Received: by 10.192.165.156 with SMTP id m28csp251653imm; Tue, 17 Apr 2018 09:32:04 -0700 (PDT) X-Google-Smtp-Source: AIpwx4934SGSOGfREXRpyOCoTNmVgmw+Wc6Mbr1TqIGUTnargdN4SFqKe0VCBfbPFZOXv6VjBkiz X-Received: by 10.101.100.13 with SMTP id a13mr2333356pgv.360.1523982724221; Tue, 17 Apr 2018 09:32:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523982724; cv=none; d=google.com; s=arc-20160816; b=0qLqH5rsi3ovK9xKXX5NRqcAvHym4E6DHAIlhA1XPoVl3r2b5YasBIzCfbxPzI4aCh 2nn0NfQmhxfjLuBScwmTUXUeiMmZqc4pOOd9IVRjYrrkLgruLrVK+Vv3hwcdv2wmh6mN FkTJLRofQU+TvCvRN0XB17V4wlO/278CoYkZtr5nj3iwh/xMkO1h8PnDFVqlhP40k7VB XvMQ8wHe8BatFZcs45rc1ZdT/cCDMDIng54RRqSrj7iGSmLb/CHKm+9pNhGTddOknlNC tNUdI0YkX626OW2eZU8F3hE7UI/zUrx1kssBg7mvwx52HwiAzKTi+C6mLy9VFeRU3ie8 mYMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=ilNKYfVdMdrzvAM8nORJTrAF6BlaRIAbNfK7T8WqzYw=; b=Q4qG4QZd251jhrKTEKIf1qzfsOhBFR21hDhHDWY34kNHJ010CqHvok1qx57tvk5Uo7 Kyt8zdf2Le3BspNLm08bk26QFuurHfMRX6uT7xTueWV+BFqLrmllyiMsimVNtdlbalP0 b3uYKhBw7OyVCkhl75U6nl4OsY5ASrd8B0DDNr6tIsl6VmrDxCslPsjZd2chWvEuspz/ yDcisz/X2WgxeZJZRJZ0GEPL/iOHVFODiUCBdzXIP4b3Gxx6XV8wc6fVRKOFhHLHqUtc LyLkwhBNN+MwaUn7cTh0jvnstzmUHJc4lklNBQzwG7c93ztIjsyOPf7M7NdlNf1G3TuA JERQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y2si11342233pgv.246.2018.04.17.09.31.50; Tue, 17 Apr 2018 09:32:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754141AbeDQQaR (ORCPT + 99 others); Tue, 17 Apr 2018 12:30:17 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:35464 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755351AbeDQQIR (ORCPT ); Tue, 17 Apr 2018 12:08:17 -0400 Received: from localhost (unknown [46.44.180.42]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id A5347E66; Tue, 17 Apr 2018 16:08:16 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , Robin Murphy , Will Deacon , Catalin Marinas , Greg Hackmann , Mark Rutland Subject: [PATCH 4.9 14/66] arm64: Use pointer masking to limit uaccess speculation Date: Tue, 17 Apr 2018 17:58:47 +0200 Message-Id: <20180417155646.457770527@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180417155645.868055442@linuxfoundation.org> References: <20180417155645.868055442@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Mark Rutland From: Robin Murphy commit 4d8efc2d5ee4c9ccfeb29ee8afd47a8660d0c0ce upstream. Similarly to x86, mitigate speculation past an access_ok() check by masking the pointer against the address limit before use. Even if we don't expect speculative writes per se, it is plausible that a CPU may still speculate at least as far as fetching a cache line for writing, hence we also harden put_user() and clear_user() for peace of mind. Signed-off-by: Robin Murphy Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Mark Rutland [v4.9 backport] Tested-by: Greg Hackmann Signed-off-by: Greg Kroah-Hartman --- arch/arm64/include/asm/uaccess.h | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -129,6 +129,26 @@ static inline unsigned long __range_ok(u " .popsection\n" /* + * Sanitise a uaccess pointer such that it becomes NULL if above the + * current addr_limit. + */ +#define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) +static inline void __user *__uaccess_mask_ptr(const void __user *ptr) +{ + void __user *safe_ptr; + + asm volatile( + " bics xzr, %1, %2\n" + " csel %0, %1, xzr, eq\n" + : "=&r" (safe_ptr) + : "r" (ptr), "r" (current_thread_info()->addr_limit) + : "cc"); + + csdb(); + return safe_ptr; +} + +/* * The "__xxx" versions of the user access functions do not verify the address * space - it must have been done previously with a separate "access_ok()" * call. @@ -202,7 +222,7 @@ do { \ __typeof__(*(ptr)) __user *__p = (ptr); \ might_fault(); \ access_ok(VERIFY_READ, __p, sizeof(*__p)) ? \ - __get_user((x), __p) : \ + __p = uaccess_mask_ptr(__p), __get_user((x), __p) : \ ((x) = 0, -EFAULT); \ }) @@ -270,7 +290,7 @@ do { \ __typeof__(*(ptr)) __user *__p = (ptr); \ might_fault(); \ access_ok(VERIFY_WRITE, __p, sizeof(*__p)) ? \ - __put_user((x), __p) : \ + __p = uaccess_mask_ptr(__p), __put_user((x), __p) : \ -EFAULT; \ }) @@ -331,7 +351,7 @@ static inline unsigned long __must_check static inline unsigned long __must_check clear_user(void __user *to, unsigned long n) { if (access_ok(VERIFY_WRITE, to, n)) - n = __clear_user(to, n); + n = __clear_user(__uaccess_mask_ptr(to), n); return n; }