Subject: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation
From: Dan Williams To: linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, gregkh@linuxfoundation.org, x86@kernel.org, Ingo Molnar , Andy Lutomirski , "H. Peter Anvin" , tglx@linutronix.de, torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@linux.intel.com Date: Thu, 18 Jan 2018 16:02:21 -0800 Message-ID: <151632014097.21271.16980532033566583357.stgit@dwillia2-desk3.amr.corp.intel.com> In-Reply-To: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> User-Agent: StGit/0.17.1-9-g687f MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The syscall table base is a user controlled function pointer in kernel space. Like, 'get_user, use 'MASK_NOSPEC' to prevent any out of bounds speculation. While retpoline prevents speculating into the user controlled target it does not stop the pointer de-reference, the concern is leaking memory relative to the syscall table base. Reported-by: Linus Torvalds Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: x86@kernel.org Cc: Andy Lutomirski Signed-off-by: Dan Williams --- arch/x86/entry/entry_64.S | 2 ++ arch/x86/include/asm/smap.h | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 4f8e1d35a97c..2320017077d4 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -35,6 +35,7 @@ #include #include #include +#include #include #include #include @@ -264,6 +265,7 @@ entry_SYSCALL_64_fastpath: cmpl $__NR_syscall_max, %eax #endif ja 1f /* return -ENOSYS (already in pt_regs->ax) */ + MASK_NOSPEC %r11 %rax /* sanitize syscall_nr wrt speculation */ movq %r10, %rcx /* 
diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h index 2b4ad4c6a226..3b5b2cf58dc6 100644 --- a/arch/x86/include/asm/smap.h +++ b/arch/x86/include/asm/smap.h @@ -35,7 +35,14 @@ * this directs the cpu to speculate with a NULL ptr rather than * something targeting kernel memory. * - * assumes CF is set from a previous 'cmp TASK_addr_limit, %ptr' + * In the syscall entry path it is possible to speculate past the + * validation of the system call number. Use MASK_NOSPEC to sanitize the + * syscall array index to zero (sys_read) rather than an arbitrary + * target. + * + * assumes CF is set from a previous 'cmp' i.e.: + * cmp TASK_addr_limit, %ptr + * cmp __NR_syscall_max, %idx */ .macro MASK_NOSPEC mask val sbb \mask, \mask
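Review bot: the new `MASK_NOSPEC %r11 %rax` in the entry_SYSCALL_64_fastpath hunk is off by one at the top of the table. It takes CF from `cmpl $__NR_syscall_max, %eax`, and `sbb \mask, \mask` yields an all-ones mask only when %eax is strictly below __NR_syscall_max; for %eax == __NR_syscall_max the preceding `ja 1f` accepts the number (CF=0, ZF=1), but the mask is zero, so the highest valid syscall number is architecturally redirected to sys_read, not only under speculation. Either compare against the exclusive bound (`__NR_syscall_max + 1`, the number of table entries) and reject with `jae 1f`, or derive the mask from a separate compare against that bound; whichever arm of the `#ifdef` ending at the visible `#endif` performs the compare needs the same bound.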
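Review bot: the updated comment in the smap.h hunk documents the CF precondition by example only, and the second example, `cmp __NR_syscall_max, %idx`, describes a compare whose mask zeroes the in-bounds index __NR_syscall_max, because `sbb \mask, \mask` produces all-ones only for a strictly-below compare. State the invariant explicitly (CF must be set exactly when the value is in bounds, i.e. the compare operand is the exclusive upper bound) and make the example `cmp $(__NR_syscall_max + 1), %idx` or drop it. Style: the example also omits the `$` immediate prefix that the actual `cmpl $__NR_syscall_max, %eax` uses.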
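The mask MASK_NOSPEC builds, and why the bound it is compared against matters, as an added C example that is not part of this patch or of the kernel's code. `nospec_mask`, `demo_table` and the two lookup helpers are constructed for illustration; on x86-64 the mask comes from the same cmp/sbb pair the macro relies on, elsewhere from portable arithmetic. The first lookup masks against the exclusive bound (the number of entries); the second mirrors the patch's pairing of `ja` with a compare against the inclusive maximum, which collapses the last valid index to entry 0.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Number of entries in the constructed demo table; valid indices are 0..3,
 * so the inclusive maximum (the analogue of __NR_syscall_max) is 3. */
#define DEMO_NR_SYSCALLS 4UL
#define DEMO_SYSCALL_MAX (DEMO_NR_SYSCALLS - 1)

/* Constructed stand-in for the syscall table: index 0 is the "safe" target
 * the patch narrows out-of-bounds indices to (sys_read). */
static const char *const demo_table[DEMO_NR_SYSCALLS] = {
	"sys_read", "sys_write", "sys_open", "sys_close",
};

/* Branch-free bounds mask in the spirit of MASK_NOSPEC: all-ones when
 * idx < bound (unsigned compare), zero otherwise. */
static unsigned long nospec_mask(unsigned long idx, unsigned long bound)
{
	unsigned long mask;
#if defined(__x86_64__)
	/* cmp computes idx - bound and sets CF iff idx < bound;
	 * sbb mask, mask then yields 0 - CF, i.e. ~0UL or 0. */
	__asm__ ("cmp %2, %1\n\t"
		 "sbb %0, %0"
		 : "=&r" (mask)
		 : "r" (idx), "r" (bound)
		 : "cc");
#else
	/* Portable equivalent: 0 - 1 == ~0UL in bounds, 0 - 0 == 0 otherwise. */
	mask = 0UL - (unsigned long)(idx < bound);
#endif
	return mask;
}

/* Correct use: the architectural check rejects idx >= count, and the mask
 * is derived from the same exclusive bound, so every valid index survives
 * and a speculatively out-of-bounds index collapses to entry 0. */
static const char *lookup_exclusive_bound(unsigned long idx)
{
	if (idx >= DEMO_NR_SYSCALLS)
		return NULL;		/* the -ENOSYS path */
	idx &= nospec_mask(idx, DEMO_NR_SYSCALLS);
	return demo_table[idx];
}

/* Mirrors the patch: `ja` rejects only idx > max, but the mask is computed
 * from a compare against max itself, so idx == max passes the check, gets a
 * zero mask, and the last valid entry is silently turned into entry 0. */
static const char *lookup_inclusive_max(unsigned long idx)
{
	if (idx > DEMO_SYSCALL_MAX)
		return NULL;
	idx &= nospec_mask(idx, DEMO_SYSCALL_MAX);
	return demo_table[idx];
}

int main(void)
{
	unsigned long i;

	/* Walk every index including one past the end to show both behaviours. */
	for (i = 0; i <= DEMO_NR_SYSCALLS; i++) {
		const char *a = lookup_exclusive_bound(i);
		const char *b = lookup_inclusive_max(i);

		printf("idx %lu: exclusive bound -> %s, inclusive max -> %s\n",
		       i, a ? a : "ENOSYS", b ? b : "ENOSYS");
	}
	return 0;
}
```

Running it shows index 3 resolving to `sys_close` through the exclusive-bound lookup and to `sys_read` through the inclusive-max lookup, while index 4 is rejected by both; the mask itself is only a mitigation for the speculative window, the architectural range check stays in place in front of it.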