x86/fsgsbase/64: Fully initialize FS and GS state in start_thread_common

execve used to leak FSBASE and GSBASE on AMD CPUs.  Fix it.

The security impact of this bug is small but not quite zero -- it
could weaken ASLR when a privileged task execs a less privileged
program, but only if program changed bitness across the exec, or the
child binary was highly unusual or actively malicious.  A child
program that was compromised after the exec would not have access to
the leaked base.

Signed-off-by: Andy Lutomirski <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: Chang Seok <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Josh Poimboeuf <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Signed-off-by: Ingo Molnar <[email protected]>

diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index e04941fb67fba42a87883673dcd310add2b057b9..d8305ab3d61e70da63e2ac37f9e0486635752e33 100644 (file)
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -228,10 +228,19 @@ start_thread_common(struct pt_regs *regs, unsigned long new_ip,
                    unsigned long new_sp,
                    unsigned int _cs, unsigned int _ss, unsigned int _ds)
 {
+       WARN_ON_ONCE(regs != current_pt_regs());
+
+       if (static_cpu_has(X86_BUG_NULL_SEG)) {
+               /* Loading zero below won't clear the base. */
+               loadsegment(fs, __USER_DS);
+               load_gs_index(__USER_DS);
+       }
+
        loadsegment(fs, 0);
        loadsegment(es, _ds);
        loadsegment(ds, _ds);
        load_gs_index(0);
+
        regs->ip                = new_ip;
        regs->sp                = new_sp;
        regs->cs                = _cs;