Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
1da177e4 LT |
2 | #include <linux/kernel.h> |
3 | #include <linux/errno.h> | |
4 | #include <linux/sched.h> | |
5 | #include <linux/user.h> | |
4c79a2d8 | 6 | #include <linux/regset.h> |
2cf09666 | 7 | #include <linux/syscalls.h> |
1da177e4 | 8 | |
7c0f6ba6 | 9 | #include <linux/uaccess.h> |
1da177e4 | 10 | #include <asm/desc.h> |
1da177e4 LT |
11 | #include <asm/ldt.h> |
12 | #include <asm/processor.h> | |
13 | #include <asm/proto.h> | |
14 | ||
4c79a2d8 RM |
15 | #include "tls.h" |
16 | ||
1da177e4 LT |
17 | /* |
18 | * sys_alloc_thread_area: get a yet unused TLS descriptor index. | |
19 | */ | |
20 | static int get_free_idx(void) | |
21 | { | |
22 | struct thread_struct *t = ¤t->thread; | |
23 | int idx; | |
24 | ||
25 | for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++) | |
efd1ca52 | 26 | if (desc_empty(&t->tls_array[idx])) |
1da177e4 LT |
27 | return idx + GDT_ENTRY_TLS_MIN; |
28 | return -ESRCH; | |
29 | } | |
30 | ||
41bdc785 AL |
31 | static bool tls_desc_okay(const struct user_desc *info) |
32 | { | |
3669ef9f AL |
33 | /* |
34 | * For historical reasons (i.e. no one ever documented how any | |
35 | * of the segmentation APIs work), user programs can and do | |
36 | * assume that a struct user_desc that's all zeros except for | |
37 | * entry_number means "no segment at all". This never actually | |
38 | * worked. In fact, up to Linux 3.19, a struct user_desc like | |
39 | * this would create a 16-bit read-write segment with base and | |
40 | * limit both equal to zero. | |
41 | * | |
42 | * That was close enough to "no segment at all" until we | |
43 | * hardened this function to disallow 16-bit TLS segments. Fix | |
44 | * it up by interpreting these zeroed segments the way that they | |
45 | * were almost certainly intended to be interpreted. | |
46 | * | |
47 | * The correct way to ask for "no segment at all" is to specify | |
48 | * a user_desc that satisfies LDT_empty. To keep everything | |
49 | * working, we accept both. | |
50 | * | |
51 | * Note that there's a similar kludge in modify_ldt -- look at | |
52 | * the distinction between modes 1 and 0x11. | |
53 | */ | |
54 | if (LDT_empty(info) || LDT_zero(info)) | |
41bdc785 AL |
55 | return true; |
56 | ||
57 | /* | |
58 | * espfix is required for 16-bit data segments, but espfix | |
59 | * only works for LDT segments. | |
60 | */ | |
61 | if (!info->seg_32bit) | |
62 | return false; | |
63 | ||
0e58af4e AL |
64 | /* Only allow data segments in the TLS array. */ |
65 | if (info->contents > 1) | |
66 | return false; | |
67 | ||
68 | /* | |
69 | * Non-present segments with DPL 3 present an interesting attack | |
70 | * surface. The kernel should handle such segments correctly, | |
71 | * but TLS is very difficult to protect in a sandbox, so prevent | |
72 | * such segments from being created. | |
73 | * | |
74 | * If userspace needs to remove a TLS entry, it can still delete | |
75 | * it outright. | |
76 | */ | |
77 | if (info->seg_not_present) | |
78 | return false; | |
79 | ||
41bdc785 AL |
80 | return true; |
81 | } | |
82 | ||
1bd5718c | 83 | static void set_tls_desc(struct task_struct *p, int idx, |
4c79a2d8 | 84 | const struct user_desc *info, int n) |
1bd5718c RM |
85 | { |
86 | struct thread_struct *t = &p->thread; | |
87 | struct desc_struct *desc = &t->tls_array[idx - GDT_ENTRY_TLS_MIN]; | |
88 | int cpu; | |
89 | ||
90 | /* | |
91 | * We must not get preempted while modifying the TLS. | |
92 | */ | |
93 | cpu = get_cpu(); | |
94 | ||
4c79a2d8 | 95 | while (n-- > 0) { |
5b781c7e | 96 | if (LDT_empty(info) || LDT_zero(info)) { |
9a98e778 | 97 | memset(desc, 0, sizeof(*desc)); |
5b781c7e | 98 | } else { |
