Received: by 10.223.176.46 with SMTP id f43csp1024264wra;
        Sat, 20 Jan 2018 09:12:45 -0800 (PST)
X-Google-Smtp-Source: AH8x22544LlIbmH1OjK+Y9Ag4dLMSfNflgv3u2a3ou/Ds5bmvz+UHJNkqFztbres5wOmQnb2F6ey
X-Received: by 10.99.96.142 with SMTP id u136mr2556408pgb.406.1516468365474;
        Sat, 20 Jan 2018 09:12:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516468365; cv=none;
        d=google.com; s=arc-20160816;
        b=Ytu+W6Fd0gjQ3geIoQvWhzrnlzkmzT8VmmteiECn8rmSu7ol772oYBIO/XY+EugObC
         6gVGig8wZQkaq+p3UAeOzaXr+sdKw1c3mj2kjHLrxYBzzmK0U1ZqNGsn7m07tZA0RUNn
         TVxECub8X44B1kT+b6xcqzQpNdIlJH5rlJUCby6JQ1X6riDZ3v3haorTk0RlOm4+gP/0
         jv3QSveLyxsVo3gPU3+nBXe5sWVSdD/W9SWgJQSBNEuS4xcxqcDO0Pmf7SZ2oVTWxRsz
         YzvD6MjMEXqz6gtrWuBcnX+P6LFV+oBPLh76QpoLDolB5h52srFWS49gGIkNLPLDshil
         P7rA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=/2WQf29JacuaCKHENSTYdGHxdJzy299jV1u91OIP2OI=;
        b=JDgyhoVWrhlo2Aqd7DnQfFN7ONXZbc1Xnry388v7M37n+ujF3XE2JA/sNG1Zazi7e5
         g35D623/x68vTljLn4Gr5sDyZ/WcQrpnULI9eeTVCK9wVWv/RYh1WaensLl3Wf778Qyk
         03EKhbM/tA0Wb7ho8CQWroTDQq/4uK6e0vN1RPpv+bGJ3kl0zgfNIcKTkomRlcqNv4nK
         FJgl+nucs+9HCgan5EF6x8TKsdiBH1KUIiqkhaR99tFHNmLhZGQ7Lode0LJI69MGcVCg
         GNjddASvaP6iEe6Hk0SOSKRfqKj7XpaHnFNpnXfMSgFNkAV9+OKD2WJ7sUeVlw93/pRv
         ZqXA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ffA7mUlC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p5si10594086pgn.197.2018.01.20.09.12.30;
        Sat, 20 Jan 2018 09:12:45 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ffA7mUlC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756387AbeATRHt (ORCPT <rfc822;xc.haze2010@gmail.com>
        + 99 others); Sat, 20 Jan 2018 12:07:49 -0500
Received: from mail-wr0-f195.google.com ([209.85.128.195]:40869 "EHLO
        mail-wr0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754913AbeATRHl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 20 Jan 2018 12:07:41 -0500
Received: by mail-wr0-f195.google.com with SMTP id 100so4291086wrb.7;
        Sat, 20 Jan 2018 09:07:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=/2WQf29JacuaCKHENSTYdGHxdJzy299jV1u91OIP2OI=;
        b=ffA7mUlCfMSpVuq65mea1hLacT/XH7kHrZplF11dqhy+lyw0tBTa/KYlsqAM6Qu3UO
         FsC+lZjjgU/jALWhp00vOVzFRROdcWRN4ZK7Aaeua3p0bbGTOfmQPu4J3dC8DS5V2n2o
         dNHteLE5K32MqPKFaZxpMu4iRKBZ/EUZAft6q2KMQQWSbTGauK1V22QBIrOnvLOqlTdr
         lV50EHcdMPLLMgatmjMQJGemh5tdAR4eIZ7pjGf6wX62GXS5VQd3bvb68Yg3eR1VqxZ1
         cm7Aj4yfnwObYqufDWlqCzWrHJ+goz++p0YR5b6WXyMFlkTiwBDviIK8er8t+Vz+UVtB
         AdUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=/2WQf29JacuaCKHENSTYdGHxdJzy299jV1u91OIP2OI=;
        b=T5HdguPLmbRguF8Ur6omeDy7h+fE8pAh2bWY03BMoifzbjOAPHPefIRUdGWGeiyMtX
         W+xZi2rSn/Y/ckD1IIgif8+4XGih31xIBOacSfz1aHOXVQMYwgmyQxntgQ80UxXm2MHn
