1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/kernel.h> 3 #include <linux/errno.h> 4 #include <linux/sched.h> 5 #include <linux/user.h> 6 #include <linux/regset.h> 7 #include <linux/syscalls.h> 8 #include <linux/nospec.h> 9 10 #include <linux/uaccess.h> 11 #include <asm/desc.h> 12 #include <asm/ldt.h> 13 #include <asm/processor.h> 14 #include <asm/proto.h> 15 #include <asm/gsseg.h> 16 17 #include "tls.h" 18 19 /* 20 * sys_alloc_thread_area: get a yet unused TLS descriptor index. 21 */ 22 static int get_free_idx(void) 23 { 24 struct thread_struct *t = ¤t->thread; 25 int idx; 26 27 for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++) 28 if (desc_empty(&t->tls_array[idx])) 29 return idx + GDT_ENTRY_TLS_MIN; 30 return -ESRCH; 31 } 32 33 static bool tls_desc_okay(const struct user_desc *info) 34 { 35 /* 36 * For historical reasons (i.e. no one ever documented how any 37 * of the segmentation APIs work), user programs can and do 38 * assume that a struct user_desc that's all zeros except for 39 * entry_number means "no segment at all". This never actually 40 * worked. In fact, up to Linux 3.19, a struct user_desc like 41 * this would create a 16-bit read-write segment with base and 42 * limit both equal to zero. 43 * 44 * That was close enough to "no segment at all" until we 45 * hardened this function to disallow 16-bit TLS segments. Fix 46 * it up by interpreting these zeroed segments the way that they 47 * were almost certainly intended to be interpreted. 48 * 49 * The correct way to ask for "no segment at all" is to specify 50 * a user_desc that satisfies LDT_empty. To keep everything 51 * working, we accept both. 52 * 53 * Note that there's a similar kludge in modify_ldt -- look at 54 * the distinction between modes 1 and 0x11. 55 */ 56 if (LDT_empty(info) || LDT_zero(info)) 57 return true; 58 59 /* 60 * espfix is required for 16-bit data segments, but espfix 61 * only works for LDT segments. 62 */ 63 if (!info->seg_32bit) 64 return false; 65 66 /* Only allow data segments in the TLS array. */ 67 if (info->contents > 1) 68 return false; 69 70 /* 71 * Non-present segments with DPL 3 present an interesting attack 72 * surface. The kernel should handle such segments correctly, 73 * but TLS is very difficult to protect in a sandbox, so prevent 74 * such segments from being created. 75 * 76 * If userspace needs to remove a TLS entry, it can still delete 77 * it outright. 78 */ 79 if (info->seg_not_present) 80 return false; 81 82 return true; 83 } 84 85 static void set_tls_desc(struct task_struct *p, int idx, 86 const struct user_desc *info, int n) 87 { 88 struct thread_struct *t = &p->thread; 89 struct desc_struct *desc = &t->tls_array[idx - GDT_ENTRY_TLS_MIN]; 90 int cpu; 91 92 /* 93 * We must not get preempted while modifying the TLS. 94 */ 95 cpu = get_cpu(); 96 97 while (n-- > 0) { 98 if (LDT_empty(info) || LDT_zero(info)) 99 memset(desc, 0, sizeof(*desc)); 100 else 101 fill_ldt(desc, info); 102 ++info; 103 ++desc; 104 } 105 106 if (t == ¤t->thread) 107 load_TLS(t, cpu); 108 109 put_cpu(); 110 } 111 112 /* 113 * Set a given TLS descriptor: 114 */ 115 int do_set_thread_area(struct task_struct *p, int idx, 116 struct user_desc __user *u_info, 117 int can_allocate) 118 { 119 struct user_desc info; 120 unsigned short modified_sel; 121 122 if (copy_from_user(&info, u_info, sizeof(info))) 123 return -EFAULT; 124 125 if (!tls_desc_okay(&info)) 126 return -EINVAL; 127 128 if (idx == -1) 129 idx = info.entry_number; 130 131 /* 132 * index -1 means the kernel should try to find and 133 * allocate an empty descriptor: 134 */ 135 if (idx == -1 && can_allocate) { 136 idx = get_free_idx(); 137 if (idx < 0) 138 return idx; 139 if (put_user(idx, &u_info->entry_number)) 140 return -EFAULT; 141 } 142 143 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) 144 return -EINVAL; 145 146 set_tls_desc(p, idx, &info, 1); 147 148 /* 149 * If