Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp294454ybd; Tue, 25 Jun 2019 21:41:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqwwUYT0UmCfPbZw8ngt3VN9794XPfM+4/iBfL+46hsMPV06C5U24AoowATaQRHyULkcg98H X-Received: by 2002:a17:902:7247:: with SMTP id c7mr2861188pll.202.1561524075109; Tue, 25 Jun 2019 21:41:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561524075; cv=none; d=google.com; s=arc-20160816; b=quup5F2f7LmU7BE3s+0daGZqPQ+2ZScYJfvCdMvF5lqUDL+qpoPgGTCAATR6/cPDJI I8tE3ubx955cj/ggBZF5z9a6apivazMpoIbXRgH8jSBB5KfZiJPUMqTaWH0u+4yV3xvu 1bBbFSNjtrlLjzc4MycpdhdQHl0UX1I0utko6oerENUzB05hyijA2yyqrqyUrKKzzOuu GOxKYyjX3BWp2VIGhZFNSv0UpZzbcDDrEmugGqPeDmuf/bHejg6nCsMHT7vkvQnQ9t7+ Er+xAJNLBWNp9mKrsj/L8dPC2m7/QGs45jos4ytprIR6hGuxl65BPRz9EreGs6lANNqP ShSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=M1Tx6hW48tWiA/Izb/w3vicI3ly2WQB2siq+u/tEzxo=; b=hhbbEJeqVOxLNDreEslaE1U2UYgOKOiXaziTN/EpLGQrX24ph2MXbMlku3PixQU1Fq TIGUDGVPSLOcSp7hfosVKlWg+l2asOQTWABRmEY/C/LO96K3wo2IvH1nkEzdWoukzNag 2xT79xFFSnC122PKiTyO8dLWiFaddN1RY0zix9dOUo0jqMUybFB8TpH8VJb6v9dYg1BM MY4QsGPVNAi59b47m0ueHXuYELWeJELcNgQrgqf0A1+xXqEP34Z5URANIByQFpnA7Abj I0dfT3rtSbjvSz13C+sBzkLpLU7R0H9Ko59yFPgBwWuZSSIU7a9R5m3ckgJIcsxnPC0I aT0A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=gDG9THSo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 31si2284686pld.245.2019.06.25.21.40.56; Tue, 25 Jun 2019 21:41:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=gDG9THSo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726535AbfFZEkO (ORCPT + 99 others); Wed, 26 Jun 2019 00:40:14 -0400 Received: from mail-ot1-f67.google.com ([209.85.210.67]:34778 "EHLO mail-ot1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725954AbfFZEkN (ORCPT ); Wed, 26 Jun 2019 00:40:13 -0400 Received: by mail-ot1-f67.google.com with SMTP id n5so1228820otk.1 for ; Tue, 25 Jun 2019 21:40:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=M1Tx6hW48tWiA/Izb/w3vicI3ly2WQB2siq+u/tEzxo=; b=gDG9THSojY0XQqfQlzWkYg3ux8Ratr6ecHKdE4kag2yxNI2HzUDTaPuex8a79ZTUHg KbA9skWcdhdIjp/WPLtaOARIGP18dHP8xYNj+LeaeAw0+hdgfj+hrIon7LR5t8zBmIv2 dyLVCZZbYt5v3UbtDcMAAMa4spIXnnZ6n5CSpAb2/NnqQnyhXknkGsr1/6M34mPoS7t5 XCRf1Vw/27pVy6ipVYnGRGeF4ww+dFdvvodRXMQdg3yQ2SwzvLC46/SLUyGs/o9UI1BA rpl4qyMaxB7YCc7eyeqjD7+z5l+pa/27DAXWoFMC0Ft8SfF2VyLTLW4wYawaMl/+LX9O wLzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=M1Tx6hW48tWiA/Izb/w3vicI3ly2WQB2siq+u/tEzxo=; b=ACF8rutsY+mJQOcVo4X/l3K9v0dOkV08eXXJ6nHJVM9L00itc50ga1MxPJQ75pqVhp +7eIEPiMmmQ/peAgT+R4xeRjBsAaOLIUBywdHeOrvK/Uc4IN+rh/4dP/ddJuZ3o6Unzl QYjpbPWTSoU0uiy6gYe73zUD9RdBXJZayy2Zsfh5ceKtinqpk2I6+A8PfiA8eJZ90t+z M/rWif+NmMf/1xVmBfOwCmmTPoMUZnYUmBrPpiML/z5Y2YhUz4uYtxNjqWezl7Yf/r3C AiUu+CnViMEQtqtNEGlNbcgzHI56XH65mzmo/bLGDdJWrt7sNCQ8tlsvTdcqsChO4LEy TQLw== X-Gm-Message-State: APjAAAVVQ1T3JAXPLNlZC9voPdTzzyLVAnyCRQPfbgBRttTIWsoQxsud 72Uf0crF2E/ARJGGmLnacioGe4bTfgVK6E/hiTqhyf6/9Wg= X-Received: by 2002:a9d:67d6:: with SMTP id c22mr1704290otn.327.1561524013040; Tue, 25 Jun 2019 21:40:13 -0700 (PDT) MIME-Version: 1.0 References: <1561479779-6660-1-git-send-email-dianzhangchen0@gmail.com> In-Reply-To: From: Dianzhang Chen Date: Wed, 26 Jun 2019 12:40:01 +0800 Message-ID: Subject: Re: [PATCH v2] x86/tls: Fix possible spectre-v1 in do_get_thread_area() To: Thomas Gleixner Cc: mingo@redhat.com, bp@alien8.de, hpa@zytor.com, x86@kernel.org, LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 26, 2019 at 12:38 AM Thomas Gleixner wrote: > > On Wed, 26 Jun 2019, Dianzhang Chen wrote: > > > The index to access the threads tls array is controlled by userspace > > via syscall: sys_ptrace(), hence leading to a potential exploitation > > of the Spectre variant 1 vulnerability. > > The idx can be controlled from: > > ptrace -> arch_ptrace -> do_get_thread_area. > > > > Fix this by sanitizing idx before using it to index p->thread.tls_array. > > Just that I can't find a place which sanitizes the value.... > > > +#include > > and nothing which uses anything from this header file. > > > #include > > #include > > @@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx, > > struct user_desc __user *u_info) > > { > > struct user_desc info; > > + int index; > > > > if (idx == -1 && get_user(idx, &u_info->entry_number)) > > return -EFAULT; > > @@ -227,8 +229,9 @@ int do_get_thread_area(struct task_struct *p, int idx, > > if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) > > return -EINVAL; > > > > - fill_user_desc(&info, idx, > > - &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]); > > + index = idx - GDT_ENTRY_TLS_MIN; > > + > > + fill_user_desc(&info, idx, &p->thread.tls_array[index]); > > So this is just a cosmetic change and the compiler will create probably > exactly the same binary. > > Thanks, > > tglx > sorry for being careless, my bad. And thanks for suggestion, i'll fix that in next version.