Received: by 10.223.176.5 with SMTP id f5csp714618wra;
        Fri, 9 Feb 2018 06:07:23 -0800 (PST)
X-Google-Smtp-Source: AH8x226t5uN166XDuHLzS85J+weq51HrI6UYbyex3IBNmGDoHDFPSWt1h0xv+uh5n74RlWovg1ey
X-Received: by 10.99.124.2 with SMTP id x2mr2508314pgc.184.1518185243174;
        Fri, 09 Feb 2018 06:07:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518185243; cv=none;
        d=google.com; s=arc-20160816;
        b=pu009zKrozo0hrLYJQyiWZMHTnKzsWpWp371NMLgeZFJiSHlNEi2MfnL+pBZv8Nd81
         26j1hiVBBEj4V6CCSb3/uuEx2qvRaFNTHMaXlgDUz02GJ0fvJ7qI9/J0pq8w+MM8KseM
         9K230kbe8IGM5R4nwVJ/C2w2DCMqg6TmxlrwFamn5hNRxoy5ZCfIwUNjoy3/EhhroPSW
         tniuL6kwD/3bbFMF7stWxiQOgC9wC4P2NxCL1Rute/zBWZ3t0JZqerYzoFXp2R1kXtMK
         ScoCD/JZvi4Z48YMhSlqOx0heuzG56Y2Y0e8Y2RcZTuF2FBPVD04osYEV2hsv4wi0gUF
         k8ig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=9VdAL43X0iVHRLq8teIaNJP9jPGPolld+EJJzDX0TeU=;
        b=AFZFq8bZNZIVcf+KXf+aVh692DSE7Ug+7IXaKp8xU4UqLHSQ6vGFfwUug2ydwC2ypt
         NqlOO/wA5MoXR5ciLlhog7hxZXpEue9c7L38IjzRXii5qBocMLaNn5jzYPLQvcVde42g
         jFxMP7xZBKoFL6KubO/3rDNRAnltEQECn0G0x40XFqts+nX9/uoSz8VUPrbPcC6UiCo4
         TbI9XVAObYuBtQjbz3M5mi4/YZWAf3/o51NyKo/Ycc39UdMXOmwrxGoQYNPzGR5JJ8iE
         UT0OisoRGVHLHiXTL8Y7Y8yr9lJD1qWVWwS36rGO7zAqAlyD631ZQ0UdtykcgqC5UNLc
         BWgw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 61-v6si1608734plz.417.2018.02.09.06.07.07;
        Fri, 09 Feb 2018 06:07:23 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753167AbeBINnC (ORCPT <rfc822;rajatbajpailinux@gmail.com>
        + 99 others); Fri, 9 Feb 2018 08:43:02 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:50118 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752469AbeBINm7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 9 Feb 2018 08:42:59 -0500
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id C10F7FF5;
        Fri,  9 Feb 2018 13:42:58 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andi Kleen <ak@linux.intel.com>,
        Ingo Molnar <mingo@redhat.com>,
        Dan Williams <dan.j.williams@intel.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        linux-arch@vger.kernel.org, Tom Lendacky <thomas.lendacky@amd.com>,
        Kees Cook <keescook@chromium.org>,
        kernel-hardening@lists.openwall.com,
        Al Viro <viro@zeniv.linux.org.uk>, alan@linux.intel.com,
        David Woodhouse <dwmw@amazon.co.uk>
Subject: [PATCH 4.9 60/92] x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
Date:   Fri,  9 Feb 2018 14:39:29 +0100
Message-Id: <20180209133935.579350557@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180209133931.211869118@linuxfoundation.org>
References: <20180209133931.211869118@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Williams <dan.j.williams@intel.com>


(cherry picked from commit b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd)

For __get_user() paths, do not allow the kernel to speculate on the value
of a user controlled pointer. In addition to the 'stac' instruction for
Supervisor Mode Access Protection (SMAP), a barrier_nospec() causes the
access_ok() result to resolve in the pipeline before the CPU might take any
speculative action on the pointer value. Given the cost of 'stac' the
speculation barrier is placed after 'stac' to hopefully overlap the cost of
disabling SMAP with the cost of flushing the instruction pipeline.

Since __get_user is a major kernel interface that deals with user
controlled pointers, the __uaccess_begin_nospec() mechanism will prevent
speculative execution past an access_ok() permission check. While
speculative execution past access_ok() is not enough to lead to a kernel
memory leak, it is a necessary precondition.

To be clear, __uaccess_begin_nospec() is addressing a class of potential
problems near __get_user() usages.

Note, that while the barrier_nospec() in __uaccess_begin_nospec() is used
to protect __get_user(), pointer masking similar to array_index_nospec()
will be used for get_user() since it incorporates a bounds check near the
usage.

uaccess_try_nospec provides the same mechanism for get_user_try.

No functional changes.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Andi Kleen <ak@linux.intel.com>
Suggested-by: Ingo Molnar <mingo@redhat.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arch@vger.kernel.org
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727415922.33451.5796614273104346583.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/uaccess.h |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -123,6 +123,11 @@ extern int __get_user_bad(void);
 
 #define __uaccess_begin() stac()
 #define __uaccess_end()   clac()
+#define __uaccess_begin_nospec()	\
+({					\
+	stac();				\
+	barrier_nospec();		\
+})
 
 /*
  * This is a type: either unsigned long, if the argument fits into
@@ -474,6 +479,10 @@ struct __large_struct { unsigned long bu
 	__uaccess_begin();						\
 	barrier();
 
+#define uaccess_try_nospec do {						\
+	current->thread.uaccess_err = 0;				\
+	__uaccess_begin_nospec();					\
+
 #define uaccess_catch(err)						\
 	__uaccess_end();						\
 	(err) |= (current->thread.uaccess_err ? -EFAULT : 0);		\