Received: by 10.223.176.5 with SMTP id f5csp1056063wra;
        Tue, 6 Feb 2018 11:49:59 -0800 (PST)
X-Google-Smtp-Source: AH8x227FsPZ2xwgMbbLSCkEKfUy5Wmo1OqD1sph0rwNwMIyo5SOCRr6ekLdQdGZhV1bZv+RG41Ev
X-Received: by 2002:a17:902:ab85:: with SMTP id f5-v6mr3494087plr.199.1517946599378;
        Tue, 06 Feb 2018 11:49:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517946599; cv=none;
        d=google.com; s=arc-20160816;
        b=sr/nVFbfd5hKm3ZBwkg4rAm1fuAPWoFYbj/1+9ka6ZYqMuRHhdVD2K7epA+XKNd9KB
         9S/S3/MgK340onp4s5XY2vYZhucSWUWc2BlWDcXOJMfGNevd2irVdpIKfv8Fbi6LEE+Q
         JJtDK1n3Rt+KDotr7d7V04JtThfWqQxVZe5BP22/kLz34JQjXQWv+07zufYt4LDA/w7b
         tfGVAvC249PJ4YDx+5/bWtrVdqT7BgJ2q1K4ioSaW8ZmhB2q3C/ozIFJGrbKIA7L9wW1
         vt7ZjHkizqL6hmoURw64IGD8a++bptYVDlUUOtaQWOO9Wftg2RDZOjlXFJus6zODjhjN
         1wng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:references:in-reply-to:mime-version
         :dkim-signature:arc-authentication-results;
        bh=tNZ/f41a2u/mQuhVVZbRzNkGTX4IED5cazf23Og3OaY=;
        b=NP+5G9J0OGCgfWzd6IIDGiE2A7sXc62URxQVkdozW+pfHp34sBnsGdlLy405KQ+lR0
         PsIejsyKtSG5xLhJQJjJCsdvhX1AbcBfM3MSeZX9G+DBx7t//2S9s077BZ4r0+m3crhu
         WahgcYPtlAgY88VHOfuqImq5QKEhUiwftWJHuNGxIZA7zMMa8wkt1ribFR7H7hZilUXI
         Oy4zagl/kboOQ+ISR4bNqa+q0FZ9DowUX3cEJXrwOD7rAwBD8Fb7XuN137bB2Si0kzlm
         vZbiFZphB4NrmemlcruNUlY71dyJtZToJhWSZwapvfPUBL1GE4tPIYLkeb81A3iY51KS
         bsAQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=dvtY3D6U;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z8si1759579pgs.605.2018.02.06.11.49.45;
        Tue, 06 Feb 2018 11:49:59 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=dvtY3D6U;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753458AbeBFTsu (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Tue, 6 Feb 2018 14:48:50 -0500
Received: from mail-ot0-f196.google.com ([74.125.82.196]:45714 "EHLO
        mail-ot0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753086AbeBFTsr (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 6 Feb 2018 14:48:47 -0500
Received: by mail-ot0-f196.google.com with SMTP id 73so2878363oti.12
        for <linux-kernel@vger.kernel.org>; Tue, 06 Feb 2018 11:48:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=intel-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=tNZ/f41a2u/mQuhVVZbRzNkGTX4IED5cazf23Og3OaY=;
        b=dvtY3D6UXO1vGBjc4OdgYDRcODPF3r1+BmIGHHLyQD5UJUc3XbLeTg297+t/dVtzJr
         whVpWl15XlIvmYntOwZ70p+6AynlAT127egTvdKrr73ga17z8tuJdcpR5Ba6grrlMgLr
         jM7d5DgxHIBdHXaaeWPc1DDrrQcDEY72d32aJ6FaB+m1LngDrB/udd28zqdOCWFVuc31
         otHFUr2BEAoQzXUFI01XWoold+Rgy8YqqKWmwO+zEHizEsuwh94cSQaYosyjU4uONk4F
         +EuXC0UwlPrHRJWnVYIR6PDtpDjusQX6nkhrttplLSXg43YartyHqyGyoUEy0w85r7TG
         p2Zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=tNZ/f41a2u/mQuhVVZbRzNkGTX4IED5cazf23Og3OaY=;
        b=lkHcOt8/8wQM/b/il2H/pt6/SGYaeZ10EDB8UlL9upfgtheyn1i4TgcBCqdpC7dc4D
         ARChYY59kRdT8qw0+GjXwVtxO+M3+hGj3R1NSCQA9mFFNGaMdJ4H73tiijMW8jaRoJpF
         u7+bhowdoALrMBky3S5EfEhC7/5SreCrpJGouKgSz9NMQf/TeXvQT22Qrj7ZA2V55ZEn
         65CwwSYSTmGNHVdTpK1PfrXng2Rf7TZQZsu9bUATUe5QW8rxknHpfDpCqjl9s1ZAcKSX
         +WZiohWCpKahKL2gesZBMCXKVXDyJItkkIAl7Wo5wnG6ULa/RmPwqPhPSw/t75tBfpQO
         JAcg==
X-Gm-Message-State: APf1xPA7Pzd28mh6DUYCymTWoUcrrkY+zVm+/XYwUPeQRBQOPGkygaKO
        GpTFQJtovWlWVmv7/meykyiNH/m1GdlFz4C1LSl4snGj
X-Received: by 10.157.17.171 with SMTP id v40mr2660715otf.287.1517946526258;
 Tue, 06 Feb 2018 11:48:46 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.62.91 with HTTP; Tue, 6 Feb 2018 11:48:45 -0800 (PST)
In-Reply-To: <20180206192925.qkmghwsbaysr4iv2@hermes.olymp>
References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com>
 <151632014097.21271.16980532033566583357.stgit@dwillia2-desk3.amr.corp.intel.com>
 <20180206192925.qkmghwsbaysr4iv2@hermes.olymp>
From:   Dan Williams <dan.j.williams@intel.com>
Date:   Tue, 6 Feb 2018 11:48:45 -0800
Message-ID: <CAPcyv4ihN6fy5-vBtfA0PuwXvCAj8-rMhtQmevh5sdYxbH3Yfw@mail.gmail.com>
Subject: Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read
 under speculation
To:     Luis Henriques <lhenriques@suse.com>
Cc:     Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Greg KH <gregkh@linuxfoundation.org>, X86 ML <x86@kernel.org>,
        Ingo Molnar <mingo@redhat.com>,
        Andy Lutomirski <luto@kernel.org>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Alan Cox <alan@linux.intel.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 6, 2018 at 11:29 AM, Luis Henriques <lhenriques@suse.com> wrote=
:
> On Thu, Jan 18, 2018 at 04:02:21PM -0800, Dan Williams wrote:
>> The syscall table base is a user controlled function pointer in kernel
>> space. Like, 'get_user, use 'MASK_NOSPEC' to prevent any out of bounds
>> speculation. While retpoline prevents speculating into the user
>> controlled target it does not stop the pointer de-reference, the concern
>> is leaking memory relative to the syscall table base.
>
> This patch seems to cause a regression.  An easy way to reproduce what
> I'm seeing is to run the samples/statx/test-statx.  Here's what I see
> when I have this patchset applied:
>
> # ./test-statx /tmp
> statx(/tmp) =3D -1
> /tmp: Bad file descriptor
>
> Reverting this single patch seems to fix it.

