Date: Mon, 27 May 2019 10:38:52 +0300
From: Cyrill Gorcunov
To: Dianzhang Chen
Cc: akpm@linux-foundation.org, kristina.martsenko@arm.com, ebiederm@xmission.com, j.neuschaefer@gmx.net, jannh@google.com, mortonm@chromium.org, yang.shi@linux.alibaba.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()
Message-ID: <20190527073852.GK11013@uranus>
In-Reply-To: <1558941788-969-1-git-send-email-dianzhangchen0@gmail.com>

On Mon, May 27, 2019 at 03:23:08PM +0800, Dianzhang Chen wrote: > The `resource` in do_prlimit() is controlled by userspace via syscall: setrlimit (defined in kernel/sys.c), hence leading to a potential exploitation of the Spectre variant 1 vulnerability. > The relevant code in do_prlimit() is as below: > > if (resource >= RLIM_NLIMITS) > return -EINVAL; > ... > rlim = tsk->signal->rlim + resource; // use resource as index > ... > *old_rlim = *rlim; > > Fix this by sanitizing resource before using it to index tsk->signal->rlim. > > Signed-off-by: Dianzhang Chen > --- > kernel/sys.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/kernel/sys.c b/kernel/sys.c > index bdbfe8d..7eba1ca 100644 > --- a/kernel/sys.c > +++ b/kernel/sys.c > @@ -1532,6 +1532,8 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource, > > if (resource >= RLIM_NLIMITS) > return -EINVAL; > + > + resource = array_index_nospec(resource, RLIM_NLIMITS); > if (new_rlim) { > if (new_rlim->rlim_cur > new_rlim->rlim_max) > return -EINVAL;

Could you please explain in detail how array_index_nospec is different from resource >= RLIM_NLIMITS? I don't get how it is related to the Spectre issue.
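Review bot: the commit message should spell out why the added line is needed on top of the existing check, since that is exactly the question raised in this reply: `if (resource >= RLIM_NLIMITS) return -EINVAL;` bounds `resource` only on the architectural path, while the CPU can keep executing speculatively past that branch with an out-of-range value until the compare resolves, so the later `rlim = tsk->signal->rlim + resource` load quoted in the description can still be performed speculatively with a user-chosen index; `array_index_nospec(resource, RLIM_NLIMITS)` clamps the index with a branchless mask, so the speculative load stays inside the array as well. One thing to verify against the hunk as posted: the diff adds no `#include <linux/nospec.h>` for array_index_nospec(), so either kernel/sys.c already pulls it in (directly or transitively) or the include needs to be added in the same patch. The placement itself, clamping immediately after the bounds check and before the first use of `resource`, is right.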