arch/x86/kvm/vmx.c \| 2 +-
	54	arch/x86/power/cpu.c \| 13 +++++++------
	55	6 files changed, 37 insertions(+), 33 deletions(-)
	56
	57	diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
	58	index 81c9b1e8cae9..b817fe247506 100644
	59	--- a/arch/x86/include/asm/desc.h
	60	+++ b/arch/x86/include/asm/desc.h
	61	@@ -190,7 +190,7 @@ static inline void set_tssldt_descriptor(void *d, unsigned long addr,
	62	#endif
	63	}
	64
	65	-static inline void __set_tss_desc(unsigned cpu, unsigned int entry, void *addr)
	66	+static inline void __set_tss_desc(unsigned cpu, unsigned int entry, struct x86_hw_tss *addr)
	67	{
	68	struct desc_struct *d = get_cpu_gdt_rw(cpu);
69	tss_desc tss;
70	diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
71	index 5225917f9760..78123abdb046 100644
72	--- a/arch/x86/include/asm/processor.h
73	+++ b/arch/x86/include/asm/processor.h
74	@@ -161,7 +161,7 @@ extern struct cpuinfo_x86 new_cpu_data;
75
76	#include <linux/thread_info.h>
77
78	-extern struct tss_struct doublefault_tss;
79	+extern struct x86_hw_tss doublefault_tss;
80	extern __u32 cpu_caps_cleared[NCAPINTS];
81	extern __u32 cpu_caps_set[NCAPINTS];
82
83	@@ -246,6 +246,11 @@ static inline void load_cr3(pgd_t *pgdir)
84	write_cr3(__pa(pgdir));
85	}
86
87	+/*
88	+ * Note that while the legacy 'TSS' name comes from 'Task State Segment',
89	+ * on modern x86 CPUs the TSS also holds information important to 64-bit mode,
90	+ * unrelated to the task-switch mechanism:
91	+ */
92	#ifdef CONFIG_X86_32
93	/* This is the TSS defined by the hardware. */
94	struct x86_hw_tss {
95	@@ -316,7 +321,7 @@ struct x86_hw_tss {
96	#define IO_BITMAP_BITS 65536
97	#define IO_BITMAP_BYTES (IO_BITMAP_BITS/8)
98	#define IO_BITMAP_LONGS (IO_BITMAP_BYTES/sizeof(long))
99	-#define IO_BITMAP_OFFSET offsetof(struct tss_struct, io_bitmap)
100	+#define IO_BITMAP_OFFSET (offsetof(struct tss_struct, io_bitmap) - offsetof(struct tss_struct, x86_tss))
101	#define INVALID_IO_BITMAP_OFFSET 0x8000
102
103	struct tss_struct {
104	diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
105	index ffee73ec1af1..e526d82b546c 100644
106	--- a/arch/x86/kernel/cpu/common.c
107	+++ b/arch/x86/kernel/cpu/common.c
108	@@ -1558,7 +1558,7 @@ void cpu_init(void)
109	}
110	}
111
112	- t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap);
113	+ t->x86_tss.io_bitmap_base = IO_BITMAP_OFFSET;
114
115	/*
116	* <= is required because the CPU will access up to
117	@@ -1576,7 +1576,7 @@ void cpu_init(void)
118	* Initialize the TSS. Don't bother initializing sp0, as the initial
119	* task never enters user mode.
120	*/
121	- set_tss_desc(cpu, t);
122	+ set_tss_desc(cpu, &t->x86_tss);
123	load_TR_desc();
124
125	load_mm_ldt(&init_mm);
126	@@ -1633,12 +1633,12 @@ void cpu_init(void)
127	* Initialize the TSS. Don't bother initializing sp0, as the initial
128	* task never enters user mode.