Just to clarify, when you say "this patch" you mean:

     2fbd7af5af86 x86/syscall: Sanitize syscall table de-references
under speculation

...not this early MASK_NOSPEC version of the patch, right?

>
> Cheers,
> --
> Lu=C3=ADs
>
>>
>> Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Cc: Ingo Molnar <mingo@redhat.com>
>> Cc: "H. Peter Anvin" <hpa@zytor.com>
>> Cc: x86@kernel.org
>> Cc: Andy Lutomirski <luto@kernel.org>
>> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> ---
>>  arch/x86/entry/entry_64.S   |    2 ++
>>  arch/x86/include/asm/smap.h |    9 ++++++++-
>>  2 files changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
>> index 4f8e1d35a97c..2320017077d4 100644
>> --- a/arch/x86/entry/entry_64.S
>> +++ b/arch/x86/entry/entry_64.S
>> @@ -35,6 +35,7 @@
>>  #include <asm/asm.h>
>>  #include <asm/smap.h>
>>  #include <asm/pgtable_types.h>
>> +#include <asm/smap.h>
>>  #include <asm/export.h>
>>  #include <asm/frame.h>
>>  #include <asm/nospec-branch.h>
>> @@ -264,6 +265,7 @@ entry_SYSCALL_64_fastpath:
>>       cmpl    $__NR_syscall_max, %eax
>>  #endif
>>       ja      1f                              /* return -ENOSYS (already=
 in pt_regs->ax) */
>> +     MASK_NOSPEC %r11 %rax                   /* sanitize syscall_nr wrt=
 speculation */
>>       movq    %r10, %rcx
>>
>>       /*
>> diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
>> index 2b4ad4c6a226..3b5b2cf58dc6 100644
>> --- a/arch/x86/include/asm/smap.h
>> +++ b/arch/x86/include/asm/smap.h
>> @@ -35,7 +35,14 @@
>>   * this directs the cpu to speculate with a NULL ptr rather than
>>   * something targeting kernel memory.
>>   *
>> - * assumes CF is set from a previous 'cmp TASK_addr_limit, %ptr'
>> + * In the syscall entry path it is possible to speculate past the
>> + * validation of the system call number. Use MASK_NOSPEC to sanitize th=
e
>> + * syscall array index to zero (sys_read) rather than an arbitrary
>> + * target.
>> + *
>> + * assumes CF is set from a previous 'cmp' i.e.:
>> + *     cmp TASK_addr_limit, %ptr
>> + *     cmp __NR_syscall_max, %idx
>>   */
>>  .macro MASK_NOSPEC mask val
>>       sbb \mask, \mask
>>
>>