1 // SPDX-License-Identifier: GPL-2.0 2 #include <linux/kernel.h> 3 #include <linux/errno.h> 4 #include <linux/sched.h> 5 #include <linux/user.h> 6 #include <linux/regset.h> 7 #include <linux/syscalls.h> 8 #include <linux/nospec.h> 9 10 #include <linux/uaccess.h> 11 #include <asm/desc.h> 12 #include <asm/ldt.h> 13 #include <asm/processor.h> 14 #include <asm/proto.h> 15 #include <asm/gsseg.h> 16 17 #include "tls.h" 18 19 /* 20 * sys_alloc_thread_area: get a yet unused TLS descriptor index. 21 */ 22 static int get_free_idx(void) 23 { 24 struct thread_struct *t = ¤t->thread; 25 int idx; 26 27 for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++) 28 if (desc_empty(&t->tls_array[idx])) 29 return idx + GDT_ENTRY_TLS_MIN; 30 return -ESRCH; 31 } 32 33 static bool tls_desc_okay(const struct user_desc *info) 34 { 35 /* 36 * For historical reasons (i.e. no one ever documented how any 37 * of the segmentation APIs work), user programs can and do 38 * assume that a struct user_desc that's all zeros except for 39 * entry_number means "no segment at all". This never actually 40 * worked. In fact, up to Linux 3.19, a struct user_desc like 41 * this would create a 16-bit read-write segment with base and 42 * limit both equal to zero. 43 * 44 * That was close enough to "no segment at all" until we 45 * hardened this function to disallow 16-bit TLS segments. Fix 46 * it up by interpreting these zeroed segments the way that they 47 * were almost certainly intended to be interpreted. 48 * 49 * The correct way to ask for "no segment at all" is to specify 50 * a user_desc that satisfies LDT_empty. To keep everything 51 * working, we accept both. 52 * 53 * Note that there's a similar kludge in modify_ldt -- look at 54 * the distinction between modes 1 and 0x11. 55 */ 56 if (LDT_empty(info) || LDT_zero(info)) 57 return true; 58 59 /* 60 * espfix is required for 16-bit data segments, but espfix 61 * only works for LDT segments. 62 */ 63 if (!info->seg_32bit) 64 return false; 65 66 /* Only allow data segments in the TLS array. */ 67 if (info->contents > 1) 68 return false; 69 70 /* 71 * Non-present segments with DPL 3 present an interesting attack 72 * surface. The kernel should handle such segments correctly, 73 * but TLS is very difficult to protect in a sandbox, so prevent 74 * such segments from being created. 75 * 76 * If userspace needs to remove a TLS entry, it can still delete 77 * it outright. 78 */ 79 if (info->seg_not_present) 80 return false; 81 82 return true; 83 } 84 85 static void set_tls_desc(struct task_struct *p, int idx, 86 const struct user_desc *info, int n) 87 { 88 struct thread_struct *t = &p->thread; 89 struct desc_struct *desc = &t->tls_array[idx - GDT_ENTRY_TLS_MIN]; 90 int cpu; 91 92 /* 93 * We must not get preempted while modifying the TLS. 94 */ 95 cpu = get_cpu(); 96 97 while (n-- > 0) { 98 if (LDT_empty(info) || LDT_zero(info)) 99 memset(desc, 0, sizeof(*desc)); 100 else 101 fill_ldt(desc, info); 102 ++info; 103 ++desc; 104 } 105 106 if (t == ¤t->thread) 107 load_TLS(t, cpu); 108 109 put_cpu(); 110 } 111 112 /* 113 * Set a given TLS descriptor: 114 */ 115 int do_set_thread_area(struct task_struct *p, int idx, 116 struct user_desc __user *u_info, 117 int can_allocate) 118 { 119 struct user_desc info; 120 unsigned short __maybe_unused sel, modified_sel; 121 122 if (copy_from_user(&info, u_info, sizeof(info))) 123 return -EFAULT; 124 125 if (!tls_desc_okay(&info)) 126 return -EINVAL; 127 128 if (idx == -1) 129 idx = info.entry_number; 130 131 /* 132 * index -1 means the kernel should try to find and 133 * allocate an empty descriptor: 134 */ 135 if (idx == -1 && can_allocate) { 136 idx = get_free_idx(); 137 if (idx < 0) 138 return idx; 139 if (put_user(idx, &u_info->entry_number)) 140 return -EFAULT; 141 } 142 143 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) 144 return -EINVAL; 145 146 set_tls_desc(p, idx, &info, 1); 