129	*/
130	- set_tss_desc(cpu, t);
131	+ set_tss_desc(cpu, &t->x86_tss);
132	load_TR_desc();
133
134	load_mm_ldt(&init_mm);
135
136	- t->x86_tss.io_bitmap_base = offsetof(struct tss_struct, io_bitmap);
137	+ t->x86_tss.io_bitmap_base = IO_BITMAP_OFFSET;
138
139	#ifdef CONFIG_DOUBLEFAULT
140	/* Set up doublefault TSS pointer in the GDT */
141	diff --git a/arch/x86/kernel/doublefault.c b/arch/x86/kernel/doublefault.c
142	index f9c324e08d85..a9fe79d49d39 100644
143	--- a/arch/x86/kernel/doublefault.c
144	+++ b/arch/x86/kernel/doublefault.c
145	@@ -49,25 +49,23 @@ static void doublefault_fn(void)
146	cpu_relax();
147	}
148
149	-struct tss_struct doublefault_tss __cacheline_aligned = {
150	- .x86_tss = {
151	- .sp0 = STACK_START,
152	- .ss0 = __KERNEL_DS,
153	- .ldt = 0,
154	- .io_bitmap_base = INVALID_IO_BITMAP_OFFSET,
155	-
156	- .ip = (unsigned long) doublefault_fn,
157	- /* 0x2 bit is always set */
158	- .flags = X86_EFLAGS_SF \| 0x2,
159	- .sp = STACK_START,
160	- .es = __USER_DS,
161	- .cs = __KERNEL_CS,
162	- .ss = __KERNEL_DS,
163	- .ds = __USER_DS,
164	- .fs = __KERNEL_PERCPU,
165	-
166	- .__cr3 = __pa_nodebug(swapper_pg_dir),
167	- }
168	+struct x86_hw_tss doublefault_tss __cacheline_aligned = {
169	+ .sp0 = STACK_START,
170	+ .ss0 = __KERNEL_DS,
171	+ .ldt = 0,
172	+ .io_bitmap_base = INVALID_IO_BITMAP_OFFSET,
173	+
174	+ .ip = (unsigned long) doublefault_fn,
175	+ /* 0x2 bit is always set */
176	+ .flags = X86_EFLAGS_SF \| 0x2,
177	+ .sp = STACK_START,
178	+ .es = __USER_DS,
179	+ .cs = __KERNEL_CS,
180	+ .ss = __KERNEL_DS,
181	+ .ds = __USER_DS,
182	+ .fs = __KERNEL_PERCPU,
183	+
184	+ .__cr3 = __pa_nodebug(swapper_pg_dir),
185	};
186
187	/* dummy for do_double_fault() call */
188	diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
189	index dd4996a96c71..a7c5a47beab7 100644
190	--- a/arch/x86/kvm/vmx.c
191	+++ b/arch/x86/kvm/vmx.c
192	@@ -2280,7 +2280,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
193	* processors. See 22.2.4.
194	*/
195	vmcs_writel(HOST_TR_BASE,
196	- (unsigned long)this_cpu_ptr(&cpu_tss));
197	+ (unsigned long)this_cpu_ptr(&cpu_tss.x86_tss));
198	vmcs_writel(HOST_GDTR_BASE, (unsigned long)gdt); /* 22.2.4 */
199
200	/*
201	diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
202	index 78459a6d455a..48cd87fc7222 100644
203	--- a/arch/x86/power/cpu.c
204	+++ b/arch/x86/power/cpu.c
205	@@ -165,12 +165,13 @@ static void fix_processor_context(void)
206	struct desc_struct *desc = get_cpu_gdt_rw(cpu);
207	tss_desc tss;
208	#endif
209	- set_tss_desc(cpu, t); /*
210	- * This just modifies memory; should not be
211	- * necessary. But... This is necessary, because
212	- * 386 hardware has concept of busy TSS or some
213	- * similar stupidity.
214	- */
215	+
216	+ /*
217	+ * This just modifies memory; should not be necessary. But... This is
218	+ * necessary, because 386 hardware has concept of busy TSS or some
219	+ * similar stupidity.
220	+ */
221	+ set_tss_desc(cpu, &t->x86_tss);
222
223	#ifdef CONFIG_X86_64
224	memcpy(&tss, &desc[GDT_ENTRY_TSS], sizeof(tss_desc));
225	--
226	2.14.2
227