• Andy Lutomirski's avatar
    x86, tls: Interpret an all-zero struct user_desc as "no segment" · a495b2cb
    Andy Lutomirski authored
    commit 3669ef9f upstream.
    
    The Witcher 2 did something like this to allocate a TLS segment index:
    
            struct user_desc u_info;
            bzero(&u_info, sizeof(u_info));
            u_info.entry_number = (uint32_t)-1;
    
            syscall(SYS_set_thread_area, &u_info);
    
    Strictly speaking, this code was never correct.  It should have set
    read_exec_only and seg_not_present to 1 to indicate that it wanted
    to find a free slot without putting anything there, or it should
    have put something sensible in the TLS slot if it wanted to allocate
    a TLS entry for real.  The actual effect of this code was to
    allocate a bogus segment that could be used to exploit espfix.
    
    The set_thread_area hardening patches changed the behavior, causing
    set_thread_area to return -EINVAL and crashing the game.
    
    This changes set_thread_area to interpret this as a request to find
    a free slot and to leave it empty, which isn't *quite* what the game
    expects but should be close enough to keep it working.  In
    particular, using the code above to allocate two segments will
    allocate the same segment both times.
    
    According to FrostbittenKing on Github, this fixes The Witcher 2.
    
    If this somehow still causes problems, we could instead allocate
    a limit==0 32-bit data segment, but that seems rather ugly to me.
    
    Fixes: 41bdc785 x86/tls: Validate TLS entries to protect espfix
    Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
    Cc: torvalds@linux-foundation.org
    Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.luto@amacapital.netSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
    a495b2cb
desc.h 12.6 KB