From: Dianzhang Chen
To: tglx@linutronix.de
Cc: mingo@redhat.com, bp@alien8.de, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org, Dianzhang Chen
Subject: [PATCH] x86: tls: fix possible spectre-v1 in do_get_thread_area()
Date: Tue, 11 Jun 2019 21:15:58 +0800
Message-Id: <1560258958-19291-1-git-send-email-dianzhangchen0@gmail.com>

The idx in do_get_thread_area() is controlled by userspace via syscall: ptrace (defined in kernel/ptrace.c), hence leading to a potential exploitation of the Spectre variant 1 vulnerability.

The idx can be controlled from: ptrace -> arch_ptrace -> do_get_thread_area.

Fix this by sanitizing idx before using it to index p->thread.tls_array.

Signed-off-by: Dianzhang Chen
---
 arch/x86/kernel/tls.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
index a5b802a..4cd338c 100644
--- a/arch/x86/kernel/tls.c
+++ b/arch/x86/kernel/tls.c
@@ -5,6 +5,7 @@ #include #include #include +#include #include #include
@@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx, struct user_desc __user *u_info) { struct user_desc info; + int index = idx - GDT_ENTRY_TLS_MIN; if (idx == -1 && get_user(idx, &u_info->entry_number)) return -EFAULT; @@ -227,8 +229,10 @@ int do_get_thread_area(struct task_struct *p, int idx, if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) return -EINVAL; + index = array_index_nospec(index, + GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1); fill_user_desc(&info, idx, - &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]); + &p->thread.tls_array[index]); if (copy_to_user(u_info, &info, sizeof(info))) return -EFAULT; -- 2.7.4
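Review bot: the name of the header added in the `@@ -5,6 +5,7 @@` hunk has been lost in this rendering (as have the existing include targets); array_index_nospec(), which the later hunk relies on, is declared in linux/nospec.h, so confirm that is the include being added here.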
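Review bot: in the `@@ -220,6 +221,7 @@` hunk, `int index = idx - GDT_ENTRY_TLS_MIN;` is evaluated at declaration, before the following `if (idx == -1 && get_user(idx, &u_info->entry_number))` may replace idx with the entry number read from userspace, so when the caller passes idx == -1 the stored index is -1 - GDT_ENTRY_TLS_MIN and never reflects the fetched value. Declare it as a plain `int index;` here and do the subtraction after the range check.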
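Review bot: in the `@@ -227,8 +229,10 @@` hunk, array_index_nospec() is applied to `index` as initialized at the top of the function, not to the idx that just passed the `idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX` check, so in the idx == -1 path the clamp masks a stale out-of-range value instead of the requested entry's offset and fill_user_desc() is handed the wrong tls_array slot. Add `index = idx - GDT_ENTRY_TLS_MIN;` immediately before the `index = array_index_nospec(index, GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1);` call so the clamped index is derived from the validated idx; the bound expression itself is correct for the tls_array range.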