[SRU][Bionic][PULL] Fix for CVE-2017-5754 (i386)
Juerg Haefliger
juerg.haefliger at canonical.com
Mon Mar 11 10:39:22 UTC 2019
This pull request contains fix(es) for the following CVE(s):
CVE-2017-5754 (i386)
This is a pull request to add support for page table isolation for i386.
The following patches are the original patchset that introduced PTI for i386:
* x86/pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32
* x86/ldt: Enable LDT user-mapping for PAE
* x86/ldt: Split out sanity check in map_ldt_struct()
* x86/ldt: Define LDT_END_ADDR
* x86/ldt: Reserve address-space range on 32 bit for the LDT
* x86/pgtable/pae: Use separate kernel PMDs for user page-table
* x86/mm/dump_pagetables: Define INIT_PGD
* x86/mm/pti: Clone entry-text again in pti_finalize()
* x86/mm/pti: Introduce pti_finalize()
* x86/mm/pti: Keep permissions when cloning kernel text in pti_clone_kernel_text()
* x86/mm/pti: Make pti_clone_kernel_text() compile on 32 bit
* x86/mm/pti: Clone CPU_ENTRY_AREA on PMD level on x86_32
* x86/mm/pti: Define X86_CR3_PTI_PCID_USER_BIT on x86_32
* x86/mm/pti: Add an overflow check to pti_clone_pmds()
* x86/mm/legacy: Populate the user page-table with user pgd's
* x86/mm/pae: Populate the user page-table with user pgd's
* x86/mm/pae: Populate valid user PGD entries
* x86/pgtable: Move two more functions from pgtable_64.h to pgtable.h
* x86/pgtable: Move pti_set_user_pgtbl() to pgtable.h
* x86/pgtable: Move pgdp kernel/user conversion functions to pgtable.h
* x86/pgtable/32: Allocate 8k page-tables when PTI is enabled
* x86/pgtable/pae: Unshare kernel PMDs when PTI is enabled
* x86/pgtable: Rename pti_set_user_pgd() to pti_set_user_pgtbl()
* x86/entry: Rename update_sp0 to update_task_stack
* x86/entry/32: Add PTI CR3 switches to NMI handler code
* x86/entry/32: Add PTI cr3 switch to non-NMI entry/exit points
* x86/entry/32: Simplify debug entry point
* x86/entry/32: Handle Entry from Kernel-Mode on Entry-Stack
* x86/entry/32: Introduce SAVE_ALL_NMI and RESTORE_ALL_NMI
* x86/entry/32: Leave the kernel via trampoline stack
* x86/entry/32: Enter the kernel via trampoline stack
* x86/entry/32: Split off return-to-kernel path
* x86/entry/32: Unshare NMI return path
* x86/entry/32: Put ESPFIX code into a macro
* x86/entry/32: Load task stack from x86_tss.sp1 in SYSENTER handler
* x86/entry/32: Rename TSS_sysenter_sp0 to TSS_entry2task_stack
* x86/asm-offsets: Move TSS_sp0 and TSS_sp1 to asm-offsets.c
The following are prerequisites for the above:
* x86/entry/32: Add explicit 'l' instruction suffix
* x86/pti: Leave kernel text global for !PCID
* x86/pti: Never implicitly clear _PAGE_GLOBAL for kernel image
* x86/pti: Enable global pages for shared areas
The following are follow-up enhancements and cleanups of 32-bit PTI:
* x86/mm/doc: Enhance the x86-64 virtual memory layout descriptions
* x86/mm/doc: Clean up the x86-64 virtual memory layout descriptions
* x86/mm/pti: Move user W+X check into pti_finalize()
* x86/mm/pti: Clone kernel-image on PTE level for 32 bit
* x86/mm/pti: Don't clear permissions in pti_clone_pmd()
* x86/mm/init: Add helper for freeing kernel image pages
* x86/mm/init: Pass unconverted symbol addresses to free_init_pages()
* mm: Allow non-direct-map arguments to free_reserved_area()
* x86/kexec: Allocate 8k PGDs for PTI
* x86/mm: Remove in_nmi() warning from vmalloc_fault()
* x86/entry/32: Check for VM86 mode in slow-path check
* x86/pti: Check the return value of pti_user_pagetable_walk_pmd()
* x86/pti: Check the return value of pti_user_pagetable_walk_p4d()
* x86/entry/32: Add debug code to check entry/exit CR3
* x86/mm/pti: Add Warning when booting on a PCID capable CPU
Lastly, the following are follow-up fixes for some of the above:
* x86/dump_pagetables: Fix LDT remap address marker
* x86/mm: Fix guard hole handling
* x86/ldt: Remove unused variable in map_ldt_struct()
* x86/ldt: Unmap PTEs for the slot before freeing LDT pages
* x86/mm: Move LDT remap out of KASLR region on 5-level paging
* x86/entry/32: Clear the CS high bits
* x86/efi: Load fixmap GDT in efi_call_phys_epilog() before setting %cr3
* x86/efi: Load fixmap GDT in efi_call_phys_epilog()
* x86/relocs: Add __end_rodata_aligned to S_REL
* x86/mm/pti: Fix 32 bit PCID check
* x86/mm/init: Remove freed kernel image areas from alias mapping
* x86/mm/pti: Clear Global bit more aggressively
* perf/core: Make sure the ring-buffer is mapped in all page-tables
* x86/pti: Disallow global kernel text with RANDSTRUCT
* x86/pti: Reduce amount of kernel text allowed to be Global
* x86/pti: Fix boot warning from Global-bit setting
* x86/pti: Fix boot problems from Global-bit setting
* x86/mm: Fix documentation of module mapping range with 4-level paging
Compile-tested all architectures. Ran the PTI test (x86 selftests in
combination with perf NMI tests) for 24 hours, no issues found. Ran the
release regression tests, no issues found.
