arch/x86/kernel/tls.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 #include <linux/kernel.h>
   3 #include <linux/errno.h>
   4 #include <linux/sched.h>
   5 #include <linux/user.h>
   6 #include <linux/regset.h>
   7 #include <linux/syscalls.h>
   8
   9 #include <linux/uaccess.h>
  10 #include <asm/desc.h>
  11 #include <asm/ldt.h>
  12 #include <asm/processor.h>
  13 #include <asm/proto.h>
  14
  15 #include "tls.h"
  16
  17 /*
  18  * sys_alloc_thread_area: get a yet unused TLS descriptor index.
  19  */
  20 static int get_free_idx(void)
  21 {
  22         struct thread_struct *t = &current->thread;
  23         int idx;
  24
  25         for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++)
  26                 if (desc_empty(&t->tls_array[idx]))
  27                         return idx + GDT_ENTRY_TLS_MIN;
  28         return -ESRCH;
  29 }
  30
  31 static bool tls_desc_okay(const struct user_desc *info)
  32 {
  33         /*
  34          * For historical reasons (i.e. no one ever documented how any
  35          * of the segmentation APIs work), user programs can and do
  36          * assume that a struct user_desc that's all zeros except for
  37          * entry_number means "no segment at all".  This never actually
  38          * worked.  In fact, up to Linux 3.19, a struct user_desc like
  39          * this would create a 16-bit read-write segment with base and
  40          * limit both equal to zero.
  41          *
  42          * That was close enough to "no segment at all" until we
  43          * hardened this function to disallow 16-bit TLS segments.  Fix
  44          * it up by interpreting these zeroed segments the way that they
  45          * were almost certainly intended to be interpreted.
  46          *
  47          * The correct way to ask for "no segment at all" is to specify
  48          * a user_desc that satisfies LDT_empty.  To keep everything
  49          * working, we accept both.
  50          *
  51          * Note that there's a similar kludge in modify_ldt -- look at
  52          * the distinction between modes 1 and 0x11.
  53          */
  54         if (LDT_empty(info) || LDT_zero(info))
  55                 return true;
  56
  57         /*
  58          * espfix is required for 16-bit data segments, but espfix
  59          * only works for LDT segments.
  60          */
  61         if (!info->seg_32bit)
  62                 return false;
  63
  64         /* Only allow data segments in the TLS array. */
  65         if (info->contents > 1)
  66                 return false;
  67
  68         /*
  69          * Non-present segments with DPL 3 present an interesting attack
  70          * surface.  The kernel should handle such segments correctly,
  71          * but TLS is very difficult to protect in a sandbox, so prevent
  72          * such segments from being created.
  73          *
  74          * If userspace needs to remove a TLS entry, it can still delete
  75          * it outright.
  76          */
  77         if (info->seg_not_present)
  78                 return false;
  79
  80         return true;
  81 }
  82
  83 static void set_tls_desc(struct task_struct *p, int idx,
  84                          const struct user_desc *info, int n)
  85 {
  86         struct thread_struct *t = &p->thread;
  87         struct desc_struct *desc = &t->tls_array[idx - GDT_ENTRY_TLS_MIN];
  88         int cpu;
  89
  90         /*
  91          * We must not get preempted while modifying the TLS.
  92          */
  93         cpu = get_cpu();
  94
  95         while (n-- > 0) {
  96                 if (LDT_empty(info) || LDT_zero(info))
  97                         memset(desc, 0, sizeof(*desc));
  98                 else
  99                         fill_ldt(desc, info);
 100                 ++info;
 101                 ++desc;
 102         }
 103
 104         if (t == &current->thread)
 105                 load_TLS(t, cpu);
 106
 107         put_cpu();
 108 }
 109
 110 /*
 111  * Set a given TLS descriptor:
 112  */
 113 int do_set_thread_area(struct task_struct *p, int idx,
 114                        struct user_desc __user *u_info,
 115                        int can_allocate)
 116 {
 117         struct user_desc info;
 118         unsigned short __maybe_unused sel, modified_sel;
 119
 120         if (copy_from_user(&info, u_info, sizeof(info)))
 121                 return -EFAULT;
 122
 123         if (!tls_desc_okay(&info))
 124                 return -EINVAL;
 125
 126         if (idx == -1)
 127                 idx = info.entry_number;
 128
 129         /*
 130          * index -1 means the kernel should try to find and
 131          * allocate an empty descriptor:
 132          */
 133         if (idx == -1 && can_allocate) {
 134                 idx = get_free_idx();
 135                 if (idx < 0)
 136                         return idx;
 137                 if (put_user(idx, &u_info->entry_number))
 138                         return -EFAULT;
 139         }
 140
 141         if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
 142                 return -EINVAL;
 143
 144         set_tls_desc(p, idx, &info, 1);
 145
 146         /*
 147          * If DS, ES, FS, or GS points to the modified segment, forcibly
 148          * refresh it.  Only needed on x86_64 because x86_32 reloads them
 149          * on return to user mode.
