Cve 2017 5754 #2048
Commits on Jan 10, 2018
core: make core_mmu.h asm friendly
Makes core_mmu.h assembly friendly by excluding C code with #ifndef ASM

Reviewed-by: Etienne Carriere <[email protected]>
Reviewed-by: Jerome Forissier <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit d3a558d

core: refactor ASID management
Refactors Address Space Identifier management. The field in struct user_ta_ctx is moved into struct tee_mmu_info and renamed to asid. Allocation is refactored internally with asid_alloc() and asid_free() functions, based on bitstring.h macros. ASIDs start at 2 and are always even numbers. ASIDs with the lowest bit set are reserved as the second ASID when using ASIDs in pairs.

Reviewed-by: Etienne Carriere <[email protected]>
Acked-by: Jerome Forissier <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit 572ca16

core: tlbi_asid() handle kernel mode ASID too
When invalidating an ASID (lowest bit 0), clear the paired ASID (lowest bit 1) too.

Reviewed-by: Etienne Carriere <[email protected]>
Reviewed-by: Jerome Forissier <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit 48c0fa2

Adds mobj_tee_ram to describe TEE RAM mapping inside a user mapping.

Reviewed-by: Etienne Carriere <[email protected]>
Reviewed-by: Jerome Forissier <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit 3b25bf7

core: thread: add thread_get_user_kcode()
Adds thread_get_user_kcode() to report required kernel mapping (exception vector and some associated code in the same section as the vector) inside a user mapping.

Reviewed-by: Etienne Carriere <[email protected]>
Reviewed-by: Jerome Forissier <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit 4361f46

core: mm: add kernel mapping to user map
Adds a minimal kernel mapping needed when user mapping is active.

Reviewed-by: Etienne Carriere <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit 1715dcd

core: user mode translation table
Adds a second translation table to be used while in user mode containing user mode mapping and a minimal kernel mapping.

Reviewed-by: Etienne Carriere <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit cc5d25d

core: arm32: exception handlers in one section
Moves all exception handlers into the section of the vector, .text.thread_vect_table. This makes it possible to later map just the exception vector and the closest associated code while in user mode.

Reviewed-by: Etienne Carriere <[email protected]>
Reviewed-by: Jerome Forissier <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit c660cd8

core: thread_a32.S: move intr handler macros
Moves the interrupt handler macros closer to the vector.

Reviewed-by: Etienne Carriere <[email protected]>
Reviewed-by: Jerome Forissier <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit bae9f82

core: use minimal kernel map in user space
Adds a trampoline in the exception vector to switch to a minimal kernel map when in user mode. When returning to kernel mode the full kernel mode map is restored.

Arm32 tries to mimic the arm64 exception model somewhat by letting each exception handler run with disabled asynchronous aborts, irq and fiq. For arm32, access to the CPU's thread_core_local is only done via the stack pointer in abort mode. Entry of user mode is only done via abort mode, which means that the abort mode spsr register carries the new cpsr. Care is taken to have all exceptions disabled while using abort mode.

ASIDs are paired with a user mode ASID with the lowest bit set and a kernel mode ASID with the lowest bit cleared. ASID 0 is reserved for kernel mode use when there's no user mode mapping active.

With this change an active user mode mapping while in kernel mode uses (asid | 0), and while in user mode (asid | 1). The switch is done via the trampoline in the vector.

Acked-by: Etienne Carriere <[email protected]>
Acked-by: Jerome Forissier <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit f0d6133

core: make all mapping non-global
Makes all mapping non-global to avoid the otherwise required tlb invalidation when switching to user mode. This change makes the fix for CVE-2017-5754 complete.

Reviewed-by: Etienne Carriere <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit 4ae953b

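The paired-ASID scheme and the reason for non-global mappings described in the commit messages above, as a toy C model. This is an added example, not OP-TEE code: asid_alloc(), asid_free() and tlbi_asid() only borrow their names from the commit messages, and the TLB model, tlb_fill(), tlb_hit() and the sizes are assumptions.

```c
/* Toy model (added example, not OP-TEE code). The TLB model, the sizes
 * and tlb_fill()/tlb_hit() are assumptions made for this sketch. */
#include <stdbool.h>
#include <stdint.h>

enum { NUM_PAIRS = 4, TLB_SIZE = 8 };	/* assumed pool and TLB sizes */

struct tlb_entry { uint32_t va; unsigned int asid; bool global, valid; };
static struct tlb_entry tlb[TLB_SIZE];
static unsigned int tlb_next;
static bool pair_used[NUM_PAIRS];

/* Even ASID >= 2, or 0 if exhausted (0: kernel, no user map active). */
unsigned int asid_alloc(void)
{
	for (unsigned int i = 0; i < NUM_PAIRS; i++)
		if (!pair_used[i]) { pair_used[i] = true; return 2 * (i + 1); }
	return 0;
}

void asid_free(unsigned int asid)
{
	if (asid >= 2 && !(asid & 1) && asid / 2 <= NUM_PAIRS)
		pair_used[asid / 2 - 1] = false;
}

/* Cache a translation made while `asid` was current (round-robin). */
void tlb_fill(uint32_t va, unsigned int asid, bool global)
{
	tlb[tlb_next++ % TLB_SIZE] = (struct tlb_entry){ va, asid, global, true };
}

/* A global entry matches under any ASID, a non-global one only its own. */
bool tlb_hit(uint32_t va, unsigned int cur_asid)
{
	for (unsigned int i = 0; i < TLB_SIZE; i++)
		if (tlb[i].valid && tlb[i].va == va &&
		    (tlb[i].global || tlb[i].asid == cur_asid))
			return true;
	return false;
}

/* Invalidate the kernel-mode ASID (bit 0 clear) and its user-mode pair. */
void tlbi_asid(unsigned int asid)
{
	for (unsigned int i = 0; i < TLB_SIZE; i++)
		if (!tlb[i].global && (tlb[i].asid | 1u) == (asid | 1u))
			tlb[i].valid = false;
}
```

In the model, a kernel translation cached under `asid` does not hit once the CPU runs under `asid | 1`, while a global entry hits under either ASID, which is the case the non-global change removes.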
core: rename mattr_uflags_to_str()
Renames mattr_uflags_to_str() to mattr_perm_to_str() and reports all permission bits using a 7-byte-long string instead. This allows observing the permissions of the minimal kernel mapping added to the user space context.

Reviewed-by: Etienne Carriere <[email protected]>
Acked-by: Andrew Davis <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit eb3d85c

documentation: mmu and switch to/from user space
This only describes the already documented legacy ARMv7 (short) table format.

Acked-by: Jerome Forissier <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Commit c4503a5