KPTI: add follow-up fixes
1 From b153f8e687bf0739b113445d3cfe029593e9484a Mon Sep 17 00:00:00 2001
2 From: Andy Lutomirski <luto@kernel.org>
3 Date: Mon, 4 Dec 2017 15:07:27 +0100
4 Subject: [PATCH 157/241] x86/entry/64: Remove the SYSENTER stack canary
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 CVE-2017-5754
10
11 Now that the SYSENTER stack has a guard page, there's no need for a canary
12 to detect overflow after the fact.
13
14 Signed-off-by: Andy Lutomirski <luto@kernel.org>
15 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
16 Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
17 Reviewed-by: Borislav Petkov <bp@suse.de>
18 Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
19 Cc: Borislav Petkov <bp@alien8.de>
20 Cc: Borislav Petkov <bpetkov@suse.de>
21 Cc: Brian Gerst <brgerst@gmail.com>
22 Cc: Dave Hansen <dave.hansen@intel.com>
23 Cc: Dave Hansen <dave.hansen@linux.intel.com>
24 Cc: David Laight <David.Laight@aculab.com>
25 Cc: Denys Vlasenko <dvlasenk@redhat.com>
26 Cc: Eduardo Valentin <eduval@amazon.com>
27 Cc: Greg KH <gregkh@linuxfoundation.org>
28 Cc: H. Peter Anvin <hpa@zytor.com>
29 Cc: Josh Poimboeuf <jpoimboe@redhat.com>
30 Cc: Juergen Gross <jgross@suse.com>
31 Cc: Linus Torvalds <torvalds@linux-foundation.org>
32 Cc: Peter Zijlstra <peterz@infradead.org>
33 Cc: Rik van Riel <riel@redhat.com>
34 Cc: Will Deacon <will.deacon@arm.com>
35 Cc: aliguori@amazon.com
36 Cc: daniel.gruss@iaik.tugraz.at
37 Cc: hughd@google.com
38 Cc: keescook@google.com
39 Link: https://lkml.kernel.org/r/20171204150606.572577316@linutronix.de
40 Signed-off-by: Ingo Molnar <mingo@kernel.org>
41 (cherry picked from commit 7fbbd5cbebf118a9e09f5453f686656a167c3d1c)
42 Signed-off-by: Andy Whitcroft <apw@canonical.com>
43 Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
44 (cherry picked from commit 8158adf795cb48be67891feacacc36d7a247afdf)
45 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
46 ---
47 arch/x86/include/asm/processor.h | 1 -
48 arch/x86/kernel/dumpstack.c | 3 +--
49 arch/x86/kernel/process.c | 1 -
50 arch/x86/kernel/traps.c | 7 -------
51 4 files changed, 1 insertion(+), 11 deletions(-)
52
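diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 1bfe4bad797a..4737d378d7b5 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -335,7 +335,6 @@ struct tss_struct {
 * Space for the temporary SYSENTER stack, used for SYSENTER
 * and the entry trampoline as well.
 */
- unsigned long SYSENTER_stack_canary;
 unsigned long SYSENTER_stack[64];
 
 /*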
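diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index c1f503673f1e..c32c6cce9dcc 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -48,8 +48,7 @@ bool in_sysenter_stack(unsigned long *stack, struct stack_info *info)
 int cpu = smp_processor_id();
 struct tss_struct *tss = &get_cpu_entry_area(cpu)->tss;
 
- /* Treat the canary as part of the stack for unwinding purposes. */
- void *begin = &tss->SYSENTER_stack_canary;
+ void *begin = &tss->SYSENTER_stack;
 void *end = (void *)&tss->SYSENTER_stack + sizeof(tss->SYSENTER_stack);
 
 if ((void *)stack < begin || (void *)stack >= end)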
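Review bot: The rewritten `begin` line in in_sysenter_stack() drops the only comment on the range, so nothing next to the bounds check says why the lower bound is now the array start. I would add a comment above it, e.g. `/* Bounds are exactly SYSENTER_stack[]; an overrun below it is expected to fault on the guard page. */`, so the reliance on the guard page stays visible. The guard page is set up outside this patch, so that wording is inferred from the commit message and should be checked against the earlier patch in the series. As a smaller style point, `begin` takes `&tss->SYSENTER_stack` without a cast while `end` casts the same expression to `void *`; writing both the same way would read more clearly. The function body continues past the end of the hunk.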
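diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 407fc37a8718..ec758390d24e 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -80,7 +80,6 @@ __visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
 */
 .io_bitmap = { [0 ... IO_BITMAP_LONGS] = ~0 },
 #endif
- .SYSENTER_stack_canary = STACK_END_MAGIC,
 };
 EXPORT_PER_CPU_SYMBOL(cpu_tss);
 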
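diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index fd4d47e8672e..2818c83892b3 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -826,13 +826,6 @@ dotraplinkage void do_debug(struct pt_regs *regs, long error_code)
 debug_stack_usage_dec();
 
 exit:
- /*
- * This is the most likely code path that involves non-trivial use
- * of the SYSENTER stack. Check that we haven't overrun it.
- */
- WARN(this_cpu_read(cpu_tss.SYSENTER_stack_canary) != STACK_END_MAGIC,
- "Overran or corrupted SYSENTER stack\n");
-
 ist_exit(regs);
 }
 NOKPROBE_SYMBOL(do_debug);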
109 --
110 2.14.2
111