1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/kernel.h>
3 #include <linux/errno.h>
4 #include <linux/sched.h>
5 #include <linux/user.h>
6 #include <linux/regset.h>
7 #include <linux/syscalls.h>
8 #include <linux/nospec.h>
10 #include <linux/uaccess.h>
13 #include <asm/processor.h>
14 #include <asm/proto.h>
19 * sys_alloc_thread_area: get a yet unused TLS descriptor index.
21 static int get_free_idx(void)
23 struct thread_struct
*t
= ¤t
->thread
;
26 for (idx
= 0; idx
< GDT_ENTRY_TLS_ENTRIES
; idx
++)
27 if (desc_empty(&t
->tls_array
[idx
]))
28 return idx
+ GDT_ENTRY_TLS_MIN
;
32 static bool tls_desc_okay(const struct user_desc
*info
)
35 * For historical reasons (i.e. no one ever documented how any
36 * of the segmentation APIs work), user programs can and do
37 * assume that a struct user_desc that's all zeros except for
38 * entry_number means "no segment at all". This never actually
39 * worked. In fact, up to Linux 3.19, a struct user_desc like
40 * this would create a 16-bit read-write segment with base and
41 * limit both equal to zero.
43 * That was close enough to "no segment at all" until we
44 * hardened this function to disallow 16-bit TLS segments. Fix
45 * it up by interpreting these zeroed segments the way that they
46 * were almost certainly intended to be interpreted.
48 * The correct way to ask for "no segment at all" is to specify
49 * a user_desc that satisfies LDT_empty. To keep everything
50 * working, we accept both.
52 * Note that there's a similar kludge in modify_ldt -- look at
53 * the distinction between modes 1 and 0x11.
55 if (LDT_empty(info
) || LDT_zero(info
))
59 * espfix is required for 16-bit data segments, but espfix
60 * only works for LDT segments.
65 /* Only allow data segments in the TLS array. */
66 if (info
->contents
> 1)
70 * Non-present segments with DPL 3 present an interesting attack
71 * surface. The kernel should handle such segments correctly,
72 * but TLS is very difficult to protect in a sandbox, so prevent
73 * such segments from being created.
75 * If userspace needs to remove a TLS entry, it can still delete
78 if (info
->seg_not_present
)
84 static void set_tls_desc(struct task_struct
*p
, int idx
,
85 const struct user_desc
*info
, int n
)
87 struct thread_struct
*t
= &p
->thread
;
88 struct desc_struct
*desc
= &t
->tls_array
[idx
- GDT_ENTRY_TLS_MIN
];
92 * We must not get preempted while modifying the TLS.
97 if (LDT_empty(info
) || LDT_zero(info
))
98 memset(desc
, 0, sizeof(*desc
));
100 fill_ldt(desc
, info
);
105 if (t
== ¤t
->thread
)
112 * Set a given TLS descriptor:
114 int do_set_thread_area(struct task_struct
*p
, int idx
,
115 struct user_desc __user
*u_info
,
118 struct user_desc info
;
119 unsigned short __maybe_unused sel
, modified_sel
;
121 if (copy_from_user(&info
, u_info
, sizeof(info
)))
124 if (!tls_desc_okay(&info
))
128 idx
= info
.entry_number
;
131 * index -1 means the kernel should try to find and
132 * allocate an empty descriptor:
134 if (idx
== -1 && can_allocate
) {
135 idx
= get_free_idx();
138 if (put_user(idx
, &u_info
->entry_number
))
142 if (idx
< GDT_ENTRY_TLS_MIN
|| idx
> GDT_ENTRY_TLS_MAX
)
145 set_tls_desc(p
, idx
, &info
, 1);
148 * If DS, ES, FS, or GS points to the modified segment, forcibly
149 * refresh it. Only needed on x86_64 because x86_32 reloads them
150 * on return to user mode.
