Skip to content

Commit

Permalink
Preserve the user r/w register TPIDRURW on context switch and fork
Browse files Browse the repository at this point in the history 
Since commit 6a1c531 the user writeable TLS register was zeroed to
prevent it from being used as a covert channel between two tasks.

There are more and more applications coming to Windows RT,
Wine could support them, but mostly they expect to have
the thread environment block (TEB) in TPIDRURW.

This patch preserves that register per thread instead of clearing it.
Unlike the TPIDRURO, which is already switched, the TPIDRURW
can be updated from userspace so needs careful treatment in the case that we
modify TPIDRURW and call fork(). To avoid this we must always read
TPIDRURW in copy_thread.

Signed-off-by: André Hentschel <(address hidden)>
Signed-off-by: Will Deacon <(address hidden)>
Signed-off-by: Jonathan Austin <(address hidden)>
  • Loading branch information
@mdrjr
André Hentschel authored and mdrjr committed Sep 11, 2014
1 parent 036308d commit 1f8be42
Show file tree
Hide file tree
Showing 6 changed files with 37 additions and 20 deletions.
2 changes: 1 addition & 1 deletion arch/arm/include/asm/thread_info.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ struct thread_info {
struct cpu_context_save cpu_context; /* cpu context */
__u32 syscall; /* syscall number */
__u8 used_cp[16]; /* thread used copro */
unsigned long tp_value;
unsigned long tp_value[2]; /* TLS registers */
#ifdef CONFIG_CRUNCH
struct crunch_state crunchstate;
#endif
Expand Down
40 changes: 27 additions & 13 deletions arch/arm/include/asm/tls.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,27 +2,30 @@
#define __ASMARM_TLS_H

#ifdef __ASSEMBLY__
.macro set_tls_none, tp, tmp1, tmp2
#include <asm/asm-offsets.h>
.macro switch_tls_none, base, tp, tpuser, tmp1, tmp2
.endm

.macro set_tls_v6k, tp, tmp1, tmp2
.macro switch_tls_v6k, base, tp, tpuser, tmp1, tmp2
mrc p15, 0, \tmp2, c13, c0, 2 @ get the user r/w register
mcr p15, 0, \tp, c13, c0, 3 @ set TLS register
mov \tmp1, #0
mcr p15, 0, \tmp1, c13, c0, 2 @ clear user r/w TLS register
mcr p15, 0, \tpuser, c13, c0, 2 @ and the user r/w register
str \tmp2, [\base, #TI_TP_VALUE + 4] @ save it
.endm

.macro set_tls_v6, tp, tmp1, tmp2
.macro switch_tls_v6, base, tp, tpuser, tmp1, tmp2
ldr \tmp1, =elf_hwcap
ldr \tmp1, [\tmp1, #0]
mov \tmp2, #0xffff0fff
tst \tmp1, #HWCAP_TLS @ hardware TLS available?
mcrne p15, 0, \tp, c13, c0, 3 @ yes, set TLS register
movne \tmp1, #0
mcrne p15, 0, \tmp1, c13, c0, 2 @ clear user r/w TLS register
streq \tp, [\tmp2, #-15] @ set TLS value at 0xffff0ff0
mrcne p15, 0, \tmp2, c13, c0, 2 @ get the user r/w register
mcrne p15, 0, \tp, c13, c0, 3 @ yes, set TLS register
mcrne p15, 0, \tpuser, c13, c0, 2 @ set user r/w register
strne \tmp2, [\base, #TI_TP_VALUE + 4] @ save it
.endm

