Commit 5fe0225a authored Apr 27, 2022 by James Morse Committed by Zheng Zengkai Apr 27, 2022

arm64: entry: Move the trampoline data page before the text page

stable inclusion
from stable-v5.10.105
commit bda89602814c69e6f027878209b0b9453133ada2
category: bugfix
bugzilla: 186460 https://gitee.com/src-openeuler/kernel/issues/I53MHA
CVE: CVE-2022-23960

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bda89602814c



--------------------------------

commit c091fb6a upstream.

The trampoline code has a data page that holds the address of the vectors,
which is unmapped when running in user-space. This ensures that with
CONFIG_RANDOMIZE_BASE, the randomised address of the kernel can't be
discovered until after the kernel has been mapped.

If the trampoline text page is extended to include multiple sets of
vectors, it will be larger than a single page, making it tricky to
find the data page without knowing the size of the trampoline text
pages, which will vary with PAGE_SIZE.

Move the data page to appear before the text page. This allows the
data page to be found without knowing the size of the trampoline text
pages. 'tramp_vectors' is used to refer to the beginning of the
.entry.tramp.text section, do that explicitly.

Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent 69e73467

arch/arm64/include/asm/fixmap.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -62,8 +62,8 @@ enum fixed_addresses {
		#endif /* CONFIG_ACPI_APEI_GHES */

		#ifdef CONFIG_UNMAP_KERNEL_AT_EL0
		FIX_ENTRY_TRAMP_DATA,
		FIX_ENTRY_TRAMP_TEXT,
		FIX_ENTRY_TRAMP_DATA,
		#define TRAMP_VALIAS (__fix_to_virt(FIX_ENTRY_TRAMP_TEXT))
		#endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
		__end_of_permanent_fixed_addresses,

arch/arm64/kernel/entry.S

+7 −2

Original line number	Diff line number	Diff line
		@@ -802,6 +802,11 @@ alternative_else_nop_endif
		*/
		.endm

		.macro tramp_data_page dst
		adr \dst, .entry.tramp.text
		sub \dst, \dst, PAGE_SIZE
		.endm

		.macro tramp_ventry, regsize = 64
		.align 7
		1:
		@@ -818,7 +823,7 @@ alternative_else_nop_endif
		2:
		tramp_map_kernel x30
		#ifdef CONFIG_RANDOMIZE_BASE
		adr x30, tramp_vectors + PAGE_SIZE
		tramp_data_page x30
		alternative_insn isb, nop, ARM64_WORKAROUND_QCOM_FALKOR_E1003
		ldr x30, [x30]
		#else
		@@ -971,7 +976,7 @@ SYM_CODE_START(__sdei_asm_entry_trampoline)
		1: str x4, [x1, #(SDEI_EVENT_INTREGS + S_SDEI_TTBR1)]

		#ifdef CONFIG_RANDOMIZE_BASE
		adr x4, tramp_vectors + PAGE_SIZE
		tramp_data_page x4
		add x4, x4, #:lo12:__sdei_asm_trampoline_next_handler
		ldr x4, [x4]
		#else