mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-01 02:36:02 +00:00
d60624f72d
Currently gcs_set() doesn't initialize the temporary 'user_gcs'
variable, and a SETREGSET call with a length of 0, 8, or 16 will leave
some portion of this uninitialized. Consequently some arbitrary
uninitialized values may be written back to the relevant fields in task
struct, potentially leaking up to 192 bits of memory from the kernel
stack. The read is limited to a specific slot on the stack, and the
issue does not provide a write mechanism.
As gcs_set() rejects cases where user_gcs::features_enabled has bits set
other than PR_SHADOW_STACK_SUPPORTED_STATUS_MASK, a SETREGSET call with
a length of zero will randomly succeed or fail depending on the value of
the uninitialized value, it isn't possible to leak the full 192 bits.
With a length of 8 or 16, user_gcs::features_enabled can be initialized
to an accepted value, making it practical to leak 128 or 64 bits.
Fix this by initializing the temporary value before copying the regset
from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,
NT_ARM_SYSTEM_CALL). In the case of a zero-length or partial write, the
existing contents of the fields which are not written to will be
retained.
To ensure that the extraction and insertion of fields is consistent
across the GETREGSET and SETREGSET calls, new task_gcs_to_user() and
task_gcs_from_user() helpers are added, matching the style of
pac_address_keys_to_user() and pac_address_keys_from_user().
Before this patch:
| # ./gcs-test
| Attempting to write NT_ARM_GCS::user_gcs = {
| .features_enabled = 0x0000000000000000,
| .features_locked = 0x0000000000000000,
| .gcspr_el0 = 0x900d900d900d900d,
| }
| SETREGSET(nt=0x410, len=24) wrote 24 bytes
|
| Attempting to read NT_ARM_GCS::user_gcs
| GETREGSET(nt=0x410, len=24) read 24 bytes
| Read NT_ARM_GCS::user_gcs = {
| .features_enabled = 0x0000000000000000,
| .features_locked = 0x0000000000000000,
| .gcspr_el0 = 0x900d900d900d900d,
| }
|
| Attempting partial write NT_ARM_GCS::user_gcs = {
| .features_enabled = 0x0000000000000000,
| .features_locked = 0x1de7ec7edbadc0de,
| .gcspr_el0 = 0x1de7ec7edbadc0de,
| }
| SETREGSET(nt=0x410, len=8) wrote 8 bytes
|
| Attempting to read NT_ARM_GCS::user_gcs
| GETREGSET(nt=0x410, len=24) read 24 bytes
| Read NT_ARM_GCS::user_gcs = {
| .features_enabled = 0x0000000000000000,
| .features_locked = 0x000000000093e780,
| .gcspr_el0 = 0xffff800083a63d50,
| }
After this patch:
| # ./gcs-test
| Attempting to write NT_ARM_GCS::user_gcs = {
| .features_enabled = 0x0000000000000000,
| .features_locked = 0x0000000000000000,
| .gcspr_el0 = 0x900d900d900d900d,
| }
| SETREGSET(nt=0x410, len=24) wrote 24 bytes
|
| Attempting to read NT_ARM_GCS::user_gcs
| GETREGSET(nt=0x410, len=24) read 24 bytes
| Read NT_ARM_GCS::user_gcs = {
| .features_enabled = 0x0000000000000000,
| .features_locked = 0x0000000000000000,
| .gcspr_el0 = 0x900d900d900d900d,
| }
|
| Attempting partial write NT_ARM_GCS::user_gcs = {
| .features_enabled = 0x0000000000000000,
| .features_locked = 0x1de7ec7edbadc0de,
| .gcspr_el0 = 0x1de7ec7edbadc0de,
| }
| SETREGSET(nt=0x410, len=8) wrote 8 bytes
|
| Attempting to read NT_ARM_GCS::user_gcs
| GETREGSET(nt=0x410, len=24) read 24 bytes
| Read NT_ARM_GCS::user_gcs = {
| .features_enabled = 0x0000000000000000,
| .features_locked = 0x0000000000000000,
| .gcspr_el0 = 0x900d900d900d900d,
| }
Fixes:
|
||
|---|---|---|
| .. | ||
| pi | ||
| probes | ||
| vdso | ||
| vdso32 | ||
| .gitignore | ||
| acpi_numa.c | ||
| acpi_parking_protocol.c | ||
| acpi.c | ||
| alternative.c | ||
| armv8_deprecated.c | ||
| asm-offsets.c | ||
| cacheinfo.c | ||
| compat_alignment.c | ||
| cpu_errata.c | ||
| cpu_ops.c | ||
| cpu-reset.S | ||
| cpufeature.c | ||
| cpuinfo.c | ||
| crash_dump.c | ||
| debug-monitors.c | ||
| efi-header.S | ||
| efi-rt-wrapper.S | ||
| efi.c | ||
| elfcore.c | ||
| entry-common.c | ||
| entry-fpsimd.S | ||
| entry-ftrace.S | ||
| entry.S | ||
| fpsimd.c | ||
| ftrace.c | ||
| head.S | ||
| hibernate-asm.S | ||
| hibernate.c | ||
| hw_breakpoint.c | ||
| hyp-stub.S | ||
| idle.c | ||
| image-vars.h | ||
| image.h | ||
| io.c | ||
| irq.c | ||
| jump_label.c | ||
| kaslr.c | ||
| kexec_image.c | ||
| kgdb.c | ||
| kuser32.S | ||
| machine_kexec_file.c | ||
| machine_kexec.c | ||
| Makefile | ||
| Makefile.syscalls | ||
| module-plts.c | ||
| module.c | ||
| mte.c | ||
| paravirt.c | ||
| patching.c | ||
| pci.c | ||
| perf_callchain.c | ||
| perf_regs.c | ||
| pointer_auth.c | ||
| process.c | ||
| proton-pack.c | ||
| psci.c | ||
| ptrace.c | ||
| reloc_test_core.c | ||
| reloc_test_syms.S | ||
| relocate_kernel.S | ||
| return_address.c | ||
| rsi.c | ||
| sdei.c | ||
| setup.c | ||
| signal32.c | ||
| signal.c | ||
| sigreturn32.S | ||
| sleep.S | ||
| smccc-call.S | ||
| smp_spin_table.c | ||
| smp.c | ||
| stacktrace.c | ||
| suspend.c | ||
| sys32.c | ||
| sys_compat.c | ||
| sys.c | ||
| syscall.c | ||
| time.c | ||
| topology.c | ||
| trace-events-emulation.h | ||
| traps.c | ||
| vdso32-wrap.S | ||
| vdso-wrap.S | ||
| vdso.c | ||
| vmcore_info.c | ||
| vmlinux.lds.S | ||
| watchdog_hld.c | ||