mirror of https://gitee.com/openkylin/linux.git
x86: Use a read-only IDT alias on all CPUs
Make a copy of the IDT (as seen via the "sidt" instruction) read-only. This primarily removes the IDT from being a target for arbitrary memory write attacks, and has the added benefit of also not leaking the kernel base offset, if it has been relocated. We already did this on vendor == Intel and family == 5 because of the F0 0F bug -- regardless of if a particular CPU had the F0 0F bug or not. Since the workaround was so cheap, there simply was no reason to be very specific. This patch extends the readonly alias to all CPUs, but does not activate the #PF to #UD conversion code needed to deliver the proper exception in the F0 0F case except on Intel family 5 processors. Signed-off-by: Kees Cook <keescook@chromium.org> Link: http://lkml.kernel.org/r/20130410192422.GA17344@www.outflux.net Cc: Eric Northup <digitaleric@google.com> Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
This commit is contained in:
parent
31880c37c1
commit
4eefbe792b
|
@ -104,9 +104,7 @@ enum fixed_addresses {
|
||||||
FIX_LI_PCIA, /* Lithium PCI Bridge A */
|
FIX_LI_PCIA, /* Lithium PCI Bridge A */
|
||||||
FIX_LI_PCIB, /* Lithium PCI Bridge B */
|
FIX_LI_PCIB, /* Lithium PCI Bridge B */
|
||||||
#endif
|
#endif
|
||||||
#ifdef CONFIG_X86_F00F_BUG
|
FIX_RO_IDT, /* Virtual mapping for read-only IDT */
|
||||||
FIX_F00F_IDT, /* Virtual mapping for IDT */
|
|
||||||
#endif
|
|
||||||
#ifdef CONFIG_X86_CYCLONE_TIMER
|
#ifdef CONFIG_X86_CYCLONE_TIMER
|
||||||
FIX_CYCLONE_TIMER, /*cyclone timer register*/
|
FIX_CYCLONE_TIMER, /*cyclone timer register*/
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -164,20 +164,6 @@ int __cpuinit ppro_with_ram_bug(void)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef CONFIG_X86_F00F_BUG
|
|
||||||
static void __cpuinit trap_init_f00f_bug(void)
|
|
||||||
{
|
|
||||||
__set_fixmap(FIX_F00F_IDT, __pa_symbol(idt_table), PAGE_KERNEL_RO);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Update the IDT descriptor and reload the IDT so that
|
|
||||||
* it uses the read-only mapped virtual address.
|
|
||||||
*/
|
|
||||||
idt_descr.address = fix_to_virt(FIX_F00F_IDT);
|
|
||||||
load_idt(&idt_descr);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
static void __cpuinit intel_smp_check(struct cpuinfo_x86 *c)
|
static void __cpuinit intel_smp_check(struct cpuinfo_x86 *c)
|
||||||
{
|
{
|
||||||
/* calling is from identify_secondary_cpu() ? */
|
/* calling is from identify_secondary_cpu() ? */
|
||||||
|
@ -206,8 +192,7 @@ static void __cpuinit intel_workarounds(struct cpuinfo_x86 *c)
|
||||||
/*
|
/*
|
||||||
* All current models of Pentium and Pentium with MMX technology CPUs
|
* All current models of Pentium and Pentium with MMX technology CPUs
|
||||||
* have the F0 0F bug, which lets nonprivileged users lock up the
|
* have the F0 0F bug, which lets nonprivileged users lock up the
|
||||||
* system.
|
* system. Announce that the fault handler will be checking for it.
|
||||||
* Note that the workaround only should be initialized once...
|
|
||||||
*/
|
*/
|
||||||
c->f00f_bug = 0;
|
c->f00f_bug = 0;
|
||||||
if (!paravirt_enabled() && c->x86 == 5) {
|
if (!paravirt_enabled() && c->x86 == 5) {
|
||||||
|
@ -215,7 +200,6 @@ static void __cpuinit intel_workarounds(struct cpuinfo_x86 *c)
|
||||||
|
|
||||||
c->f00f_bug = 1;
|
c->f00f_bug = 1;
|
||||||
if (!f00f_workaround_enabled) {
|
if (!f00f_workaround_enabled) {
|
||||||
trap_init_f00f_bug();
|
|
||||||
printk(KERN_NOTICE "Intel Pentium with F0 0F bug - workaround enabled.\n");
|
printk(KERN_NOTICE "Intel Pentium with F0 0F bug - workaround enabled.\n");
|
||||||
f00f_workaround_enabled = 1;
|
f00f_workaround_enabled = 1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -56,6 +56,7 @@
|
||||||
#include <asm/fpu-internal.h>
|
#include <asm/fpu-internal.h>
|
||||||
#include <asm/mce.h>
|
#include <asm/mce.h>
|
||||||
#include <asm/context_tracking.h>
|
#include <asm/context_tracking.h>
|
||||||
|
#include <asm/fixmap.h>
|
||||||
|
|
||||||
#include <asm/mach_traps.h>
|
#include <asm/mach_traps.h>
|
||||||
|
|
||||||
|
@ -752,6 +753,14 @@ void __init trap_init(void)
|
||||||
set_bit(SYSCALL_VECTOR, used_vectors);
|
set_bit(SYSCALL_VECTOR, used_vectors);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Set the IDT descriptor to a fixed read-only location, so that the
|
||||||
|
* "sidt" instruction will not leak the location of the kernel, and
|
||||||
|
* to defend the IDT against arbitrary memory write vulnerabilities.
|
||||||
|
* It will be reloaded in cpu_init() */
|
||||||
|
__set_fixmap(FIX_RO_IDT, __pa_symbol(idt_table), PAGE_KERNEL_RO);
|
||||||
|
idt_descr.address = fix_to_virt(FIX_RO_IDT);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Should be a barrier for any external CPU state:
|
* Should be a barrier for any external CPU state:
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -2039,9 +2039,7 @@ static void xen_set_fixmap(unsigned idx, phys_addr_t phys, pgprot_t prot)
|
||||||
|
|
||||||
switch (idx) {
|
switch (idx) {
|
||||||
case FIX_BTMAP_END ... FIX_BTMAP_BEGIN:
|
case FIX_BTMAP_END ... FIX_BTMAP_BEGIN:
|
||||||
#ifdef CONFIG_X86_F00F_BUG
|
case FIX_RO_IDT:
|
||||||
case FIX_F00F_IDT:
|
|
||||||
#endif
|
|
||||||
#ifdef CONFIG_X86_32
|
#ifdef CONFIG_X86_32
|
||||||
case FIX_WP_TEST:
|
case FIX_WP_TEST:
|
||||||
case FIX_VDSO:
|
case FIX_VDSO:
|
||||||
|
|
Loading…
Reference in New Issue