• Thomas Garnier's avatar
    arm/syscalls: Check address limit on user-mode return · 73ac5d6a
    Thomas Garnier authored
    Ensure the address limit is a user-mode segment before returning to
    user-mode. Otherwise a process can corrupt kernel-mode memory and
    elevate privileges [1].
    
    The set_fs function sets the TIF_SETFS flag to force a slow path on
    return. In the slow path, the address limit is checked to be USER_DS if
    needed.
    
    The TIF_SETFS flag is added to _TIF_WORK_MASK shifting _TIF_SYSCALL_WORK
    for arm instruction immediate support. The global work mask is too big
    to used on a single instruction so adapt ret_fast_syscall.
    
    [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=990
    
    Signed-off-by: default avatarThomas Garnier <thgarnie@google.com>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: kernel-hardening@lists.openwall.com
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: David Howells <dhowells@redhat.com>
    Cc: Dave Hansen <dave.hansen@intel.com>
    Cc: Miroslav Benes <mbenes@suse.cz>
    Cc: Chris Metcalf <cmetcalf@mellanox.com>
    Cc: Pratyush Anand <panand@redhat.com>
    Cc: Russell King <linux@armlinux.org.uk>
    Cc: Petr Mladek <pmladek@suse.com>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: linux-arm-kernel@lists.infradead.org
    Cc: Will Drewry <wad@chromium.org>
    Cc: linux-api@vger.kernel.org
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Link: http://lkml.kernel.org/r/20170615011203.144108-2-thgarnie@google.com
    73ac5d6a
entry-common.S 10.6 KB