    kaiser: do not set _PAGE_NX on pgd_none · bd37ead1
    Hugh Dickins authored
    native_pgd_clear() uses native_set_pgd(), so native_set_pgd() must
    avoid setting the _PAGE_NX bit on an otherwise pgd_none() entry:
    usually that just generated a warning on exit, but sometimes
    more mysterious and damaging failures (our production machines
    could not complete booting).
    
    The original fix to this just avoided adding _PAGE_NX to
    an empty entry; but eventually more problems surfaced with kexec,
    and EFI mapping expected to be a problem too.  So now instead
    change native_set_pgd() to update shadow only if _PAGE_USER:
    
    A few places (kernel/machine_kexec_64.c, platform/efi/efi_64.c for sure)
    use set_pgd() to set up a temporary internal virtual address space, with
    physical pages remapped at what Kaiser regards as userspace addresses:
    Kaiser then assumes a shadow pgd follows, which it will try to corrupt.
    
    This appears to be responsible for the recent kexec and kdump failures;
    though it's unclear how those did not manifest as a problem before.
    Ah, the shadow pgd will only be assumed to "follow" if the requested
    pgd is on an even-numbered page: so I suppose it was going wrong 50%
    of the time all along.
    
    What we need is a flag to set_pgd(), to tell it we're dealing with
    userspace.  Er, isn't that what the pgd's _PAGE_USER bit is saying?
    Add a test for that.  But we cannot do the same for pgd_clear()
    (which may be called to clear corrupted entries - set aside the
    question of "corrupt in which pgd?" until later), so there just
    rely on pgd_clear() not being called in the problematic cases -
    with a WARN_ON_ONCE() which should fire half the time if it is.
    
    But this is getting too big for an inline function: move it into
    arch/x86/mm/kaiser.c (which then demands a boot/compressed mod);
    and de-void and de-space native_get_shadow/normal_pgd() while here.
    Acked-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    CVE-2017-5754
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
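As an added illustration (not part of this commit and not Hugh Dickins's code), a user-space C model of the rule the message describes: the shadow pgd is assumed to follow the kernel pgd page, set_pgd() touches the shadow only for _PAGE_USER entries, and a clear on an odd-numbered page warns instead of writing past the end. Page size, bit positions, the lower-half test and all helper names are assumptions made for the example.

```c
/* Constructed model of the shadow-pgd update the commit message describes: a
 * kernel pgd page whose shadow (user) pgd page is assumed to follow it.  Names
 * and bit values here are assumptions for illustration, not kernel code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE     4096UL
#define _PAGE_PRESENT (1UL << 0)
#define _PAGE_USER    (1UL << 2)
#define _PAGE_NX      (1UL << 63)

typedef uint64_t pgd_t;
static int warn_count;  /* counts what WARN_ON_ONCE() would report */

/* The shadow pgd is the page right after the kernel pgd page. */
static pgd_t *get_shadow_pgd(pgd_t *pgdp) { return (pgd_t *)((char *)pgdp + PAGE_SIZE); }

/* Entries in the lower half of the pgd page map userspace addresses. */
static int is_userspace_pgd(pgd_t *pgdp) { return ((uintptr_t)pgdp % PAGE_SIZE) < PAGE_SIZE / 2; }

static void set_pgd(pgd_t *pgdp, pgd_t pgd)
{
    if (pgd & _PAGE_USER) {
        /* Genuine user mapping: shadow gets it, kernel copy is made non-executable. */
        if (is_userspace_pgd(pgdp)) {
            *get_shadow_pgd(pgdp) = pgd;
            pgd |= _PAGE_NX;
        }
    } else if (pgd == 0) {
        /* pgd_clear() cannot check _PAGE_USER: only an even-numbered page has a shadow. */
        if ((uintptr_t)pgdp & PAGE_SIZE)
            warn_count++;
        else if (is_userspace_pgd(pgdp))
            *get_shadow_pgd(pgdp) = 0;
    }
    /* Kernel-only low mappings (kexec, EFI) skip both branches: no shadow write, no _PAGE_NX. */
    *pgdp = pgd;
}

/* 8 KB-aligned pair: kernel pgd on an even page, shadow page immediately following. */
static pgd_t *alloc_pgd_pair(void)
{
    pgd_t *p = aligned_alloc(2 * PAGE_SIZE, 2 * PAGE_SIZE);
    if (p)
        memset(p, 0, 2 * PAGE_SIZE);
    return p;
}
```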