Received: by 10.192.165.156 with SMTP id m28csp250930imm; Tue, 17 Apr 2018 09:31:24 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+PIU1HnPdLoII8+/ITlXUG5OXV5qZwyGrXHGF+bIWR8QnmxujHj8T/edPrvRZruP/zUdS3 X-Received: by 10.99.95.20 with SMTP id t20mr2270421pgb.400.1523982684241; Tue, 17 Apr 2018 09:31:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523982684; cv=none; d=google.com; s=arc-20160816; b=JtCAXd1Sid2j7ow0Yh/pjB2qkF+jYaZ1Xs0e8oFZYSaVU9HsG8RcL62AkM73VuImmQ xQoM5fT/ioMjcJrVv/RY7v68zG7SzBZNIIOIOaTz8cZfrxFXFTOOMY3U8Rd+/OX/fSEG 7FhBgiSP9ppsg9OO4oGPWTH/snf4Cqdtv9JfTYw9rxSe6PN8633/CC/ZPCzQ694sGbpz +Ha/1Gk9tVEMI9CKG0TAkZT0bdwuaSvcHfo+YE2P6DKWxiGgO6Y74U7XmfXk5sV1HqaZ KfCrSRX5CCPgtaKPgrb6aw+WwwSO93nobKSUXxs4Vyc+aV0Srh0sIq8GJYXa93TzDI0f ggnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=iZcw+pFAp4yCcJy/h3rn/hHEhVJh9sx/9bxLep2++iU=; b=V1lU4aoiIxJcYby9HfdtakyzI6DXgQyQK4QTGMtjKyCYw7m3qz6Rr5fcOPZmd/pgOq qGMS5IMo1WeUiaP/ClNZWGTJXqDynZzLLpot8wn7UraEfgPa4D7GNthXNhZf2qyzC+If cKZ0aYKshREUCHpQmXTJApBCwYJhmtGdkFCmydXOnRDLDXJh1rX5g5u026cZYl5Z7eJS uNRIgSlrAniZ5awFDHVsRTf/4rBemMrddTMrz9yA+Vz8U3I4gLJ6/evV8fRbsHLSKdKu nMF6SWW09huY8Mfb3MqnMRi5C50lVKk8KwOS9/Cf1zsm4YRPNJ8jBZM/BJHNP66vJRdm csrw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x3si11681358pgp.298.2018.04.17.09.31.09; Tue, 17 Apr 2018 09:31:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755423AbeDQQIW (ORCPT + 99 others); Tue, 17 Apr 2018 12:08:22 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:35472 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755405AbeDQQIU (ORCPT ); Tue, 17 Apr 2018 12:08:20 -0400 Received: from localhost (unknown [46.44.180.42]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 6C57AE66; Tue, 17 Apr 2018 16:08:19 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , Mark Rutland , Will Deacon , Catalin Marinas , Greg Hackmann Subject: [PATCH 4.9 15/66] arm64: entry: Ensure branch through syscall table is bounded under speculation Date: Tue, 17 Apr 2018 17:58:48 +0200 Message-Id: <20180417155646.506079589@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180417155645.868055442@linuxfoundation.org> References: <20180417155645.868055442@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mark Rutland From: Will Deacon commit 6314d90e64936c584f300a52ef173603fb2461b5 upstream. In a similar manner to array_index_mask_nospec, this patch introduces an assembly macro (mask_nospec64) which can be used to bound a value under speculation. This macro is then used to ensure that the indirect branch through the syscall table is bounded under speculation, with out-of-range addresses speculating as calls to sys_io_setup (0). Reviewed-by: Mark Rutland Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas [v4.9: use existing scno & sc_nr definitions] Signed-off-by: Mark Rutland [v4.9 backport] Tested-by: Greg Hackmann Signed-off-by: Greg Kroah-Hartman --- arch/arm64/include/asm/assembler.h | 11 +++++++++++ arch/arm64/kernel/entry.S | 1 + 2 files changed, 12 insertions(+) --- a/arch/arm64/include/asm/assembler.h +++ b/arch/arm64/include/asm/assembler.h @@ -94,6 +94,17 @@ .endm /* + * Sanitise a 64-bit bounded index wrt speculation, returning zero if out + * of bounds. + */ + .macro mask_nospec64, idx, limit, tmp + sub \tmp, \idx, \limit + bic \tmp, \tmp, \idx + and \idx, \idx, \tmp, asr #63 + csdb + .endm + +/* * NOP sequence */ .macro nops, num --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -795,6 +795,7 @@ el0_svc_naked: // compat entry point b.ne __sys_trace cmp scno, sc_nr // check upper syscall limit b.hs ni_sys + mask_nospec64 scno, sc_nr, x19 // enforce bounds for syscall number ldr x16, [stbl, scno, lsl #3] // address in the syscall table blr x16 // call sys_* routine b ret_fast_syscall