 150          */
 151         modified_sel = (idx << 3) | 3;
 152
 153         if (p == current) {
 154 #ifdef CONFIG_X86_64
 155                 savesegment(ds, sel);
 156                 if (sel == modified_sel)
 157                         loadsegment(ds, sel);
 158
 159                 savesegment(es, sel);
 160                 if (sel == modified_sel)
 161                         loadsegment(es, sel);
 162
 163                 savesegment(fs, sel);
 164                 if (sel == modified_sel)
 165                         loadsegment(fs, sel);
 166
 167                 savesegment(gs, sel);
 168                 if (sel == modified_sel)
 169                         load_gs_index(sel);
 170 #endif
 171
 172 #ifdef CONFIG_X86_32_LAZY_GS
 173                 savesegment(gs, sel);
 174                 if (sel == modified_sel)
 175                         loadsegment(gs, sel);
 176 #endif
 177         } else {
 178 #ifdef CONFIG_X86_64
 179                 if (p->thread.fsindex == modified_sel)
 180                         p->thread.fsbase = info.base_addr;
 181
 182                 if (p->thread.gsindex == modified_sel)
 183                         p->thread.gsbase = info.base_addr;
 184 #endif
 185         }
 186
 187         return 0;
 188 }
 189
 190 SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info)
 191 {
 192         return do_set_thread_area(current, -1, u_info, 1);
 193 }
 194
 195
 196 /*
 197  * Get the current Thread-Local Storage area:
 198  */
 199
 200 static void fill_user_desc(struct user_desc *info, int idx,
 201                            const struct desc_struct *desc)
 202
 203 {
 204         memset(info, 0, sizeof(*info));
 205         info->entry_number = idx;
 206         info->base_addr = get_desc_base(desc);
 207         info->limit = get_desc_limit(desc);
 208         info->seg_32bit = desc->d;
 209         info->contents = desc->type >> 2;
 210         info->read_exec_only = !(desc->type & 2);
 211         info->limit_in_pages = desc->g;
 212         info->seg_not_present = !desc->p;
 213         info->useable = desc->avl;
 214 #ifdef CONFIG_X86_64
 215         info->lm = desc->l;
 216 #endif
 217 }
 218
 219 int do_get_thread_area(struct task_struct *p, int idx,
 220                        struct user_desc __user *u_info)
 221 {
 222         struct user_desc info;
 223
 224         if (idx == -1 && get_user(idx, &u_info->entry_number))
 225                 return -EFAULT;
 226
 227         if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
 228                 return -EINVAL;
 229
 230         fill_user_desc(&info, idx,
 231                        &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]);
 232
 233         if (copy_to_user(u_info, &info, sizeof(info)))
 234                 return -EFAULT;
 235         return 0;
 236 }
 237
 238 SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info)
 239 {
 240         return do_get_thread_area(current, -1, u_info);
 241 }
 242
 243 int regset_tls_active(struct task_struct *target,
 244                       const struct user_regset *regset)
 245 {
 246         struct thread_struct *t = &target->thread;
 247         int n = GDT_ENTRY_TLS_ENTRIES;
 248         while (n > 0 && desc_empty(&t->tls_array[n - 1]))
 249                 --n;
 250         return n;
 251 }
 252
 253 int regset_tls_get(struct task_struct *target, const struct user_regset *regset,
 254                    unsigned int pos, unsigned int count,
 255                    void *kbuf, void __user *ubuf)
 256 {
 257         const struct desc_struct *tls;
 258
 259         if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
 260             (pos % sizeof(struct user_desc)) != 0 ||
 261             (count % sizeof(struct user_desc)) != 0)
 262                 return -EINVAL;
 263
 264         pos /= sizeof(struct user_desc);
 265         count /= sizeof(struct user_desc);
 266
 267         tls = &target->thread.tls_array[pos];
 268
 269         if (kbuf) {
 270                 struct user_desc *info = kbuf;
 271                 while (count-- > 0)
 272                         fill_user_desc(info++, GDT_ENTRY_TLS_MIN + pos++,
 273                                        tls++);
 274         } else {
 275                 struct user_desc __user *u_info = ubuf;
 276                 while (count-- > 0) {
 277                         struct user_desc info;
 278                         fill_user_desc(&info, GDT_ENTRY_TLS_MIN + pos++, tls++);
 279                         if (__copy_to_user(u_info++, &info, sizeof(info)))
 280                                 return -EFAULT;
 281                 }
 282         }
 283
 284         return 0;
 285 }
 286
 287 int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
 288                    unsigned int pos, unsigned int count,
 289                    const void *kbuf, const void __user *ubuf)
 290 {
 291         struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
 292         const struct user_desc *info;
 293         int i;
 294
 295         if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
 296             (pos % sizeof(struct user_desc)) != 0 ||
 297             (count % sizeof(struct user_desc)) != 0)
 298                 return -EINVAL;
 299
 300         if (kbuf)
 301                 info = kbuf;
 302         else if (__copy_from_user(infobuf, ubuf, count))
 303                 return -EFAULT;
 304         else
 305                 info = infobuf;
 306
 307         for (i = 0; i < count / sizeof(struct user_desc); i++)
 308                 if (!tls_desc_okay(info + i))
 309                         return -EINVAL;
 310
 311         set_tls_desc(target,
 312                      GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
 313                      info, count / sizeof(struct user_desc));
 314
 315         return 0;
 316 }