1 | // SPDX-License-Identifier: GPL-2.0 |
2 | #include <linux/kernel.h> |
3 | #include <linux/errno.h> |
4 | #include <linux/sched.h> |
5 | #include <linux/user.h> |
6 | #include <linux/regset.h> |
7 | #include <linux/syscalls.h> |
8 | #include <linux/nospec.h> |
9 | |
10 | #include <linux/uaccess.h> |
11 | #include <asm/desc.h> |
12 | #include <asm/ldt.h> |
13 | #include <asm/processor.h> |
14 | #include <asm/proto.h> |
15 | #include <asm/gsseg.h> |
16 | |
17 | #include "tls.h" |
18 | |
19 | /* |
20 | * sys_alloc_thread_area: get a yet unused TLS descriptor index. |
21 | */ |
22 | static int get_free_idx(void) |
23 | { |
24 | struct thread_struct *t = ¤t->thread; |
25 | int idx; |
26 | |
27 | for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++) |
28 | if (desc_empty(ptr: &t->tls_array[idx])) |
29 | return idx + GDT_ENTRY_TLS_MIN; |
30 | return -ESRCH; |
31 | } |
32 | |
33 | static bool tls_desc_okay(const struct user_desc *info) |
34 | { |
35 | /* |
36 | * For historical reasons (i.e. no one ever documented how any |
37 | * of the segmentation APIs work), user programs can and do |
38 | * assume that a struct user_desc that's all zeros except for |
39 | * entry_number means "no segment at all". This never actually |
40 | * worked. In fact, up to Linux 3.19, a struct user_desc like |
41 | * this would create a 16-bit read-write segment with base and |
42 | * limit both equal to zero. |
43 | * |
44 | * That was close enough to "no segment at all" until we |
45 | * hardened this function to disallow 16-bit TLS segments. Fix |
46 | * it up by interpreting these zeroed segments the way that they |
47 | * were almost certainly intended to be interpreted. |
48 | * |
49 | * The correct way to ask for "no segment at all" is to specify |
50 | * a user_desc that satisfies LDT_empty. To keep everything |
51 | * working, we accept both. |
52 | * |
53 | * Note that there's a similar kludge in modify_ldt -- look at |
54 | * the distinction between modes 1 and 0x11. |
55 | */ |
56 | if (LDT_empty(info) || LDT_zero(info)) |
57 | return true; |
58 | |
59 | /* |
60 | * espfix is required for 16-bit data segments, but espfix |
61 | * only works for LDT segments. |
62 | */ |
63 | if (!info->seg_32bit) |
64 | return false; |
65 | |
66 | /* Only allow data segments in the TLS array. */ |
67 | if (info->contents > 1) |
68 | return false; |
69 | |
70 | /* |
71 | * Non-present segments with DPL 3 present an interesting attack |
72 | * surface. The kernel should handle such segments correctly, |
73 | * but TLS is very difficult to protect in a sandbox, so prevent |
74 | * such segments from being created. |
75 | * |
76 | * If userspace needs to remove a TLS entry, it can still delete |
77 | * it outright. |
78 | */ |
79 | if (info->seg_not_present) |
80 | return false; |
81 | |
82 | return true; |
83 | } |
84 | |
85 | static void set_tls_desc(struct task_struct *p, int idx, |
86 | const struct user_desc *info, int n) |
87 | { |
88 | struct thread_struct *t = &p->thread; |
89 | struct desc_struct *desc = &t->tls_array[idx - GDT_ENTRY_TLS_MIN]; |
90 | int cpu; |
91 | |
92 | /* |
93 | * We must not get preempted while modifying the TLS. |
94 | */ |
95 | cpu = get_cpu(); |
96 | |
97 | while (n-- > 0) { |
98 | if (LDT_empty(info) || LDT_zero(info)) |
99 | memset(desc, 0, sizeof(*desc)); |
100 | else |
101 | fill_ldt(desc, info); |
102 | ++info; |
103 | ++desc; |
104 | } |
105 | |
106 | if (t == ¤t->thread) |
107 | load_TLS(t, cpu); |
108 | |
109 | put_cpu(); |
110 | } |
111 | |
112 | /* |
113 | * Set a given TLS descriptor: |
114 | */ |
115 | int do_set_thread_area(struct task_struct *p, int idx, |
116 | struct user_desc __user *u_info, |
117 | int can_allocate) |
118 | { |
119 | struct user_desc info; |
120 | unsigned short __maybe_unused sel, modified_sel; |
121 | |
122 | if (copy_from_user(to: &info, from: u_info, n: sizeof(info))) |
123 | return -EFAULT; |
124 | |
125 | if (!tls_desc_okay(info: &info)) |
126 | return -EINVAL; |
127 | |
128 | if (idx == -1) |
129 | idx = info.entry_number; |
130 | |
131 | /* |
132 | * index -1 means the kernel should try to find and |
133 | * allocate an empty descriptor: |
134 | */ |
135 | if (idx == -1 && can_allocate) { |
136 | idx = get_free_idx(); |
137 | if (idx < 0) |
138 | return idx; |
139 | if (put_user(idx, &u_info->entry_number)) |
140 | return -EFAULT; |
141 | } |
142 | |
143 | if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) |
144 | return -EINVAL; |
145 | |
146 | set_tls_desc(p, idx, info: &info, n: 1); |
147 | |
148 | /* |
