Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965217AbeALS6b (ORCPT + 1 other); Fri, 12 Jan 2018 13:58:31 -0500 Received: from mx1.redhat.com ([209.132.183.28]:39686 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965017AbeALS6a (ORCPT ); Fri, 12 Jan 2018 13:58:30 -0500 Date: Fri, 12 Jan 2018 12:58:15 -0600 From: Josh Poimboeuf To: Dan Williams Cc: Linux Kernel Mailing List , linux-arch@vger.kernel.org, Andi Kleen , Kees Cook , kernel-hardening@lists.openwall.com, X86 ML , Ingo Molnar , Al Viro , "H. Peter Anvin" , Thomas Gleixner , Linus Torvalds , Andrew Morton , Alan Cox Subject: Re: [PATCH v2 07/19] x86: introduce __uaccess_begin_nospec and ASM_IFENCE Message-ID: <20180112185815.meiwnnb5vmnrbsdt@treble> References: <151571798296.27429.7166552848688034184.stgit@dwillia2-desk3.amr.corp.intel.com> <151571802258.27429.932636277047687877.stgit@dwillia2-desk3.amr.corp.intel.com> <20180112175109.yoz4jaaipztdj34k@treble> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.0.1 (2016-04-01) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Fri, 12 Jan 2018 18:58:30 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Fri, Jan 12, 2018 at 10:21:43AM -0800, Dan Williams wrote: > > That just sounds wrong. What if the speculation starts *after* the > > access_ok() check? Then the barrier has no purpose. > > > > Most access_ok/get_user/copy_from_user calls are like this: > > > > if (copy_from_user(...uptr..)) /* or access_ok() or get_user() */ > > return -EFAULT; > > > > So in other words, the usercopy function is called *before* the branch. > > > > But to halt speculation, the lfence needs to come *after* the branch. > > So putting lfences *before* the branch doesn't solve anything. > > > > So what am I missing? > > We're trying to prevent a pointer under user control from being > de-referenced inside the kernel, before we know it has been limited to > something safe. In the following sequence the branch we are worried > about speculating is the privilege check: > > if (access_ok(uptr)) /* <--- Privelege Check */ > if (copy_from_user_(uptr)) > > The cpu can speculatively skip that access_ok() check and cause a read > of kernel memory. Converting your example code to assembly: call access_ok # no speculation which started before this point is allowed to continue past this point test %rax, %rax jne error_path dereference_uptr: (do nefarious things with the user pointer) error_path: mov -EINVAL, %rax ret So the CPU is still free to speculately execute the dereference_uptr block because the lfence was before the 'jne error_path' branch. -- Josh