arm64: entry: Allow tramp_alias to access symbols after the 4K boundary

stable inclusion from stable-v5.10.105 commit 5275fb5ea5f573ce1ecd2bf0bcd928abb916b43d category: bugfix bugzilla: 186460 https://gitee.com/src-openeuler/kernel/issues/I53MHA CVE: CVE-2022-23960 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5275fb5ea5f5 -------------------------------- commit 6c5bf79b upstream. Systems using kpti enter and exit the kernel through a trampoline mapping that is always mapped, even when the kernel is not. tramp_valias is a macro to find the address of a symbol in the trampoline mapping. Adding extra sets of vectors will expand the size of the entry.tramp.text section to beyond 4K. tramp_valias will be unable to generate addresses for symbols beyond 4K as it uses the 12 bit immediate of the add instruction. As there are now two registers available when tramp_alias is called, use the extra register to avoid the 4K limit of the 12 bit immediate. Reviewed-by: N Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Reviewed-by: N Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: N James Morse <james.morse@arm.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jiahao <chenjiahao16@huawei.com> Reviewed-by: N Liao Chang <liaochang1@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

arm64: entry: Allow tramp_alias to access symbols after the 4K boundary
stable inclusion from stable-v5.10.105 commit 5275fb5ea5f573ce1ecd2bf0bcd928abb916b43d category: bugfix bugzilla: 186460 https://gitee.com/src-openeuler/kernel/issues/I53MHA CVE: CVE-2022-23960 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5275fb5ea5f5 -------------------------------- commit 6c5bf79b upstream. Systems using kpti enter and exit the kernel through a trampoline mapping that is always mapped, even when the kernel is not. tramp_valias is a macro to find the address of a symbol in the trampoline mapping. Adding extra sets of vectors will expand the size of the entry.tramp.text section to beyond 4K. tramp_valias will be unable to generate addresses for symbols beyond 4K as it uses the 12 bit immediate of the add instruction. As there are now two registers available when tramp_alias is called, use the extra register to avoid the 4K limit of the 12 bit immediate. Reviewed-by: N Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Reviewed-by: N Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: N James Morse <james.morse@arm.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Chen Jiahao <chenjiahao16@huawei.com> Reviewed-by: N Liao Chang <liaochang1@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
4f48a4ca · James Morse · Zheng Zengkai · ddc7070b · 4f48a4ca
隐藏空白更改
内联并排

Showing with 8 addition and 5 deletion

arch/arm64/kernel/entry.S arch/arm64/kernel/entry.S +8 -5

未找到文件。
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -128,9 +128,12 @@
 .org .Lventry_start\@ + 128	// Did we overflow the ventry slot?
 	.endm
-	.macro tramp_alias, dst, sym
+	.macro tramp_alias, dst, sym, tmp
 	mov_q	\dst, TRAMP_VALIAS
-	add	\dst, \dst, #(\sym - .entry.tramp.text)
+	adr_l	\tmp, \sym
+	add	\dst, \dst, \tmp
+	adr_l	\tmp, .entry.tramp.text
+	sub	\dst, \dst, \tmp
 	.endm
 	/*
@@ -355,10 +358,10 @@ alternative_else_nop_endif
 #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
 	bne	4f
 	msr	far_el1, x29
-	tramp_alias	x30, tramp_exit_native
+	tramp_alias	x30, tramp_exit_native, x29
 	br	x30
 4:
-	tramp_alias	x30, tramp_exit_compat
+	tramp_alias	x30, tramp_exit_compat, x29
 	br	x30
 #endif
 	.else
@@ -1118,7 +1121,7 @@ alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
 alternative_else_nop_endif
 #ifdef CONFIG_UNMAP_KERNEL_AT_EL0
-	tramp_alias	dst=x5, sym=__sdei_asm_exit_trampoline
+	tramp_alias	dst=x5, sym=__sdei_asm_exit_trampoline, tmp=x3
 	br	x5
 #endif
 SYM_CODE_END(__sdei_asm_handler)