All of lore.kernel.org
 help / color / mirror / Atom feed
From: Andy Lutomirski <luto@amacapital.net>
To: Borislav Petkov <bp@alien8.de>
Cc: X86 ML <x86@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] x86, tls: Interpret an all-zero struct user_desc as "no segment"
Date: Thu, 22 Jan 2015 12:12:11 -0800	[thread overview]
Message-ID: <CALCETrU55UUe_cJf3Vx-ybYQsH-du0PyH234Q4PzbUTjXHrRjw@mail.gmail.com> (raw)
In-Reply-To: <20150122194746.GB4634@pd.tnic>

[resend -- thanks, gmail]

On Thu, Jan 22, 2015 at 11:47 AM, Borislav Petkov <bp@alien8.de> wrote:
> On Thu, Jan 22, 2015 at 11:27:59AM -0800, Andy Lutomirski wrote:
>> The Witcher 2 did something like this to allocate a TLS segment index:
>>
>>         struct user_desc u_info;
>>         bzero(&u_info, sizeof(u_info));
>>         u_info.entry_number = (uint32_t)-1;
>>
>>         syscall(SYS_set_thread_area, &u_info);
>>
>> Strictly speaking, this code was never correct.  It should have set
>> read_exec_only and seg_not_present to 1 to indicate that it wanted
>> to find a free slot without putting anything there, or it should
>> have put something sensible in the TLS slot if it wanted to allocate
>> a TLS entry for real.  The actual effect of this code was to
>> allocate a bogus segment that could be used to exploit espfix.
>>
>> The set_thread_area hardening patches changed the behavior, causing
>> set_thread_area to return -EINVAL and crashing the game.
>>
>> This changes set_thread_area to interpret this as a request to find
>> a free slot and to leave it empty, which isn't *quite* what the game
>> expects but should be close enough to keep it working.  In
>> particular, using the code above to allocate two segments will
>> allocate the same segment both times.
>>
>> According to FrostbittenKing on Github, this fixes The Witcher 2.
>>
>> If this somehow still causes problems, we could instead allocate
>> a limit==0 32-bit data segment, but that seems rather ugly to me.
>>
>> Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
>> Signed-off-by: Andy Lutomirski <luto@amacapital.net>
>
> Shouldn't this also be CC:stable?
>

Yes.

Ingo, Thomas, or Linus, if you apply this version, can you add that?

--Andy

  reply	other threads:[~2015-01-22 20:12 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-01-22 19:27 [PATCH 0/2] x86: TLS regression fixes Andy Lutomirski
2015-01-22 19:27 ` [PATCH 1/2] x86, tls, ldt: Stop checking lm in LDT_empty Andy Lutomirski
2015-01-22 20:13   ` [tip:x86/urgent] " tip-bot for Andy Lutomirski
2015-01-22 19:27 ` [PATCH 2/2] x86, tls: Interpret an all-zero struct user_desc as "no segment" Andy Lutomirski
2015-01-22 19:47   ` Borislav Petkov
2015-01-22 20:12     ` Andy Lutomirski [this message]
2015-01-22 20:14   ` [tip:x86/urgent] x86, tls: Interpret an all-zero struct user_desc as %22no segment%22 tip-bot for Andy Lutomirski
2015-01-22 20:54   ` [tip:x86/urgent] x86, tls: Interpret an all-zero struct user_desc as "no segment" tip-bot for Andy Lutomirski
2015-01-22 19:56 ` [PATCH 0/2] x86: TLS regression fixes Linus Torvalds

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CALCETrU55UUe_cJf3Vx-ybYQsH-du0PyH234Q4PzbUTjXHrRjw@mail.gmail.com \
    --to=luto@amacapital.net \
    --cc=bp@alien8.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=x86@kernel.org \
    --subject='Re: [PATCH 2/2] x86, tls: Interpret an all-zero struct user_desc as "no segment"' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.