147 148 /* 149 * If DS, ES, FS, or GS points to the modified segment, forcibly 150 * refresh it. Only needed on x86_64 because x86_32 reloads them 151 * on return to user mode. 152 */ 153 modified_sel = (idx << 3) | 3; 154 155 if (p == current) { 156 #ifdef CONFIG_X86_64 157 savesegment(ds, sel); 158 if (sel == modified_sel) 159 loadsegment(ds, sel); 160 161 savesegment(es, sel); 162 if (sel == modified_sel) 163 loadsegment(es, sel); 164 165 savesegment(fs, sel); 166 if (sel == modified_sel) 167 loadsegment(fs, sel); 168 #endif 169 170 savesegment(gs, sel); 171 if (sel == modified_sel) 172 load_gs_index(sel); 173 } else { 174 #ifdef CONFIG_X86_64 175 if (p->thread.fsindex == modified_sel) 176 p->thread.fsbase = info.base_addr; 177 178 if (p->thread.gsindex == modified_sel) 179 p->thread.gsbase = info.base_addr; 180 #endif 181 } 182 183 return 0; 184 } 185 186 SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info) 187 { 188 return do_set_thread_area(current, -1, u_info, 1); 189 } 190 191 192 /* 193 * Get the current Thread-Local Storage area: 194 */ 195 196 static void fill_user_desc(struct user_desc *info, int idx, 197 const struct desc_struct *desc) 198 199 { 200 memset(info, 0, sizeof(*info)); 201 info->entry_number = idx; 202 info->base_addr = get_desc_base(desc); 203 info->limit = get_desc_limit(desc); 204 info->seg_32bit = desc->d; 205 info->contents = desc->type >> 2; 206 info->read_exec_only = !(desc->type & 2); 207 info->limit_in_pages = desc->g; 208 info->seg_not_present = !desc->p; 209 info->useable = desc->avl; 210 #ifdef CONFIG_X86_64 211 info->lm = desc->l; 212 #endif 213 } 214 215 int do_get_thread_area(struct task_struct *p, int idx, 216 struct user_desc __user *u_info) 217 { 218 struct user_desc info; 219 int index; 220 221 if (idx == -1 && get_user(idx, &u_info->entry_number)) 222 return -EFAULT; 223 224 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) 225 return -EINVAL; 226 227 index = idx - GDT_ENTRY_TLS_MIN; 228 index = array_index_nospec(index, 229 GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1); 230 231 fill_user_desc(&info, idx, &p->thread.tls_array[index]); 232 233 if (copy_to_user(u_info, &info, sizeof(info))) 234 return -EFAULT; 235 return 0; 236 } 237 238 SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info) 239 { 240 return do_get_thread_area(current, -1, u_info); 241 } 242 243 int regset_tls_active(struct task_struct *target, 244 const struct user_regset *regset) 245 { 246 struct thread_struct *t = &target->thread; 247 int n = GDT_ENTRY_TLS_ENTRIES; 248 while (n > 0 && desc_empty(&t->tls_array[n - 1])) 249 --n; 250 return n; 251 } 252 253 int regset_tls_get(struct task_struct *target, const struct user_regset *regset, 254 struct membuf to) 255 { 256 const struct desc_struct *tls; 257 struct user_desc v; 258 int pos; 259 260 for (pos = 0, tls = target->thread.tls_array; to.left; pos++, tls++) { 261 fill_user_desc(&v, GDT_ENTRY_TLS_MIN + pos, tls); 262 membuf_write(&to, &v, sizeof(v)); 263 } 264 return 0; 265 } 266 267 int regset_tls_set(struct task_struct *target, const struct user_regset *regset, 268 unsigned int pos, unsigned int count, 269 const void *kbuf, const void __user *ubuf) 270 { 271 struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; 272 const struct user_desc *info; 273 int i; 274 275 if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || 276 (pos % sizeof(struct user_desc)) != 0 || 277 (count % sizeof(struct user_desc)) != 0) 278 return -EINVAL; 279 280 if (kbuf) 281 info = kbuf; 282 else if (__copy_from_user(infobuf, ubuf, count)) 283 return -EFAULT; 284 else 285 info = infobuf; 286 287 for (i = 0; i < count / sizeof(struct user_desc); i++) 288 if (!tls_desc_okay(info + i)) 289 return -EINVAL; 290 291 set_tls_desc(target, 292 GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), 293 info, count / sizeof(struct user_desc)); 294 295 return 0; 296 } 297