2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-31 16:43:51 +08:00
linux-next/arch
Andy Lutomirski 3669ef9fa7 x86, tls: Interpret an all-zero struct user_desc as "no segment"
The Witcher 2 did something like this to allocate a TLS segment index:

        struct user_desc u_info;
        bzero(&u_info, sizeof(u_info));
        u_info.entry_number = (uint32_t)-1;

        syscall(SYS_set_thread_area, &u_info);

Strictly speaking, this code was never correct.  It should have set
read_exec_only and seg_not_present to 1 to indicate that it wanted
to find a free slot without putting anything there, or it should
have put something sensible in the TLS slot if it wanted to allocate
a TLS entry for real.  The actual effect of this code was to
allocate a bogus segment that could be used to exploit espfix.

The set_thread_area hardening patches changed the behavior, causing
set_thread_area to return -EINVAL and crashing the game.

This changes set_thread_area to interpret this as a request to find
a free slot and to leave it empty, which isn't *quite* what the game
expects but should be close enough to keep it working.  In
particular, using the code above to allocate two segments will
allocate the same segment both times.

According to FrostbittenKing on Github, this fixes The Witcher 2.

If this somehow still causes problems, we could instead allocate
a limit==0 32-bit data segment, but that seems rather ugly to me.

Fixes: 41bdc78544 x86/tls: Validate TLS entries to protect espfix
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Cc: stable@vger.kernel.org
Cc: torvalds@linux-foundation.org
Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.net
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2015-01-22 21:45:07 +01:00
..
alpha arch: Cleanup read_barrier_depends() and comments 2014-12-11 21:15:05 -05:00
arc Minor updates for ARC for 3.19 2014-12-18 16:26:41 -08:00
arm ARM: SoC fixes 2015-01-18 18:00:40 +12:00
arm64 arm64 fixes: 2015-01-17 08:01:21 +13:00
avr32 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-12-11 14:27:06 -08:00
blackfin arch/blackfin/mach-bf533/boards/stamp.c: add linux/delay.h 2015-01-08 15:10:52 -08:00
c6x net, lib: kill arch_fast_hash library bits 2014-12-10 15:17:46 -05:00
cris CRISv32: Remove last remnants of ETRAX_SPI_MMC_BOARD 2014-12-20 00:06:13 +01:00
frv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-12-11 14:27:06 -08:00
hexagon Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rkuo/linux-hexagon-kernel 2014-12-19 17:57:51 -08:00
ia64 Merge branches 'acpi-pm', 'acpi-processor' and 'acpi-video' 2015-01-06 23:35:43 +01:00
m32r Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-12-11 14:27:06 -08:00
m68k m68k: Wire up execveat 2015-01-11 11:14:14 +01:00
metag arch: Add lightweight memory barriers dma_rmb() and dma_wmb() 2014-12-11 21:15:06 -05:00
microblaze Microblaze patches for 3.19-rc1 2014-12-17 09:54:05 -08:00
mips kernel: Provide READ_ONCE and ASSIGN_ONCE 2014-12-20 16:48:59 -08:00
mn10300 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-12-11 14:27:06 -08:00
nios2 nios2: Use preempt_schedule_irq 2014-12-31 11:04:58 +08:00
openrisc net, lib: kill arch_fast_hash library bits 2014-12-10 15:17:46 -05:00
parisc Merge branch 'parisc-3.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux 2014-12-26 13:41:05 -08:00
powerpc powerpc: Work around gcc bug in current_thread_info() 2015-01-12 16:40:02 +11:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2015-01-15 10:50:29 +13:00
score net, lib: kill arch_fast_hash library bits 2014-12-10 15:17:46 -05:00
sh PM: Eliminate CONFIG_PM_RUNTIME 2014-12-19 22:55:06 +01:00
sparc sparc32: destroy_context() and switch_mm() needs to disable interrupts. 2014-12-18 12:47:54 -05:00
tile Merge git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile 2014-12-16 13:54:16 -08:00
um um: Skip futex_atomic_cmpxchg_inatomic() test 2015-01-04 14:20:26 +01:00
unicore32 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-12-11 14:27:06 -08:00
x86 x86, tls: Interpret an all-zero struct user_desc as "no segment" 2015-01-22 21:45:07 +01:00
xtensa Xtensa fixes for 3.19: 2014-12-16 14:08:53 -08:00
.gitignore
Kconfig