Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | #include <linux/kernel.h> |
2 | #include <linux/errno.h> | |
3 | #include <linux/sched.h> | |
4 | #include <linux/user.h> | |
4c79a2d8 | 5 | #include <linux/regset.h> |
2cf09666 | 6 | #include <linux/syscalls.h> |
1da177e4 LT |
7 | |
8 | #include <asm/uaccess.h> | |
9 | #include <asm/desc.h> | |
1da177e4 LT |
10 | #include <asm/ldt.h> |
11 | #include <asm/processor.h> | |
12 | #include <asm/proto.h> | |
13 | ||
4c79a2d8 RM |
14 | #include "tls.h" |
15 | ||
/*
 * Find a TLS descriptor slot that the current task is not using yet.
 *
 * Scans current->thread.tls_array in ascending order and returns the GDT
 * index (GDT_ENTRY_TLS_MIN + slot) of the first entry for which
 * desc_empty() holds.  Returns -ESRCH when all GDT_ENTRY_TLS_ENTRIES slots
 * are occupied.
 *
 * Note that the search always looks at 'current', never at another task.
 */
static int get_free_idx(void)
{
	struct thread_struct *thread = &current->thread;
	int slot = 0;

	while (slot < GDT_ENTRY_TLS_ENTRIES) {
		if (desc_empty(&thread->tls_array[slot]))
			return GDT_ENTRY_TLS_MIN + slot;
		slot++;
	}

	return -ESRCH;
}
29 | ||
/*
 * Decide whether a user-supplied descriptor may be installed in the TLS
 * array.  Returns true if it is acceptable, false if it must be rejected.
 *
 * Every path that writes user-controlled descriptors into tls_array is
 * expected to call this first; in this file that is do_set_thread_area()
 * and regset_tls_set().
 */
static bool tls_desc_okay(const struct user_desc *info)
{
	/* An empty descriptor just clears the slot, so it is always fine. */
	if (LDT_empty(info))
		return true;

	/*
	 * Reject, in this order:
	 *
	 *  - 16-bit segments: espfix is required for 16-bit data segments,
	 *    but espfix only works for LDT segments.
	 *
	 *  - anything that is not a data segment (contents > 1): only data
	 *    segments are allowed in the TLS array.
	 *
	 *  - non-present segments: with DPL 3 they present an interesting
	 *    attack surface.  The kernel should handle such segments
	 *    correctly, but TLS is very difficult to protect in a sandbox,
	 *    so prevent them from being created.  Userspace that wants to
	 *    remove a TLS entry can still delete it outright.
	 */
	if (!info->seg_32bit || info->contents > 1 || info->seg_not_present)
		return false;

#ifdef CONFIG_X86_64
	/* The L bit makes no sense for data. */
	if (info->lm)
		return false;
#endif

	return true;
}
66 | ||
/*
 * Install n consecutive TLS descriptors for task p.
 *
 * @p:    task whose thread.tls_array is updated
 * @idx:  GDT index of the first slot to write (GDT_ENTRY_TLS_MIN based)
 * @info: array of n user descriptors to convert
 * @n:    number of descriptors
 *
 * An entry for which LDT_empty() holds zeroes the slot; any other entry is
 * converted with fill_ldt().  Nothing is validated here: idx, n and the
 * descriptor contents are used as given, so callers must have range-checked
 * the index and vetted each descriptor before calling.
 */
static void set_tls_desc(struct task_struct *p, int idx,
			 const struct user_desc *info, int n)
{
	struct thread_struct *t = &p->thread;
	struct desc_struct *slot = &t->tls_array[idx - GDT_ENTRY_TLS_MIN];
	int cpu;

	/* We must not get preempted while modifying the TLS. */
	cpu = get_cpu();

	for (; n > 0; n--, info++, slot++) {
		if (!LDT_empty(info)) {
			fill_ldt(slot, info);
			continue;
		}
		slot->b = 0;
		slot->a = 0;
	}

	/* Only reload the TLS when the task being changed is the one running. */
	if (t == &current->thread)
		load_TLS(t, cpu);

	put_cpu();
}
93 | ||
/*
 * Set a given TLS descriptor of task p from a userspace struct user_desc.
 *
 * @p:            task to modify
 * @idx:          GDT index to write, or -1 to take it from
 *                u_info->entry_number
 * @u_info:       userspace descriptor
 * @can_allocate: non-zero if an entry_number of -1 may be resolved to a
 *                free slot
 *
 * Returns 0 on success, -EFAULT if userspace memory cannot be accessed,
 * -EINVAL if the descriptor is rejected by tls_desc_okay() or the index is
 * outside [GDT_ENTRY_TLS_MIN, GDT_ENTRY_TLS_MAX], or the error returned by
 * get_free_idx() when no slot is free.
 *
 * NOTE(review): get_free_idx() searches current's slots, not p's, so
 * callers acting on another task presumably pass can_allocate == 0;
 * confirm against the callers.
 */
int do_set_thread_area(struct task_struct *p, int idx,
		       struct user_desc __user *u_info,
		       int can_allocate)
{
	struct user_desc info;

	/* Work on a kernel copy so the checks and the install see one value. */
	if (copy_from_user(&info, u_info, sizeof(info)))
		return -EFAULT;

	/* Descriptor contents are vetted before any index handling. */
	if (!tls_desc_okay(&info))
		return -EINVAL;

	if (idx == -1)
		idx = info.entry_number;

	/*
	 * index -1 means the kernel should try to find and
	 * allocate an empty descriptor:
	 */
	if (can_allocate && idx == -1) {
		int free_idx = get_free_idx();

		if (free_idx < 0)
			return free_idx;
		idx = free_idx;

		/* Report the chosen slot back through entry_number. */
		if (put_user(idx, &u_info->entry_number))
			return -EFAULT;
	}

	/* Anything outside the TLS range, including a leftover -1, is refused. */
	if (!(idx >= GDT_ENTRY_TLS_MIN && idx <= GDT_ENTRY_TLS_MAX))
		return -EINVAL;

	set_tls_desc(p, idx, &info, 1);

	return 0;
}
131 | ||
/*
 * set_thread_area(2): install a TLS descriptor for the calling task.
 *
 * The slot comes from u_info->entry_number (idx == -1) and the kernel may
 * allocate a free one (can_allocate == 1).
 */
SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info)
{
	const int idx_from_user = -1;
	const int can_allocate = 1;

	return do_set_thread_area(current, idx_from_user, u_info, can_allocate);
}
1da177e4 LT |
136 | |
137 | ||
138 | /* | |
139 | * Get the current Thread-Local Storage area: | |
140 | */ | |
141 | ||
/*
 * Translate the hardware descriptor 'desc' into the userspace view 'info',
 * recording 'idx' as its entry number.
 *
 * The structure is zeroed first, so every byte that is not explicitly
 * assigned below is 0.  Callers in this file copy the whole struct to
 * userspace, so this also keeps stale kernel stack contents out of any
 * bytes the assignments do not cover.
 */
static void fill_user_desc(struct user_desc *info, int idx,
			   const struct desc_struct *desc)
{
	memset(info, 0, sizeof(*info));

	info->entry_number = idx;

	/* Address range of the segment. */
	info->base_addr = get_desc_base(desc);
	info->limit = get_desc_limit(desc);
	info->limit_in_pages = desc->g;

	/* Type bits: the upper two select 'contents', bit 1 clear means read/exec only. */
	info->contents = desc->type >> 2;
	info->read_exec_only = !(desc->type & 2);

	/* Remaining flags map one to one; 'present' is inverted. */
	info->seg_32bit = desc->d;
	info->seg_not_present = !desc->p;
	info->useable = desc->avl;
#ifdef CONFIG_X86_64
	info->lm = desc->l;
#endif
}
efd1ca52 RM |
160 | |
/*
 * Copy one TLS descriptor of task p out to userspace.
 *
 * @p:      task to read from
 * @idx:    GDT index to read, or -1 to take it from u_info->entry_number
 * @u_info: userspace struct user_desc that receives the result
 *
 * Returns 0 on success, -EFAULT if userspace memory cannot be accessed and
 * -EINVAL if the index is outside [GDT_ENTRY_TLS_MIN, GDT_ENTRY_TLS_MAX].
 */
int do_get_thread_area(struct task_struct *p, int idx,
		       struct user_desc __user *u_info)
{
	struct user_desc info;

	if (idx == -1) {
		if (get_user(idx, &u_info->entry_number))
			return -EFAULT;
	}

	/* The index may be user-controlled: check it before indexing tls_array. */
	if (!(idx >= GDT_ENTRY_TLS_MIN && idx <= GDT_ENTRY_TLS_MAX))
		return -EINVAL;

	fill_user_desc(&info, idx,
		       &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]);

	return copy_to_user(u_info, &info, sizeof(info)) ? -EFAULT : 0;
}
179 | ||
/*
 * get_thread_area(2): read one TLS descriptor of the calling task.
 *
 * The slot to read is taken from u_info->entry_number (idx == -1).
 */
SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info)
{
	const int idx_from_user = -1;

	return do_get_thread_area(current, idx_from_user, u_info);
}
4c79a2d8 RM |
184 | |
/*
 * Report how many TLS slots of 'target' are in use, counted as the index of
 * the highest non-empty slot plus one (trailing empty slots are skipped,
 * empty slots below a used one are still counted).  Returns 0 when every
 * slot is empty.  'regset' is not used.
 */
int regset_tls_active(struct task_struct *target,
		      const struct user_regset *regset)
{
	struct thread_struct *t = &target->thread;
	int n;

	for (n = GDT_ENTRY_TLS_ENTRIES; n > 0; n--) {
		if (!desc_empty(&t->tls_array[n - 1]))
			break;
	}

	return n;
}
194 | ||
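/*
 * regset 'get' handler: export TLS descriptors of 'target' as an array of
 * struct user_desc.
 *
 * @pos:   byte offset into the regset; must be a multiple of
 *         sizeof(struct user_desc) and lie inside the TLS array
 * @count: number of bytes to produce; must be a multiple of
 *         sizeof(struct user_desc) and must not run past the TLS array
 * @kbuf:  kernel destination, or NULL to write to @ubuf
 * @ubuf:  userspace destination, used only when @kbuf is NULL
 *
 * Returns 0 on success, -EINVAL for a bad pos/count and -EFAULT if the
 * copy to userspace fails.
 */
int regset_tls_get(struct task_struct *target, const struct user_regset *regset,
		   unsigned int pos, unsigned int count,
		   void *kbuf, void __user *ubuf)
{
	const size_t total = GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc);
	const struct desc_struct *tls;

	if (pos >= total ||
	    (pos % sizeof(struct user_desc)) != 0 ||
	    (count % sizeof(struct user_desc)) != 0)
		return -EINVAL;

	/*
	 * Defence in depth: refuse a request that would read past the end
	 * of tls_array.  Callers are presumably expected to clamp count to
	 * the regset size already (confirm), but nothing else in this
	 * function bounds it, and an over-long read would copy adjacent
	 * thread_struct memory out.  pos < total was checked above, so the
	 * subtraction cannot wrap.
	 */
	if (count > total - pos)
		return -EINVAL;

	pos /= sizeof(struct user_desc);
	count /= sizeof(struct user_desc);

	tls = &target->thread.tls_array[pos];

	if (kbuf) {
		struct user_desc *info = kbuf;

		while (count-- > 0)
			fill_user_desc(info++, GDT_ENTRY_TLS_MIN + pos++,
				       tls++);
	} else {
		struct user_desc __user *u_info = ubuf;

		while (count-- > 0) {
			struct user_desc info;

			fill_user_desc(&info, GDT_ENTRY_TLS_MIN + pos++, tls++);
			/*
			 * __copy_to_user() does no access_ok() check of its
			 * own; the caller is assumed to have validated ubuf
			 * (confirm against the regset core).
			 */
			if (__copy_to_user(u_info++, &info, sizeof(info)))
				return -EFAULT;
		}
	}

	return 0;
}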
228 | ||
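/*
 * regset 'set' handler: install TLS descriptors for 'target' from an array
 * of struct user_desc.
 *
 * @pos:   byte offset into the regset; must be a multiple of
 *         sizeof(struct user_desc) and lie inside the TLS array
 * @count: number of bytes supplied; must be a multiple of
 *         sizeof(struct user_desc) and must not run past the TLS array
 * @kbuf:  kernel source, or NULL to read from @ubuf
 * @ubuf:  userspace source, used only when @kbuf is NULL
 *
 * Every descriptor is checked with tls_desc_okay() before any of them is
 * installed, so a rejected entry leaves the task's TLS untouched.
 *
 * Returns 0 on success, -EINVAL for a bad pos/count or a rejected
 * descriptor, and -EFAULT if the copy from userspace fails.
 */
int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
		   unsigned int pos, unsigned int count,
		   const void *kbuf, const void __user *ubuf)
{
	const size_t total = GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc);
	struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
	const struct user_desc *info;
	unsigned int nr;
	unsigned int i;

	if (pos >= total ||
	    (pos % sizeof(struct user_desc)) != 0 ||
	    (count % sizeof(struct user_desc)) != 0)
		return -EINVAL;

	/*
	 * Defence in depth: count sizes both the copy into the on-stack
	 * infobuf and the number of tls_array slots written by
	 * set_tls_desc(), and nothing else in this function bounds it.
	 * Callers are presumably expected to clamp it to the regset size
	 * (confirm); refuse anything that would run past the last TLS slot
	 * rather than rely on that.  pos < total was checked above, so the
	 * subtraction cannot wrap.
	 */
	if (count > total - pos)
		return -EINVAL;

	nr = count / sizeof(struct user_desc);

	/*
	 * __copy_from_user() does no access_ok() check of its own; the
	 * caller is assumed to have validated ubuf (confirm against the
	 * regset core).
	 */
	if (kbuf)
		info = kbuf;
	else if (__copy_from_user(infobuf, ubuf, count))
		return -EFAULT;
	else
		info = infobuf;

	/* Vet every descriptor first so a bad one aborts before any write. */
	for (i = 0; i < nr; i++)
		if (!tls_desc_okay(info + i))
			return -EINVAL;

	set_tls_desc(target,
		     GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
		     info, nr);

	return 0;
}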