1 From eb1bbc0f0023eadafe368704180f4af739aca9a9 Mon Sep 17 00:00:00 2001
2 From: Andy Lutomirski <luto@kernel.org>
3 Date: Mon, 4 Dec 2017 15:07:24 +0100
4 Subject: [PATCH 154/241] x86/entry/64: Return to userspace from the trampoline
5 stack
6 MIME-Version: 1.0
7 Content-Type: text/plain; charset=UTF-8
8 Content-Transfer-Encoding: 8bit
9
10 CVE-2017-5754
11
12 By itself, this is useless. It gives us the ability to run some final code
13 before exit that cannot run on the kernel stack. This could include a CR3
14 switch a la PAGE_TABLE_ISOLATION or some kernel stack erasing, for
15 example. (Or even weird things like *changing* which kernel stack gets
16 used as an ASLR-strengthening mechanism.)
17
18 The SYSRET32 path is not covered yet. It could be in the future or
19 we could just ignore it and force the slow path if needed.
20
21 Signed-off-by: Andy Lutomirski <luto@kernel.org>
22 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
23 Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
24 Reviewed-by: Borislav Petkov <bp@suse.de>
25 Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
26 Cc: Borislav Petkov <bp@alien8.de>
27 Cc: Borislav Petkov <bpetkov@suse.de>
28 Cc: Brian Gerst <brgerst@gmail.com>
29 Cc: Dave Hansen <dave.hansen@intel.com>
30 Cc: Dave Hansen <dave.hansen@linux.intel.com>
31 Cc: David Laight <David.Laight@aculab.com>
32 Cc: Denys Vlasenko <dvlasenk@redhat.com>
33 Cc: Eduardo Valentin <eduval@amazon.com>
34 Cc: Greg KH <gregkh@linuxfoundation.org>
35 Cc: H. Peter Anvin <hpa@zytor.com>
36 Cc: Josh Poimboeuf <jpoimboe@redhat.com>
37 Cc: Juergen Gross <jgross@suse.com>
38 Cc: Linus Torvalds <torvalds@linux-foundation.org>
39 Cc: Peter Zijlstra <peterz@infradead.org>
40 Cc: Rik van Riel <riel@redhat.com>
41 Cc: Will Deacon <will.deacon@arm.com>
42 Cc: aliguori@amazon.com
43 Cc: daniel.gruss@iaik.tugraz.at
44 Cc: hughd@google.com
45 Cc: keescook@google.com
46 Link: https://lkml.kernel.org/r/20171204150606.306546484@linutronix.de
47 Signed-off-by: Ingo Molnar <mingo@kernel.org>
48 (cherry picked from commit 3e3b9293d392c577b62e24e4bc9982320438e749)
49 Signed-off-by: Andy Whitcroft <apw@canonical.com>
50 Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
51 (cherry picked from commit 40eb58584f732a2fefb5959e79e408bedeaaa43c)
52 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
53 ---
54 arch/x86/entry/entry_64.S | 55 +++++++++++++++++++++++++++++++++++++++++++----
55 1 file changed, 51 insertions(+), 4 deletions(-)
56
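diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index f70fedc58bac..4abe5b806d2a 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -325,8 +325,24 @@ syscall_return_via_sysret:
 popq %rsi /* skip rcx */
 popq %rdx
 popq %rsi
+
+ /*
+ * Now all regs are restored except RSP and RDI.
+ * Save old stack pointer and switch to trampoline stack.
+ */
+ movq %rsp, %rdi
+ movq PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp
+
+ pushq RSP-RDI(%rdi) /* RSP */
+ pushq (%rdi) /* RDI */
+
+ /*
+ * We are on the trampoline stack. All regs except RDI are live.
+ * We can do future final exit work right here.
+ */
+
 popq %rdi
- movq RSP-ORIG_RAX(%rsp), %rsp
+ popq %rsp
 USERGS_SYSRET64
 END(entry_SYSCALL_64)
 
@@ -629,10 +645,41 @@ GLOBAL(swapgs_restore_regs_and_return_to_usermode)
 ud2
 1:
 #endif
- SWAPGS
 POP_EXTRA_REGS
- POP_C_REGS
- addq $8, %rsp /* skip regs->orig_ax */
+ popq %r11
+ popq %r10
+ popq %r9
+ popq %r8
+ popq %rax
+ popq %rcx
+ popq %rdx
+ popq %rsi
+
+ /*
+ * The stack is now user RDI, orig_ax, RIP, CS, EFLAGS, RSP, SS.
+ * Save old stack pointer and switch to trampoline stack.
+ */
+ movq %rsp, %rdi
+ movq PER_CPU_VAR(cpu_tss + TSS_sp0), %rsp
+
+ /* Copy the IRET frame to the trampoline stack. */
+ pushq 6*8(%rdi) /* SS */
+ pushq 5*8(%rdi) /* RSP */
+ pushq 4*8(%rdi) /* EFLAGS */
+ pushq 3*8(%rdi) /* CS */
+ pushq 2*8(%rdi) /* RIP */
+
+ /* Push user RDI on the trampoline stack. */
+ pushq (%rdi)
+
+ /*
+ * We are on the trampoline stack. All regs except RDI are live.
+ * We can do future final exit work right here.
+ */
+
+ /* Restore RDI. */
+ popq %rdi
+ SWAPGS
 INTERRUPT_RETURN
 
 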
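Review bot: The IRET-frame copy in the second hunk hard-codes the pt_regs layout as `6*8(%rdi)` through `2*8(%rdi)` with the field names only in trailing comments, while the first hunk expresses the same relationship symbolically as `RSP-RDI(%rdi)`; writing the five pushes as `SS-RDI(%rdi)`, `RSP-RDI(%rdi)`, `EFLAGS-RDI(%rdi)`, `CS-RDI(%rdi)` and `RIP-RDI(%rdi)` would keep the two exit paths consistent and tie the copy to the frame definition rather than to a comment that can drift. Both hunks also rest on an invariant the new comments leave implicit: the stack loaded from `PER_CPU_VAR(cpu_tss + TSS_sp0)` is a single per-CPU trampoline, so nothing may interrupt the code between the `movq …, %rsp` and the final `sysretq`/`iretq`, and anyone adding the "future final exit work" the comments invite must keep that window interrupt-free. Presumably interrupts are already disabled on both paths before this point, but that is not visible here; a one-line comment at each stack switch such as `/* IRQs must be off: the trampoline stack is per-CPU and not reentrant */` would make the requirement explicit. Note that `swapgs_restore_regs_and_return_to_usermode` begins before the second hunk, so the `#ifdef` debug block whose `ud2` opens it is only partly visible.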
132 --
133 2.14.2
134