[pve-kernel.git] / patches / kernel / 0154-x86-entry-64-Return-to-userspace-from-the-trampoline.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Andy Lutomirski <luto@kernel.org>
Date: Mon, 4 Dec 2017 15:07:24 +0100
Subject: [PATCH] x86/entry/64: Return to userspace from the trampoline stack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

By itself, this is useless.  It gives us the ability to run some final code
before exit that cannnot run on the kernel stack.  This could include a CR3
switch a la PAGE_TABLE_ISOLATION or some kernel stack erasing, for
example.  (Or even weird things like *changing* which kernel stack gets
used as an ASLR-strengthening mechanism.)

The SYSRET32 path is not covered yet.  It could be in the future or
we could just ignore it and force the slow path if needed.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bpetkov@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: daniel.gruss@iaik.tugraz.at
Cc: hughd@google.com
Cc: keescook@google.com
Link: https://lkml.kernel.org/r/20171204150606.306546484@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit 3e3b9293d392c577b62e24e4bc9982320438e749)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 40eb58584f732a2fefb5959e79e408bedeaaa43c)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/entry/entry_64.S | 55 +++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 51 insertions(+), 4 deletions(-)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index f70fedc58bac..4abe5b806d2a 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -325,8 +325,24 @@ syscall_return_via_sysret:
 	popq	%rsi	/* skip rcx */
 	popq	%rdx
 	popq	%rsi
+
+	/*
+	 * Now all regs are restored except RSP and RDI.
+	 * Save old stack pointer and switch to trampoline stack.
+	 */
+	movq	%rsp, %rdi
+	movq	PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp
+
+	pushq	RSP-RDI(%rdi)	/* RSP */
+	pushq	(%rdi)		/* RDI */
+
+	/*
+	 * We are on the trampoline stack.  All regs except RDI are live.
+	 * We can do future final exit work right here.
+	 */
+
 	popq	%rdi
-	movq	RSP-ORIG_RAX(%rsp), %rsp
+	popq	%rsp
 	USERGS_SYSRET64
 END(entry_SYSCALL_64)
 
@@ -629,10 +645,41 @@ GLOBAL(swapgs_restore_regs_and_return_to_usermode)
 	ud2
 1:
 #endif
-	SWAPGS
 	POP_EXTRA_REGS
-	POP_C_REGS
-	addq	$8, %rsp	/* skip regs->orig_ax */
+	popq	%r11
+	popq	%r10
+	popq	%r9
+	popq	%r8
+	popq	%rax
+	popq	%rcx
+	popq	%rdx
+	popq	%rsi
+
+	/*
+	 * The stack is now user RDI, orig_ax, RIP, CS, EFLAGS, RSP, SS.
+	 * Save old stack pointer and switch to trampoline stack.
+	 */
+	movq	%rsp, %rdi
+	movq	PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp
+
+	/* Copy the IRET frame to the trampoline stack. */
+	pushq	6*8(%rdi)	/* SS */
+	pushq	5*8(%rdi)	/* RSP */
+	pushq	4*8(%rdi)	/* EFLAGS */
+	pushq	3*8(%rdi)	/* CS */
+	pushq	2*8(%rdi)	/* RIP */
+
+	/* Push user RDI on the trampoline stack. */
+	pushq	(%rdi)
+
+	/*
+	 * We are on the trampoline stack.  All regs except RDI are live.
+	 * We can do future final exit work right here.
+	 */
+
+	/* Restore RDI. */
+	popq	%rdi
+	SWAPGS
 	INTERRUPT_RETURN
 
