1 #include <linux/kernel.h>
2 #include <linux/errno.h>
3 #include <linux/sched.h>
4 #include <linux/user.h>
5 #include <linux/regset.h>
6 #include <linux/syscalls.h>
7 #include <linux/nospec.h>
9 #include <asm/uaccess.h>
12 #include <asm/processor.h>
13 #include <asm/proto.h>
18 * sys_alloc_thread_area: get a yet unused TLS descriptor index.
20 static int get_free_idx(void)
22 struct thread_struct *t = ¤t->thread;
25 for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++)
26 if (desc_empty(&t->tls_array[idx]))
27 return idx + GDT_ENTRY_TLS_MIN;
31 static bool tls_desc_okay(const struct user_desc *info)
34 * For historical reasons (i.e. no one ever documented how any
35 * of the segmentation APIs work), user programs can and do
36 * assume that a struct user_desc that's all zeros except for
37 * entry_number means "no segment at all". This never actually
38 * worked. In fact, up to Linux 3.19, a struct user_desc like
39 * this would create a 16-bit read-write segment with base and
40 * limit both equal to zero.
42 * That was close enough to "no segment at all" until we
43 * hardened this function to disallow 16-bit TLS segments. Fix
44 * it up by interpreting these zeroed segments the way that they
45 * were almost certainly intended to be interpreted.
47 * The correct way to ask for "no segment at all" is to specify
48 * a user_desc that satisfies LDT_empty. To keep everything
49 * working, we accept both.
51 * Note that there's a similar kludge in modify_ldt -- look at
52 * the distinction between modes 1 and 0x11.
54 if (LDT_empty(info) || LDT_zero(info))
58 * espfix is required for 16-bit data segments, but espfix
59 * only works for LDT segments.
64 /* Only allow data segments in the TLS array. */
65 if (info->contents > 1)
69 * Non-present segments with DPL 3 present an interesting attack
70 * surface. The kernel should handle such segments correctly,
71 * but TLS is very difficult to protect in a sandbox, so prevent
72 * such segments from being created.
74 * If userspace needs to remove a TLS entry, it can still delete
77 if (info->seg_not_present)
83 static void set_tls_desc(struct task_struct *p, int idx,
84 const struct user_desc *info, int n)
86 struct thread_struct *t = &p->thread;
87 struct desc_struct *desc = &t->tls_array[idx - GDT_ENTRY_TLS_MIN];
91 * We must not get preempted while modifying the TLS.
96 if (LDT_empty(info) || LDT_zero(info))
97 desc->a = desc->b = 0;
104 if (t == ¤t->thread)
111 * Set a given TLS descriptor:
113 int do_set_thread_area(struct task_struct *p, int idx,
114 struct user_desc __user *u_info,
117 struct user_desc info;
119 if (copy_from_user(&info, u_info, sizeof(info)))
122 if (!tls_desc_okay(&info))
126 idx = info.entry_number;
129 * index -1 means the kernel should try to find and
130 * allocate an empty descriptor:
132 if (idx == -1 && can_allocate) {
133 idx = get_free_idx();
136 if (put_user(idx, &u_info->entry_number))
140 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
143 set_tls_desc(p, idx, &info, 1);
148 SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info)
150 return do_set_thread_area(current, -1, u_info, 1);
155 * Get the current Thread-Local Storage area:
158 static void fill_user_desc(struct user_desc *info, int idx,
159 const struct desc_struct *desc)
162 memset(info, 0, sizeof(*info));
163 info->entry_number = idx;
164 info->base_addr = get_desc_base(desc);
165 info->limit = get_desc_limit(desc);
166 info->seg_32bit = desc->d;
167 info->contents = desc->type >> 2;
168 info->read_exec_only = !(desc->type & 2);
169 info->limit_in_pages = desc->g;
170 info->seg_not_present = !desc->p;
171 info->useable = desc->avl;
177 int do_get_thread_area(struct task_struct *p, int idx,
178 struct user_desc __user *u_info)
180 struct user_desc info;
183 if (idx == -1 && get_user(idx, &u_info->entry_number))
186 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
189 index = idx - GDT_ENTRY_TLS_MIN;
190 index = array_index_nospec(index,
191 GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1);
193 fill_user_desc(&info, idx, &p->thread.tls_array[index]);
195 if (copy_to_user(u_info, &info, sizeof(info)))
200 SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info)
202 return do_get_thread_area(current, -1, u_info);
205 int regset_tls_active(struct task_struct *target,
206 const struct user_regset *regset)
208 struct thread_struct *t = &target->thread;
209 int n = GDT_ENTRY_TLS_ENTRIES;
210 while (n > 0 && desc_empty(&t->tls_array[n - 1]))
215 int regset_tls_get(struct task_struct *target, const struct user_regset *regset,
216 unsigned int pos, unsigned int count,
217 void *kbuf, void __user *ubuf)
219 const struct desc_struct *tls;
221 if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
222 (pos % sizeof(struct user_desc)) != 0 ||
223 (count % sizeof(struct user_desc)) != 0)
226 pos /= sizeof(struct user_desc);
227 count /= sizeof(struct user_desc);
229 tls = &target->thread.tls_array[pos];
232 struct user_desc *info = kbuf;
234 fill_user_desc(info++, GDT_ENTRY_TLS_MIN + pos++,
237 struct user_desc __user *u_info = ubuf;
238 while (count-- > 0) {
239 struct user_desc info;
240 fill_user_desc(&info, GDT_ENTRY_TLS_MIN + pos++, tls++);
241 if (__copy_to_user(u_info++, &info, sizeof(info)))
249 int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
250 unsigned int pos, unsigned int count,
251 const void *kbuf, const void __user *ubuf)
253 struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
254 const struct user_desc *info;
257 if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
258 (pos % sizeof(struct user_desc)) != 0 ||
259 (count % sizeof(struct user_desc)) != 0)
264 else if (__copy_from_user(infobuf, ubuf, count))
269 for (i = 0; i < count / sizeof(struct user_desc); i++)
270 if (!tls_desc_okay(info + i))
274 GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
275 info, count / sizeof(struct user_desc));