[pve-kernel.git] / patches / kernel / 0200-x86-mm-pti-Share-entry-text-PMD.patch

From 9b8667a59df870d8f965d6681cb18843302c8510 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 4 Dec 2017 15:07:47 +0100
Subject: [PATCH 200/241] x86/mm/pti: Share entry text PMD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

Share the entry text PMD of the kernel mapping with the user space
mapping. If large pages are enabled this is a single PMD entry and at the
point where it is copied into the user page table the RW bit has not been
cleared yet. Clear it right away so the user space visible map becomes RX.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Laight <David.Laight@aculab.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Eduardo Valentin <eduval@amazon.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Will Deacon <will.deacon@arm.com>
Cc: aliguori@amazon.com
Cc: daniel.gruss@iaik.tugraz.at
Cc: hughd@google.com
Cc: keescook@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit 6dc72c3cbca0580642808d677181cad4c6433893)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit ee98d7446b4a7c12a57a38b1a5f51e3df0ac2cf3)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/mm/pti.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
index 59290356f19f..0e78797650a7 100644
--- a/arch/x86/mm/pti.c
+++ b/arch/x86/mm/pti.c
@@ -287,6 +287,15 @@ static void __init pti_clone_user_shared(void)
 	pti_clone_p4d(CPU_ENTRY_AREA_BASE);
 }
 
+/*
+ * Clone the populated PMDs of the entry and irqentry text and force it RO.
+ */
+static void __init pti_clone_entry_text(void)
+{
+	pti_clone_pmds((unsigned long) __entry_text_start,
+			(unsigned long) __irqentry_text_end, _PAGE_RW);
+}
+
 /*
  * Initialize kernel page table isolation
  */
@@ -298,4 +307,5 @@ void __init pti_init(void)
 	pr_info("enabled\n");
 
 	pti_clone_user_shared();
+	pti_clone_entry_text();
 }
-- 
2.14.2
Commit	Line	Data
321d628a FG	1	From 9b8667a59df870d8f965d6681cb18843302c8510 Mon Sep 17 00:00:00 2001
	2	From: Thomas Gleixner <tglx@linutronix.de>
	3	Date: Mon, 4 Dec 2017 15:07:47 +0100
e4cdf2a5	4	Subject: [PATCH 200/241] x86/mm/pti: Share entry text PMD
321d628a FG	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	CVE-2017-5754
	10
	11	Share the entry text PMD of the kernel mapping with the user space
	12	mapping. If large pages are enabled this is a single PMD entry and at the
	13	point where it is copied into the user page table the RW bit has not been
	14	cleared yet. Clear it right away so the user space visible map becomes RX.
	15
	16	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	17	Cc: Andy Lutomirski <luto@kernel.org>
	18	Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
	19	Cc: Borislav Petkov <bp@alien8.de>
	20	Cc: Brian Gerst <brgerst@gmail.com>
	21	Cc: Dave Hansen <dave.hansen@linux.intel.com>
	22	Cc: David Laight <David.Laight@aculab.com>
	23	Cc: Denys Vlasenko <dvlasenk@redhat.com>
	24	Cc: Eduardo Valentin <eduval@amazon.com>
	25	Cc: Greg KH <gregkh@linuxfoundation.org>
	26	Cc: H. Peter Anvin <hpa@zytor.com>
	27	Cc: Josh Poimboeuf <jpoimboe@redhat.com>
	28	Cc: Juergen Gross <jgross@suse.com>
	29	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	30	Cc: Peter Zijlstra <peterz@infradead.org>
	31	Cc: Will Deacon <will.deacon@arm.com>
	32	Cc: aliguori@amazon.com
	33	Cc: daniel.gruss@iaik.tugraz.at
	34	Cc: hughd@google.com
	35	Cc: keescook@google.com
	36	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	37	(cherry picked from commit 6dc72c3cbca0580642808d677181cad4c6433893)
	38	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	39	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	40	(cherry picked from commit ee98d7446b4a7c12a57a38b1a5f51e3df0ac2cf3)
	41	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	42	---
	43	arch/x86/mm/pti.c \| 10 ++++++++++
	44	1 file changed, 10 insertions(+)
	45
	46	diff --git a/arch/x86/mm/pti.c b/arch/x86/mm/pti.c
	47	index 59290356f19f..0e78797650a7 100644
	48	--- a/arch/x86/mm/pti.c
	49	+++ b/arch/x86/mm/pti.c
	50	@@ -287,6 +287,15 @@ static void __init pti_clone_user_shared(void)
	51	pti_clone_p4d(CPU_ENTRY_AREA_BASE);
	52	}
	53
	54	+/*
	55	+ * Clone the populated PMDs of the entry and irqentry text and force it RO.
	56	+ */
	57	+static void __init pti_clone_entry_text(void)
	58	+{
	59	+ pti_clone_pmds((unsigned long) __entry_text_start,
	60	+ (unsigned long) __irqentry_text_end, _PAGE_RW);
	61	+}
	62	+
	63	/*
	64	* Initialize kernel page table isolation
	65	*/
	66	@@ -298,4 +307,5 @@ void __init pti_init(void)
	67	pr_info("enabled\n");
	68
69	pti_clone_user_shared();
70	+ pti_clone_entry_text();
71	}
72	--
73	2.14.2
74