 
-- 
2.14.2
Commit	Line	Data
59d5af67	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
321d628a FG	2	From: Andy Lutomirski <luto@kernel.org>
321d628a FG	3	Date: Mon, 4 Dec 2017 15:07:24 +0100
59d5af67	4	Subject: [PATCH] x86/entry/64: Return to userspace from the trampoline stack
321d628a FG	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	CVE-2017-5754
	10
	11	By itself, this is useless. It gives us the ability to run some final code
	12	before exit that cannnot run on the kernel stack. This could include a CR3
	13	switch a la PAGE_TABLE_ISOLATION or some kernel stack erasing, for
	14	example. (Or even weird things like changing which kernel stack gets
	15	used as an ASLR-strengthening mechanism.)
	16
	17	The SYSRET32 path is not covered yet. It could be in the future or
	18	we could just ignore it and force the slow path if needed.
	19
	20	Signed-off-by: Andy Lutomirski <luto@kernel.org>
	21	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	22	Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
	23	Reviewed-by: Borislav Petkov <bp@suse.de>
	24	Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
	25	Cc: Borislav Petkov <bp@alien8.de>
	26	Cc: Borislav Petkov <bpetkov@suse.de>
	27	Cc: Brian Gerst <brgerst@gmail.com>
	28	Cc: Dave Hansen <dave.hansen@intel.com>
	29	Cc: Dave Hansen <dave.hansen@linux.intel.com>
	30	Cc: David Laight <David.Laight@aculab.com>
	31	Cc: Denys Vlasenko <dvlasenk@redhat.com>
	32	Cc: Eduardo Valentin <eduval@amazon.com>
	33	Cc: Greg KH <gregkh@linuxfoundation.org>
	34	Cc: H. Peter Anvin <hpa@zytor.com>
	35	Cc: Josh Poimboeuf <jpoimboe@redhat.com>
	36	Cc: Juergen Gross <jgross@suse.com>
	37	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	38	Cc: Peter Zijlstra <peterz@infradead.org>
	39	Cc: Rik van Riel <riel@redhat.com>
	40	Cc: Will Deacon <will.deacon@arm.com>
	41	Cc: aliguori@amazon.com
	42	Cc: daniel.gruss@iaik.tugraz.at
	43	Cc: hughd@google.com
	44	Cc: keescook@google.com
	45	Link: https://lkml.kernel.org/r/20171204150606.306546484@linutronix.de
	46	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	47	(cherry picked from commit 3e3b9293d392c577b62e24e4bc9982320438e749)
	48	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	49	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	50	(cherry picked from commit 40eb58584f732a2fefb5959e79e408bedeaaa43c)
	51	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	52	---
	53	arch/x86/entry/entry_64.S \| 55 +++++++++++++++++++++++++++++++++++++++++++----
	54	1 file changed, 51 insertions(+), 4 deletions(-)
	55
	56	diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
	57	index f70fedc58bac..4abe5b806d2a 100644
	58	--- a/arch/x86/entry/entry_64.S
	59	+++ b/arch/x86/entry/entry_64.S
	60	@@ -325,8 +325,24 @@ syscall_return_via_sysret:
	61	popq %rsi /* skip rcx */
	62	popq %rdx
	63	popq %rsi
	64	+
	65	+ /*
	66	+ * Now all regs are restored except RSP and RDI.
	67	+ * Save old stack pointer and switch to trampoline stack.
	68	+ */
69	+ movq %rsp, %rdi
70	+ movq PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp
71	+
72	+ pushq RSP-RDI(%rdi) /* RSP */
73	+ pushq (%rdi) /* RDI */
74	+
75	+ /*
76	+ * We are on the trampoline stack. All regs except RDI are live.
77	+ * We can do future final exit work right here.
78	+ */
79	+
80	popq %rdi
81	- movq RSP-ORIG_RAX(%rsp), %rsp
82	+ popq %rsp
83	USERGS_SYSRET64
84	END(entry_SYSCALL_64)
85
86	@@ -629,10 +645,41 @@ GLOBAL(swapgs_restore_regs_and_return_to_usermode)
87	ud2
88	1:
89	#endif
90	- SWAPGS
91	POP_EXTRA_REGS
92	- POP_C_REGS
93	- addq $8, %rsp /* skip regs->orig_ax */
94	+ popq %r11
95	+ popq %r10
96	+ popq %r9
97	+ popq %r8
98	+ popq %rax
99	+ popq %rcx
100	+ popq %rdx
101	+ popq %rsi
102	+
103	+ /*
104	+ * The stack is now user RDI, orig_ax, RIP, CS, EFLAGS, RSP, SS.
105	+ * Save old stack pointer and switch to trampoline stack.
106	+ */
107	+ movq %rsp, %rdi
108	+ movq PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp
109	+
110	+ /* Copy the IRET frame to the trampoline stack. */
111	+ pushq 68(%rdi) / SS */
112	+ pushq 58(%rdi) / RSP */
113	+ pushq 48(%rdi) / EFLAGS */
114	+ pushq 38(%rdi) / CS */
115	+ pushq 28(%rdi) / RIP */
116	+
117	+ /* Push user RDI on the trampoline stack. */
118	+ pushq (%rdi)
119	+
120	+ /*
121	+ * We are on the trampoline stack. All regs except RDI are live.
122	+ * We can do future final exit work right here.
123	+ */
124	+
125	+ /* Restore RDI. */
126	+ popq %rdi
127	+ SWAPGS
128	INTERRUPT_RETURN
129
130
131	--
132	2.14.2
133