         3RMAKcXSLQhJOAAMLfjmSlHh+Gc8brUdbHkLaZF6mKrMfiExjHEf15m9fHIgj+aQ1UpZ
         TP6tN6NXwJgud3HgDwk8Oxk4gJkDCvnINjyKl6xSeLH0B/w/rmuq655QsRxUwfhGm8to
         xWy2TderM7mkj7BDEeRk1JTfEb3v8WzDJrLYwb0Iqrvib/zsoqThtQzhePmTDYsdH1UN
         HlQw==
X-Gm-Message-State: AKwxytfIyk2rOSj0oG9sCf2Xl1qNxtaKxZPjj/BRLq3p7UoqrOv/98WK
        dtLHqu+LfsA/Di5OIf6F6mJCfQR/zglKG9K2Mc8=
X-Received: by 10.223.184.102 with SMTP id u35mr1849826wrf.143.1516468058900;
 Sat, 20 Jan 2018 09:07:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.165.2 with HTTP; Sat, 20 Jan 2018 09:07:18 -0800 (PST)
In-Reply-To: <20180120165631.e7c3kipmhb5sckor@ast-mbp>
References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com>
 <CAPcyv4iBHTahi66deUT1iSPpA2W2wjYZSaiUYUjpdK10d5Rt7g@mail.gmail.com> <20180120165631.e7c3kipmhb5sckor@ast-mbp>
From:   Alexei Starovoitov <alexei.starovoitov@gmail.com>
Date:   Sat, 20 Jan 2018 09:07:18 -0800
Message-ID: <CAADnVQLOYTV5Z8C_sSj+pV9DRBFg9oOZVYcr3EKYsfZvuNS2Rw@mail.gmail.com>
Subject: Re: [PATCH v4 00/10] prevent bounds-check bypass via speculative execution
To:     Dan Williams <dan.j.williams@intel.com>
Cc:     Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Mark Rutland <mark.rutland@arm.com>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Will Deacon <will.deacon@arm.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Elena Reshetova <elena.reshetova@intel.com>,
        linux-arch <linux-arch@vger.kernel.org>,
        Andi Kleen <ak@linux.intel.com>,
        Jonathan Corbet <corbet@lwn.net>, X86 ML <x86@kernel.org>,
        Russell King <linux@armlinux.org.uk>,
        Ingo Molnar <mingo@redhat.com>,
        Andrew Honig <ahonig@google.com>,
        Alan Cox <alan@linux.intel.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        Kees Cook <keescook@chromium.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Andy Lutomirski <luto@kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Andrew Morton <akpm@linux-foundation.org>,
        Jim Mattson <jmattson@google.com>,
        Christian Lamparter <chunkeey@gmail.com>,
        Greg KH <gregkh@linuxfoundation.org>,
        Linux Wireless List <linux-wireless@vger.kernel.org>,
        stable <stable@vger.kernel.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Johannes Berg <johannes@sipsolutions.net>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        "David S. Miller" <davem@davemloft.net>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jan 20, 2018 at 8:56 AM, Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
> On Fri, Jan 19, 2018 at 10:58:44PM -0800, Dan Williams wrote:
>> On Thu, Jan 18, 2018 at 4:01 PM, Dan Williams <dan.j.williams@intel.com> wrote:
>> > Changes since v3 [1]
>> > * Drop 'ifence_array_ptr' and associated compile-time + run-time
>> >   switching and just use the masking approach all the time.
