[pve-kernel.git] / patches / kernel / 0169-x86-ldt-Rework-locking.patch

From b37d3e3a9b29caf78e2da6efba8959fc912e47a0 Mon Sep 17 00:00:00 2001
From: Peter Zijlstra <peterz@infradead.org>
Date: Thu, 14 Dec 2017 12:27:30 +0100
Subject: [PATCH 169/241] x86/ldt: Rework locking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

The LDT is duplicated on fork() and on exec(), which is wrong as exec()
should start from a clean state, i.e. without LDT. To fix this the LDT
duplication code will be moved into arch_dup_mmap() which is only called
for fork().

This introduces a locking problem. arch_dup_mmap() holds mmap_sem of the
parent process, but the LDT duplication code needs to acquire
mm->context.lock to access the LDT data safely, which is the reverse lock
order of write_ldt() where mmap_sem nests into context.lock.

Solve this by introducing a new rw semaphore which serializes the
read/write_ldt() syscall operations and use context.lock to protect the
actual installment of the LDT descriptor.

So context.lock stabilizes mm->context.ldt and can nest inside of the new
semaphore or mmap_sem.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bpetkov@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: dan.j.williams@intel.com
Cc: hughd@google.com
Cc: keescook@google.com
Cc: kirill.shutemov@linux.intel.com
Cc: linux-mm@kvack.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit c2b3496bb30bd159e9de42e5c952e1f1f33c9a77)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit bf7ee649ccc71ef9acb713a00472886c19e78684)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/include/asm/mmu.h         |  4 +++-
 arch/x86/include/asm/mmu_context.h |  2 ++
 arch/x86/kernel/ldt.c              | 33 +++++++++++++++++++++------------
 3 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
index bb8c597c2248..2d7e852b2dad 100644
--- a/arch/x86/include/asm/mmu.h
+++ b/arch/x86/include/asm/mmu.h
@@ -2,6 +2,7 @@
 #define _ASM_X86_MMU_H
 
 #include <linux/spinlock.h>
+#include <linux/rwsem.h>
 #include <linux/mutex.h>
 #include <linux/atomic.h>
 
@@ -26,7 +27,8 @@ typedef struct {
 	atomic64_t tlb_gen;
 
 #ifdef CONFIG_MODIFY_LDT_SYSCALL
-	struct ldt_struct *ldt;
+	struct rw_semaphore	ldt_usr_sem;
+	struct ldt_struct	*ldt;
 #endif
 
 #ifdef CONFIG_X86_64
diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index 9be54d9c04c4..dd865c2acb9d 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -131,6 +131,8 @@ void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk);
 static inline int init_new_context(struct task_struct *tsk,
 				   struct mm_struct *mm)
 {
+	mutex_init(&mm->context.lock);
+
 	mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id);
 	atomic64_set(&mm->context.tlb_gen, 0);
 
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index b8be2413cb74..3e7208f0c350 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -4,6 +4,11 @@
  * Copyright (C) 2002 Andi Kleen
  *
  * This handles calls from both 32bit and 64bit mode.
+ *
+ * Lock order:
+ *	contex.ldt_usr_sem
+ *	  mmap_sem
+ *	    context.lock
  */
 
 #include <linux/errno.h>
@@ -41,7 +46,7 @@ static void refresh_ldt_segments(void)
 #endif
 }
 
-/* context.lock is held for us, so we don't need any locking. */
+/* context.lock is held by the task which issued the smp function call */
 static void flush_ldt(void *__mm)
 {
 	struct mm_struct *mm = __mm;
@@ -98,15 +103,17 @@ static void finalize_ldt_struct(struct ldt_struct *ldt)
 	paravirt_alloc_ldt(ldt->entries, ldt->nr_entries);
 }
 
-/* context.lock is held */
-static void install_ldt(struct mm_struct *current_mm,
-			struct ldt_struct *ldt)
+static void install_ldt(struct mm_struct *mm, struct ldt_struct *ldt)
 {
+	mutex_lock(&mm->context.lock);
+
 	/* Synchronizes with READ_ONCE in load_mm_ldt. */
-	smp_store_release(&current_mm->context.ldt, ldt);
+	smp_store_release(&mm->context.ldt, ldt);
 
-	/* Activate the LDT for all CPUs using current_mm. */
-	on_each_cpu_mask(mm_cpumask(current_mm), flush_ldt, current_mm, true);
+	/* Activate the LDT for all CPUs using currents mm. */
+	on_each_cpu_mask(mm_cpumask(mm), flush_ldt, mm, true);
+
+	mutex_unlock(&mm->context.lock);
 }
 
 static void free_ldt_struct(struct ldt_struct *ldt)
@@ -132,7 +139,8 @@ int init_new_context_ldt(struct task_struct *tsk, struct mm_struct *mm)
 	struct mm_struct *old_mm;
 	int retval = 0;
 