152 modified_sel
= (idx
<< 3) | 3;
156 savesegment(ds
, sel
);
157 if (sel
== modified_sel
)
158 loadsegment(ds
, sel
);
160 savesegment(es
, sel
);
161 if (sel
== modified_sel
)
162 loadsegment(es
, sel
);
164 savesegment(fs
, sel
);
165 if (sel
== modified_sel
)
166 loadsegment(fs
, sel
);
168 savesegment(gs
, sel
);
169 if (sel
== modified_sel
)
173 #ifdef CONFIG_X86_32_LAZY_GS
174 savesegment(gs
, sel
);
175 if (sel
== modified_sel
)
176 loadsegment(gs
, sel
);
180 if (p
->thread
.fsindex
== modified_sel
)
181 p
->thread
.fsbase
= info
.base_addr
;
183 if (p
->thread
.gsindex
== modified_sel
)
184 p
->thread
.gsbase
= info
.base_addr
;
191 SYSCALL_DEFINE1(set_thread_area
, struct user_desc __user
*, u_info
)
193 return do_set_thread_area(current
, -1, u_info
, 1);
198 * Get the current Thread-Local Storage area:
201 static void fill_user_desc(struct user_desc
*info
, int idx
,
202 const struct desc_struct
*desc
)
205 memset(info
, 0, sizeof(*info
));
206 info
->entry_number
= idx
;
207 info
->base_addr
= get_desc_base(desc
);
208 info
->limit
= get_desc_limit(desc
);
209 info
->seg_32bit
= desc
->d
;
210 info
->contents
= desc
->type
>> 2;
211 info
->read_exec_only
= !(desc
->type
& 2);
212 info
->limit_in_pages
= desc
->g
;
213 info
->seg_not_present
= !desc
->p
;
214 info
->useable
= desc
->avl
;
220 int do_get_thread_area(struct task_struct
*p
, int idx
,
221 struct user_desc __user
*u_info
)
223 struct user_desc info
;
226 if (idx
== -1 && get_user(idx
, &u_info
->entry_number
))
229 if (idx
< GDT_ENTRY_TLS_MIN
|| idx
> GDT_ENTRY_TLS_MAX
)
232 index
= idx
- GDT_ENTRY_TLS_MIN
;
233 index
= array_index_nospec(index
,
234 GDT_ENTRY_TLS_MAX
- GDT_ENTRY_TLS_MIN
+ 1);
236 fill_user_desc(&info
, idx
, &p
->thread
.tls_array
[index
]);
238 if (copy_to_user(u_info
, &info
, sizeof(info
)))
243 SYSCALL_DEFINE1(get_thread_area
, struct user_desc __user
*, u_info
)
245 return do_get_thread_area(current
, -1, u_info
);
248 int regset_tls_active(struct task_struct
*target
,
249 const struct user_regset
*regset
)
251 struct thread_struct
*t
= &target
->thread
;
252 int n
= GDT_ENTRY_TLS_ENTRIES
;
253 while (n
> 0 && desc_empty(&t
->tls_array
[n
- 1]))
258 int regset_tls_get(struct task_struct
*target
, const struct user_regset
*regset
,
259 unsigned int pos
, unsigned int count
,
260 void *kbuf
, void __user
*ubuf
)
262 const struct desc_struct
*tls
;
264 if (pos
>= GDT_ENTRY_TLS_ENTRIES
* sizeof(struct user_desc
) ||
265 (pos
% sizeof(struct user_desc
)) != 0 ||
266 (count
% sizeof(struct user_desc
)) != 0)
269 pos
/= sizeof(struct user_desc
);
270 count
/= sizeof(struct user_desc
);
272 tls
= &target
->thread
.tls_array
[pos
];
275 struct user_desc
*info
= kbuf
;
277 fill_user_desc(info
++, GDT_ENTRY_TLS_MIN
+ pos
++,
280 struct user_desc __user
*u_info
= ubuf
;
281 while (count
-- > 0) {
282 struct user_desc info
;
283 fill_user_desc(&info
, GDT_ENTRY_TLS_MIN
+ pos
++, tls
++);
284 if (__copy_to_user(u_info
++, &info
, sizeof(info
)))
292 int regset_tls_set(struct task_struct
*target
, const struct user_regset
*regset
,
293 unsigned int pos
, unsigned int count
,
294 const void *kbuf
, const void __user
*ubuf
)
296 struct user_desc infobuf
[GDT_ENTRY_TLS_ENTRIES
];
297 const struct user_desc
*info
;
300 if (pos
>= GDT_ENTRY_TLS_ENTRIES
* sizeof(struct user_desc
) ||
301 (pos
% sizeof(struct user_desc
)) != 0 ||
302 (count
% sizeof(struct user_desc
)) != 0)
307 else if (__copy_from_user(infobuf
, ubuf
, count
))
312 for (i
= 0; i
< count
/ sizeof(struct user_desc
); i
++)
313 if (!tls_desc_okay(info
+ i
))
317 GDT_ENTRY_TLS_MIN
+ (pos
/ sizeof(struct user_desc
)),
318 info
, count
/ sizeof(struct user_desc
));