git.itanic.dy.fi Git - linux-stable/commit

author	Sven Schnelle <svens@linux.ibm.com>
	Wed, 22 Jan 2020 12:38:22 +0000 (13:38 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 13 Apr 2020 08:48:06 +0000 (10:48 +0200)
commit	5e331978200e379c525394aa0863cece328c3dee
tree	8ba4f0752f02d9d05e4b35244c7a229a665b9039	tree \| snapshot
parent	74107d56d1e8e6ac5a061059941b7e2d03522df6	commit \| diff

s390: prevent leaking kernel address in BEAR

commit 0b38b5e1d0e2f361e418e05c179db05bb688bbd6 upstream.

When userspace executes a syscall or gets interrupted,
BEAR contains a kernel address when returning to userspace.
This make it pretty easy to figure out where the kernel is
mapped even with KASLR enabled. To fix this, add lpswe to
lowcore and always execute it there, so userspace sees only
the lowcore address of lpswe. For this we have to extend
both critical_cleanup and the SWITCH_ASYNC macro to also check
for lpswe addresses in lowcore.

Fixes: b2d24b97b2a9 ("s390/kernel: add support for kernel address space layout randomization (KASLR)")
Cc: <stable@vger.kernel.org> # v5.2+
Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

arch/s390/include/asm/lowcore.h		diff \| blob \| history
arch/s390/include/asm/processor.h		diff \| blob \| history
arch/s390/include/asm/setup.h		diff \| blob \| history
arch/s390/kernel/asm-offsets.c		diff \| blob \| history
arch/s390/kernel/entry.S		diff \| blob \| history
arch/s390/kernel/process.c		diff \| blob \| history
arch/s390/kernel/setup.c		diff \| blob \| history
arch/s390/kernel/smp.c		diff \| blob \| history
arch/s390/mm/vmem.c		diff \| blob \| history