From: Andy Lutomirski <luto@amacapital.net> To: x86@kernel.org, torvalds@linux-foundation.org, linux-kernel@vger.kernel.org Cc: Andy Lutomirski <luto@amacapital.net>, stable@vger.kernel.org Subject: [PATCH 1/2] x86, tls, ldt: Stop checking lm in LDT_empty Date: Thu, 22 Jan 2015 11:27:58 -0800 [thread overview] Message-ID: <72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.luto@amacapital.net> (raw) In-Reply-To: <cover.1421954363.git.luto@amacapital.net> In-Reply-To: <cover.1421954363.git.luto@amacapital.net> 32-bit programs don't have an lm bit in their ABI, so they can't reliably cause LDT_empty to return true without resorting to memset. They shouldn't need to do this. This should fix a longstanding, if minor, issue in all 64-bit kernels as well as a potential regression in the TLS hardening code. Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@amacapital.net> --- arch/x86/include/asm/desc.h | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h index 50d033a8947d..fc237fd0259a 100644 --- a/arch/x86/include/asm/desc.h +++ b/arch/x86/include/asm/desc.h @@ -251,7 +251,8 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i]; } -#define _LDT_empty(info) \ +/* This intentionally ignores lm, since 32-bit apps don't have that field. */ +#define LDT_empty(info) \ ((info)->base_addr == 0 && \ (info)->limit == 0 && \ (info)->contents == 0 && \ @@ -261,12 +262,6 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu) (info)->seg_not_present == 1 && \ (info)->useable == 0) -#ifdef CONFIG_X86_64 -#define LDT_empty(info) (_LDT_empty(info) && ((info)->lm == 0)) -#else -#define LDT_empty(info) (_LDT_empty(info)) -#endif - static inline void clear_LDT(void) { set_ldt(NULL, 0); -- 2.1.0
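Review bot: In the first hunk, the new comment above `LDT_empty` gives the reason for ignoring `lm` (32-bit apps don't have the field) but not the consequence for native 64-bit callers. With the `(info)->lm == 0` test gone, a descriptor whose other fields match the empty pattern is treated as empty on 64-bit kernels even when `lm` is set. Consider extending the comment to say that `lm` is ignored for every caller, so nobody reading desc.h assumes the check still exists under `CONFIG_X86_64`.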
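Review bot: In the second hunk, dropping the `#ifdef CONFIG_X86_64` block, together with the rename in the first hunk, removes the `_LDT_empty` name entirely, while the diffstat shows only arch/x86/include/asm/desc.h being changed. Please confirm that nothing else in the tree still references `_LDT_empty`. Since the patch is Cc'd to stable, the same check applies to each stable tree it is backported to.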