>> >
>> > * Convert 'get_user' to use pointer sanitization via masking rather than
>> >   lfence. '__get_user' and associated paths still rely on
>> >   lfence. (Linus)
>> >
>> >       "Basically, the rule is trivial: find all 'stac' users, and use
>> >        address masking if those users already integrate the limit
>> >        check, and lfence they don't."
>> >
>> > * At syscall entry sanitize the syscall number under speculation
>> >   to remove a user controlled pointer de-reference in kernel
>> >   space.  (Linus)
>> >
>> > * Fix a raw lfence in the kvm code (added for v4.15-rc8) to use
>> >   'array_ptr'.
>> >
>> > * Propose 'array_idx' as a way to sanitize user input that is
>> >   later used as an array index, but where the validation is
>> >   happening in a different code block than the array reference.
>> >   (Christian).
>> >
>> > * Fix grammar in speculation.txt (Kees)
>> >
>> > ---
>> >
>> > Quoting Mark's original RFC:
>> >
>> > "Recently, Google Project Zero discovered several classes of attack
>> > against speculative execution. One of these, known as variant-1, allows
>> > explicit bounds checks to be bypassed under speculation, providing an
>> > arbitrary read gadget. Further details can be found on the GPZ blog [2]
>> > and the Documentation patch in this series."
>> >
>> > A precondition of using this attack on the kernel is to get a user
>> > controlled pointer de-referenced (under speculation) in privileged code.
>> > The primary source of user controlled pointers in the kernel is the
>> > arguments passed to 'get_user' and '__get_user'. An example of other
>> > user controlled pointers are user-controlled array / pointer offsets.
>> >
>> > Better tooling is needed to find more arrays / pointers with user
>> > controlled indices / offsets that can be converted to use 'array_ptr' or
>> > 'array_idx'. A few are included in this set, and these are not expected
>> > to be complete. That said, the 'get_user' protections raise the bar on
>> > finding a vulnerable gadget in the kernel.
>> >
>> > These patches are also available via the 'nospec-v4' git branch here:
>> >
>> >     git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux nospec-v4
>>
>> I've pushed out a nospec-v4.1 with the below minor cleanup, a fixup of
>> the changelog for "kvm, x86: fix spectre-v1 mitigation", and added
>> Paolo's ack.
>>
>>      git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux nospec-v4.1
>>
>> diff --git a/include/linux/nospec.h b/include/linux/nospec.h
>> index 8af35be1869e..b8a9222e34d1 100644
>> --- a/include/linux/nospec.h
>> +++ b/include/linux/nospec.h
>> @@ -37,7 +37,7 @@ static inline unsigned long array_ptr_mask(unsigned
>> long idx, unsigned long sz)
>>         unsigned long _i = (idx);                                       \
>>         unsigned long _mask = array_ptr_mask(_i, (sz));                 \
>>                                                                         \
>> -       __u._ptr = _arr + (_i & _mask);                                 \
>> +       __u._ptr = _arr + _i;                                           \
>>         __u._bit &= _mask;                                              \
>>         __u._ptr;                                                       \
>
> hmm. I'm not sure it's the right thing to do, since the macro
> is forcing cpu to speculate subsequent load from null instead
> of valid pointer.
> As Linus said: "
>  So that __u._bit masking wasn't masking
>  the pointer, it was masking the value that was *read* from the
>  pointer, so that you could know that an invalid access returned
>  0/NULL, not just the first value in the array.
> "
> imo just
>   return _arr + (_i & _mask);
> is enough. No need for union games.
> The cpu will speculate the load from _arr[0] if _i is out of bounds
> which is the same as if user passed _i == 0 which would have passed
> bounds check anyway, so I don't see any data leak from populating
> cache with _arr[0] data. In-bounds access can do that just as well
> without any speculation.

scratch that. It's array_ptr, not array_access.
The code will do if (!ptr) later, so yeah this api is fine.