From: Greg Kroah-Hartman Date: Mon, 5 Jan 2015 20:53:56 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.64~21 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8d90a1ebd1a152d8f4e9db10ade027e19f222cbc;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: x86-tls-don-t-validate-lm-in-set_thread_area-after-all.patch --- diff --git a/queue-3.14/series b/queue-3.14/series index 35e08d4d4eb..e906d780abf 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -21,3 +21,4 @@ dm-thin-fix-missing-out-of-data-space-to-write-mode-transition-if-blocks-are-rel arm64-add-compat_hwcap_lpae.patch arm-tegra-re-add-removed-soc-id-macro-to-tegra_resume.patch arm-mvebu-fix-ordering-in-armada-370-.dtsi.patch +x86-tls-don-t-validate-lm-in-set_thread_area-after-all.patch diff --git a/queue-3.14/x86-tls-don-t-validate-lm-in-set_thread_area-after-all.patch b/queue-3.14/x86-tls-don-t-validate-lm-in-set_thread_area-after-all.patch new file mode 100644 index 00000000000..a2da15e6168 --- /dev/null +++ b/queue-3.14/x86-tls-don-t-validate-lm-in-set_thread_area-after-all.patch @@ -0,0 +1,74 @@ +From 3fb2f4237bb452eb4e98f6a5dbd5a445b4fed9d0 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Wed, 17 Dec 2014 14:48:30 -0800 +Subject: x86/tls: Don't validate lm in set_thread_area() after all + +From: Andy Lutomirski + +commit 3fb2f4237bb452eb4e98f6a5dbd5a445b4fed9d0 upstream. + +It turns out that there's a lurking ABI issue. GCC, when +compiling this in a 32-bit program: + +struct user_desc desc = { + .entry_number = idx, + .base_addr = base, + .limit = 0xfffff, + .seg_32bit = 1, + .contents = 0, /* Data, grow-up */ + .read_exec_only = 0, + .limit_in_pages = 1, + .seg_not_present = 0, + .useable = 0, +}; + +will leave .lm uninitialized. This means that anything in the +kernel that reads user_desc.lm for 32-bit tasks is unreliable. + +Revert the .lm check in set_thread_area(). The value never did +anything in the first place. + +Fixes: 0e58af4e1d21 ("x86/tls: Disallow unusual TLS segments") +Signed-off-by: Andy Lutomirski +Acked-by: Thomas Gleixner +Cc: Linus Torvalds +Link: http://lkml.kernel.org/r/d7875b60e28c512f6a6fc0baf5714d58e7eaadbb.1418856405.git.luto@amacapital.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/uapi/asm/ldt.h | 7 +++++++ + arch/x86/kernel/tls.c | 6 ------ + 2 files changed, 7 insertions(+), 6 deletions(-) + +--- a/arch/x86/include/uapi/asm/ldt.h ++++ b/arch/x86/include/uapi/asm/ldt.h +@@ -28,6 +28,13 @@ struct user_desc { + unsigned int seg_not_present:1; + unsigned int useable:1; + #ifdef __x86_64__ ++ /* ++ * Because this bit is not present in 32-bit user code, user ++ * programs can pass uninitialized values here. Therefore, in ++ * any context in which a user_desc comes from a 32-bit program, ++ * the kernel must act as though lm == 0, regardless of the ++ * actual value. ++ */ + unsigned int lm:1; + #endif + }; +--- a/arch/x86/kernel/tls.c ++++ b/arch/x86/kernel/tls.c +@@ -55,12 +55,6 @@ static bool tls_desc_okay(const struct u + if (info->seg_not_present) + return false; + +-#ifdef CONFIG_X86_64 +- /* The L bit makes no sense for data. */ +- if (info->lm) +- return false; +-#endif +- + return true; + } +