Date: Sun, 23 Jun 2019 13:52:51 +0200 (CEST)
From: Thomas Gleixner
To: Dianzhang Chen
Cc: oleg@redhat.com, mingo@redhat.com, bp@alien8.de, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86: fix possible spectre-v1 in ptrace_get_debugreg()
In-Reply-To: <1558702622-15143-1-git-send-email-dianzhangchen0@gmail.com>

On Fri, 24 May 2019, Dianzhang Chen wrote:

> Subject : [PATCH] x86: fix possible spectre-v1 in ptrace_get_debugreg()

Please use the proper prefix. Run git log on the file and you'll find it.

Also please start the short summary sentence after the prefix with an upper case letter.

> The n in ptrace_get_debugreg() is indirectly controlled by userspace via syscall: ptrace(defined in kernel/ptrace.c), hence leading to a potential exploitation of the Spectre variant 1 vulnerability.
> The n can be controlled from: ptrace -> arch_ptrace -> ptrace_get_debugreg.
>

Please format the text properly with a line break around column 70.

Also please refrain from '(defined in kernel/ptrace.c)'. Use sys_ptrace() which is entirely clear.

> Fix this by sanitizing n before using it to index thread->ptrace_bps.
>
> Signed-off-by: Dianzhang Chen
> ---
> arch/x86/kernel/ptrace.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c > index 4b8ee05..3f8f158 100644 > --- a/arch/x86/kernel/ptrace.c > +++ b/arch/x86/kernel/ptrace.c > @@ -24,6 +24,7 @@ > #include > #include > #include > +#include > > #include > #include 
> @@ -644,7 +645,8 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n) > unsigned long val = 0; > > if (n < HBP_NUM) { > - struct perf_event *bp = thread->ptrace_bps[n]; > + struct perf_event *bp = > + thread->ptrace_bps[array_index_nospec(n, HBP_NUM)];

Please use an intermediate variable to calculate the index instead of this weird line break.

Thanks,

	tglx
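Review bot: the two `+` lines in the ptrace_get_debugreg() hunk split one assignment across a continuation line only to fit the array_index_nospec() call; as the reply asks, compute the clamped index into a local first, e.g. `int idx = array_index_nospec(n, HBP_NUM);` followed by `struct perf_event *bp = thread->ptrace_bps[idx];`. The placement itself is right: the clamp sits inside the `if (n < HBP_NUM)` branch, after the bounds check and before the load, so the comparison stays the architectural check while the mask keeps a mispredicted path from indexing past ptrace_bps.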
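The clamp the patch applies, modelled in userspace as an added example that is not code from the thread or the kernel: the mask follows the generic array_index_mask_nospec() arithmetic, the table, its values and every `demo_` name are constructed assumptions, and the two lookups show the lookup before and after the patch, written with the intermediate variable the review asks for.

```c
/* Added example, not from the thread: a userspace model of the Spectre-v1
 * index clamp the patch applies with array_index_nospec(). The mask follows
 * the generic array_index_mask_nospec(); all "demo_" names are assumptions. */
#include <limits.h>
#include <stdio.h>

#define HBP_NUM 4 /* x86 has four hardware breakpoint slots */

/* ~0UL when index < size, else 0, computed without a branch so the result is
 * not tied to a predicted comparison; a negative int cast to unsigned maps to 0. */
static unsigned long demo_index_mask_nospec(unsigned long index,
                                            unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* In-range indices pass through unchanged; anything else collapses to 0. */
#define demo_index_nospec(index, size) \
    ((index) & demo_index_mask_nospec((index), (size)))

/* Constructed stand-in for thread->ptrace_bps[]; the values are arbitrary. */
static const unsigned long demo_bps[HBP_NUM] = { 0xaa, 0xbb, 0xcc, 0xdd };

/* Before the patch: only the comparison bounds n, so a mispredicted branch
 * can issue the load with an out-of-range n and leave a cache footprint. */
unsigned long demo_get_unclamped(int n)
{
    if (n < HBP_NUM)
        return demo_bps[n];
    return 0;
}

/* After the patch, using the intermediate variable the review asks for. */
unsigned long demo_get_clamped(int n)
{
    if (n < HBP_NUM) {
        unsigned long idx = demo_index_nospec((unsigned long)n, HBP_NUM);
        return demo_bps[idx];
    }
    return 0;
}

int main(void)
{
    for (int n = -1; n <= HBP_NUM; n++) /* -1 shows the unsigned wrap */
        printf("n=%d mask=%#lx clamped=%#lx\n", n,
               demo_index_mask_nospec((unsigned long)n, HBP_NUM), demo_get_clamped(n));
    return 0;
}
```

Note that the mask does not reject an out-of-range index, it redirects it to element 0; the `if` remains the check that decides whether a value is returned at all.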