1da177e4 LT |
1 | #include <linux/kernel.h> |
2 | #include <linux/errno.h> | |
3 | #include <linux/sched.h> | |
4 | #include <linux/user.h> | |
4c79a2d8 | 5 | #include <linux/regset.h> |
2cf09666 | 6 | #include <linux/syscalls.h> |
1da177e4 LT |
7 | |
8 | #include <asm/uaccess.h> | |
9 | #include <asm/desc.h> | |
1da177e4 LT |
10 | #include <asm/ldt.h> |
11 | #include <asm/processor.h> | |
12 | #include <asm/proto.h> | |
13 | ||
4c79a2d8 RM |
14 | #include "tls.h" |
15 | ||
/*
 * get_free_idx: find an unused TLS slot in the current thread.
 *
 * Scans current->thread.tls_array and returns the GDT index
 * (GDT_ENTRY_TLS_MIN + slot) of the first slot for which desc_empty()
 * is true, or -ESRCH when all GDT_ENTRY_TLS_ENTRIES slots are in use.
 */
static int get_free_idx(void)
{
	struct thread_struct *thread = &current->thread;
	int slot = 0;

	while (slot < GDT_ENTRY_TLS_ENTRIES) {
		if (desc_empty(&thread->tls_array[slot]))
			return slot + GDT_ENTRY_TLS_MIN;
		slot++;
	}

	return -ESRCH;
}
29 | ||
/*
 * tls_desc_okay: decide whether a user-supplied descriptor may be
 * installed in the TLS array.
 *
 * Returns true for "no segment" requests and for present, 32-bit data
 * segments; returns false for every other descriptor.
 */
static bool tls_desc_okay(const struct user_desc *info)
{
	/*
	 * For historical reasons (i.e. no one ever documented how any
	 * of the segmentation APIs work), user programs can and do
	 * assume that a struct user_desc that is all zeros except for
	 * entry_number means "no segment at all".  This never actually
	 * worked: up to Linux 3.19, such a user_desc created a 16-bit
	 * read-write segment with base and limit both equal to zero.
	 *
	 * That was close enough to "no segment at all" until this
	 * function was hardened to disallow 16-bit TLS segments.  The
	 * zeroed form is therefore interpreted the way it was almost
	 * certainly intended.
	 *
	 * The correct way to ask for "no segment at all" is a user_desc
	 * that satisfies LDT_empty.  Both forms are accepted so that
	 * existing programs keep working.
	 *
	 * modify_ldt has a similar kludge -- see the distinction
	 * between modes 1 and 0x11.
	 */
	const bool clear_request = LDT_empty(info) || LDT_zero(info);

	if (clear_request)
		return true;

	/*
	 * 16-bit data segments need espfix, and espfix only works for
	 * LDT segments, so they are refused here.
	 */
	if (!info->seg_32bit)
		return false;

	/* The TLS array may hold data segments only. */
	if (info->contents > 1)
		return false;

	/*
	 * Non-present segments with DPL 3 present an interesting attack
	 * surface.  The kernel should handle such segments correctly,
	 * but TLS is very difficult to protect in a sandbox, so such
	 * segments are never created.  Userspace that wants to remove
	 * a TLS entry can still delete it outright.
	 */
	return !info->seg_not_present;
}
81 | ||
/*
 * set_tls_desc: write @n consecutive TLS descriptors into task @p.
 *
 * @idx is the GDT index of the first slot; it is turned into a
 * tls_array offset by subtracting GDT_ENTRY_TLS_MIN.  Neither @idx nor
 * @n is range-checked in this function, so every caller has to
 * validate both before calling.  An entry that satisfies LDT_empty()
 * or LDT_zero() clears its slot; any other entry is encoded with
 * fill_ldt().
 */
static void set_tls_desc(struct task_struct *p, int idx,
			 const struct user_desc *info, int n)
{
	struct thread_struct *thread = &p->thread;
	struct desc_struct *slot = &thread->tls_array[idx - GDT_ENTRY_TLS_MIN];
	int cpu;

	/* We must not be preempted while the TLS array is modified. */
	cpu = get_cpu();

	for (; n > 0; n--, info++, slot++) {
		if (LDT_empty(info) || LDT_zero(info)) {
			slot->b = 0;
			slot->a = 0;
		} else {
			fill_ldt(slot, info);
		}
	}

	/* Reload the TLS only when the modified task is the running one. */
	if (thread == &current->thread)
		load_TLS(thread, cpu);

	put_cpu();
}
108 | ||
/*
 * do_set_thread_area: install one TLS descriptor supplied by userspace.
 *
 * @p:            task whose TLS array is modified
 * @idx:          GDT index to write, or -1 to use u_info->entry_number
 * @u_info:       user pointer to the requested descriptor
 * @can_allocate: non-zero lets an entry_number of -1 pick a free slot
 *
 * Returns 0 on success, -EFAULT if @u_info cannot be read or written,
 * -EINVAL if the descriptor fails tls_desc_okay() or the index is
 * outside GDT_ENTRY_TLS_MIN..GDT_ENTRY_TLS_MAX, or the negative value
 * returned by get_free_idx().
 */
int do_set_thread_area(struct task_struct *p, int idx,
		       struct user_desc __user *u_info,
		       int can_allocate)
{
	struct user_desc info;
	int slot = idx;

	if (copy_from_user(&info, u_info, sizeof(info)))
		return -EFAULT;

	/* Descriptor contents are vetted before anything is installed. */
	if (!tls_desc_okay(&info))
		return -EINVAL;

	if (slot == -1)
		slot = info.entry_number;

	/*
	 * An index that is still -1 means the kernel should try to find
	 * and allocate an empty descriptor.  The chosen index is written
	 * back to userspace before the descriptor is installed.
	 *
	 * NOTE(review): get_free_idx() scans current, not @p.  The one
	 * caller visible in this file that passes can_allocate also
	 * passes current; confirm for callers elsewhere.
	 */
	if (slot == -1 && can_allocate) {
		slot = get_free_idx();
		if (slot < 0)
			return slot;
		if (put_user(slot, &u_info->entry_number))
			return -EFAULT;
	}

	/*
	 * slot may come straight from userspace, and this range check is
	 * the only guard before set_tls_desc() uses it as an array index.
	 */
	if (slot < GDT_ENTRY_TLS_MIN || slot > GDT_ENTRY_TLS_MAX)
		return -EINVAL;

	set_tls_desc(p, slot, &info, 1);

	return 0;
}
146 | ||
/*
 * set_thread_area syscall: operates on the calling task, takes the
 * index from u_info->entry_number (idx == -1) and allows a free slot
 * to be allocated.
 */
SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info)
{
	const int idx_from_user = -1;
	const int may_allocate = 1;

	return do_set_thread_area(current, idx_from_user, u_info, may_allocate);
}
1da177e4 LT |
151 | |
152 | ||
153 | /* | |
154 | * Get the current Thread-Local Storage area: | |
155 | */ | |
156 | ||
/*
 * fill_user_desc: decode a hardware descriptor into a struct user_desc.
 *
 * @info: output; fully overwritten
 * @idx:  value stored in info->entry_number
 * @desc: descriptor to decode
 *
 * The structure is zeroed before any field is set, so bytes that are
 * not assigned below are zero.  The callers in this file copy @info
 * to userspace from a stack variable, which makes that zeroing the
 * guard against leaking stale stack contents.
 */
static void fill_user_desc(struct user_desc *info, int idx,
			   const struct desc_struct *desc)
{
	memset(info, 0, sizeof(*info));

	info->entry_number = idx;
	info->base_addr = get_desc_base(desc);
	info->limit = get_desc_limit(desc);

	/* Single-bit descriptor flags. */
	info->seg_32bit = desc->d;
	info->limit_in_pages = desc->g;
	info->useable = desc->avl;
	info->seg_not_present = !desc->p;

	/* Both of these are derived from the descriptor type field. */
	info->contents = desc->type >> 2;
	info->read_exec_only = (desc->type & 2) == 0;

#ifdef CONFIG_X86_64
	info->lm = desc->l;
#endif
}
efd1ca52 RM |
175 | |
/*
 * do_get_thread_area: copy one TLS descriptor of task @p to userspace.
 *
 * @p:      task whose TLS array is read
 * @idx:    GDT index to read, or -1 to take it from u_info->entry_number
 * @u_info: user buffer that receives the decoded descriptor
 *
 * Returns 0 on success, -EFAULT if @u_info cannot be read or written,
 * or -EINVAL if the index is outside GDT_ENTRY_TLS_MIN..GDT_ENTRY_TLS_MAX.
 */
int do_get_thread_area(struct task_struct *p, int idx,
		       struct user_desc __user *u_info)
{
	struct user_desc info;
	const struct desc_struct *desc;

	if (idx == -1) {
		if (get_user(idx, &u_info->entry_number))
			return -EFAULT;
	}

	/*
	 * idx can come straight from userspace and is used as an array
	 * index right after this check.
	 *
	 * NOTE(review): if this tree provides array_index_nospec()
	 * (<linux/nospec.h>), clamping the index with it after the check
	 * would also cover a speculative out-of-bounds read; whether it
	 * is available here is not visible.
	 */
	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
		return -EINVAL;

	desc = &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN];
	fill_user_desc(&info, idx, desc);

	return copy_to_user(u_info, &info, sizeof(info)) ? -EFAULT : 0;
}
194 | ||
/*
 * get_thread_area syscall: reads from the calling task and takes the
 * index from u_info->entry_number (idx == -1).
 */
SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info)
{
	const int idx_from_user = -1;

	return do_get_thread_area(current, idx_from_user, u_info);
}
4c79a2d8 RM |
199 | |
/*
 * regset_tls_active: number of TLS slots up to and including the last
 * non-empty one in @target's tls_array.
 *
 * Returns 0 when every slot satisfies desc_empty().  @regset is not
 * used.
 */
int regset_tls_active(struct task_struct *target,
		      const struct user_regset *regset)
{
	struct thread_struct *thread = &target->thread;
	int used;

	/* Walk backwards until a slot that is in use is found. */
	for (used = GDT_ENTRY_TLS_ENTRIES; used > 0; used--) {
		if (!desc_empty(&thread->tls_array[used - 1]))
			break;
	}

	return used;
}
209 | ||
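/*
 * regset_tls_get: export TLS descriptors of @target as struct user_desc.
 *
 * @target: task whose tls_array is read
 * @regset: not used
 * @pos:    byte offset into the regset; must be a multiple of
 *          sizeof(struct user_desc)
 * @count:  number of bytes requested; must be a multiple of
 *          sizeof(struct user_desc)
 * @kbuf:   kernel destination, used when non-NULL
 * @ubuf:   user destination, used when @kbuf is NULL
 *
 * Returns 0 on success, -EINVAL for a misaligned or out-of-range
 * request, or -EFAULT if the copy to @ubuf fails.
 */
int regset_tls_get(struct task_struct *target, const struct user_regset *regset,
		   unsigned int pos, unsigned int count,
		   void *kbuf, void __user *ubuf)
{
	const size_t total = GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc);
	const struct desc_struct *tls;

	if (pos >= total ||
	    (pos % sizeof(struct user_desc)) != 0 ||
	    (count % sizeof(struct user_desc)) != 0)
		return -EINVAL;

	/*
	 * Refuse a range that runs past the last TLS slot.  Callers are
	 * presumably expected to clamp @count already (not visible from
	 * this file); checking here keeps the loops below from reading
	 * beyond tls_array regardless.  pos < total, so the subtraction
	 * cannot wrap.
	 */
	if (count > total - pos)
		return -EINVAL;

	pos /= sizeof(struct user_desc);
	count /= sizeof(struct user_desc);

	tls = &target->thread.tls_array[pos];

	if (kbuf) {
		struct user_desc *info = kbuf;

		while (count-- > 0)
			fill_user_desc(info++, GDT_ENTRY_TLS_MIN + pos++,
				       tls++);
	} else {
		struct user_desc __user *u_info = ubuf;

		while (count-- > 0) {
			struct user_desc info;

			fill_user_desc(&info, GDT_ENTRY_TLS_MIN + pos++, tls++);
			/*
			 * __copy_to_user() does no access_ok() check of
			 * its own; presumably the caller has validated
			 * @ubuf -- confirm against the regset core.
			 */
			if (__copy_to_user(u_info++, &info, sizeof(info)))
				return -EFAULT;
		}
	}

	return 0;
}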
243 | ||
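/*
 * regset_tls_set: install TLS descriptors supplied as struct user_desc.
 *
 * @target: task whose tls_array is written
 * @regset: not used
 * @pos:    byte offset into the regset; must be a multiple of
 *          sizeof(struct user_desc)
 * @count:  number of bytes supplied; must be a multiple of
 *          sizeof(struct user_desc)
 * @kbuf:   kernel source, used when non-NULL
 * @ubuf:   user source, used when @kbuf is NULL
 *
 * Every descriptor is checked with tls_desc_okay() before any of them
 * is installed, so a rejected request leaves the TLS array unchanged.
 *
 * Returns 0 on success, -EINVAL for a misaligned or out-of-range
 * request or a descriptor that fails tls_desc_okay(), or -EFAULT if
 * the copy from @ubuf fails.
 */
int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
		   unsigned int pos, unsigned int count,
		   const void *kbuf, const void __user *ubuf)
{
	struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
	const struct user_desc *info;
	unsigned int nr;
	unsigned int i;

	if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
	    (pos % sizeof(struct user_desc)) != 0 ||
	    (count % sizeof(struct user_desc)) != 0)
		return -EINVAL;

	/*
	 * Refuse a range that runs past the last TLS slot.  Without this,
	 * an oversized @count would overflow infobuf in the copy below
	 * and make set_tls_desc() write beyond tls_array.  Callers are
	 * presumably expected to clamp @count already (not visible from
	 * this file); the check makes the function safe on its own.
	 * pos < sizeof(infobuf) here, so the subtraction cannot wrap.
	 */
	if (count > sizeof(infobuf) - pos)
		return -EINVAL;

	if (kbuf) {
		info = kbuf;
	} else {
		/*
		 * __copy_from_user() does no access_ok() check of its
		 * own; presumably the caller has validated @ubuf --
		 * confirm against the regset core.
		 */
		if (__copy_from_user(infobuf, ubuf, count))
			return -EFAULT;
		info = infobuf;
	}

	nr = count / sizeof(struct user_desc);

	/* Validate the whole batch first; nothing is installed on failure. */
	for (i = 0; i < nr; i++)
		if (!tls_desc_okay(info + i))
			return -EINVAL;

	set_tls_desc(target,
		     GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
		     info, nr);

	return 0;
}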