Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
1da177e4 LT |
2 | #include <linux/kernel.h> |
3 | #include <linux/errno.h> | |
4 | #include <linux/sched.h> | |
5 | #include <linux/user.h> | |
4c79a2d8 | 6 | #include <linux/regset.h> |
2cf09666 | 7 | #include <linux/syscalls.h> |
993773d1 | 8 | #include <linux/nospec.h> |
1da177e4 | 9 | |
7c0f6ba6 | 10 | #include <linux/uaccess.h> |
1da177e4 | 11 | #include <asm/desc.h> |
1da177e4 LT |
12 | #include <asm/ldt.h> |
13 | #include <asm/processor.h> | |
14 | #include <asm/proto.h> | |
ae53fa18 | 15 | #include <asm/gsseg.h> |
1da177e4 | 16 | |
4c79a2d8 RM |
17 | #include "tls.h" |
18 | ||
1da177e4 LT |
19 | /* |
20 | * sys_alloc_thread_area: get a yet unused TLS descriptor index. | |
21 | */ | |
22 | static int get_free_idx(void) | |
23 | { | |
24 | struct thread_struct *t = ¤t->thread; | |
25 | int idx; | |
26 | ||
27 | for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++) | |
efd1ca52 | 28 | if (desc_empty(&t->tls_array[idx])) |
1da177e4 LT |
29 | return idx + GDT_ENTRY_TLS_MIN; |
30 | return -ESRCH; | |
31 | } | |
32 | ||
41bdc785 AL |
33 | static bool tls_desc_okay(const struct user_desc *info) |
34 | { | |
3669ef9f AL |
35 | /* |
36 | * For historical reasons (i.e. no one ever documented how any | |
37 | * of the segmentation APIs work), user programs can and do | |
38 | * assume that a struct user_desc that's all zeros except for | |
39 | * entry_number means "no segment at all". This never actually | |
40 | * worked. In fact, up to Linux 3.19, a struct user_desc like | |
41 | * this would create a 16-bit read-write segment with base and | |
42 | * limit both equal to zero. | |
43 | * | |
44 | * That was close enough to "no segment at all" until we | |
45 | * hardened this function to disallow 16-bit TLS segments. Fix | |
46 | * it up by interpreting these zeroed segments the way that they | |
47 | * were almost certainly intended to be interpreted. | |
48 | * | |
49 | * The correct way to ask for "no segment at all" is to specify | |
50 | * a user_desc that satisfies LDT_empty. To keep everything | |
51 | * working, we accept both. | |
52 | * | |
53 | * Note that there's a similar kludge in modify_ldt -- look at | |
54 | * the distinction between modes 1 and 0x11. | |
55 | */ | |
56 | if (LDT_empty(info) || LDT_zero(info)) | |
41bdc785 AL |
57 | return true; |
58 | ||
59 | /* | |
60 | * espfix is required for 16-bit data segments, but espfix | |
61 | * only works for LDT segments. | |
62 | */ | |
63 | if (!info->seg_32bit) | |
64 | return false; | |
65 | ||
0e58af4e AL |
66 | /* Only allow data segments in the TLS array. */ |
67 | if (info->contents > 1) | |
68 | return false; | |
69 | ||
70 | /* | |
71 | * Non-present segments with DPL 3 present an interesting attack | |
72 | * surface. The kernel should handle such segments correctly, | |
73 | * but TLS is very difficult to protect in a sandbox, so prevent | |
74 | * such segments from being created. | |
75 | * | |
76 | * If userspace needs to remove a TLS entry, it can still delete | |
77 | * it outright. | |
78 | */ | |
79 | if (info->seg_not_present) | |
80 | return false; | |
81 | ||
41bdc785 AL |
82 | return true; |
83 | } | |
84 | ||
1bd5718c | 85 | static void set_tls_desc(struct task_struct *p, int idx, |
4c79a2d8 | 86 | const struct user_desc *info, int n) |
1bd5718c RM |
87 | { |
88 | struct thread_struct *t = &p->thread; | |
89 | struct desc_struct *desc = &t->tls_array[idx - GDT_ENTRY_TLS_MIN]; | |
