The idx in do_get_thread_area() is controlled by userspace
via syscall: ptrace(defined in kernel/ptrace.c), hence
leading to a potential exploitation of the Spectre variant 1 vulnerability.
The idx can be controlled from:
ptrace -> arch_ptrace -> do_get_thread_area.
Fix this by sanitizing idx before using it to index p->thread.tls_array.
Signed-off-by: Dianzhang Chen <[email protected]>
---
arch/x86/kernel/tls.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
index a5b802a..4cd338c 100644
--- a/arch/x86/kernel/tls.c
+++ b/arch/x86/kernel/tls.c
@@ -5,6 +5,7 @@
#include <linux/user.h>
#include <linux/regset.h>
#include <linux/syscalls.h>
+#include <linux/nospec.h>
#include <linux/uaccess.h>
#include <asm/desc.h>
@@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx,
struct user_desc __user *u_info)
{
struct user_desc info;
+ int index = idx - GDT_ENTRY_TLS_MIN;
if (idx == -1 && get_user(idx, &u_info->entry_number))
return -EFAULT;
@@ -227,8 +229,10 @@ int do_get_thread_area(struct task_struct *p, int idx,
if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
return -EINVAL;
+ index = array_index_nospec(index,
+ GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1);
fill_user_desc(&info, idx,
- &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]);
+ &p->thread.tls_array[index]);
if (copy_to_user(u_info, &info, sizeof(info)))
return -EFAULT;
--
2.7.4
On Tue, 11 Jun 2019, Dianzhang Chen wrote:
Subject prefix is 'x86/tls:' please.
> The idx in do_get_thread_area() is controlled by userspace
The idx? Please to not variable names in the change log. The variable name
is an implementation detail.
The index to access the threads tls array is controlled ....
Hmm?
> via syscall: ptrace(defined in kernel/ptrace.c), hence
sys_ptrace() again.
> leading to a potential exploitation of the Spectre variant 1 vulnerability.
> The idx can be controlled from:
> ptrace -> arch_ptrace -> do_get_thread_area.
>
> Fix this by sanitizing idx before using it to index p->thread.tls_array.
>
> Signed-off-by: Dianzhang Chen <[email protected]>
> ---
> arch/x86/kernel/tls.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
> index a5b802a..4cd338c 100644
> --- a/arch/x86/kernel/tls.c
> +++ b/arch/x86/kernel/tls.c
> @@ -5,6 +5,7 @@
> #include <linux/user.h>
> #include <linux/regset.h>
> #include <linux/syscalls.h>
> +#include <linux/nospec.h>
>
> #include <linux/uaccess.h>
> #include <asm/desc.h>
> @@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx,
> struct user_desc __user *u_info)
> {
> struct user_desc info;
> + int index = idx - GDT_ENTRY_TLS_MIN;
>
> if (idx == -1 && get_user(idx, &u_info->entry_number))
> return -EFAULT;
Broken in the same way as the other one.
Thanks,
tglx