1#include <linux/kernel.h>
2#include <linux/errno.h>
3#include <linux/sched.h>
4#include <linux/user.h>
5#include <linux/regset.h>
6#include <linux/syscalls.h>
7
8#include <asm/uaccess.h>
9#include <asm/desc.h>
10#include <asm/ldt.h>
11#include <asm/processor.h>
12#include <asm/proto.h>
13
14#include "tls.h"
15
16/*
17 * sys_alloc_thread_area: get a yet unused TLS descriptor index.
18 */
19static int get_free_idx(void)
20{
21	struct thread_struct *t = &current->thread;
22	int idx;
23
24	for (idx = 0; idx < GDT_ENTRY_TLS_ENTRIES; idx++)
25		if (desc_empty(&t->tls_array[idx]))
26			return idx + GDT_ENTRY_TLS_MIN;
27	return -ESRCH;
28}
29
30static bool tls_desc_okay(const struct user_desc *info)
31{
32	/*
33	 * For historical reasons (i.e. no one ever documented how any
34	 * of the segmentation APIs work), user programs can and do
35	 * assume that a struct user_desc that's all zeros except for
36	 * entry_number means "no segment at all".  This never actually
37	 * worked.  In fact, up to Linux 3.19, a struct user_desc like
38	 * this would create a 16-bit read-write segment with base and
39	 * limit both equal to zero.
40	 *
41	 * That was close enough to "no segment at all" until we
42	 * hardened this function to disallow 16-bit TLS segments.  Fix
43	 * it up by interpreting these zeroed segments the way that they
44	 * were almost certainly intended to be interpreted.
45	 *
46	 * The correct way to ask for "no segment at all" is to specify
47	 * a user_desc that satisfies LDT_empty.  To keep everything
48	 * working, we accept both.
49	 *
50	 * Note that there's a similar kludge in modify_ldt -- look at
51	 * the distinction between modes 1 and 0x11.
52	 */
53	if (LDT_empty(info) || LDT_zero(info))
54		return true;
55
56	/*
57	 * espfix is required for 16-bit data segments, but espfix
58	 * only works for LDT segments.
59	 */
60	if (!info->seg_32bit)
61		return false;
62
63	/* Only allow data segments in the TLS array. */
64	if (info->contents > 1)
65		return false;
66
67	/*
68	 * Non-present segments with DPL 3 present an interesting attack
69	 * surface.  The kernel should handle such segments correctly,
70	 * but TLS is very difficult to protect in a sandbox, so prevent
71	 * such segments from being created.
72	 *
73	 * If userspace needs to remove a TLS entry, it can still delete
74	 * it outright.
75	 */
76	if (info->seg_not_present)
77		return false;
78
79	return true;
80}
81
82static void set_tls_desc(struct task_struct *p, int idx,
83			 const struct user_desc *info, int n)
84{
85	struct thread_struct *t = &p->thread;
86	struct desc_struct *desc = &t->tls_array[idx - GDT_ENTRY_TLS_MIN];
87	int cpu;
88
89	/*
90	 * We must not get preempted while modifying the TLS.
