[pve-kernel.git] / patches / kernel / 0248-x86-pti-Unbreak-EFI-old_memmap.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jiri Kosina <jkosina@suse.cz>
Date: Fri, 5 Jan 2018 22:35:41 +0100
Subject: [PATCH] x86/pti: Unbreak EFI old_memmap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2017-5754

EFI_OLD_MEMMAP's efi_call_phys_prolog() calls set_pgd() with swapper PGD that
has PAGE_USER set, which makes PTI set NX on it, and therefore EFI can't
execute it's code.

Fix that by forcefully clearing _PAGE_NX from the PGD (this can't be done
by the pgprot API).

_PAGE_NX will be automatically reintroduced in efi_call_phys_epilog(), as
_set_pgd() will again notice that this is _PAGE_USER, and set _PAGE_NX on
it.

Tested-by: Dimitri Sivanich <sivanich@hpe.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1801052215460.11852@cbobk.fhfr.pm
(cherry picked from commit de53c3786a3ce162a1c815d0c04c766c23ec9c0a)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 31afacd8089f54061e718e5d491f11747755c503)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 arch/x86/platform/efi/efi_64.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
index b104224d3d6c..987a38e82f73 100644
--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -133,7 +133,9 @@ pgd_t * __init efi_call_phys_prolog(void)
 				pud[j] = *pud_offset(p4d_k, vaddr);
 			}
 		}
+		pgd_offset_k(pgd * PGDIR_SIZE)->pgd &= ~_PAGE_NX;
 	}
+
 out:
 	__flush_tlb_all();
 
-- 
2.14.2
Commit	Line	Data
035dbe67 FG	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Jiri Kosina <jkosina@suse.cz>
	3	Date: Fri, 5 Jan 2018 22:35:41 +0100
	4	Subject: [PATCH] x86/pti: Unbreak EFI old_memmap
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	CVE-2017-5754
	10
	11	EFI_OLD_MEMMAP's efi_call_phys_prolog() calls set_pgd() with swapper PGD that
	12	has PAGE_USER set, which makes PTI set NX on it, and therefore EFI can't
	13	execute it's code.
	14
	15	Fix that by forcefully clearing _PAGE_NX from the PGD (this can't be done
	16	by the pgprot API).
	17
	18	_PAGE_NX will be automatically reintroduced in efi_call_phys_epilog(), as
	19	_set_pgd() will again notice that this is _PAGE_USER, and set _PAGE_NX on
	20	it.
	21
	22	Tested-by: Dimitri Sivanich <sivanich@hpe.com>
	23	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
	24	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	25	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	26	Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
	27	Cc: Andrea Arcangeli <aarcange@redhat.com>
	28	Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
	29	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	30	Cc: Matt Fleming <matt@codeblueprint.co.uk>
	31	Cc: Peter Zijlstra <peterz@infradead.org>
	32	Cc: Thomas Gleixner <tglx@linutronix.de>
	33	Cc: linux-efi@vger.kernel.org
	34	Cc: stable@vger.kernel.org
	35	Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1801052215460.11852@cbobk.fhfr.pm
	36	(cherry picked from commit de53c3786a3ce162a1c815d0c04c766c23ec9c0a)
	37	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	38	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	39	(cherry picked from commit 31afacd8089f54061e718e5d491f11747755c503)
	40	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	41	---
	42	arch/x86/platform/efi/efi_64.c \| 2 ++
	43	1 file changed, 2 insertions(+)
	44
	45	diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
	46	index b104224d3d6c..987a38e82f73 100644
	47	--- a/arch/x86/platform/efi/efi_64.c
	48	+++ b/arch/x86/platform/efi/efi_64.c
	49	@@ -133,7 +133,9 @@ pgd_t * __init efi_call_phys_prolog(void)
	50	pud[j] = *pud_offset(p4d_k, vaddr);
	51	}
	52	}
	53	+ pgd_offset_k(pgd * PGDIR_SIZE)->pgd &= ~_PAGE_NX;
	54	}
	55	+
	56	out:
	57	__flush_tlb_all();
	58
	59	--
	60	2.14.2
	61