4c79a2d8 | 99 | fill_ldt(desc, info); |
5b781c7e AL |
100 | |
101 | /* | |
102 | * Always set the accessed bit so that the CPU | |
103 | * doesn't try to write to the (read-only) GDT. | |
104 | */ | |
105 | desc->type |= 1; | |
106 | } | |
4c79a2d8 RM |
107 | ++info; |
108 | ++desc; | |
109 | } | |
1bd5718c RM |
110 | |
111 | if (t == ¤t->thread) | |
112 | load_TLS(t, cpu); | |
113 | ||
114 | put_cpu(); | |
115 | } | |
116 | ||
1da177e4 LT |
117 | /* |
118 | * Set a given TLS descriptor: | |
1da177e4 | 119 | */ |
efd1ca52 RM |
120 | int do_set_thread_area(struct task_struct *p, int idx, |
121 | struct user_desc __user *u_info, | |
122 | int can_allocate) | |
1da177e4 LT |
123 | { |
124 | struct user_desc info; | |
c9867f86 | 125 | unsigned short __maybe_unused sel, modified_sel; |
1da177e4 LT |
126 | |
127 | if (copy_from_user(&info, u_info, sizeof(info))) | |
128 | return -EFAULT; | |
129 | ||
41bdc785 AL |
130 | if (!tls_desc_okay(&info)) |
131 | return -EINVAL; | |
132 | ||
efd1ca52 RM |
133 | if (idx == -1) |
134 | idx = info.entry_number; | |
1da177e4 LT |
135 | |
136 | /* | |
137 | * index -1 means the kernel should try to find and | |
138 | * allocate an empty descriptor: | |
139 | */ | |
efd1ca52 | 140 | if (idx == -1 && can_allocate) { |
1da177e4 LT |
141 | idx = get_free_idx(); |
142 | if (idx < 0) | |
143 | return idx; | |
144 | if (put_user(idx, &u_info->entry_number)) | |
145 | return -EFAULT; | |
146 | } | |
147 | ||
148 | if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) | |
149 | return -EINVAL; | |
150 | ||
4c79a2d8 | 151 | set_tls_desc(p, idx, &info, 1); |
1da177e4 | 152 | |
c9867f86 AL |
153 | /* |
154 | * If DS, ES, FS, or GS points to the modified segment, forcibly | |
155 | * refresh it. Only needed on x86_64 because x86_32 reloads them | |
156 | * on return to user mode. | |
157 | */ | |
158 | modified_sel = (idx << 3) | 3; | |
159 | ||
160 | if (p == current) { | |
161 | #ifdef CONFIG_X86_64 | |
162 | savesegment(ds, sel); | |
163 | if (sel == modified_sel) | |
164 | loadsegment(ds, sel); | |
165 | ||
166 | savesegment(es, sel); | |
167 | if (sel == modified_sel) | |
168 | loadsegment(es, sel); | |
169 | ||
170 | savesegment(fs, sel); | |
171 | if (sel == modified_sel) | |
172 | loadsegment(fs, sel); | |
173 | ||
174 | savesegment(gs, sel); | |
175 | if (sel == modified_sel) | |
176 | load_gs_index(sel); | |
177 | #endif | |
178 | ||
179 | #ifdef CONFIG_X86_32_LAZY_GS | |
180 | savesegment(gs, sel); | |
181 | if (sel == modified_sel) | |
182 | loadsegment(gs, sel); | |
183 | #endif | |
184 | } else { | |
185 | #ifdef CONFIG_X86_64 | |
186 | if (p->thread.fsindex == modified_sel) | |
187 | p->thread.fsbase = info.base_addr; | |
188 | ||
189 | if (p->thread.gsindex == modified_sel) | |
190 | p->thread.gsbase = info.base_addr; | |
191 | #endif | |
192 | } | |
193 | ||
1da177e4 LT |
194 | return 0; |
195 | } | |
196 | ||
2cf09666 | 197 | SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info) |
13abd0e5 | 198 | { |
2cf09666 | 199 | return do_set_thread_area(current, -1, u_info, 1); |
13abd0e5 | 200 | } |
1da177e4 LT |
201 | |
202 | ||
203 | /* | |
204 | * Get the current Thread-Local Storage area: | |
205 | */ | |
206 | ||
1bd5718c RM |
207 | static void fill_user_desc(struct user_desc *info, int idx, |
208 | const struct desc_struct *desc) | |
209 | ||
210 | { | |
211 | memset(info, 0, sizeof(*info)); | |
212 | info->entry_number = idx; | |
213 | info->base_addr = get_desc_base(desc); | |
214 | info->limit = get_desc_limit(desc); | |
215 | info->seg_32bit = desc->d; | |
216 | info->contents = desc->type >> 2; | |
217 | info->read_exec_only = !(desc->type & 2); | |
218 | info->limit_in_pages = desc->g; | |