DS, ES, FS, or GS points to the modified segment, forcibly 150 * refresh it. Only needed on x86_64 because x86_32 reloads them 151 * on return to user mode. 152 */ 153 modified_sel = (idx << 3) | 3; 154 155 if (p == current) { 156 unsigned short sel; 157 158 #ifdef CONFIG_X86_64 159 savesegment(ds, sel); 160 if (sel == modified_sel) 161 loadsegment(ds, sel); 162 163 savesegment(es, sel); 164 if (sel == modified_sel) 165 loadsegment(es, sel); 166 167 savesegment(fs, sel); 168 if (sel == modified_sel) 169 loadsegment(fs, sel); 170 #endif 171 172 savesegment(gs, sel); 173 if (sel == modified_sel) 174 load_gs_index(sel); 175 } else { 176 #ifdef CONFIG_X86_64 177 if (p->thread.fsindex == modified_sel) 178 p->thread.fsbase = info.base_addr; 179 180 if (p->thread.gsindex == modified_sel) 181 p->thread.gsbase = info.base_addr; 182 #endif 183 } 184 185 return 0; 186 } 187 188 SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info) 189 { 190 return do_set_thread_area(current, -1, u_info, 1); 191 } 192 193 194 /* 195 * Get the current Thread-Local Storage area: 196 */ 197 198 static void fill_user_desc(struct user_desc *info, int idx, 199 const struct desc_struct *desc) 200 201 { 202 memset(info, 0, sizeof(*info)); 203 info->entry_number = idx; 204 info->base_addr = get_desc_base(desc); 205 info->limit = get_desc_limit(desc); 206 info->seg_32bit = desc->d; 207 info->contents = desc->type >> 2; 208 info->read_exec_only = !(desc->type & 2); 209 info->limit_in_pages = desc->g; 210 info->seg_not_present = !desc->p; 211 info->useable = desc->avl; 212 #ifdef CONFIG_X86_64 213 info->lm = desc->l; 214 #endif 215 } 216 217 int do_get_thread_area(struct task_struct *p, int idx, 218 struct user_desc __user *u_info) 219 { 220 struct user_desc info; 221 int index; 222 223 if (idx == -1 && get_user(idx, &u_info->entry_number)) 224 return -EFAULT; 225 226 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) 227 return -EINVAL; 228 229 index = idx - GDT_ENTRY_TLS_MIN; 230 index = array_index_nospec(index, 231 GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1); 232 233 fill_user_desc(&info, idx, &p->thread.tls_array[index]); 234 235 if (copy_to_user(u_info, &info, sizeof(info))) 236 return -EFAULT; 237 return 0; 238 } 239 240 SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info) 241 { 242 return do_get_thread_area(current, -1, u_info); 243 } 244 245 int regset_tls_active(struct task_struct *target, 246 const struct user_regset *regset) 247 { 248 struct thread_struct *t = &target->thread; 249 int n = GDT_ENTRY_TLS_ENTRIES; 250 while (n > 0 && desc_empty(&t->tls_array[n - 1])) 251 --n; 252 return n; 253 } 254 255 int regset_tls_get(struct task_struct *target, const struct user_regset *regset, 256 struct membuf to) 257 { 258 const struct desc_struct *tls; 259 struct user_desc v; 260 int pos; 261 262 for (pos = 0, tls = target->thread.tls_array; to.left; pos++, tls++) { 263 fill_user_desc(&v, GDT_ENTRY_TLS_MIN + pos, tls); 264 membuf_write(&to, &v, sizeof(v)); 265 } 266 return 0; 267 } 268 269 int regset_tls_set(struct task_struct *target, const struct user_regset *regset, 270 unsigned int pos, unsigned int count, 271 const void *kbuf, const void __user *ubuf) 272 { 273 struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; 274 const struct user_desc *info; 275 int i; 276 277 if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || 278 (pos % sizeof(struct user_desc)) != 0 || 279 (count % sizeof(struct user_desc)) != 0) 280 return -EINVAL; 281 282 if (kbuf) 283 info = kbuf; 284 else if (__copy_from_user(infobuf, ubuf, count)) 285 return -EFAULT; 286 else 287 info = infobuf; 288 289 for (i = 0; i < count / sizeof(struct user_desc); i++) 290 if (!tls_desc_okay(info + i)) 291 return -EINVAL; 292 293 set_tls_desc(target, 294 GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), 295 info, count / sizeof(struct user_desc)); 296 297 return 0; 298 } 299