projects / pve-kernel.git / blame
| Commit | Line | Data |
|---|---|---|
| 321d628a FG |
1 | From ea96d1e71945047c9e0af526e68b18782acc12c4 Mon Sep 17 00:00:00 2001 |
| 2 | From: Dave Hansen <dave.hansen@linux.intel.com> | |
| 3 | Date: Mon, 4 Dec 2017 15:07:38 +0100 | |
| e4cdf2a5 | 4 | Subject: [PATCH 193/241] x86/mm/pti: Allow NX poison to be set in p4d/pgd |
| 321d628a FG |
5 | MIME-Version: 1.0 |
| 6 | Content-Type: text/plain; charset=UTF-8 | |
| 7 | Content-Transfer-Encoding: 8bit | |
| 8 | ||
| 9 | CVE-2017-5754 | |
| 10 | ||
| 11 | With PAGE_TABLE_ISOLATION the user portion of the kernel page tables is | |
| 12 | poisoned with the NX bit so if the entry code exits with the kernel page | |
| 13 | tables selected in CR3, userspace crashes. | |
| 14 | ||
| 15 | But doing so trips the p4d/pgd_bad() checks. Make sure it does not do | |
| 16 | that. | |
| 17 | ||
| 18 | Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> | |
| 19 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | |
| 20 | Reviewed-by: Borislav Petkov <bp@suse.de> | |
| 21 | Cc: Andy Lutomirski <luto@kernel.org> | |
| 22 | Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> | |
| 23 | Cc: Borislav Petkov <bp@alien8.de> | |
| 24 | Cc: Brian Gerst <brgerst@gmail.com> | |
| 25 | Cc: David Laight <David.Laight@aculab.com> | |
| 26 | Cc: Denys Vlasenko <dvlasenk@redhat.com> | |
| 27 | Cc: Eduardo Valentin <eduval@amazon.com> | |
| 28 | Cc: Greg KH <gregkh@linuxfoundation.org> | |
| 29 | Cc: H. Peter Anvin <hpa@zytor.com> | |
| 30 | Cc: Josh Poimboeuf <jpoimboe@redhat.com> | |
| 31 | Cc: Juergen Gross <jgross@suse.com> | |
| 32 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
| 33 | Cc: Peter Zijlstra <peterz@infradead.org> | |
| 34 | Cc: Will Deacon <will.deacon@arm.com> | |
| 35 | Cc: aliguori@amazon.com | |
| 36 | Cc: daniel.gruss@iaik.tugraz.at | |
| 37 | Cc: hughd@google.com | |
| 38 | Cc: keescook@google.com | |
| 39 | Cc: linux-kernel@vger.kernel.org | |
| 40 | Signed-off-by: Ingo Molnar <mingo@kernel.org> | |
| 41 | (cherry picked from commit 1c4de1ff4fe50453b968579ee86fac3da80dd783) | |
| 42 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
| 43 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
| 44 | (cherry picked from commit 889a8bd0e57e39e7ce337e87c55fa59c09644d4e) | |
| 45 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
| 46 | --- | |
| 47 | arch/x86/include/asm/pgtable.h | 14 ++++++++++++-- | |
| 48 | 1 file changed, 12 insertions(+), 2 deletions(-) | |
| 49 | ||
| 50 | diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h | |
| 51 | index abbb47c75467..3ef8415b2358 100644 | |
| 52 | --- a/arch/x86/include/asm/pgtable.h | |
| 53 | +++ b/arch/x86/include/asm/pgtable.h | |
| 54 | @@ -831,7 +831,12 @@ static inline pud_t *pud_offset(p4d_t *p4d, unsigned long address) | |
| 55 | ||
| 56 | static inline int p4d_bad(p4d_t p4d) | |
| 57 | { | |
| 58 | - return (p4d_flags(p4d) & ~(_KERNPG_TABLE | _PAGE_USER)) != 0; | |
| 59 | + unsigned long ignore_flags = _KERNPG_TABLE | _PAGE_USER; | |
| 60 | + | |
| 61 | + if (IS_ENABLED(CONFIG_PAGE_TABLE_ISOLATION)) | |
| 62 | + ignore_flags |= _PAGE_NX; | |
| 63 | + | |
| 64 | + return (p4d_flags(p4d) & ~ignore_flags) != 0; | |
| 65 | } | |
| 66 | #endif /* CONFIG_PGTABLE_LEVELS > 3 */ | |
| 67 | ||
| 68 | @@ -865,7 +870,12 @@ static inline p4d_t *p4d_offset(pgd_t *pgd, unsigned long address) | |
| 69 | ||
| 70 | static inline int pgd_bad(pgd_t pgd) | |
| 71 | { | |
| 72 | - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE; | |
| 73 | + unsigned long ignore_flags = _PAGE_USER; | |
| 74 | + | |
| 75 | + if (IS_ENABLED(CONFIG_PAGE_TABLE_ISOLATION)) | |
| 76 | + ignore_flags |= _PAGE_NX; | |
| 77 | + | |
| 78 | + return (pgd_flags(pgd) & ~ignore_flags) != _KERNPG_TABLE; | |
| 79 | } | |
| 80 | ||
| 81 | static inline int pgd_none(pgd_t pgd) | |
| 82 | -- | |
| 83 | 2.14.2 | |
| 84 |