Date: Sun, 23 Jun 2019 13:55:58 +0200 (CEST)
From: Thomas Gleixner
To: Dianzhang Chen
cc: mingo@redhat.com, bp@alien8.de, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86: tls: fix possible spectre-v1 in do_get_thread_area()
In-Reply-To: <1560258958-19291-1-git-send-email-dianzhangchen0@gmail.com>
References: <1560258958-19291-1-git-send-email-dianzhangchen0@gmail.com>

On Tue, 11 Jun 2019, Dianzhang Chen wrote:

Subject prefix is 'x86/tls:' please.

> The idx in do_get_thread_area() is controlled by userspace

The idx? Please do not use variable names in the change log. The variable
name is an implementation detail.

  The index to access the threads tls array is controlled ....

Hmm?

> via syscall: ptrace(defined in kernel/ptrace.c), hence

sys_ptrace() again.

> leading to a potential exploitation of the Spectre variant 1 vulnerability.
> The idx can be controlled from:
> ptrace -> arch_ptrace -> do_get_thread_area.
>
> Fix this by sanitizing idx before using it to index p->thread.tls_array.
>
> Signed-off-by: Dianzhang Chen
> ---
> arch/x86/kernel/tls.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
> index a5b802a..4cd338c 100644
> --- a/arch/x86/kernel/tls.c
> +++ b/arch/x86/kernel/tls.c
> @@ -5,6 +5,7 @@ > #include > #include > #include > +#include > > #include > #include
> @@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx, > struct user_desc __user *u_info) > { > struct user_desc info; > + int index = idx - GDT_ENTRY_TLS_MIN; > > if (idx == -1 && get_user(idx, &u_info->entry_number)) > return -EFAULT; Broken in the same way as the other one. Thanks, tglx
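Review bot: in the do_get_thread_area() hunk, `+ int index = idx - GDT_ENTRY_TLS_MIN;` is computed before `if (idx == -1 && get_user(idx, &u_info->entry_number))`, which is the line that replaces a caller-supplied -1 with the entry number read from userspace; on that path `index` is derived from -1 and is already stale when the function goes on, so the subtraction has to move below the get_user() line before it can serve as the sanitized index the changelog promises. The diffstat announces 5 insertions, but only two `+` lines are visible in this copy, so the part of the change that is supposed to use `index` cannot be checked here.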
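The ordering problem the reply points at, as an added user-space C model that is not the kernel's code and not part of the patch: one function mirrors the quoted hunk's order, the other resolves idx first and then clamps the array index with the same arithmetic as the kernel's generic array_index_mask_nospec(); GDT_ENTRY_TLS_MIN = 12, the three-entry TLS array and the one-field user_desc are assumed stand-ins.

```c
/* Added example, not kernel code: models the index computation in
 * do_get_thread_area(). Constants and the struct are constructed stand-ins. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define GDT_ENTRY_TLS_MIN     12   /* assumed value, for illustration only */
#define GDT_ENTRY_TLS_ENTRIES 3
#define GDT_ENTRY_TLS_MAX     (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
#define BITS_PER_LONG         (sizeof(long) * CHAR_BIT)

struct user_desc { unsigned int entry_number; };   /* only the field used here */

/* Same arithmetic as the kernel's generic array_index_mask_nospec():
 * all-ones when index < size, zero otherwise, with no branch to mispredict. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Order as in the quoted hunk: index is derived from idx *before* a -1 is
 * replaced by the user-supplied entry_number, so it goes stale on that path. */
int tls_index_as_patched(int idx, const struct user_desc *u_info)
{
    int index = idx - GDT_ENTRY_TLS_MIN;        /* -13 when idx == -1 */
    if (idx == -1)
        idx = (int)u_info->entry_number;        /* stands in for get_user() */
    if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
        return -EINVAL;
    return index;                               /* stale value is returned */
}

/* Corrected order: resolve idx, bounds-check it, then derive the array index
 * and mask it so speculation cannot run past the TLS array either. */
int tls_index_fixed(int idx, const struct user_desc *u_info)
{
    if (idx == -1)
        idx = (int)u_info->entry_number;
    if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
        return -EINVAL;
    unsigned long index = (unsigned long)(idx - GDT_ENTRY_TLS_MIN);
    return (int)(index & index_mask_nospec(index, GDT_ENTRY_TLS_ENTRIES));
}

int main(void)
{
    struct user_desc u = { .entry_number = 13 };   /* constructed input */
    printf("patched order: %d, fixed order: %d\n",
           tls_index_as_patched(-1, &u), tls_index_fixed(-1, &u));
    return 0;
}
```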