From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mark Rutland, Russell King, "David A. Long"
Subject: [PATCH 4.9 59/59] ARM: spectre-v1: mitigate user accesses
Date: Wed, 21 Nov 2018 20:07:14 +0100
Message-Id: <20181121183510.635668628@linuxfoundation.org>
In-Reply-To: <20181121183508.262873520@linuxfoundation.org>
References: <20181121183508.262873520@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King

Commit a3c0f84765bb429ba0fd23de1c57b5e1591c9389 upstream.

Spectre variant 1 attacks are about this sequence of pseudo-code:

	index = load(user-manipulated pointer);
	access(base + index * stride);

In order for the cache side-channel to work, the access() must be made to memory which userspace can detect whether cache lines have been loaded. On 32-bit ARM, this must be either user accessible memory, or a kernel mapping of that same user accessible memory.

The problem occurs when the load() speculatively loads privileged data, and the subsequent access() is made to user accessible memory.

Any load() which makes use of a user-manipulated pointer is a potential problem if the data it has loaded is used in a subsequent access. This also applies for the access() if the data loaded by that access is used by a subsequent access.

Harden the get_user() accessors against Spectre attacks by forcing out of bounds addresses to a NULL pointer. This prevents get_user() being used as the load() step above. As a side effect, put_user() will also be affected even though it isn't implicated.

Also harden copy_from_user() by redoing the bounds check within the arm_copy_from_user() code, and NULLing the pointer if out of bounds.

Acked-by: Mark Rutland
Signed-off-by: Russell King
Signed-off-by: David A. Long
Signed-off-by: Greg Kroah-Hartman
---
 arch/arm/include/asm/assembler.h | 4 ++++
 arch/arm/lib/copy_from_user.S | 9 +++++++++
 2 files changed, 13 insertions(+)

--- a/arch/arm/include/asm/assembler.h +++ b/arch/arm/include/asm/assembler.h @@ -458,6 +458,10 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) adds \tmp, \addr, #\size - 1 sbcccs \tmp, \tmp, \limit bcs \bad +#ifdef CONFIG_CPU_SPECTRE + movcs \addr, #0 + csdb +#endif #endif .endm --- a/arch/arm/lib/copy_from_user.S +++ b/arch/arm/lib/copy_from_user.S 
@@ -90,6 +90,15 @@ .text ENTRY(arm_copy_from_user) +#ifdef CONFIG_CPU_SPECTRE + get_thread_info r3 + ldr r3, [r3, #TI_ADDR_LIMIT] + adds ip, r1, r2 @ ip=addr+size + sub r3, r3, #1 @ addr_limit - 1 + cmpcc ip, r3 @ if (addr+size > addr_limit - 1) + movcs r1, #0 @ addr = NULL + csdb +#endif #include "copy_template.S"
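
Review bot: In the assembler.h hunk, `movcs \addr, #0` sits directly after `bcs \bad`, so with carry set the branch is architecturally taken and the move can only take effect on a mis-speculated fall-through, yet nothing in the hunk says so. A short comment above the `#ifdef CONFIG_CPU_SPECTRE` block, stating that the move is reachable only under speculation and depends on the flags left by `sbcccs` still being intact, would keep a later cleanup from deleting it as dead code or from placing a flag-setting instruction between the `bcs` and the `movcs`.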
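
Review bot: In the copy_from_user.S hunk, the comment on `cmpcc ip, r3` reads `if (addr+size > addr_limit - 1)`, but `movcs` acts on carry set, which after a `cmp` means unsigned higher-or-same, so the equal case is NULLed as well; carry also stays set when the `adds` wraps and `cmpcc` is skipped. Suggest changing the comment to `>=` and mentioning the wrap case, or adding a line that says the boundary is deliberately conservative.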