[Acked] [Lucid][CVE-2014-8133] x86/tls: Validate TLS entries to protect espfix

Andy Whitcroft apw at canonical.com
Wed Jan 7 18:20:41 UTC 2015 

On Tue, Jan 06, 2015 at 07:24:10PM +0000, Luis Henriques wrote:
> From: Andy Lutomirski <luto at amacapital.net>
> 
> Installing a 16-bit RW data segment into the GDT defeats espfix.
> AFAICT this will not affect glibc, Wine, or dosemu at all.
> 
> Signed-off-by: Andy Lutomirski <luto at amacapital.net>
> Acked-by: H. Peter Anvin <hpa at zytor.com>
> Cc: stable at vger.kernel.org
> Cc: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
> Cc: Linus Torvalds <torvalds at linux-foundation.org>
> Cc: security at kernel.org <security at kernel.org>
> Cc: Willy Tarreau <w at 1wt.eu>
> Signed-off-by: Ingo Molnar <mingo at kernel.org>
> (cherry picked from commit 41bdc78544b8a93a9c6814b8bbbfef966272abbe)
> CVE-2014-8133
> BugLink: http://bugs.launchpad.net/bugs/1403852
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++
>  1 file changed, 23 insertions(+)
> 
> diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
> index bcfec2d23769..7af73380ae4b 100644
> --- a/arch/x86/kernel/tls.c
> +++ b/arch/x86/kernel/tls.c
> @@ -28,6 +28,21 @@ static int get_free_idx(void)
>  	return -ESRCH;
>  }
>  
> +static bool tls_desc_okay(const struct user_desc *info)
> +{
> +	if (LDT_empty(info))
> +		return true;
> +
> +	/*
> +	 * espfix is required for 16-bit data segments, but espfix
> +	 * only works for LDT segments.
> +	 */
> +	if (!info->seg_32bit)
> +		return false;
> +
> +	return true;
> +}
> +
>  static void set_tls_desc(struct task_struct *p, int idx,
>  			 const struct user_desc *info, int n)
>  {
> @@ -67,6 +82,9 @@ int do_set_thread_area(struct task_struct *p, int idx,
>  	if (copy_from_user(&info, u_info, sizeof(info)))
>  		return -EFAULT;
>  
> +	if (!tls_desc_okay(&info))
> +		return -EINVAL;
> +
>  	if (idx == -1)
>  		idx = info.entry_number;
>  
> @@ -197,6 +215,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
>  {
>  	struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
>  	const struct user_desc *info;
> +	int i;
>  
>  	if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
>  	    (pos % sizeof(struct user_desc)) != 0 ||
> @@ -210,6 +229,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
>  	else
>  		info = infobuf;
>  
> +	for (i = 0; i < count / sizeof(struct user_desc); i++)
> +		if (!tls_desc_okay(info + i))
> +			return -EINVAL;
> +
>  	set_tls_desc(target,
>  		     GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
>  		     info, count / sizeof(struct user_desc));

Looks ok to me:

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw

More information about the kernel-team mailing list