-	mutex_init(&mm->context.lock);
+	init_rwsem(&mm->context.ldt_usr_sem);
+
 	old_mm = current->mm;
 	if (!old_mm) {
 		mm->context.ldt = NULL;
@@ -179,7 +187,7 @@ static int read_ldt(void __user *ptr, unsigned long bytecount)
 	unsigned long entries_size;
 	int retval;
 
-	mutex_lock(&mm->context.lock);
+	down_read(&mm->context.ldt_usr_sem);
 
 	if (!mm->context.ldt) {
 		retval = 0;
@@ -208,7 +216,7 @@ static int read_ldt(void __user *ptr, unsigned long bytecount)
 	retval = bytecount;
 
 out_unlock:
-	mutex_unlock(&mm->context.lock);
+	up_read(&mm->context.ldt_usr_sem);
 	return retval;
 }
 
@@ -268,7 +276,8 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
 			ldt.avl = 0;
 	}
 
-	mutex_lock(&mm->context.lock);
+	if (down_write_killable(&mm->context.ldt_usr_sem))
+		return -EINTR;
 
 	old_ldt       = mm->context.ldt;
 	old_nr_entries = old_ldt ? old_ldt->nr_entries : 0;
@@ -290,7 +299,7 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
 	error = 0;
 
 out_unlock:
-	mutex_unlock(&mm->context.lock);
+	up_write(&mm->context.ldt_usr_sem);
 out:
 	return error;
 }
-- 
2.14.2
Commit	Line	Data
321d628a FG	1	From b37d3e3a9b29caf78e2da6efba8959fc912e47a0 Mon Sep 17 00:00:00 2001
	2	From: Peter Zijlstra <peterz@infradead.org>
	3	Date: Thu, 14 Dec 2017 12:27:30 +0100
e4cdf2a5	4	Subject: [PATCH 169/241] x86/ldt: Rework locking
321d628a FG	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	CVE-2017-5754
	10
	11	The LDT is duplicated on fork() and on exec(), which is wrong as exec()
	12	should start from a clean state, i.e. without LDT. To fix this the LDT
	13	duplication code will be moved into arch_dup_mmap() which is only called
	14	for fork().
	15
	16	This introduces a locking problem. arch_dup_mmap() holds mmap_sem of the
	17	parent process, but the LDT duplication code needs to acquire
	18	mm->context.lock to access the LDT data safely, which is the reverse lock
	19	order of write_ldt() where mmap_sem nests into context.lock.
	20
	21	Solve this by introducing a new rw semaphore which serializes the
	22	read/write_ldt() syscall operations and use context.lock to protect the
	23	actual installment of the LDT descriptor.
	24
	25	So context.lock stabilizes mm->context.ldt and can nest inside of the new
	26	semaphore or mmap_sem.
	27
	28	Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
	29	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	30	Cc: Andy Lutomirski <luto@kernel.org>
	31	Cc: Andy Lutomirsky <luto@kernel.org>
	32	Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
	33	Cc: Borislav Petkov <bp@alien8.de>
	34	Cc: Borislav Petkov <bpetkov@suse.de>
	35	Cc: Brian Gerst <brgerst@gmail.com>
	36	Cc: Dave Hansen <dave.hansen@intel.com>
	37	Cc: Dave Hansen <dave.hansen@linux.intel.com>
	38	Cc: David Laight <David.Laight@aculab.com>
	39	Cc: Denys Vlasenko <dvlasenk@redhat.com>
	40	Cc: Eduardo Valentin <eduval@amazon.com>
	41	Cc: Greg KH <gregkh@linuxfoundation.org>
	42	Cc: H. Peter Anvin <hpa@zytor.com>
	43	Cc: Josh Poimboeuf <jpoimboe@redhat.com>
	44	Cc: Juergen Gross <jgross@suse.com>
	45	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	46	Cc: Peter Zijlstra <peterz@infradead.org>
	47	Cc: Will Deacon <will.deacon@arm.com>
	48	Cc: aliguori@amazon.com
	49	Cc: dan.j.williams@intel.com
	50	Cc: hughd@google.com
	51	Cc: keescook@google.com
	52	Cc: kirill.shutemov@linux.intel.com
	53	Cc: linux-mm@kvack.org
	54	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	55	(cherry picked from commit c2b3496bb30bd159e9de42e5c952e1f1f33c9a77)
	56	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	57	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	58	(cherry picked from commit bf7ee649ccc71ef9acb713a00472886c19e78684)
	59	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	60	---
	61	arch/x86/include/asm/mmu.h \| 4 +++-
	62	arch/x86/include/asm/mmu_context.h \| 2 ++
	63	arch/x86/kernel/ldt.c \| 33 +++++++++++++++++++++------------
	64	3 files changed, 26 insertions(+), 13 deletions(-)
	65
	66	diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
