mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-27 09:15:11 +07:00
c482feefe1
The TSS is a fairly juicy target for exploits, and, now that the TSS is in the cpu_entry_area, it's no longer protected by kASLR. Make it read-only on x86_64. On x86_32, it can't be RO because it's written by the CPU during task switches, and we use a task gate for double faults. I'd also be nervous about errata if we tried to make it RO even on configurations without double fault handling. [ tglx: AMD confirmed that there is no problem on 64-bit with TSS RO. So it's probably safe to assume that it's a non issue, though Intel might have been creative in that area. Still waiting for confirmation. ] Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Borislav Petkov <bpetkov@suse.de> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Dave Hansen <dave.hansen@intel.com> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: David Laight <David.Laight@aculab.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: Eduardo Valentin <eduval@amazon.com> Cc: Greg KH <gregkh@linuxfoundation.org> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: Juergen Gross <jgross@suse.com> Cc: Kees Cook <keescook@chromium.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Rik van Riel <riel@redhat.com> Cc: Will Deacon <will.deacon@arm.com> Cc: aliguori@amazon.com Cc: daniel.gruss@iaik.tugraz.at Cc: hughd@google.com Cc: keescook@google.com Link: https://lkml.kernel.org/r/20171204150606.733700132@linutronix.de Signed-off-by: Ingo Molnar <mingo@kernel.org>
134 lines
3.4 KiB
C
134 lines
3.4 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* This contains the io-permission bitmap code - written by obz, with changes
|
|
* by Linus. 32/64 bits code unification by Miguel Botón.
|
|
*/
|
|
|
|
#include <linux/sched.h>
|
|
#include <linux/sched/task_stack.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/capability.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/types.h>
|
|
#include <linux/ioport.h>
|
|
#include <linux/smp.h>
|
|
#include <linux/stddef.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/thread_info.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/bitmap.h>
|
|
#include <asm/syscalls.h>
|
|
#include <asm/desc.h>
|
|
|
|
/*
|
|
* this changes the io permissions bitmap in the current task.
|
|
*/
|
|
asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
|
|
{
|
|
struct thread_struct *t = ¤t->thread;
|
|
struct tss_struct *tss;
|
|
unsigned int i, max_long, bytes, bytes_updated;
|
|
|
|
if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
|
|
return -EINVAL;
|
|
if (turn_on && !capable(CAP_SYS_RAWIO))
|
|
return -EPERM;
|
|
|
|
/*
|
|
* If it's the first ioperm() call in this thread's lifetime, set the
|
|
* IO bitmap up. ioperm() is much less timing critical than clone(),
|
|
* this is why we delay this operation until now:
|
|
*/
|
|
if (!t->io_bitmap_ptr) {
|
|
unsigned long *bitmap = kmalloc(IO_BITMAP_BYTES, GFP_KERNEL);
|
|
|
|
if (!bitmap)
|
|
return -ENOMEM;
|
|
|
|
memset(bitmap, 0xff, IO_BITMAP_BYTES);
|
|
t->io_bitmap_ptr = bitmap;
|
|
set_thread_flag(TIF_IO_BITMAP);
|
|
|
|
/*
|
|
* Now that we have an IO bitmap, we need our TSS limit to be
|
|
* correct. It's fine if we are preempted after doing this:
|
|
* with TIF_IO_BITMAP set, context switches will keep our TSS
|
|
* limit correct.
|
|
*/
|
|
preempt_disable();
|
|
refresh_tss_limit();
|
|
preempt_enable();
|
|
}
|
|
|
|
/*
|
|
* do it in the per-thread copy and in the TSS ...
|
|
*
|
|
* Disable preemption via get_cpu() - we must not switch away
|
|
* because the ->io_bitmap_max value must match the bitmap
|
|
* contents:
|
|
*/
|
|
tss = &per_cpu(cpu_tss_rw, get_cpu());
|
|
|
|
if (turn_on)
|
|
bitmap_clear(t->io_bitmap_ptr, from, num);
|
|
else
|
|
bitmap_set(t->io_bitmap_ptr, from, num);
|
|
|
|
/*
|
|
* Search for a (possibly new) maximum. This is simple and stupid,
|
|
* to keep it obviously correct:
|
|
*/
|
|
max_long = 0;
|
|
for (i = 0; i < IO_BITMAP_LONGS; i++)
|
|
if (t->io_bitmap_ptr[i] != ~0UL)
|
|
max_long = i;
|
|
|
|
bytes = (max_long + 1) * sizeof(unsigned long);
|
|
bytes_updated = max(bytes, t->io_bitmap_max);
|
|
|
|
t->io_bitmap_max = bytes;
|
|
|
|
/* Update the TSS: */
|
|
memcpy(tss->io_bitmap, t->io_bitmap_ptr, bytes_updated);
|
|
|
|
put_cpu();
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* sys_iopl has to be used when you want to access the IO ports
|
|
* beyond the 0x3ff range: to get the full 65536 ports bitmapped
|
|
* you'd need 8kB of bitmaps/process, which is a bit excessive.
|
|
*
|
|
* Here we just change the flags value on the stack: we allow
|
|
* only the super-user to do it. This depends on the stack-layout
|
|
* on system-call entry - see also fork() and the signal handling
|
|
* code.
|
|
*/
|
|
SYSCALL_DEFINE1(iopl, unsigned int, level)
|
|
{
|
|
struct pt_regs *regs = current_pt_regs();
|
|
struct thread_struct *t = ¤t->thread;
|
|
|
|
/*
|
|
* Careful: the IOPL bits in regs->flags are undefined under Xen PV
|
|
* and changing them has no effect.
|
|
*/
|
|
unsigned int old = t->iopl >> X86_EFLAGS_IOPL_BIT;
|
|
|
|
if (level > 3)
|
|
return -EINVAL;
|
|
/* Trying to gain more privileges? */
|
|
if (level > old) {
|
|
if (!capable(CAP_SYS_RAWIO))
|
|
return -EPERM;
|
|
}
|
|
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
|
|
(level << X86_EFLAGS_IOPL_BIT);
|
|
t->iopl = level << X86_EFLAGS_IOPL_BIT;
|
|
set_iopl_mask(t->iopl);
|
|
|
|
return 0;
|
|
}
|