From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Linus Torvalds, Andi Kleen, Ingo Molnar, Dan Williams, Thomas Gleixner, linux-arch@vger.kernel.org, Tom Lendacky, Kees Cook, kernel-hardening@lists.openwall.com, Al Viro, alan@linux.intel.com, Ben Hutchings
Subject: [PATCH 4.4 53/88] x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
Date: Fri, 14 Dec 2018 13:00:27 +0100
Message-Id: <20181214115706.737688974@linuxfoundation.org>
X-Mailer: git-send-email 2.20.0
In-Reply-To: <20181214115702.151309521@linuxfoundation.org>
References: <20181214115702.151309521@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Williams

commit b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd upstream.

For __get_user() paths, do not allow the kernel to speculate on the value of a user controlled pointer. In addition to the 'stac' instruction for Supervisor Mode Access Protection (SMAP), a barrier_nospec() causes the access_ok() result to resolve in the pipeline before the CPU might take any speculative action on the pointer value. Given the cost of 'stac' the speculation barrier is placed after 'stac' to hopefully overlap the cost of disabling SMAP with the cost of flushing the instruction pipeline.

Since __get_user is a major kernel interface that deals with user controlled pointers, the __uaccess_begin_nospec() mechanism will prevent speculative execution past an access_ok() permission check. While speculative execution past access_ok() is not enough to lead to a kernel memory leak, it is a necessary precondition.

To be clear, __uaccess_begin_nospec() is addressing a class of potential problems near __get_user() usages.

Note, that while the barrier_nospec() in __uaccess_begin_nospec() is used to protect __get_user(), pointer masking similar to array_index_nospec() will be used for get_user() since it incorporates a bounds check near the usage.

uaccess_try_nospec provides the same mechanism for get_user_try.

No functional changes.

Suggested-by: Linus Torvalds
Suggested-by: Andi Kleen
Suggested-by: Ingo Molnar
Signed-off-by: Dan Williams
Signed-off-by: Thomas Gleixner
Cc: linux-arch@vger.kernel.org
Cc: Tom Lendacky
Cc: Kees Cook
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: Al Viro
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727415922.33451.5796614273104346583.stgit@dwillia2-desk3.amr.corp.intel.com
[bwh: Backported to 4.4: use current_thread_info()]
Signed-off-by: Ben Hutchings
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/include/asm/uaccess.h | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h @@ -146,6 +146,11 @@ extern int __get_user_bad(void); #define __uaccess_begin() stac() #define __uaccess_end() clac() +#define __uaccess_begin_nospec() \ +({ \ + stac(); \ + barrier_nospec(); \ +}) /* * This is a type: either unsigned long, if the argument fits into @@ -473,6 +478,10 @@ struct __large_struct { unsigned long bu __uaccess_begin(); \ barrier(); +#define uaccess_try_nospec do { \ + current_thread_info()->uaccess_err = 0; \ + __uaccess_begin_nospec(); \ + #define uaccess_catch(err) \ __uaccess_end(); \ (err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0); \
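
Review bot: in the first hunk (@@ -146,6 +146,11 @@), __uaccess_begin_nospec() is added without a comment, so the reason barrier_nospec() comes after stac() is recorded only in the commit message. Suggest a short comment above the macro saying that the barrier makes the access_ok() result resolve before any speculative use of the user pointer, and that it sits after stac() on purpose to overlap the two costs, so a later cleanup does not reorder or drop it. The hunk also adds no include, so for this 4.4 backport it is worth confirming that barrier_nospec() is already defined for every file that pulls in uaccess.h.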
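
Review bot: in the second hunk (@@ -473,6 +478,10 @@), the last line of uaccess_try_nospec, `__uaccess_begin_nospec(); \`, ends in a line continuation that runs onto the added blank line, and the macro has no barrier() where the uaccess_try just above it has one after __uaccess_begin(). Suggest dropping the trailing backslash so the definition does not depend on the following line staying empty, and either adding barrier() to match uaccess_try or saying in a comment that barrier_nospec() is relied on as the compiler barrier here.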