| Message ID | 1420572250-32486-1-git-send-email-luis.henriques@canonical.com |
|---|---|
| State | New |
| Headers | show |
On Tue, Jan 06, 2015 at 07:24:10PM +0000, Luis Henriques wrote: > From: Andy Lutomirski <luto@amacapital.net> > > Installing a 16-bit RW data segment into the GDT defeats espfix. > AFAICT this will not affect glibc, Wine, or dosemu at all. > > Signed-off-by: Andy Lutomirski <luto@amacapital.net> > Acked-by: H. Peter Anvin <hpa@zytor.com> > Cc: stable@vger.kernel.org > Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> > Cc: Linus Torvalds <torvalds@linux-foundation.org> > Cc: security@kernel.org <security@kernel.org> > Cc: Willy Tarreau <w@1wt.eu> > Signed-off-by: Ingo Molnar <mingo@kernel.org> > (cherry picked from commit 41bdc78544b8a93a9c6814b8bbbfef966272abbe) > CVE-2014-8133 > BugLink: http://bugs.launchpad.net/bugs/1403852 > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++ > 1 file changed, 23 insertions(+) > > diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c > index bcfec2d23769..7af73380ae4b 100644 > --- a/arch/x86/kernel/tls.c > +++ b/arch/x86/kernel/tls.c > @@ -28,6 +28,21 @@ static int get_free_idx(void) > return -ESRCH; > } > > +static bool tls_desc_okay(const struct user_desc *info) > +{ > + if (LDT_empty(info)) > + return true; > + > + /* > + * espfix is required for 16-bit data segments, but espfix > + * only works for LDT segments. > + */ > + if (!info->seg_32bit) > + return false; > + > + return true; > +} > + > static void set_tls_desc(struct task_struct *p, int idx, > const struct user_desc *info, int n) > { > @@ -67,6 +82,9 @@ int do_set_thread_area(struct task_struct *p, int idx, > if (copy_from_user(&info, u_info, sizeof(info))) > return -EFAULT; > > + if (!tls_desc_okay(&info)) > + return -EINVAL; > + > if (idx == -1) > idx = info.entry_number; > > @@ -197,6 +215,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, > { > struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; > const struct user_desc *info; > + int i; > > if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || > (pos % sizeof(struct user_desc)) != 0 || > @@ -210,6 +229,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, > else > info = infobuf; > > + for (i = 0; i < count / sizeof(struct user_desc); i++) > + if (!tls_desc_okay(info + i)) > + return -EINVAL; > + > set_tls_desc(target, > GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), > info, count / sizeof(struct user_desc)); Looks ok to me: Acked-by: Andy Whitcroft <apw@canonical.com> -apw
On Tue, Jan 06, 2015 at 07:24:10PM +0000, Luis Henriques wrote: > From: Andy Lutomirski <luto@amacapital.net> > > Installing a 16-bit RW data segment into the GDT defeats espfix. > AFAICT this will not affect glibc, Wine, or dosemu at all. > > Signed-off-by: Andy Lutomirski <luto@amacapital.net> > Acked-by: H. Peter Anvin <hpa@zytor.com> > Cc: stable@vger.kernel.org > Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> > Cc: Linus Torvalds <torvalds@linux-foundation.org> > Cc: security@kernel.org <security@kernel.org> > Cc: Willy Tarreau <w@1wt.eu> > Signed-off-by: Ingo Molnar <mingo@kernel.org> > (cherry picked from commit 41bdc78544b8a93a9c6814b8bbbfef966272abbe) > CVE-2014-8133 > BugLink: http://bugs.launchpad.net/bugs/1403852 > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++ > 1 file changed, 23 insertions(+) > > diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c > index bcfec2d23769..7af73380ae4b 100644 > --- a/arch/x86/kernel/tls.c > +++ b/arch/x86/kernel/tls.c > @@ -28,6 +28,21 @@ static int get_free_idx(void) > return -ESRCH; > } > > +static bool tls_desc_okay(const struct user_desc *info) > +{ > + if (LDT_empty(info)) > + return true; > + > + /* > + * espfix is required for 16-bit data segments, but espfix > + * only works for LDT segments. > + */ > + if (!info->seg_32bit) > + return false; > + > + return true; > +} > + > static void set_tls_desc(struct task_struct *p, int idx, > const struct user_desc *info, int n) > { > @@ -67,6 +82,9 @@ int do_set_thread_area(struct task_struct *p, int idx, > if (copy_from_user(&info, u_info, sizeof(info))) > return -EFAULT; > > + if (!tls_desc_okay(&info)) > + return -EINVAL; > + > if (idx == -1) > idx = info.entry_number; > > @@ -197,6 +215,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, > { > struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; > const struct user_desc *info; > + int i; > > if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || > (pos % sizeof(struct user_desc)) != 0 || > @@ -210,6 +229,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, > else > info = infobuf; > > + for (i = 0; i < count / sizeof(struct user_desc); i++) > + if (!tls_desc_okay(info + i)) > + return -EINVAL; > + > set_tls_desc(target, > GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), > info, count / sizeof(struct user_desc)); > -- > 2.1.4 > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team Applied to Lucid master-next
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c index bcfec2d23769..7af73380ae4b 100644 --- a/arch/x86/kernel/tls.c +++ b/arch/x86/kernel/tls.c @@ -28,6 +28,21 @@ static int get_free_idx(void) return -ESRCH; } +static bool tls_desc_okay(const struct user_desc *info) +{ + if (LDT_empty(info)) + return true; + + /* + * espfix is required for 16-bit data segments, but espfix + * only works for LDT segments. + */ + if (!info->seg_32bit) + return false; + + return true; +} + static void set_tls_desc(struct task_struct *p, int idx, const struct user_desc *info, int n) { @@ -67,6 +82,9 @@ int do_set_thread_area(struct task_struct *p, int idx, if (copy_from_user(&info, u_info, sizeof(info))) return -EFAULT; + if (!tls_desc_okay(&info)) + return -EINVAL; + if (idx == -1) idx = info.entry_number; @@ -197,6 +215,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, { struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; const struct user_desc *info; + int i; if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || (pos % sizeof(struct user_desc)) != 0 || @@ -210,6 +229,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset, else info = infobuf; + for (i = 0; i < count / sizeof(struct user_desc); i++) + if (!tls_desc_okay(info + i)) + return -EINVAL; + set_tls_desc(target, GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), info, count / sizeof(struct user_desc));