From: Brian Gerst
To: linux-kernel@vger.kernel.org, x86@kernel.org
Cc: Ingo Molnar, Thomas Gleixner, Borislav Petkov, "H. Peter Anvin", Peter Zijlstra, Linus Torvalds, Brian Gerst
Subject: [PATCH 1/3] x86: Move TSS and LDT to end of the GDT
Date: Wed, 13 Dec 2023 11:34:41 -0500
Message-ID: <20231213163443.70490-2-brgerst@gmail.com>
In-Reply-To: <20231213163443.70490-1-brgerst@gmail.com>
References: <20231213163443.70490-1-brgerst@gmail.com>

This will make testing for system segments easier.

Signed-off-by: Brian Gerst
---
 arch/x86/include/asm/segment.h | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h index 9d6411c65920..a155843d0c37 100644 --- a/arch/x86/include/asm/segment.h +++ b/arch/x86/include/asm/segment.h @@ -83,8 +83,8 @@ * 13 - kernel data segment * 14 - default user CS * 15 - default user DS - * 16 - TSS <=3D=3D=3D cacheline #5 - * 17 - LDT + * 16 - unused <=3D=3D=3D cacheline #5 + * 17 - unused * 18 - PNPBIOS support (16->32 gate) * 19 - PNPBIOS support * 20 - PNPBIOS support <=3D=3D=3D cacheline #6 @@ -97,8 +97,11 @@ * 26 - ESPFIX small SS * 27 - per-cpu [ offset to per-cpu data area ] * 28 - VDSO getcpu - * 29 - unused - * 30 - unused + * + * ------- start of system segments: + * + * 29 - TSS + * 30 - LDT * 31 - TSS for double fault handler */ #define GDT_ENTRY_TLS_MIN 6 @@ -108,8 +111,6 @@ #define GDT_ENTRY_KERNEL_DS 13 #define GDT_ENTRY_DEFAULT_USER_CS 14 #define GDT_ENTRY_DEFAULT_USER_DS 15 -#define GDT_ENTRY_TSS 16 -#define GDT_ENTRY_LDT 17 #define GDT_ENTRY_PNPBIOS_CS32 18 #define GDT_ENTRY_PNPBIOS_CS16 19 #define GDT_ENTRY_PNPBIOS_DS 20 @@ -121,6 +122,10 @@ #define GDT_ENTRY_PERCPU 27 #define GDT_ENTRY_CPUNODE 28 =20 +/* Start of system segments */ + +#define GDT_ENTRY_TSS 29 +#define GDT_ENTRY_LDT 30 #define GDT_ENTRY_DOUBLEFAULT_TSS 31 =20 /* @@ -188,20 +193,22 @@ #define GDT_ENTRY_DEFAULT_USER_DS 5 #define GDT_ENTRY_DEFAULT_USER_CS 6 =20 -/* Needs two entries */ -#define GDT_ENTRY_TSS 8 -/* Needs two entries */ -#define GDT_ENTRY_LDT 10 - #define GDT_ENTRY_TLS_MIN 12 #define GDT_ENTRY_TLS_MAX 14 =20 #define GDT_ENTRY_CPUNODE 15 =20 +/* Start of system segments */ + +/* Needs two entries */ +#define GDT_ENTRY_TSS 16 +/* Needs two entries */ +#define GDT_ENTRY_LDT 18 + /* * Number of entries in the GDT table: */ -#define GDT_ENTRIES 16 +#define GDT_ENTRIES 20 =20 /* * Segment selector values corresponding to the above entries: 
@@ -219,6 +226,8 @@ =20 #endif =20 +#define GDT_SYSTEM_START GDT_ENTRY_TSS + #define IDT_ENTRIES 256 #define NUM_EXCEPTION_VECTORS 32 =20 --=20 2.43.0
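Review bot: The whole point of the new layout is the invariant that every GDT entry from GDT_ENTRY_TSS up to the end of the table is a system segment (that is what `#define GDT_SYSTEM_START GDT_ENTRY_TSS` in the last hunk encodes), but nothing in segment.h states it. The `/* Start of system segments */` comment added in both the 32-bit and the 64-bit block should say that any future user-loadable descriptor must be placed before GDT_ENTRY_TSS, otherwise a single `>= GDT_SYSTEM_START * 8` range test silently stops covering it. The changelog ("This will make testing for system segments easier") should also name the consumer of GDT_SYSTEM_START and mention the side effects visible in the hunks: on 32-bit the TSS and LDT leave cacheline #5 (entries 16 and 17 become unused) and sit at 29/30 next to the double-fault TSS at 31, and on 64-bit GDT_ENTRIES grows from 16 to 20, so the GDT becomes four entries (32 bytes) larger.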
From: Brian Gerst
To: linux-kernel@vger.kernel.org, x86@kernel.org
Cc: Ingo Molnar, Thomas Gleixner, Borislav Petkov, "H. Peter Anvin", Peter Zijlstra, Linus Torvalds, Brian Gerst, Michal Luczaj
Subject: [PATCH 2/3] x86/ptrace: Reject system segments
Date: Wed, 13 Dec 2023 11:34:42 -0500
Message-ID: <20231213163443.70490-3-brgerst@gmail.com>
In-Reply-To: <20231213163443.70490-1-brgerst@gmail.com>
References: <20231213163443.70490-1-brgerst@gmail.com>

Do not allow system segments (TSS and LDT) to be poked into segment registers via ptrace. Loading these segments into a segment register normally results in a general protection fault. But in the case of ptrace, setting CS or SS to a system segment will cause IRET to fault. This then results in the instruction decoder attempting to use the invalid segment.

This can be avoided by rejecting system segments in PTRACE_SETREGS.

Signed-off-by: Brian Gerst
Reported-By: Michal Luczaj
Link: https://lore.kernel.org/lkml/20231206004654.2986026-1-mhal@rbox.co/
---
 arch/x86/include/asm/segment.h | 11 +++++++++++
 arch/x86/kernel/ptrace.c       | 12 ++----------
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h index a155843d0c37..ede1fa5aa4cc 100644 --- a/arch/x86/include/asm/segment.h +++ b/arch/x86/include/asm/segment.h
@@ -359,6 +359,17 @@ static inline void __loadsegment_fs(unsigned short val= ue) #define savesegment(seg, value) \ asm("mov %%" #seg ",%0":"=3Dr" (value) : : "memory") =20 +/* + * Determines whether a value may be installed in a segment register. + */ +static inline bool valid_user_selector(u16 value) +{ + if (unlikely(!(value & SEGMENT_TI_MASK) && value >=3D (GDT_SYSTEM_START *= 8))) + return false; + + return likely(value =3D=3D 0 || (value & SEGMENT_RPL_MASK) =3D=3D USER_RP= L); +} + #endif /* !__ASSEMBLY__ */ #endif /* __KERNEL__ */ =20 diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c index 095f04bdabdc..4c3a2278691e 100644 --- a/arch/x86/kernel/ptrace.c +++ b/arch/x86/kernel/ptrace.c @@ -162,14 +162,6 @@ const char *regs_query_register_name(unsigned int offs= et) X86_EFLAGS_DF | X86_EFLAGS_OF | \ X86_EFLAGS_RF | X86_EFLAGS_AC)) =20 -/* - * Determines whether a value may be installed in a segment register. - */ -static inline bool invalid_selector(u16 value) -{ - return unlikely(value !=3D 0 && (value & SEGMENT_RPL_MASK) !=3D USER_RPL); -} - #ifdef CONFIG_X86_32 =20 #define FLAG_MASK FLAG_MASK_32 @@ -206,7 +198,7 @@ static int set_segment_reg(struct task_struct *task, /* * The value argument was already truncated to 16 bits. */ - if (invalid_selector(value)) + if (!valid__user_selector(value)) return -EIO; =20 /* 
@@ -296,7 +288,7 @@ static int set_segment_reg(struct task_struct *task, /* * The value argument was already truncated to 16 bits. */ - if (invalid_selector(value)) + if (!valid_user_selector(value)) return -EIO; =20 /* --=20 2.43.0
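Review bot: The CONFIG_X86_32 hunk in ptrace.c (`@@ -206,7 +198,7 @@`) calls `valid__user_selector` with a doubled underscore, while the helper added to segment.h is `valid_user_selector`, so the 32-bit build fails with an undeclared function; the 64-bit hunk (`@@ -296,7 +288,7 @@`) spells it correctly, so only the 32-bit path is affected. The line should read `if (!valid_user_selector(value))`.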
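Review bot: In the segment.h hunk, `valid_user_selector()` carries over the comment "Determines whether a value may be installed in a segment register" unchanged from the removed `invalid_selector()`, but it now also rejects GDT selectors at or above `GDT_SYSTEM_START * 8`; the comment should say so and spell out the two decisions the body makes: selectors with SEGMENT_TI_MASK set refer to the LDT and are deliberately not range-checked here, and the comparison against `GDT_SYSTEM_START * 8` is done on the raw selector including its RPL bits, which is correct because any RPL attached to an index >= GDT_SYSTEM_START still yields a value >= the bound. It is also worth stating in the changelog that the helper's sense is inverted relative to the old one (callers now test `!valid_user_selector()`), since that is exactly the kind of change where a stale call site goes unnoticed until the affected config is built.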
From: Brian Gerst
To: linux-kernel@vger.kernel.org, x86@kernel.org
Cc: Ingo Molnar, Thomas Gleixner, Borislav Petkov, "H. Peter Anvin", Peter Zijlstra, Linus Torvalds, Brian Gerst, Michal Luczaj
Subject: [PATCH 3/3] x86/sigreturn: Reject system segments
Date: Wed, 13 Dec 2023 11:34:43 -0500
Message-ID: <20231213163443.70490-4-brgerst@gmail.com>
In-Reply-To: <20231213163443.70490-1-brgerst@gmail.com>
References: <20231213163443.70490-1-brgerst@gmail.com>

Do not allow system segments (TSS and LDT) to be loaded into segment registers via sigreturn. Loading these segments into a segment register normally results in a general protection fault. In the case of sigreturn, setting CS or SS to a system segment will cause IRET to fault. This then results in the instruction decoder attempting to use the invalid segment.

This can be avoided by rejecting system segments in the sigreturn() syscall.

Signed-off-by: Brian Gerst
Reported-By: Michal Luczaj
Link: https://lore.kernel.org/lkml/20231206004654.2986026-1-mhal@rbox.co/
---
 arch/x86/kernel/signal_32.c | 4 ++++
 arch/x86/kernel/signal_64.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c index c12624bc82a3..0e1926b676b0 100644 --- a/arch/x86/kernel/signal_32.c +++ b/arch/x86/kernel/signal_32.c @@ -98,7 +98,11 @@ static bool ia32_restore_sigcontext(struct pt_regs *regs, =20 /* Get CS/SS and force CPL3 */ regs->cs =3D sc.cs | 0x03; + if (!valid_user_selector(regs->cs)) + return false; regs->ss =3D sc.ss | 0x03; + if (!valid_user_selector(regs->ss)) + return false; =20 regs->flags =3D (regs->flags & ~FIX_EFLAGS) | (sc.flags & FIX_EFLAGS); /* disable syscall checks */
diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c index 23d8aaf8d9fd..666b147bf43a 100644 --- a/arch/x86/kernel/signal_64.c +++ b/arch/x86/kernel/signal_64.c @@ -79,7 +79,11 @@ static bool restore_sigcontext(struct pt_regs *regs, =20 /* Get CS/SS and force CPL3 */ regs->cs =3D sc.cs | 0x03; + if (!valid_user_selector(regs->cs)) + return false; regs->ss =3D sc.ss | 0x03; + if (!valid_user_selector(regs->ss)) + return false; =20 regs->flags =3D (regs->flags & ~FIX_EFLAGS) | (sc.flags & FIX_EFLAGS); /* disable syscall checks */ --=20 2.43.0
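Review bot: In both the signal_32.c and signal_64.c hunks the selector is stored into `regs->cs` (and then `regs->ss`) before `valid_user_selector()` is consulted, so on the `return false` path pt_regs already holds the rejected value; whether that is harmless depends on what the callers do after a false return, which these hunks do not show. Validating before the store removes the question: `if (!valid_user_selector(sc.cs | 0x03)) return false; regs->cs = sc.cs | 0x03;` and likewise for ss. Also note that because `| 0x03` forces RPL 3 here, the RPL half of `valid_user_selector()` can never fail on the sigreturn path; only the `GDT_SYSTEM_START` range test does any work, and the changelog would be clearer if it said that this is the check being added rather than describing it as a general selector check.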