xref: /openbmc/linux/arch/x86/kernel/tls.c (revision 1f9f6a78)
1 #include <linux/kernel.h>
2 #include <linux/errno.h>
3 #include <linux/sched.h>
4 #include <linux/user.h>
5 #include <linux/regset.h>
6 #include <linux/syscalls.h>
7 
8 #include <asm/uaccess.h>
9 #include <asm/desc.h>
10 #include <asm/ldt.h>
11 #include <asm/processor.h>
12 #include <asm/proto.h>
13 
14 #include "tls.h"
15 
/*
 * Helper for slot allocation in set_thread_area: find an unused TLS
 * descriptor in the *current* task's TLS array.
 *
 * Returns the GDT entry number (array slot + GDT_ENTRY_TLS_MIN) of the
 * first empty slot, or -ESRCH when every slot is in use.
 */
static int get_free_idx(void)
{
	struct desc_struct *slots = current->thread.tls_array;
	int slot = 0;

	while (slot < GDT_ENTRY_TLS_ENTRIES) {
		if (desc_empty(&slots[slot]))
			return GDT_ENTRY_TLS_MIN + slot;
		slot++;
	}

	return -ESRCH;
}
29 
/*
 * Policy check for a user-supplied descriptor headed for a TLS slot.
 * Returns true when the descriptor may be installed, false when it must
 * be rejected.  Callers are expected to run this on the kernel copy of
 * the descriptor before handing it to set_tls_desc().
 */
static bool tls_desc_okay(const struct user_desc *info)
{
	/* An empty descriptor deletes the slot; that is always permitted. */
	if (LDT_empty(info))
		return true;

	/*
	 * A non-empty descriptor must pass all three restrictions:
	 *
	 *  - seg_32bit set: espfix is required for 16-bit data segments,
	 *    but espfix only works for LDT segments, so 16-bit segments
	 *    are kept out of the TLS array.
	 *
	 *  - contents <= 1: only data segments belong in the TLS array.
	 *
	 *  - seg_not_present clear: non-present segments with DPL 3 are
	 *    an interesting attack surface.  The kernel should handle
	 *    them correctly, but TLS is very difficult to protect in a
	 *    sandbox, so they are simply not allowed to be created.
	 *    Userspace that wants a TLS entry gone can still delete it
	 *    outright (the LDT_empty() case above).
	 */
	return info->seg_32bit &&
	       !(info->contents > 1) &&
	       !info->seg_not_present;
}
60 
/*
 * Write @n consecutive descriptors from @info into @p's TLS array,
 * starting at GDT entry @idx.
 *
 * Nothing in here validates its arguments: the function does not check
 * that idx .. idx + n - 1 stays inside the TLS range, and it does not
 * apply the tls_desc_okay() policy.  Both are the caller's job, and a
 * caller that skips them gets an out-of-bounds write to tls_array or an
 * unvetted descriptor installed.
 */
static void set_tls_desc(struct task_struct *p, int idx,
			 const struct user_desc *info, int n)
{
	struct thread_struct *t = &p->thread;
	/* idx is a GDT entry number; rebase it to a tls_array slot. */
	struct desc_struct *desc = &t->tls_array[idx - GDT_ENTRY_TLS_MIN];
	int cpu;

	/*
	 * We must not get preempted while modifying the TLS.
	 */
	cpu = get_cpu();

	while (n-- > 0) {
		/* An empty user_desc zeroes the slot instead of encoding it. */
		if (LDT_empty(info))
			desc->a = desc->b = 0;
		else
			fill_ldt(desc, info);
		++info;
		++desc;
	}

	/*
	 * load_TLS() is called only when the thread state just modified
	 * belongs to the running task; for any other task only the saved
	 * tls_array is updated.
	 */
	if (t == &current->thread)
		load_TLS(t, cpu);

	put_cpu();
}
87 
/*
 * Set a given TLS descriptor in task @p from the user_desc at @u_info.
 *
 * @idx:          GDT entry to set, or -1 to take the entry number from
 *                the user-supplied descriptor.
 * @can_allocate: when non-zero and the entry number is still -1, a free
 *                slot is picked and its index is written back to
 *                u_info->entry_number.
 *
 * Returns 0 on success, -EFAULT when user memory cannot be read or
 * written, -EINVAL when the descriptor fails tls_desc_okay() or the
 * index is outside the TLS range, or the error from get_free_idx().
 */
int do_set_thread_area(struct task_struct *p, int idx,
		       struct user_desc __user *u_info,
		       int can_allocate)
{
	struct user_desc info;

	/*
	 * Fetch the descriptor from userspace exactly once.  Everything
	 * below validates and installs this kernel copy, so a concurrent
	 * writer in userspace cannot change it between check and use.
	 */
	if (copy_from_user(&info, u_info, sizeof(info)))
		return -EFAULT;

	/* Policy check comes before any index handling or side effect. */
	if (!tls_desc_okay(&info))
		return -EINVAL;

	if (idx == -1)
		idx = info.entry_number;

	/*
	 * index -1 means the kernel should try to find and
	 * allocate an empty descriptor:
	 *
	 * NOTE(review): get_free_idx() scans current's TLS array, while
	 * the descriptor is installed in @p.  The syscall entry in this
	 * file passes p == current; confirm that no other caller sets
	 * can_allocate for a different task.
	 */
	if (idx == -1 && can_allocate) {
		idx = get_free_idx();
		if (idx < 0)
			return idx;
		/* Report the chosen slot before anything is installed. */
		if (put_user(idx, &u_info->entry_number))
			return -EFAULT;
	}

	/*
	 * idx is user-controlled here (directly, or through entry_number).
	 * This range check is the only thing that bounds the
	 * tls_array[idx - GDT_ENTRY_TLS_MIN] access in set_tls_desc(); it
	 * also rejects a leftover -1 when allocation was not permitted.
	 */
	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
		return -EINVAL;

	set_tls_desc(p, idx, &info, 1);

	return 0;
}
125 
/*
 * set_thread_area(2) entry point: operate on the calling task, take the
 * slot from u_info->entry_number, and allow the kernel to allocate a
 * free slot when that entry number is -1.
 */
SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info)
{
	const int idx_from_user = -1;	/* use u_info->entry_number */
	const int may_allocate = 1;

	return do_set_thread_area(current, idx_from_user, u_info, may_allocate);
}
130 
131 
132 /*
133  * Get the current Thread-Local Storage area:
134  */
135 
/*
 * Decode the hardware descriptor @desc into the user-visible layout
 * @info, recording @idx as its entry number.
 *
 * The structure is zeroed in full before any field is set.  Both
 * callers in this file copy the result to userspace with sizeof(info),
 * so the memset is what keeps bytes not assigned below (and any
 * padding) from carrying stale kernel stack contents out.
 */
static void fill_user_desc(struct user_desc *info, int idx,
			   const struct desc_struct *desc)
{
	memset(info, 0, sizeof(*info));

	/* Identity and address range. */
	info->entry_number = idx;
	info->base_addr = get_desc_base(desc);
	info->limit = get_desc_limit(desc);

	/* Fields derived from the descriptor type: bits 2+ and bit 1. */
	info->contents = desc->type >> 2;
	info->read_exec_only = !(desc->type & 2);

	/* Remaining single-bit flags. */
	info->seg_32bit = desc->d;
	info->limit_in_pages = desc->g;
	info->seg_not_present = !desc->p;
	info->useable = desc->avl;
#ifdef CONFIG_X86_64
	info->lm = desc->l;
#endif
}
154 
/*
 * Copy one of @p's TLS descriptors out to the user_desc at @u_info.
 *
 * @idx is the GDT entry to read, or -1 to read the entry number from
 * u_info->entry_number.  Returns 0 on success, -EFAULT when user memory
 * cannot be accessed, -EINVAL when the index is outside the TLS range.
 */
int do_get_thread_area(struct task_struct *p, int idx,
		       struct user_desc __user *u_info)
{
	struct user_desc info;
	const struct desc_struct *slot;

	if (idx == -1) {
		if (get_user(idx, &u_info->entry_number))
			return -EFAULT;
	}

	/*
	 * idx may come straight from userspace; this check is what keeps
	 * the tls_array access below in bounds.
	 */
	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
		return -EINVAL;

	slot = &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN];
	fill_user_desc(&info, idx, slot);

	return copy_to_user(u_info, &info, sizeof(info)) ? -EFAULT : 0;
}
173 
/*
 * get_thread_area(2) entry point: read a TLS descriptor of the calling
 * task, with the slot taken from u_info->entry_number.
 */
SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info)
{
	const int idx_from_user = -1;	/* use u_info->entry_number */

	return do_get_thread_area(current, idx_from_user, u_info);
}
178 
/*
 * regset "active" hook: report how many leading TLS slots are worth
 * exposing, i.e. the 1-based position of the last non-empty slot in
 * @target's TLS array (0 when every slot is empty).  @regset is unused.
 */
int regset_tls_active(struct task_struct *target,
		      const struct user_regset *regset)
{
	struct desc_struct *slots = target->thread.tls_array;
	int last;

	/* Walk back from the end until a populated slot is found. */
	for (last = GDT_ENTRY_TLS_ENTRIES; last > 0; last--) {
		if (!desc_empty(&slots[last - 1]))
			break;
	}

	return last;
}
188 
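/*
 * regset "get" hook: export @target's TLS descriptors as an array of
 * struct user_desc, either into @kbuf or, when @kbuf is NULL, to the
 * user buffer @ubuf.
 *
 * @pos and @count are byte offsets/lengths and must both be multiples of
 * sizeof(struct user_desc).  Returns 0 on success, -EINVAL for a
 * misaligned or out-of-range request, -EFAULT when the user copy fails.
 *
 * The pos + count bound is enforced here rather than left to the
 * caller: without it, an oversized @count would walk @tls past the end
 * of tls_array and hand adjacent thread_struct contents to the reader.
 * NOTE(review): regset callers are presumably expected to clamp @count
 * already, but that is not visible from this file.
 */
int regset_tls_get(struct task_struct *target, const struct user_regset *regset,
		   unsigned int pos, unsigned int count,
		   void *kbuf, void __user *ubuf)
{
	const unsigned int max_bytes =
		GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc);
	const struct desc_struct *tls;

	if (pos >= max_bytes ||
	    (pos % sizeof(struct user_desc)) != 0 ||
	    (count % sizeof(struct user_desc)) != 0)
		return -EINVAL;

	/* pos < max_bytes was just established, so this cannot wrap. */
	if (count > max_bytes - pos)
		return -EINVAL;

	/* From here on pos and count are in descriptors, not bytes. */
	pos /= sizeof(struct user_desc);
	count /= sizeof(struct user_desc);

	tls = &target->thread.tls_array[pos];

	if (kbuf) {
		struct user_desc *info = kbuf;
		while (count-- > 0)
			fill_user_desc(info++, GDT_ENTRY_TLS_MIN + pos++,
				       tls++);
	} else {
		struct user_desc __user *u_info = ubuf;
		while (count-- > 0) {
			struct user_desc info;
			/*
			 * fill_user_desc() zeroes info before filling it, so
			 * the full-size copy below exposes no stale stack.
			 */
			fill_user_desc(&info, GDT_ENTRY_TLS_MIN + pos++, tls++);
			/*
			 * NOTE(review): the __ variant is used; presumably
			 * the caller has already run access_ok() on ubuf.
			 */
			if (__copy_to_user(u_info++, &info, sizeof(info)))
				return -EFAULT;
		}
	}

	return 0;
}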
222 
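/*
 * regset "set" hook: install TLS descriptors into @target from an array
 * of struct user_desc in @kbuf or, when @kbuf is NULL, in the user
 * buffer @ubuf.
 *
 * @pos and @count are byte offsets/lengths and must both be multiples of
 * sizeof(struct user_desc).  Returns 0 on success, -EINVAL for a
 * misaligned or out-of-range request or a descriptor rejected by
 * tls_desc_okay(), -EFAULT when the user copy fails.
 *
 * The pos + count bound is enforced here rather than left to the
 * caller: @count sizes both the copy into the on-stack @infobuf and the
 * number of slots set_tls_desc() writes, so an oversized value would
 * overflow the stack buffer and write past the end of tls_array.
 * NOTE(review): regset callers are presumably expected to clamp @count
 * already, but that is not visible from this file.
 */
int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
		   unsigned int pos, unsigned int count,
		   const void *kbuf, const void __user *ubuf)
{
	const unsigned int max_bytes =
		GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc);
	struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
	const struct user_desc *info;
	unsigned int nr, i;

	if (pos >= max_bytes ||
	    (pos % sizeof(struct user_desc)) != 0 ||
	    (count % sizeof(struct user_desc)) != 0)
		return -EINVAL;

	/* pos < max_bytes was just established, so this cannot wrap. */
	if (count > max_bytes - pos)
		return -EINVAL;

	/*
	 * User data is copied into infobuf once; validation and
	 * installation below both use that kernel copy.
	 * NOTE(review): the __ variant is used; presumably the caller has
	 * already run access_ok() on ubuf.
	 */
	if (kbuf)
		info = kbuf;
	else if (__copy_from_user(infobuf, ubuf, count))
		return -EFAULT;
	else
		info = infobuf;

	nr = count / sizeof(struct user_desc);

	/* Vet every descriptor before any of them is installed. */
	for (i = 0; i < nr; i++)
		if (!tls_desc_okay(info + i))
			return -EINVAL;

	set_tls_desc(target,
		     GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
		     info, nr);

	return 0;
}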
253