From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Balbir Singh, Madhavan Srinivasan, Michael Ellerman, Sasha Levin
Subject: [PATCH 4.16 114/272] powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer
Date: Mon, 28 May 2018 12:02:27 +0200
Message-Id: <20180528100250.758284614@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100240.256525891@linuxfoundation.org>
References: <20180528100240.256525891@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Madhavan Srinivasan

[ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ]

The current Branch History Rolling Buffer (BHRB) code does not check for
any privilege levels before updating the data from BHRB. This could leak
kernel addresses to userspace even when profiling only with userspace
privileges. Add proper checks to prevent it.

Acked-by: Balbir Singh
Signed-off-by: Madhavan Srinivasan
Signed-off-by: Michael Ellerman
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 arch/powerpc/perf/core-book3s.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/arch/powerpc/perf/core-book3s.c +++ b/arch/powerpc/perf/core-book3s.c 
@@ -457,6 +457,16 @@ static void power_pmu_bhrb_read(struct c /* invalid entry */ continue; + /* + * BHRB rolling buffer could very much contain the kernel + * addresses at this point. Check the privileges before + * exporting it to userspace (avoid exposure of regions + * where we could have speculative execution) + */ + if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && + is_kernel_addr(addr)) + continue; + /* Branches are read most recent first (ie. mfbhrb 0 is * the most recent branch). * There are two types of valid entries:
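
Review bot: The capable(CAP_SYS_ADMIN) test in the added condition "if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && is_kernel_addr(addr))" is evaluated at the moment the BHRB entries are read, so it applies to whichever task is current then, not necessarily the task that opened the event. If power_pmu_bhrb_read() can be reached from the PMU interrupt while a different task is on the CPU, kernel addresses would be filtered or passed through on the wrong credentials. Consider making the privilege decision once when the event is created, storing it with the event, and testing only that stored result together with is_kernel_addr(addr) here. The condition also never looks at what the event itself requested: a caller that passes the capability check still receives kernel addresses, which is narrower than the changelog's "even when profiling only with userspace privileges", so either the check or the changelog should say which case is covered. Finally, the new comment's "regions where we could have speculative execution" does not say what is being protected; stating that kernel branch addresses are dropped for unprivileged readers, and that such entries are skipped silently via continue, would document the user-visible effect.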