149 | * If DS, ES, FS, or GS points to the modified segment, forcibly |
150 | * refresh it. Only needed on x86_64 because x86_32 reloads them |
151 | * on return to user mode. |
152 | */ |
153 | modified_sel = (idx << 3) | 3; |
154 | |
155 | if (p == current) { |
156 | #ifdef CONFIG_X86_64 |
157 | savesegment(ds, sel); |
158 | if (sel == modified_sel) |
159 | loadsegment(ds, sel); |
160 | |
161 | savesegment(es, sel); |
162 | if (sel == modified_sel) |
163 | loadsegment(es, sel); |
164 | |
165 | savesegment(fs, sel); |
166 | if (sel == modified_sel) |
167 | loadsegment(fs, sel); |
168 | #endif |
169 | |
170 | savesegment(gs, sel); |
171 | if (sel == modified_sel) |
172 | load_gs_index(gs: sel); |
173 | } else { |
174 | #ifdef CONFIG_X86_64 |
175 | if (p->thread.fsindex == modified_sel) |
176 | p->thread.fsbase = info.base_addr; |
177 | |
178 | if (p->thread.gsindex == modified_sel) |
179 | p->thread.gsbase = info.base_addr; |
180 | #endif |
181 | } |
182 | |
183 | return 0; |
184 | } |
185 | |
186 | SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info) |
187 | { |
188 | return do_set_thread_area(current, idx: -1, u_info, can_allocate: 1); |
189 | } |
190 | |
191 | |
192 | /* |
193 | * Get the current Thread-Local Storage area: |
194 | */ |
195 | |
196 | static void fill_user_desc(struct user_desc *info, int idx, |
197 | const struct desc_struct *desc) |
198 | |
199 | { |
200 | memset(info, 0, sizeof(*info)); |
201 | info->entry_number = idx; |
202 | info->base_addr = get_desc_base(desc); |
203 | info->limit = get_desc_limit(desc); |
204 | info->seg_32bit = desc->d; |
205 | info->contents = desc->type >> 2; |
206 | info->read_exec_only = !(desc->type & 2); |
207 | info->limit_in_pages = desc->g; |
208 | info->seg_not_present = !desc->p; |
209 | info->useable = desc->avl; |
210 | #ifdef CONFIG_X86_64 |
211 | info->lm = desc->l; |
212 | #endif |
213 | } |
214 | |
215 | int do_get_thread_area(struct task_struct *p, int idx, |
216 | struct user_desc __user *u_info) |
217 | { |
218 | struct user_desc info; |
219 | int index; |
220 | |
221 | if (idx == -1 && get_user(idx, &u_info->entry_number)) |
222 | return -EFAULT; |
223 | |
224 | if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) |
225 | return -EINVAL; |
226 | |
227 | index = idx - GDT_ENTRY_TLS_MIN; |
228 | index = array_index_nospec(index, |
229 | GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1); |
230 | |
231 | fill_user_desc(info: &info, idx, desc: &p->thread.tls_array[index]); |
232 | |
233 | if (copy_to_user(to: u_info, from: &info, n: sizeof(info))) |
234 | return -EFAULT; |
235 | return 0; |
236 | } |
237 | |
238 | SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info) |
239 | { |
240 | return do_get_thread_area(current, idx: -1, u_info); |
241 | } |
242 | |
243 | int regset_tls_active(struct task_struct *target, |
244 | const struct user_regset *regset) |
245 | { |
246 | struct thread_struct *t = &target->thread; |
247 | int n = GDT_ENTRY_TLS_ENTRIES; |
248 | while (n > 0 && desc_empty(ptr: &t->tls_array[n - 1])) |
249 | --n; |
250 | return n; |
251 | } |
252 | |
253 | int regset_tls_get(struct task_struct *target, const struct user_regset *regset, |
254 | struct membuf to) |
255 | { |
256 | const struct desc_struct *tls; |
257 | struct user_desc v; |
258 | int pos; |
259 | |
260 | for (pos = 0, tls = target->thread.tls_array; to.left; pos++, tls++) { |
261 | fill_user_desc(info: &v, GDT_ENTRY_TLS_MIN + pos, desc: tls); |
262 | membuf_write(s: &to, v: &v, size: sizeof(v)); |
263 | } |
264 | return 0; |
265 | } |
266 | |
267 | int regset_tls_set(struct task_struct *target, const struct user_regset *regset, |
268 | unsigned int pos, unsigned int count, |
269 | const void *kbuf, const void __user *ubuf) |
270 | { |
271 | struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; |
272 | const struct user_desc *info; |
273 | int i; |
274 | |
275 | if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || |
276 | (pos % sizeof(struct user_desc)) != 0 || |
277 | (count % sizeof(struct user_desc)) != 0) |
278 | return -EINVAL; |
279 | |
280 | if (kbuf) |
281 | info = kbuf; |
282 | else if (__copy_from_user(to: infobuf, from: ubuf, n: count)) |
283 | return -EFAULT; |
284 | else |
285 | info = infobuf; |
286 | |
287 | for (i = 0; i < count / sizeof(struct user_desc); i++) |
288 | if (!tls_desc_okay(info: info + i)) |
289 | return -EINVAL; |
290 | |
291 | set_tls_desc(p: target, |
292 | GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), |
293 | info, n: count / sizeof(struct user_desc)); |
294 | |
295 | return 0; |
296 | } |
297 | |