90 | int cpu; | |
91 | ||
92 | /* | |
93 | * We must not get preempted while modifying the TLS. | |
94 | */ | |
95 | cpu = get_cpu(); | |
96 | ||
4c79a2d8 | 97 | while (n-- > 0) { |
9f5cb6b3 | 98 | if (LDT_empty(info) || LDT_zero(info)) |
9a98e778 | 99 | memset(desc, 0, sizeof(*desc)); |
9f5cb6b3 | 100 | else |
4c79a2d8 RM |
101 | fill_ldt(desc, info); |
102 | ++info; | |
103 | ++desc; | |
104 | } | |
1bd5718c RM |
105 | |
106 | if (t == ¤t->thread) | |
107 | load_TLS(t, cpu); | |
108 | ||
109 | put_cpu(); | |
110 | } | |
111 | ||
1da177e4 LT |
112 | /* |
113 | * Set a given TLS descriptor: | |
1da177e4 | 114 | */ |
efd1ca52 RM |
115 | int do_set_thread_area(struct task_struct *p, int idx, |
116 | struct user_desc __user *u_info, | |
117 | int can_allocate) | |
1da177e4 LT |
118 | { |
119 | struct user_desc info; | |
c9867f86 | 120 | unsigned short __maybe_unused sel, modified_sel; |
1da177e4 LT |
121 | |
122 | if (copy_from_user(&info, u_info, sizeof(info))) | |
123 | return -EFAULT; | |
124 | ||
41bdc785 AL |
125 | if (!tls_desc_okay(&info)) |
126 | return -EINVAL; | |
127 | ||
efd1ca52 RM |
128 | if (idx == -1) |
129 | idx = info.entry_number; | |
1da177e4 LT |
130 | |
131 | /* | |
132 | * index -1 means the kernel should try to find and | |
133 | * allocate an empty descriptor: | |
134 | */ | |
efd1ca52 | 135 | if (idx == -1 && can_allocate) { |
1da177e4 LT |
136 | idx = get_free_idx(); |
137 | if (idx < 0) | |
138 | return idx; | |
139 | if (put_user(idx, &u_info->entry_number)) | |
140 | return -EFAULT; | |
141 | } | |
142 | ||
143 | if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) | |
144 | return -EINVAL; | |
145 | ||
4c79a2d8 | 146 | set_tls_desc(p, idx, &info, 1); |
1da177e4 | 147 | |
c9867f86 AL |
148 | /* |
149 | * If DS, ES, FS, or GS points to the modified segment, forcibly | |
150 | * refresh it. Only needed on x86_64 because x86_32 reloads them | |
151 | * on return to user mode. | |
152 | */ | |
153 | modified_sel = (idx << 3) | 3; | |
154 | ||
155 | if (p == current) { | |
156 | #ifdef CONFIG_X86_64 | |
157 | savesegment(ds, sel); | |
158 | if (sel == modified_sel) | |
159 | loadsegment(ds, sel); | |
160 | ||
161 | savesegment(es, sel); | |
162 | if (sel == modified_sel) | |
163 | loadsegment(es, sel); | |
164 | ||
165 | savesegment(fs, sel); | |
166 | if (sel == modified_sel) | |
167 | loadsegment(fs, sel); | |
c9867f86 AL |
168 | #endif |
169 | ||
c9867f86 AL |
170 | savesegment(gs, sel); |
171 | if (sel == modified_sel) | |
3fb0fdb3 | 172 | load_gs_index(sel); |
c9867f86 AL |
173 | } else { |
174 | #ifdef CONFIG_X86_64 | |
175 | if (p->thread.fsindex == modified_sel) | |
176 | p->thread.fsbase = info.base_addr; | |
177 | ||
178 | if (p->thread.gsindex == modified_sel) | |
179 | p->thread.gsbase = info.base_addr; | |
180 | #endif | |
181 | } | |
182 | ||
1da177e4 LT |
183 | return 0; |
184 | } | |
185 | ||
2cf09666 | 186 | SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info) |
13abd0e5 | 187 | { |
2cf09666 | 188 | return do_set_thread_area(current, -1, u_info, 1); |
13abd0e5 | 189 | } |
1da177e4 LT |
190 | |
191 | ||
192 | /* | |
193 | * Get the current Thread-Local Storage area: | |
194 | */ | |
195 | ||
1bd5718c RM |
196 | static void fill_user_desc(struct user_desc *info, int idx, |
197 | const struct desc_struct *desc) | |
198 | ||
199 | { | |
200 | memset(info, 0, sizeof(*info)); | |
201 | info->entry_number = idx; | |
202 | info->base_addr = get_desc_base(desc); | |
