Received: by 10.223.176.5 with SMTP id f5csp690489wra; Fri, 9 Feb 2018 05:46:01 -0800 (PST) X-Google-Smtp-Source: AH8x225Jv9USo88rsGa+VGeitEPl4Qip9GOrTDISDOUdnxazy4D+mZ2bql35bwrKkIf1t0sMf3eD X-Received: by 10.99.175.3 with SMTP id w3mr2442609pge.328.1518183961450; Fri, 09 Feb 2018 05:46:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518183961; cv=none; d=google.com; s=arc-20160816; b=uWtYC8SYqc6XNW3HPxZaL1O52a5insQPPqlbjMIfcgGL3OLllJQ7169sru09pEA1tK ObXkqjmokhxGuznyi5Je2QK9NJbGu41CxA9FUzm3ezefTfj/yHCyPz0+pu8BplUunIQy 8QZhXYt5CQ+Y6iImHHYfFfP4eCArQS0aeLYXTbRKB3nGCw8PBflD0MQYkPv6sHxFhzQg 4bRvY2gMeRNfZDEsX/TYXrwTOpQZ6yADJV9FzVLbSiPKpWdQNDGUULenigwGS0tNafYo HmtSIiVhDRIq4SzML+X9ucmczrChi4Nkc8ugyajAm1JyC+J3O5TDjLq+OtFdKqsPROun H/RA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=0D53RnkAorhdU55IK3m3MB/u3wR35sTpGzI+Gmxa6y4=; b=STsf5KZo1BVGLiyN+iN+Nrq3hRRSVMnPF+0rg0j3jz+0T5YfO2zGpgRg4zZsDUr2E2 0uGeHfTbpAYfYPKIprAQBDfKU8skRhpmrtKj4Al1hvkdui51xLVS21cQlf23OT9K6AbP 87/7ULvk5pJrFHqF4w2FS/HXomoOtvRUdlM0BZmpcRLmXwqKOxJ1oTVV/UkO2L6CYWOK 3RKQWTALIw+avW7PAJ8LGN3WG3lpIQSrkdWoshZWKKIVL7XSqxxi5bycxt5Eq42EuK8T RxyMoGyIjoz5RlS8mMJXfsgZ9htem9sf9/d39lTeTkDKkZ5CSIS2JluH3BYE+UPCitPh 6LYg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q1-v6si1558421pls.244.2018.02.09.05.45.47; Fri, 09 Feb 2018 05:46:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753201AbeBINnU (ORCPT + 99 others); Fri, 9 Feb 2018 08:43:20 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:50514 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751077AbeBINnS (ORCPT ); Fri, 9 Feb 2018 08:43:18 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 120641023; Fri, 9 Feb 2018 13:43:07 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Williams , Thomas Gleixner , linux-arch@vger.kernel.org, Kees Cook , kernel-hardening@lists.openwall.com, Al Viro , Andy Lutomirski , torvalds@linux-foundation.org, alan@linux.intel.com, David Woodhouse Subject: [PATCH 4.9 63/92] x86/get_user: Use pointer masking to limit speculation Date: Fri, 9 Feb 2018 14:39:32 +0100 Message-Id: <20180209133935.811950747@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180209133931.211869118@linuxfoundation.org> References: <20180209133931.211869118@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Williams (cherry picked from commit c7f631cb07e7da06ac1d231ca178452339e32a94) Quoting Linus: I do think that it would be a good idea to very expressly document the fact that it's not that the user access itself is unsafe. I do agree that things like "get_user()" want to be protected, but not because of any direct bugs or problems with get_user() and friends, but simply because get_user() is an excellent source of a pointer that is obviously controlled from a potentially attacking user space. So it's a prime candidate for then finding _subsequent_ accesses that can then be used to perturb the cache. Unlike the __get_user() case get_user() includes the address limit check near the pointer de-reference. With that locality the speculation can be mitigated with pointer narrowing rather than a barrier, i.e. array_index_nospec(). Where the narrowing is performed by: cmp %limit, %ptr sbb %mask, %mask and %mask, %ptr With respect to speculation the value of %ptr is either less than %limit or NULL. Co-developed-by: Linus Torvalds Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Cc: linux-arch@vger.kernel.org Cc: Kees Cook Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: Al Viro Cc: Andy Lutomirski Cc: torvalds@linux-foundation.org Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727417469.33451.11804043010080838495.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman --- arch/x86/lib/getuser.S | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/arch/x86/lib/getuser.S +++ b/arch/x86/lib/getuser.S @@ -39,6 +39,8 @@ ENTRY(__get_user_1) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 1: movzbl (%_ASM_AX),%edx xor %eax,%eax @@ -53,6 +55,8 @@ ENTRY(__get_user_2) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 2: movzwl -1(%_ASM_AX),%edx xor %eax,%eax @@ -67,6 +71,8 @@ ENTRY(__get_user_4) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 3: movl -3(%_ASM_AX),%edx xor %eax,%eax @@ -82,6 +88,8 @@ ENTRY(__get_user_8) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 4: movq -7(%_ASM_AX),%rdx xor %eax,%eax @@ -93,6 +101,8 @@ ENTRY(__get_user_8) mov PER_CPU_VAR(current_task), %_ASM_DX cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user_8 + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 4: movl -7(%_ASM_AX),%edx 5: movl -3(%_ASM_AX),%ecx