.macro set_tls_software, tp, tmp1, tmp2
.macro switch_tls_software, base, tp, tpuser, tmp1, tmp2
mov \tmp1, #0xffff0fff
str \tp, [\tmp1, #-15] @ set TLS value at 0xffff0ff0
.endm
Expand All @@ -31,19 +34,30 @@
#ifdef CONFIG_TLS_REG_EMUL
#define tls_emu 1
#define has_tls_reg 1
#define set_tls set_tls_none
#define switch_tls switch_tls_none
#elif defined(CONFIG_CPU_V6)
#define tls_emu 0
#define has_tls_reg (elf_hwcap & HWCAP_TLS)
#define set_tls set_tls_v6
#define switch_tls switch_tls_v6
#elif defined(CONFIG_CPU_32v6K)
#define tls_emu 0
#define has_tls_reg 1
#define set_tls set_tls_v6k
#define switch_tls switch_tls_v6k
#else
#define tls_emu 0
#define has_tls_reg 0
#define set_tls set_tls_software
#define switch_tls switch_tls_software
#endif

#ifndef __ASSEMBLY__
static inline unsigned long get_tpuser(void)
{
unsigned long reg = 0;

if (has_tls_reg && !tls_emu)
__asm__("mrc p15, 0, %0, c13, c0, 2" : "=r" (reg));

return reg;
}
#endif
#endif /* __ASMARM_TLS_H */
5 changes: 3 additions & 2 deletions arch/arm/kernel/entry-armv.S
View file
Original file line number Diff line number Diff line change
Expand Up @@ -686,15 +686,16 @@ ENTRY(__switch_to)
UNWIND(.fnstart )
UNWIND(.cantunwind )
add ip, r1, #TI_CPU_SAVE
ldr r3, [r2, #TI_TP_VALUE]
ARM( stmia ip!, {r4 - sl, fp, sp, lr} ) @ Store most regs on stack
THUMB( stmia ip!, {r4 - sl, fp} ) @ Store most regs on stack
THUMB( str sp, [ip], #4 )
THUMB( str lr, [ip], #4 )
ldr r4, [r2, #TI_TP_VALUE]
ldr r5, [r2, #TI_TP_VALUE + 4]
#ifdef CONFIG_CPU_USE_DOMAINS
ldr r6, [r2, #TI_CPU_DOMAIN]
#endif
set_tls r3, r4, r5
switch_tls r1, r4, r5, r3, r7
#if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
ldr r7, [r2, #TI_TASK]
ldr r8, =__stack_chk_guard
Expand Down
4 changes: 3 additions & 1 deletion arch/arm/kernel/process.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@
#include <asm/thread_notify.h>
#include <asm/stacktrace.h>
#include <asm/mach/time.h>
#include <asm/tls.h>

#ifdef CONFIG_CC_STACKPROTECTOR
#include <linux/stackprotector.h>
Expand Down Expand Up @@ -400,7 +401,8 @@ copy_thread(unsigned long clone_flags, unsigned long stack_start,
clear_ptrace_hw_breakpoint(p);

if (clone_flags & CLONE_SETTLS)
thread->tp_value = childregs->ARM_r3;
thread->tp_value[0] = childregs->ARM_r3;
thread->tp_value[1] = get_tpuser();

thread_notify(THREAD_NOTIFY_COPY, thread);

Expand Down
2 changes: 1 addition & 1 deletion arch/arm/kernel/ptrace.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -849,7 +849,7 @@ long arch_ptrace(struct task_struct *child, long request,
#endif

case PTRACE_GET_THREAD_AREA:
ret = put_user(task_thread_info(child)->tp_value,
ret = put_user(task_thread_info(child)->tp_value[0],
datap);
break;

Expand Down
4 changes: 2 additions & 2 deletions arch/arm/kernel/traps.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -594,7 +594,7 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs)
return regs->ARM_r0;

case NR(set_tls):
thread->tp_value = regs->ARM_r0;
thread->tp_value[0] = regs->ARM_r0;
if (tls_emu)
return 0;
if (has_tls_reg) {
Expand Down Expand Up @@ -712,7 +712,7 @@ static int get_tp_trap(struct pt_regs *regs, unsigned int instr)
int reg = (instr >> 12) & 15;
if (reg == 15)
return 1;
regs->uregs[reg] = current_thread_info()->tp_value;
regs->uregs[reg] = current_thread_info()->tp_value[0];
regs->ARM_pc += 4;
return 0;
}
Expand Down

0 comments on commit 1f8be42

Please sign in to comment.