Signed-off-by: Juerg Haefliger <juergh at canonical.com>
---
The following changes since commit 76db66f794c4389354ddb35f1f551e54eb67d9ab:
tun: implement carrier change (2019-03-08 09:23:12 +0100)
are available in the Git repository at:
git://git.launchpad.net/~juergh/+git/bionic-linux pti-32bit
for you to fetch changes up to 4cb324be3f1cef481bf04f51ac16ccff3ba677a6:
x86/dump_pagetables: Fix LDT remap address marker (2019-03-08 17:39:20 +0100)
----------------------------------------------------------------
Baoquan He (1):
x86/mm/doc: Clean up the x86-64 virtual memory layout descriptions
Dave Hansen (12):
x86/pti: Enable global pages for shared areas
x86/pti: Never implicitly clear _PAGE_GLOBAL for kernel image
x86/pti: Leave kernel text global for !PCID
x86/pti: Fix boot problems from Global-bit setting
x86/pti: Fix boot warning from Global-bit setting
x86/pti: Reduce amount of kernel text allowed to be Global
x86/pti: Disallow global kernel text with RANDSTRUCT
x86/mm/pti: Clear Global bit more aggressively
mm: Allow non-direct-map arguments to free_reserved_area()
x86/mm/init: Pass unconverted symbol addresses to free_init_pages()
x86/mm/init: Add helper for freeing kernel image pages
x86/mm/init: Remove freed kernel image areas from alias mapping
Guenter Roeck (1):
x86/efi: Load fixmap GDT in efi_call_phys_epilog() before setting %cr3
Ingo Molnar (1):
x86/mm/doc: Enhance the x86-64 virtual memory layout descriptions
Jan Beulich (1):
x86/entry/32: Add explicit 'l' instruction suffix
Jan Kiszka (1):
x86/entry/32: Clear the CS high bits
Jiang Biao (2):
x86/pti: Check the return value of pti_user_pagetable_walk_p4d()
x86/pti: Check the return value of pti_user_pagetable_walk_pmd()
Joerg Roedel (48):
x86/asm-offsets: Move TSS_sp0 and TSS_sp1 to asm-offsets.c
x86/entry/32: Rename TSS_sysenter_sp0 to TSS_entry2task_stack
x86/entry/32: Load task stack from x86_tss.sp1 in SYSENTER handler
x86/entry/32: Put ESPFIX code into a macro
x86/entry/32: Unshare NMI return path
x86/entry/32: Split off return-to-kernel path
x86/entry/32: Enter the kernel via trampoline stack
x86/entry/32: Leave the kernel via trampoline stack
x86/entry/32: Introduce SAVE_ALL_NMI and RESTORE_ALL_NMI
x86/entry/32: Handle Entry from Kernel-Mode on Entry-Stack
x86/entry/32: Simplify debug entry point
x86/entry/32: Add PTI cr3 switch to non-NMI entry/exit points
x86/entry/32: Add PTI CR3 switches to NMI handler code
x86/entry: Rename update_sp0 to update_task_stack
x86/pgtable: Rename pti_set_user_pgd() to pti_set_user_pgtbl()
x86/pgtable/pae: Unshare kernel PMDs when PTI is enabled
x86/pgtable/32: Allocate 8k page-tables when PTI is enabled
x86/pgtable: Move pgdp kernel/user conversion functions to pgtable.h
x86/pgtable: Move pti_set_user_pgtbl() to pgtable.h
x86/pgtable: Move two more functions from pgtable_64.h to pgtable.h
x86/mm/pae: Populate valid user PGD entries
x86/mm/pae: Populate the user page-table with user pgd's
x86/mm/pti: Add an overflow check to pti_clone_pmds()
x86/mm/pti: Define X86_CR3_PTI_PCID_USER_BIT on x86_32
x86/mm/pti: Clone CPU_ENTRY_AREA on PMD level on x86_32
x86/mm/pti: Make pti_clone_kernel_text() compile on 32 bit
x86/mm/pti: Keep permissions when cloning kernel text in pti_clone_kernel_text()
x86/mm/pti: Introduce pti_finalize()
