From: Borislav Petkov <bp@alien8.de>
To: Andy Lutomirski <luto@amacapital.net>
Cc: x86@kernel.org, torvalds@linux-foundation.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] x86, tls: Interpret an all-zero struct user_desc as "no segment"
Date: Thu, 22 Jan 2015 20:47:46 +0100
Message-ID: <20150122194746.GB4634@pd.tnic>
In-Reply-To: <0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.net>

On Thu, Jan 22, 2015 at 11:27:59AM -0800, Andy Lutomirski wrote:
> The Witcher 2 did something like this to allocate a TLS segment index:
> 
>         struct user_desc u_info;
>         bzero(&u_info, sizeof(u_info));
>         u_info.entry_number = (uint32_t)-1;
> 
>         syscall(SYS_set_thread_area, &u_info);
> 
> Strictly speaking, this code was never correct.  It should have set
> read_exec_only and seg_not_present to 1 to indicate that it wanted
> to find a free slot without putting anything there, or it should
> have put something sensible in the TLS slot if it wanted to allocate
> a TLS entry for real.  The actual effect of this code was to
> allocate a bogus segment that could be used to exploit espfix.
> 
> The set_thread_area hardening patches changed the behavior, causing
> set_thread_area to return -EINVAL and crashing the game.
> 
> This changes set_thread_area to interpret this as a request to find
> a free slot and to leave it empty, which isn't *quite* what the game
> expects but should be close enough to keep it working.  In
> particular, using the code above to allocate two segments will
> allocate the same segment both times.
> 
> According to FrostbittenKing on Github, this fixes The Witcher 2.
> 
> If this somehow still causes problems, we could instead allocate
> a limit==0 32-bit data segment, but that seems rather ugly to me.
> 
> Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix
> Signed-off-by: Andy Lutomirski <luto@amacapital.net>

Shouldn't this also be CC:stable?

-- 
Regards/Gruss,
    Boris.

ECO tip #101: Trim your mails when you reply.
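The following is an added worked example, not code from this thread or from the kernel tree. It models in userspace the two descriptor forms the commit message contrasts (the game's all-zero struct versus the read_exec_only=1, seg_not_present=1 "empty" form), a model of the validation that the hardening introduced and this patch relaxes, and a live probe of set_thread_area(2) showing that a free-slot request installs nothing and so hands back the same slot twice. The struct name tls_desc, the function names, and the exact rejection rules in tls_desc_okay are assumptions of the example; the thread itself only states that the all-zero form drew -EINVAL after hardening and is treated as an empty slot after this fix.

```c
/*
 * Added example, not code from the thread or the kernel tree.  struct
 * tls_desc repeats the layout of the uapi struct user_desc (<asm/ldt.h>)
 * so the file also builds on non-x86 hosts, where the live probe is
 * skipped.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

struct tls_desc {
    unsigned int entry_number;
    unsigned int base_addr;
    unsigned int limit;
    unsigned int seg_32bit:1;
    unsigned int contents:2;
    unsigned int read_exec_only:1;
    unsigned int limit_in_pages:1;
    unsigned int seg_not_present:1;
    unsigned int useable:1;
#ifdef __x86_64__
    unsigned int lm:1;          /* only in the 64-bit uapi struct */
#endif
};

/* The long-standing "empty" form: read_exec_only and seg_not_present set,
 * everything else (except entry_number) zero.  lm is deliberately not
 * examined, as in patch 1/2 of this series. */
static int ldt_empty(const struct tls_desc *d)
{
    return d->base_addr == 0 && d->limit == 0 && d->contents == 0 &&
           d->read_exec_only == 1 && d->seg_32bit == 0 &&
           d->limit_in_pages == 0 && d->seg_not_present == 1 &&
           d->useable == 0;
}

/* The all-zero form The Witcher 2 used: every field but entry_number zero. */
static int ldt_zero(const struct tls_desc *d)
{
    return d->base_addr == 0 && d->limit == 0 && d->contents == 0 &&
           d->read_exec_only == 0 && d->seg_32bit == 0 &&
           d->limit_in_pages == 0 && d->seg_not_present == 0 &&
           d->useable == 0;
}

/* Model of the hardened validation.  The three rejection rules are an
 * assumption paraphrased from the espfix hardening change in the Fixes:
 * line; accept_zero = 1 selects the behaviour after this patch. */
static int tls_desc_okay(const struct tls_desc *d, int accept_zero)
{
    if (ldt_empty(d) || (accept_zero && ldt_zero(d)))
        return 1;               /* free-slot request, nothing installed */
    if (!d->seg_32bit)
        return 0;               /* 16-bit segment: espfix only covers the LDT */
    if (d->contents > 1)
        return 0;               /* only data segments in the TLS array */
    if (d->seg_not_present)
        return 0;               /* non-present DPL3 segment: attack surface */
    return 1;
}

/* What the game should have done: ask for a free slot and leave it empty. */
static void make_free_slot_request(struct tls_desc *d)
{
    memset(d, 0, sizeof *d);
    d->entry_number = (unsigned int)-1;
    d->read_exec_only = 1;
    d->seg_not_present = 1;
}

/* What the game actually did. */
static void make_all_zero_request(struct tls_desc *d)
{
    memset(d, 0, sizeof *d);
    d->entry_number = (unsigned int)-1;
}

/* Live probe: returns the GDT index the kernel filled in, or -errno;
 * -ENOSYS on builds without the syscall. */
static int probe_set_thread_area(struct tls_desc *d)
{
#if (defined(__i386__) || defined(__x86_64__)) && defined(SYS_set_thread_area)
    if (syscall(SYS_set_thread_area, d) != 0)
        return -errno;
    return (int)d->entry_number;
#else
    (void)d;
    return -ENOSYS;
#endif
}

int main(void)
{
    struct tls_desc zero, empty;

    make_all_zero_request(&zero);
    make_free_slot_request(&empty);
    printf("all-zero request: hardened=%s fixed=%s\n",
           tls_desc_okay(&zero, 0) ? "ok" : "EINVAL",
           tls_desc_okay(&zero, 1) ? "ok" : "EINVAL");
    printf("empty request:    hardened=%s fixed=%s\n",
           tls_desc_okay(&empty, 0) ? "ok" : "EINVAL",
           tls_desc_okay(&empty, 1) ? "ok" : "EINVAL");

    /* Neither call installs a segment, so both land in the same slot. */
    int r1 = probe_set_thread_area(&empty);
    make_free_slot_request(&empty);
    int r2 = probe_set_thread_area(&empty);
    printf("set_thread_area: %d then %d\n", r1, r2);
    return 0;
}
```

Build with `cc -Wall tls_empty.c` and run it. The model shows why the hardening broke the game: the all-zero struct is not LDT_empty, and with seg_32bit clear it falls into the 16-bit rejection, which is exactly the shape of segment espfix cannot cover in the GDT. On a current x86-64 kernel the probe reports the same TLS slot for both calls, which is the "same segment both times" behaviour the commit message describes.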

Thread overview:
2015-01-22 19:27 [PATCH 0/2] x86: TLS regression fixes Andy Lutomirski
2015-01-22 19:27 ` [PATCH 1/2] x86, tls, ldt: Stop checking lm in LDT_empty Andy Lutomirski
2015-01-22 20:13   ` [tip:x86/urgent] " tip-bot for Andy Lutomirski
2015-01-22 19:27 ` [PATCH 2/2] x86, tls: Interpret an all-zero struct user_desc as "no segment" Andy Lutomirski
2015-01-22 19:47   ` Borislav Petkov [this message]
2015-01-22 20:12     ` Andy Lutomirski
2015-01-22 20:14   ` [tip:x86/urgent] x86, tls: Interpret an all-zero struct user_desc as "no segment" tip-bot for Andy Lutomirski
2015-01-22 20:54   ` [tip:x86/urgent] x86, tls: Interpret an all-zero struct user_desc as "no segment" tip-bot for Andy Lutomirski
2015-01-22 19:56 ` [PATCH 0/2] x86: TLS regression fixes Linus Torvalds
