633c5ed17f
this causes kernel OOPS and upstream is unresponsive about it. see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1726519
From a0b37d5a5f250199b6df4e9404d2071802591de6 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx@linutronix.de>
Date: Mon, 28 Aug 2017 08:47:40 +0200
Subject: [PATCH 028/242] x86/asm: Replace access to desc_struct:a/b fields
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2017-5754
The union inside of desc_struct allows access to the raw u32 parts of
the descriptors. This raw access part is about to go away.
Replace the few code parts which access those fields.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Link: http://lkml.kernel.org/r/20170828064958.120214366@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
(cherry picked from commit 9a98e7780022aa7cd201eb8a88a4f1d607b73cde)
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 8469c76c61ea9c3b86b596352d1148bace5ea706)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
arch/x86/include/asm/xen/hypercall.h | 6 ++++--
arch/x86/kernel/tls.c | 2 +-
arch/x86/xen/enlighten_pv.c | 2 +-
3 files changed, 6 insertions(+), 4 deletions(-)
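diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
index 11071fcd630e..9606688caa4b 100644
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -552,6 +552,8 @@ static inline void
 MULTI_update_descriptor(struct multicall_entry *mcl, u64 maddr,
 struct desc_struct desc)
 {
+ u32 *p = (u32 *) &desc;
+
 mcl->op = __HYPERVISOR_update_descriptor;
 if (sizeof(maddr) == sizeof(long)) {
 mcl->args[0] = maddr;
@@ -559,8 +561,8 @@ MULTI_update_descriptor(struct multicall_entry *mcl, u64 maddr,
 } else {
 mcl->args[0] = maddr;
 mcl->args[1] = maddr >> 32;
- mcl->args[2] = desc.a;
- mcl->args[3] = desc.b;
+ mcl->args[2] = *p++;
+ mcl->args[3] = *p;
 }
 
 trace_xen_mc_entry(mcl, sizeof(maddr) == sizeof(long) ? 2 : 4);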
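Review bot: The new `u32 *p = (u32 *) &desc;` in MULTI_update_descriptor reads the by-value descriptor as two raw 32-bit words, and nothing in the visible lines pins `struct desc_struct` to exactly eight bytes. If the struct's size or layout ever changes, `*p++` and `*p` in the `else` branch would hand the hypervisor the wrong words with no compiler diagnostic. I would add `BUILD_BUG_ON(sizeof(desc) != 2 * sizeof(u32));` next to the declaration and move the pointer into the `else` branch, which is the only place the visible lines use it. One line between the two hunks and the end of the function are outside the hunks, so the other branch may need the same look.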
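diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
index dcd699baea1b..a106b9719c58 100644
--- a/arch/x86/kernel/tls.c
+++ b/arch/x86/kernel/tls.c
@@ -93,7 +93,7 @@ static void set_tls_desc(struct task_struct *p, int idx,
 
 while (n-- > 0) {
 if (LDT_empty(info) || LDT_zero(info)) {
- desc->a = desc->b = 0;
+ memset(desc, 0, sizeof(*desc));
 } else {
 fill_ldt(desc, info);
 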
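diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
index 49ee3315b9f7..c76f5ff4d0d7 100644
--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -501,7 +501,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
 static inline bool desc_equal(const struct desc_struct *d1,
 const struct desc_struct *d2)
 {
- return d1->a == d2->a && d1->b == d2->b;
+ return !memcmp(d1, d2, sizeof(*d1));
 }
 
 static void load_TLS_descriptor(struct thread_struct *t,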
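Review bot: `!memcmp(d1, d2, sizeof(*d1))` in desc_equal compares every byte of the struct, padding included, so it matches the old field-wise test only while `struct desc_struct` has no padding bytes. The struct definition is not part of this patch; if it is packed, a comment such as `/* bytewise compare is exact: desc_struct has no padding */` above the return would record that assumption for whoever changes the layout next. A padding mismatch would make equal descriptors compare unequal, which presumably costs only a redundant descriptor update, but that depends on the caller, which starts after this hunk.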
--
2.14.2