x86/mm/pti: Clone entry-text again in pti_finalize()
x86/mm/dump_pagetables: Define INIT_PGD
x86/pgtable/pae: Use separate kernel PMDs for user page-table
x86/ldt: Reserve address-space range on 32 bit for the LDT
x86/ldt: Define LDT_END_ADDR
x86/ldt: Split out sanity check in map_ldt_struct()
x86/ldt: Enable LDT user-mapping for PAE
x86/pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32
x86/mm/pti: Add Warning when booting on a PCID capable CPU
x86/entry/32: Add debug code to check entry/exit CR3
perf/core: Make sure the ring-buffer is mapped in all page-tables
x86/entry/32: Check for VM86 mode in slow-path check
x86/mm: Remove in_nmi() warning from vmalloc_fault()
x86/kexec: Allocate 8k PGDs for PTI
x86/mm/pti: Fix 32 bit PCID check
x86/mm/pti: Don't clear permissions in pti_clone_pmd()
x86/mm/pti: Clone kernel-image on PTE level for 32 bit
x86/relocs: Add __end_rodata_aligned to S_REL
x86/mm/pti: Move user W+X check into pti_finalize()
x86/efi: Load fixmap GDT in efi_call_phys_epilog()
Juerg Haefliger (1):
UBUNTU: [Config] Update PAGE_TABLE_ISOLATION annotations
Kirill A. Shutemov (6):
x86/mm: Fix documentation of module mapping range with 4-level paging
x86/mm: Move LDT remap out of KASLR region on 5-level paging
x86/ldt: Unmap PTEs for the slot before freeing LDT pages
x86/ldt: Remove unused variable in map_ldt_struct()
x86/mm: Fix guard hole handling
x86/dump_pagetables: Fix LDT remap address marker
Documentation/x86/x86_64/mm.txt | 173 +++++---
arch/x86/entry/entry_32.S | 635 +++++++++++++++++++++++-----
arch/x86/include/asm/mmu_context.h | 5 -
arch/x86/include/asm/page_64_types.h | 12 +-
arch/x86/include/asm/pgtable-2level_types.h | 3 +
arch/x86/include/asm/pgtable-3level.h | 7 +
arch/x86/include/asm/pgtable-3level_types.h | 6 +-
arch/x86/include/asm/pgtable.h | 95 ++++-
arch/x86/include/asm/pgtable_32_types.h | 9 +-
arch/x86/include/asm/pgtable_64.h | 89 +---
arch/x86/include/asm/pgtable_64_types.h | 13 +-
arch/x86/include/asm/pgtable_types.h | 28 +-
arch/x86/include/asm/processor-flags.h | 8 +-
arch/x86/include/asm/processor.h | 1 +
arch/x86/include/asm/pti.h | 1 +
arch/x86/include/asm/sections.h | 1 +
arch/x86/include/asm/set_memory.h | 1 +
arch/x86/include/asm/switch_to.h | 16 +-
arch/x86/kernel/asm-offsets.c | 5 +
arch/x86/kernel/asm-offsets_32.c | 10 +-
arch/x86/kernel/asm-offsets_64.c | 2 -
arch/x86/kernel/cpu/common.c | 5 +-
arch/x86/kernel/head_32.S | 20 +-
arch/x86/kernel/ldt.c | 192 +++++++--
arch/x86/kernel/machine_kexec_32.c | 5 +-
arch/x86/kernel/process.c | 2 -
arch/x86/kernel/process_32.c | 2 +-
arch/x86/kernel/process_64.c | 2 +-
arch/x86/kernel/vm86_32.c | 4 +-
arch/x86/kernel/vmlinux.lds.S | 17 +-
arch/x86/mm/cpu_entry_area.c | 14 +-
arch/x86/mm/dump_pagetables.c | 42 +-
arch/x86/mm/fault.c | 2 -
arch/x86/mm/init.c | 45 +-
arch/x86/mm/init_64.c | 8 +-
arch/x86/mm/pageattr.c | 75 +++-
arch/x86/mm/pgtable.c | 105 ++++-
arch/x86/mm/pti.c | 341 +++++++++++++--
arch/x86/platform/efi/efi_32.c | 7 +-
arch/x86/tools/relocs.c | 1 +
arch/x86/xen/mmu_pv.c | 17 +-
debian.master/config/annotations | 2 +-
include/linux/pti.h | 1 +
init/main.c | 7 +
kernel/events/ring_buffer.c | 16 +
mm/page_alloc.c | 16 +-
security/Kconfig | 2 +-
47 files changed, 1604 insertions(+), 466 deletions(-)