1 From ea96d1e71945047c9e0af526e68b18782acc12c4 Mon Sep 17 00:00:00 2001
2 From: Dave Hansen <dave.hansen@linux.intel.com>
3 Date: Mon, 4 Dec 2017 15:07:38 +0100
4 Subject: [PATCH 193/241] x86/mm/pti: Allow NX poison to be set in p4d/pgd
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 CVE-2017-5754
10
11 With PAGE_TABLE_ISOLATION the user portion of the kernel page tables is
12 poisoned with the NX bit so if the entry code exits with the kernel page
13 tables selected in CR3, userspace crashes.
14
15 But doing so trips the p4d/pgd_bad() checks. Make sure it does not do
16 that.
17
18 Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
19 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
20 Reviewed-by: Borislav Petkov <bp@suse.de>
21 Cc: Andy Lutomirski <luto@kernel.org>
22 Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
23 Cc: Borislav Petkov <bp@alien8.de>
24 Cc: Brian Gerst <brgerst@gmail.com>
25 Cc: David Laight <David.Laight@aculab.com>
26 Cc: Denys Vlasenko <dvlasenk@redhat.com>
27 Cc: Eduardo Valentin <eduval@amazon.com>
28 Cc: Greg KH <gregkh@linuxfoundation.org>
29 Cc: H. Peter Anvin <hpa@zytor.com>
30 Cc: Josh Poimboeuf <jpoimboe@redhat.com>
31 Cc: Juergen Gross <jgross@suse.com>
32 Cc: Linus Torvalds <torvalds@linux-foundation.org>
33 Cc: Peter Zijlstra <peterz@infradead.org>
34 Cc: Will Deacon <will.deacon@arm.com>
35 Cc: aliguori@amazon.com
36 Cc: daniel.gruss@iaik.tugraz.at
37 Cc: hughd@google.com
38 Cc: keescook@google.com
39 Cc: linux-kernel@vger.kernel.org
40 Signed-off-by: Ingo Molnar <mingo@kernel.org>
41 (cherry picked from commit 1c4de1ff4fe50453b968579ee86fac3da80dd783)
42 Signed-off-by: Andy Whitcroft <apw@canonical.com>
43 Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
44 (cherry picked from commit 889a8bd0e57e39e7ce337e87c55fa59c09644d4e)
45 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
46 ---
47 arch/x86/include/asm/pgtable.h | 14 ++++++++++++--
48 1 file changed, 12 insertions(+), 2 deletions(-)
49
50 diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
51 index abbb47c75467..3ef8415b2358 100644
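--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -831,7 +831,12 @@ static inline pud_t *pud_offset(p4d_t *p4d, unsigned long address)
 
 static inline int p4d_bad(p4d_t p4d)
 {
- return (p4d_flags(p4d) & ~(_KERNPG_TABLE | _PAGE_USER)) != 0;
+ unsigned long ignore_flags = _KERNPG_TABLE | _PAGE_USER;
+
+ if (IS_ENABLED(CONFIG_PAGE_TABLE_ISOLATION))
+ ignore_flags |= _PAGE_NX;
+
+ return (p4d_flags(p4d) & ~ignore_flags) != 0;
 }
 #endif /* CONFIG_PGTABLE_LEVELS > 3 */
 
@@ -865,7 +870,12 @@ static inline p4d_t *p4d_offset(pgd_t *pgd, unsigned long address)
 
 static inline int pgd_bad(pgd_t pgd)
 {
- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
+ unsigned long ignore_flags = _PAGE_USER;
+
+ if (IS_ENABLED(CONFIG_PAGE_TABLE_ISOLATION))
+ ignore_flags |= _PAGE_NX;
+
+ return (pgd_flags(pgd) & ~ignore_flags) != _KERNPG_TABLE;
 }
 
 static inline int pgd_none(pgd_t pgd)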
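Review bot: Both p4d_bad() and pgd_bad() now mask `_PAGE_NX` for every entry whenever CONFIG_PAGE_TABLE_ISOLATION is compiled in, although the commit message says only the user portion of the kernel page tables is poisoned. The relaxation is a build-time `IS_ENABLED()` test, so a stray NX bit on any other top-level entry is no longer reported as bad; it presumably also applies when isolation is switched off at runtime, if such a switch exists outside this hunk. That trade-off may be deliberate, but nothing in the code records it. I would add a comment above the `if` in each function, for example `/* PTI poisons the user portion of the kernel page tables with NX; do not report that as a bad entry */`, so a later reader does not mistake the wider mask for an oversight. The same three lines are duplicated in both functions, so the comment belongs in both places.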
82 --
83 2.14.2
84