	67	index bb8c597c2248..2d7e852b2dad 100644
	68	--- a/arch/x86/include/asm/mmu.h
69	+++ b/arch/x86/include/asm/mmu.h
70	@@ -2,6 +2,7 @@
71	#define _ASM_X86_MMU_H
72
73	#include <linux/spinlock.h>
74	+#include <linux/rwsem.h>
75	#include <linux/mutex.h>
76	#include <linux/atomic.h>
77
78	@@ -26,7 +27,8 @@ typedef struct {
79	atomic64_t tlb_gen;
80
81	#ifdef CONFIG_MODIFY_LDT_SYSCALL
82	- struct ldt_struct *ldt;
83	+ struct rw_semaphore ldt_usr_sem;
84	+ struct ldt_struct *ldt;
85	#endif
86
87	#ifdef CONFIG_X86_64
88	diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
89	index 9be54d9c04c4..dd865c2acb9d 100644
90	--- a/arch/x86/include/asm/mmu_context.h
91	+++ b/arch/x86/include/asm/mmu_context.h
92	@@ -131,6 +131,8 @@ void enter_lazy_tlb(struct mm_struct mm, struct task_struct tsk);
93	static inline int init_new_context(struct task_struct *tsk,
94	struct mm_struct *mm)
95	{
96	+ mutex_init(&mm->context.lock);
97	+
98	mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id);
99	atomic64_set(&mm->context.tlb_gen, 0);
100
101	diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
102	index b8be2413cb74..3e7208f0c350 100644
103	--- a/arch/x86/kernel/ldt.c
104	+++ b/arch/x86/kernel/ldt.c
105	@@ -4,6 +4,11 @@
106	* Copyright (C) 2002 Andi Kleen
107	*
108	* This handles calls from both 32bit and 64bit mode.
109	+ *
110	+ * Lock order:
111	+ * contex.ldt_usr_sem
112	+ * mmap_sem
113	+ * context.lock
114	*/
115
116	#include <linux/errno.h>
117	@@ -41,7 +46,7 @@ static void refresh_ldt_segments(void)
118	#endif
119	}
120
121	-/* context.lock is held for us, so we don't need any locking. */
122	+/* context.lock is held by the task which issued the smp function call */
123	static void flush_ldt(void *__mm)
124	{
125	struct mm_struct *mm = __mm;
126	@@ -98,15 +103,17 @@ static void finalize_ldt_struct(struct ldt_struct *ldt)
127	paravirt_alloc_ldt(ldt->entries, ldt->nr_entries);
128	}
129
130	-/* context.lock is held */
131	-static void install_ldt(struct mm_struct *current_mm,
132	- struct ldt_struct *ldt)
133	+static void install_ldt(struct mm_struct mm, struct ldt_struct ldt)
134	{
135	+ mutex_lock(&mm->context.lock);
136	+
137	/* Synchronizes with READ_ONCE in load_mm_ldt. */
138	- smp_store_release(&current_mm->context.ldt, ldt);
139	+ smp_store_release(&mm->context.ldt, ldt);
140
141	- /* Activate the LDT for all CPUs using current_mm. */
142	- on_each_cpu_mask(mm_cpumask(current_mm), flush_ldt, current_mm, true);
143	+ /* Activate the LDT for all CPUs using currents mm. */
144	+ on_each_cpu_mask(mm_cpumask(mm), flush_ldt, mm, true);
145	+
146	+ mutex_unlock(&mm->context.lock);
147	}
148
149	static void free_ldt_struct(struct ldt_struct *ldt)
150	@@ -132,7 +139,8 @@ int init_new_context_ldt(struct task_struct tsk, struct mm_struct mm)
151	struct mm_struct *old_mm;
152	int retval = 0;
153
154	- mutex_init(&mm->context.lock);
155	+ init_rwsem(&mm->context.ldt_usr_sem);
156	+
157	old_mm = current->mm;
158	if (!old_mm) {
159	mm->context.ldt = NULL;
160	@@ -179,7 +187,7 @@ static int read_ldt(void __user *ptr, unsigned long bytecount)
161	unsigned long entries_size;
162	int retval;
163
164	- mutex_lock(&mm->context.lock);
165	+ down_read(&mm->context.ldt_usr_sem);
166
167	if (!mm->context.ldt) {
168	retval = 0;
169	@@ -208,7 +216,7 @@ static int read_ldt(void __user *ptr, unsigned long bytecount)
170	retval = bytecount;
171
172	out_unlock:
173	- mutex_unlock(&mm->context.lock);
174	+ up_read(&mm->context.ldt_usr_sem);
175	return retval;
176	}
177
178	@@ -268,7 +276,8 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
179	ldt.avl = 0;
180	}
181
182	- mutex_lock(&mm->context.lock);
183	+ if (down_write_killable(&mm->context.ldt_usr_sem))
184	+ return -EINTR;
185
186	old_ldt = mm->context.ldt;
187	old_nr_entries = old_ldt ? old_ldt->nr_entries : 0;
188	@@ -290,7 +299,7 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
189	error = 0;
190
191	out_unlock:
192	- mutex_unlock(&mm->context.lock);
193	+ up_write(&mm->context.ldt_usr_sem);
194	out:
195	return error;
196	}
197	--
198	2.14.2
199