203 | info->limit = get_desc_limit(desc); | |
204 | info->seg_32bit = desc->d; | |
205 | info->contents = desc->type >> 2; | |
206 | info->read_exec_only = !(desc->type & 2); | |
207 | info->limit_in_pages = desc->g; | |
208 | info->seg_not_present = !desc->p; | |
209 | info->useable = desc->avl; | |
210 | #ifdef CONFIG_X86_64 | |
211 | info->lm = desc->l; | |
212 | #endif | |
213 | } | |
efd1ca52 RM |
214 | |
215 | int do_get_thread_area(struct task_struct *p, int idx, | |
216 | struct user_desc __user *u_info) | |
1da177e4 LT |
217 | { |
218 | struct user_desc info; | |
993773d1 | 219 | int index; |
1da177e4 | 220 | |
efd1ca52 | 221 | if (idx == -1 && get_user(idx, &u_info->entry_number)) |
1da177e4 | 222 | return -EFAULT; |
1bd5718c | 223 | |
1da177e4 LT |
224 | if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) |
225 | return -EINVAL; | |
226 | ||
993773d1 DC |
227 | index = idx - GDT_ENTRY_TLS_MIN; |
228 | index = array_index_nospec(index, | |
229 | GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1); | |
230 | ||
231 | fill_user_desc(&info, idx, &p->thread.tls_array[index]); | |
1da177e4 LT |
232 | |
233 | if (copy_to_user(u_info, &info, sizeof(info))) | |
234 | return -EFAULT; | |
235 | return 0; | |
236 | } | |
237 | ||
2cf09666 | 238 | SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info) |
1da177e4 | 239 | { |
2cf09666 | 240 | return do_get_thread_area(current, -1, u_info); |
1da177e4 | 241 | } |
4c79a2d8 RM |
242 | |
243 | int regset_tls_active(struct task_struct *target, | |
244 | const struct user_regset *regset) | |
245 | { | |
246 | struct thread_struct *t = &target->thread; | |
247 | int n = GDT_ENTRY_TLS_ENTRIES; | |
248 | while (n > 0 && desc_empty(&t->tls_array[n - 1])) | |
249 | --n; | |
250 | return n; | |
251 | } | |
252 | ||
253 | int regset_tls_get(struct task_struct *target, const struct user_regset *regset, | |
0557d64d | 254 | struct membuf to) |
4c79a2d8 RM |
255 | { |
256 | const struct desc_struct *tls; | |
0557d64d AV |
257 | struct user_desc v; |
258 | int pos; | |
4c79a2d8 | 259 | |
0557d64d AV |
260 | for (pos = 0, tls = target->thread.tls_array; to.left; pos++, tls++) { |
261 | fill_user_desc(&v, GDT_ENTRY_TLS_MIN + pos, tls); | |
262 | membuf_write(&to, &v, sizeof(v)); | |
4c79a2d8 | 263 | } |
4c79a2d8 RM |
264 | return 0; |
265 | } | |
266 | ||
267 | int regset_tls_set(struct task_struct *target, const struct user_regset *regset, | |
268 | unsigned int pos, unsigned int count, | |
269 | const void *kbuf, const void __user *ubuf) | |
270 | { | |
271 | struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; | |
272 | const struct user_desc *info; | |
41bdc785 | 273 | int i; |
4c79a2d8 | 274 | |
8f0750f1 | 275 | if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || |
4c79a2d8 RM |
276 | (pos % sizeof(struct user_desc)) != 0 || |
277 | (count % sizeof(struct user_desc)) != 0) | |
278 | return -EINVAL; | |
279 | ||
280 | if (kbuf) | |
281 | info = kbuf; | |
282 | else if (__copy_from_user(infobuf, ubuf, count)) | |
283 | return -EFAULT; | |
284 | else | |
285 | info = infobuf; | |
286 | ||
41bdc785 AL |
287 | for (i = 0; i < count / sizeof(struct user_desc); i++) |
288 | if (!tls_desc_okay(info + i)) | |
289 | return -EINVAL; | |
290 | ||
4c79a2d8 RM |
291 | set_tls_desc(target, |
292 | GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), | |
293 | info, count / sizeof(struct user_desc)); | |
294 | ||
295 | return 0; | |
296 | } |