91	 */
92	cpu = get_cpu();
93
94	while (n-- > 0) {
95		if (LDT_empty(info) || LDT_zero(info))
96			desc->a = desc->b = 0;
97		else
98			fill_ldt(desc, info);
99		++info;
100		++desc;
101	}
102
103	if (t == &current->thread)
104		load_TLS(t, cpu);
105
106	put_cpu();
107}
108
109/*
110 * Set a given TLS descriptor:
111 */
112int do_set_thread_area(struct task_struct *p, int idx,
113		       struct user_desc __user *u_info,
114		       int can_allocate)
115{
116	struct user_desc info;
117
118	if (copy_from_user(&info, u_info, sizeof(info)))
119		return -EFAULT;
120
121	if (!tls_desc_okay(&info))
122		return -EINVAL;
123
124	if (idx == -1)
125		idx = info.entry_number;
126
127	/*
128	 * index -1 means the kernel should try to find and
129	 * allocate an empty descriptor:
130	 */
131	if (idx == -1 && can_allocate) {
132		idx = get_free_idx();
133		if (idx < 0)
134			return idx;
135		if (put_user(idx, &u_info->entry_number))
136			return -EFAULT;
137	}
138
139	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
140		return -EINVAL;
141
142	set_tls_desc(p, idx, &info, 1);
143
144	return 0;
145}
146
147SYSCALL_DEFINE1(set_thread_area, struct user_desc __user *, u_info)
148{
149	return do_set_thread_area(current, -1, u_info, 1);
150}
151
152
153/*
154 * Get the current Thread-Local Storage area:
155 */
156
157static void fill_user_desc(struct user_desc *info, int idx,
158			   const struct desc_struct *desc)
159
160{
161	memset(info, 0, sizeof(*info));
162	info->entry_number = idx;
163	info->base_addr = get_desc_base(desc);
164	info->limit = get_desc_limit(desc);
165	info->seg_32bit = desc->d;
166	info->contents = desc->type >> 2;
167	info->read_exec_only = !(desc->type & 2);
168	info->limit_in_pages = desc->g;
169	info->seg_not_present = !desc->p;
170	info->useable = desc->avl;
171#ifdef CONFIG_X86_64
172	info->lm = desc->l;
173#endif
174}
175
176int do_get_thread_area(struct task_struct *p, int idx,
177		       struct user_desc __user *u_info)
178{
179	struct user_desc info;
180
181	if (idx == -1 && get_user(idx, &u_info->entry_number))
182		return -EFAULT;
183
184	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
185		return -EINVAL;
186
187	fill_user_desc(&info, idx,
188		       &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]);
189
190	if (copy_to_user(u_info, &info, sizeof(info)))
191		return -EFAULT;
192	return 0;
193}
194
195SYSCALL_DEFINE1(get_thread_area, struct user_desc __user *, u_info)
196{
197	return do_get_thread_area(current, -1, u_info);
198}
199
200int regset_tls_active(struct task_struct *target,
201		      const struct user_regset *regset)
202{
203	struct thread_struct *t = &target->thread;
204	int n = GDT_ENTRY_TLS_ENTRIES;
205	while (n > 0 && desc_empty(&t->tls_array[n - 1]))
206		--n;
207	return n;
208}
209
210int regset_tls_get(struct task_struct *target, const struct user_regset *regset,
211		   unsigned int pos, unsigned int count,
212		   void *kbuf, void __user *ubuf)
213{
214	const struct desc_struct *tls;
215
216	if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
217	    (pos % sizeof(struct user_desc)) != 0 ||
218	    (count % sizeof(struct user_desc)) != 0)
219		return -EINVAL;
220
221	pos /= sizeof(struct user_desc);
222	count /= sizeof(struct user_desc);
223
224	tls = &target->thread.tls_array[pos];
225
226	if (kbuf) {
227		struct user_desc *info = kbuf;
228		while (count-- > 0)
229			fill_user_desc(info++, GDT_ENTRY_TLS_MIN + pos++,
230				       tls++);
231	} else {
232		struct user_desc __user *u_info = ubuf;
233		while (count-- > 0) {
234			struct user_desc info;
235			fill_user_desc(&info, GDT_ENTRY_TLS_MIN + pos++, tls++);
236			if (__copy_to_user(u_info++, &info, sizeof(info)))
237				return -EFAULT;
238		}
239	}
240
241	return 0;
242}
243
244int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
245		   unsigned int pos, unsigned int count,
246		   const void *kbuf, const void __user *ubuf)
247{
248	struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
249	const struct user_desc *info;
250	int i;
251
252	if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
253	    (pos % sizeof(struct user_desc)) != 0 ||
254	    (count % sizeof(struct user_desc)) != 0)
255		return -EINVAL;
256
257	if (kbuf)
258		info = kbuf;
259	else if (__copy_from_user(infobuf, ubuf, count))
260		return -EFAULT;
261	else
262		info = infobuf;
263
264	for (i = 0; i < count / sizeof(struct user_desc); i++)
265		if (!tls_desc_okay(info + i))
266			return -EINVAL;
267
268	set_tls_desc(target,
269		     GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
270		     info, count / sizeof(struct user_desc));
271
272	return 0;
273}
274