Subject: Re: [PATCH 4.4 178/193] x86/syscall: Sanitize syscall table de-references under speculation
To: Greg Kroah-Hartman, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Linus Torvalds, Dan Williams, Thomas Gleixner, linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, Andy Lutomirski, alan@linux.intel.com, David Woodhouse, Jack Wang, Jan Beulich
References: <20180223170325.997716448@linuxfoundation.org> <20180223170354.028619665@linuxfoundation.org>
From: Jiri Slaby
Message-ID: <0a95efad-1a3d-4aab-6d94-58dd583d275a@suse.cz>
Date: Tue, 6 Mar 2018 15:21:28 +0100
In-Reply-To: <20180223170354.028619665@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 02/23/2018, 07:26 PM, Greg Kroah-Hartman wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Dan Williams
>
> (cherry picked from commit 2fbd7af5af8665d18bcefae3e9700be07e22b681)
>
> The syscall table base is a user controlled function pointer in kernel
> space. Use array_index_nospec() to prevent any out of bounds speculation.
>
> While retpoline prevents speculating into a userspace directed target it
> does not stop the pointer de-reference, the concern is leaking memory
> relative to the syscall table base, by observing instruction cache
> behavior.
>
> Reported-by: Linus Torvalds
> Signed-off-by: Dan Williams
> Signed-off-by: Thomas Gleixner > Cc: linux-arch@vger.kernel.org > Cc: kernel-hardening@lists.openwall.com > Cc: gregkh@linuxfoundation.org > Cc: Andy Lutomirski > Cc: alan@linux.intel.com > Link: https://lkml.kernel.org/r/151727417984.33451.1216731042505722161.stgit@dwillia2-desk3.amr.corp.intel.com > Signed-off-by: David Woodhouse > [jwang: port to 4.4, no syscall_64] This is not complete IMO, the syscall is indeed there, only written in assembly in 4.4 yet. So this patch looks like it is missing these two hunks (from my SLE12-SP2 backport): > --- a/arch/x86/entry/entry_64.S > +++ b/arch/x86/entry/entry_64.S > @@ -184,6 +184,8 @@ entry_SYSCALL_64_fastpath: > cmpl $__NR_syscall_max, %eax > #endif > ja 1f /* return -ENOSYS (already in pt_regs->ax) */ > + sbb %rcx, %rcx /* array_index_mask_nospec() */ > + and %rcx, %rax > movq %r10, %rcx > #ifdef CONFIG_RETPOLINE > movq sys_call_table(, %rax, 8), %rax > @@ -282,6 +284,8 @@ tracesys_phase2: > cmpl $__NR_syscall_max, %eax > #endif > ja 1f /* return -ENOSYS (already in pt_regs->ax) */ > + sbb %rcx, %rcx /* array_index_mask_nospec() */ > + and %rcx, %rax > movq %r10, %rcx /* fixup for C */ > #ifdef CONFIG_RETPOLINE > movq sys_call_table(, %rax, 8), %rax Discovered by Jan Beulich. thanks, -- js suse labs
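Review bot: the mask is off by one at the top of the range in the entry_SYSCALL_64_fastpath hunk. `ja 1f` lets %eax == __NR_syscall_max fall through as a valid number, but `sbb %rcx, %rcx` builds the mask from the carry left by `cmpl $__NR_syscall_max, %eax`, and that compare clears CF when the two values are equal, so the highest valid syscall number is masked to 0 by `and %rcx, %rax` and dispatched through table entry 0 instead of its own entry. The C array_index_mask_nospec() compares the index against the array size (one past the last index), not against the last index, which is what makes CF set for every in-range value. Either compare against __NR_syscall_max + 1 and branch with `jae 1f`, or keep the `ja` and derive the mask from a separate compare against the size, so the fast path and the C helper agree on the boundary.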
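Review bot: the same boundary problem is present in the tracesys_phase2 hunk: `cmpl $__NR_syscall_max, %eax` followed by `ja 1f` lets a number equal to __NR_syscall_max reach `sbb %rcx, %rcx` with CF clear, so the traced slow path would also send the last syscall to entry 0; whatever compare is used to fix the fast path should be mirrored here so both paths dispatch the same table entry for the same number. A comment is also missing on why %rcx is a safe scratch register: it only works because `movq %r10, %rcx /* fixup for C */` overwrites it on the very next line, so the comment on the `sbb` should state that the two new instructions must stay ahead of that movq, since moving them after it would clobber the fourth syscall argument.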
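The bound-and-mask idiom that the commit message applies to the syscall table, and that the quoted hunks express as cmp/sbb/and, as an added user-space example that is not part of this mail, the patch or the kernel tree. The cmp/sbb sequence inside array_index_mask_nospec() mirrors the kernel's x86 helper; everything else (the NR_SYSCALL_MAX/NR_SYSCALLS constants, the eight handlers, the table and the two dispatch_* functions) is constructed here to show what the mask does at the boundary. dispatch_masked_by_size() follows the C path described in the commit message (check against the table size, then mask); dispatch_masked_by_max() models the quoted asm literally (compare against the maximum number, `ja`, then sbb/and from that same compare) so the behaviour for the highest valid number can be observed:

```c
/*
 * Added example, not code from the quoted patch or from the kernel tree:
 * a user-space model of the array_index_nospec() bound-and-mask idiom that
 * the commit message applies to the syscall table, using the same cmp/sbb
 * sequence as the quoted entry_64.S hunks. The constants, handlers, table
 * and dispatch functions are constructed for illustration; only the
 * cmp/sbb idiom itself mirrors the kernel's x86 helper.
 * Build on x86-64 with GCC or Clang: cc -O2 nospec_demo.c
 */
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for __NR_syscall_max and NR_syscalls. */
#define NR_SYSCALL_MAX 7UL
#define NR_SYSCALLS    (NR_SYSCALL_MAX + 1)

/*
 * cmp size, index ; sbb mask, mask
 * CF is set when index < size (unsigned), and sbb of a register with itself
 * yields -CF, so mask is all ones for an in-range index and zero otherwise.
 * The kernel version additionally hides the operands from the optimizer.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    unsigned long mask;
#if defined(__x86_64__)
    __asm__ ("cmp %1, %2\n\t"
             "sbb %0, %0"
             : "=r" (mask)
             : "g" (size), "r" (index)
             : "cc");
#else
    mask = index < size ? ~0UL : 0UL;   /* same value, not speculation-safe */
#endif
    return mask;
}

static inline unsigned long array_index_nospec(unsigned long index,
                                               unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Eight constructed handlers; each returns 1000 + its table slot so the
 * caller can tell which entry was actually reached. */
#define DEFINE_HANDLER(n) static long sys_slot##n(void) { return 1000 + (n); }
DEFINE_HANDLER(0) DEFINE_HANDLER(1) DEFINE_HANDLER(2) DEFINE_HANDLER(3)
DEFINE_HANDLER(4) DEFINE_HANDLER(5) DEFINE_HANDLER(6) DEFINE_HANDLER(7)

static long (* const sys_call_table[NR_SYSCALLS])(void) = {
    sys_slot0, sys_slot1, sys_slot2, sys_slot3,
    sys_slot4, sys_slot5, sys_slot6, sys_slot7,
};

/* C path as in the commit message: range check against the table size,
 * mask against the same size, then index. Out of range gives -ENOSYS. */
long dispatch_masked_by_size(unsigned long nr)
{
    if (nr >= NR_SYSCALLS)
        return -ENOSYS;
    nr = array_index_nospec(nr, NR_SYSCALLS);
    return sys_call_table[nr]();
}

/* Literal model of the quoted asm: compare against the maximum number,
 * ja to the -ENOSYS path, then sbb/and using CF from that same compare.
 * Because the compare was against max rather than size, CF is clear for
 * nr == NR_SYSCALL_MAX and the mask zeroes that in-range number. */
long dispatch_masked_by_max(unsigned long nr)
{
    if (nr > NR_SYSCALL_MAX)                               /* ja 1f */
        return -ENOSYS;
    nr &= array_index_mask_nospec(nr, NR_SYSCALL_MAX);    /* sbb; and */
    return sys_call_table[nr]();
}

int main(void)
{
    unsigned long probes[] = { 0, 3, NR_SYSCALL_MAX, NR_SYSCALLS, ~0UL };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("nr=%lu  by_size=%ld  by_max=%ld\n", probes[i],
               dispatch_masked_by_size(probes[i]),
               dispatch_masked_by_max(probes[i]));
    return 0;
}
```

On x86-64 the inline-asm path is compiled in and the mask is produced exactly as in the hunks; on other targets the portable fallback yields the same values but no speculation barrier. Running it shows the two dispatchers agree on every number except NR_SYSCALL_MAX, where the by-size variant reaches slot 7 and the by-max variant lands in slot 0, which is the boundary a reviewer should check whenever the compare operand and the mask derivation are written separately in asm.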