219 | info->seg_not_present = !desc->p; | |
220 | info->useable = desc->avl; | |
221 | #ifdef CONFIG_X86_64 | |
222 | info->lm = desc->l; | |
223 | #endif | |
224 | } | |
efd1ca52 RM |
225 | |
226 | int do_get_thread_area(struct task_struct *p, int idx, | |
227 | struct user_desc __user *u_info) | |
1da177e4 LT |
228 | { |
229 | struct user_desc info; | |
1da177e4 | 230 | |
efd1ca52 | 231 | if (idx == -1 && get_user(idx, &u_info->entry_number)) |
1da177e4 | 232 | return -EFAULT; |
1bd5718c | 233 | |
1da177e4 LT |
234 | if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) |
235 | return -EINVAL; | |
236 | ||
1bd5718c RM |
237 | fill_user_desc(&info, idx, |
238 | &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]); | |
1da177e4 LT |
239 | |
240 | if (copy_to_user(u_info, &info, sizeof(info))) | |
241 | return -EFAULT; | |
242 | return 0; | |
243 | } | |
244 | ||
2cf09666 | 245 | SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info) |
1da177e4 | 246 | { |
2cf09666 | 247 | return do_get_thread_area(current, -1, u_info); |
1da177e4 | 248 | } |
4c79a2d8 RM |
249 | |
250 | int regset_tls_active(struct task_struct *target, | |
251 | const struct user_regset *regset) | |
252 | { | |
253 | struct thread_struct *t = &target->thread; | |
254 | int n = GDT_ENTRY_TLS_ENTRIES; | |
255 | while (n > 0 && desc_empty(&t->tls_array[n - 1])) | |
256 | --n; | |
257 | return n; | |
258 | } | |
259 | ||
260 | int regset_tls_get(struct task_struct *target, const struct user_regset *regset, | |
261 | unsigned int pos, unsigned int count, | |
262 | void *kbuf, void __user *ubuf) | |
263 | { | |
264 | const struct desc_struct *tls; | |
265 | ||
8f0750f1 | 266 | if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || |
4c79a2d8 RM |
267 | (pos % sizeof(struct user_desc)) != 0 || |
268 | (count % sizeof(struct user_desc)) != 0) | |
269 | return -EINVAL; | |
270 | ||
271 | pos /= sizeof(struct user_desc); | |
272 | count /= sizeof(struct user_desc); | |
273 | ||
274 | tls = &target->thread.tls_array[pos]; | |
275 | ||
276 | if (kbuf) { | |
277 | struct user_desc *info = kbuf; | |
278 | while (count-- > 0) | |
279 | fill_user_desc(info++, GDT_ENTRY_TLS_MIN + pos++, | |
280 | tls++); | |
281 | } else { | |
282 | struct user_desc __user *u_info = ubuf; | |
283 | while (count-- > 0) { | |
284 | struct user_desc info; | |
285 | fill_user_desc(&info, GDT_ENTRY_TLS_MIN + pos++, tls++); | |
286 | if (__copy_to_user(u_info++, &info, sizeof(info))) | |
287 | return -EFAULT; | |
288 | } | |
289 | } | |
290 | ||
291 | return 0; | |
292 | } | |
293 | ||
294 | int regset_tls_set(struct task_struct *target, const struct user_regset *regset, | |
295 | unsigned int pos, unsigned int count, | |
296 | const void *kbuf, const void __user *ubuf) | |
297 | { | |
298 | struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; | |
299 | const struct user_desc *info; | |
41bdc785 | 300 | int i; |
4c79a2d8 | 301 | |
8f0750f1 | 302 | if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || |
4c79a2d8 RM |
303 | (pos % sizeof(struct user_desc)) != 0 || |
304 | (count % sizeof(struct user_desc)) != 0) | |
305 | return -EINVAL; | |
306 | ||
307 | if (kbuf) | |
308 | info = kbuf; | |
309 | else if (__copy_from_user(infobuf, ubuf, count)) | |
310 | return -EFAULT; | |
311 | else | |
312 | info = infobuf; | |
313 | ||
41bdc785 AL |
314 | for (i = 0; i < count / sizeof(struct user_desc); i++) |
315 | if (!tls_desc_okay(info + i)) | |
316 | return -EINVAL; | |
317 | ||
4c79a2d8 RM |
318 | set_tls_desc(target, |
319 | GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), | |
320 | info, count / sizeof(struct user_desc)); | |
321 | ||
322 | return 0; | |
323 | } |