Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2303612imm; Mon, 28 May 2018 05:44:13 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqO15ldkurF2Pc9Exo0zgK34X0kQPC5TVguIBAmU1c2VB7DxhCVoVf/kGgcY4A+a3MhQVqp X-Received: by 2002:a63:934d:: with SMTP id w13-v6mr10735057pgm.212.1527511453591; Mon, 28 May 2018 05:44:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527511453; cv=none; d=google.com; s=arc-20160816; b=cpHyKvl18YK2wwOHoJerEk1s1kjBqa138cWepSKTCSC7BkP4D9q33t5J8i1CxiGZF5 RO4daGps+BYbDK5lu26NZSG3F2KVBx2NyRZR/jNiZW8ru1XCE1nMCigoc+pz0lQeuk95 J1RGu7QHxN9FgjGXaRBn47VqX7AOu5bgu2RFN4YhUaTT+qgYPwq/ncOhZeayfKC3lvbl nzONUgmfiPGhMGcVrB1wWZd5MTMhw5epdgRaN4SU7qjbLGb87W6k2WXWRLyN6vbWTOr1 zYvUFhhZlTBZnM1GNhohlnx/qGe8mr3xENxQFw9ScypBknt2kMzRSWzTC11OP6U55k1s dNGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=h9gcIcEOUgBY5jS17UkwafH5RtSFqBvG9umCvUT+1pw=; b=a580evjw+hL9XIb4kUWVgDnsjlRxnt7HxzHZ6MKmE4DR8GGrAn/IoBLoU8ynqjThdC +tIp33gFs4Ud3OvcQhO6DyN0KvBBTRYr4Q4pm4jR1HvlvpzMRXIKX5aYSOzA6z5je8o+ HUZBTIjEJEw88ABWP+KvEH06GqPxhJWzN7sbNU0nT8tjxKG/fDrzYjcmdD1Qv1QcE+pm dOtBhJkChnhaYPh7S6zJddBam7E9YCqVoGw6vaJu2V6nHSIMKwojYzfG+00he0KAqMYN nT8GtyiORcsWI9s6xTqcZn00yh/6elqFKKxzZYzbqiOtOVMhZJQJOqQd6vJ4gKcyNkA1 v93g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=DrrqkjGe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h67-v6si30678185pfk.15.2018.05.28.05.43.58; Mon, 28 May 2018 05:44:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=DrrqkjGe; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S938918AbeE1MmS (ORCPT + 99 others); Mon, 28 May 2018 08:42:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:46326 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S937929AbeE1K6J (ORCPT ); Mon, 28 May 2018 06:58:09 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CE0BF2087E; Mon, 28 May 2018 10:58:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527505088; bh=XaiRRiIl/A7h1RVIM7SS5syk6Ii0auMKNxzFFewvqSg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DrrqkjGej2cTmZl+j8RdSEImeK+GCQF/IRd6BiBMbyEIlkkVS0Fp3Qizy/c8qc1yy 8igQEw3z8L7xSpw5whXRCEGRPsGJs6GHZxBKOItAtzpe/iAOxtSqS9wU852jAdofRH TBo7Ab5aNw5b+kwzaf/IasoMcMTmGZgSrzekc+fs= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Balbir Singh , Madhavan Srinivasan , Michael Ellerman , Sasha Levin Subject: [PATCH 4.14 371/496] powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer Date: Mon, 28 May 2018 12:02:36 +0200 Message-Id: <20180528100335.450659664@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180528100319.498712256@linuxfoundation.org> References: <20180528100319.498712256@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Madhavan Srinivasan [ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ] The current Branch History Rolling Buffer (BHRB) code does not check for any privilege levels before updating the data from BHRB. This could leak kernel addresses to userspace even when profiling only with userspace privileges. Add proper checks to prevent it. Acked-by: Balbir Singh Signed-off-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/perf/core-book3s.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/arch/powerpc/perf/core-book3s.c +++ b/arch/powerpc/perf/core-book3s.c @@ -457,6 +457,16 @@ static void power_pmu_bhrb_read(struct c /* invalid entry */ continue; + /* + * BHRB rolling buffer could very much contain the kernel + * addresses at this point. Check the privileges before + * exporting it to userspace (avoid exposure of regions + * where we could have speculative execution) + */ + if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && + is_kernel_addr(addr)) + continue; + /* Branches are read most recent first (ie. mfbhrb 0 is * the most recent branch). * There are two types of valid entries: