Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp277918pxy;
        Wed, 5 May 2021 01:50:52 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzeNXN3xu7f41KbsyQn/7SkK7Tn0P5bUu1br5udhHXVUOglQfrIQ29V2IEcDtwi4vvBVxC/
X-Received: by 2002:a63:5017:: with SMTP id e23mr6342706pgb.284.1620204652224;
        Wed, 05 May 2021 01:50:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620204652; cv=none;
        d=google.com; s=arc-20160816;
        b=nF9mXxY0siKCgRfdUMYU3tQ54Fnnfu2xfTSd+CpdCLCt6hSUAT68UYkButnqYJ6AwQ
         ZoPy3+B607U4q9Wc0Qz7xFeTkfr84mriovrHibS3wkQ9FlgMS6yeaCOVgcrNWfTn3dmc
         hg9cDIsfzwqnTHtLfy7tQWvRr49/SraNUw9qhrrvVYiY9br9vCqejXL8mBpx+36Kt/Uq
         yNh1uaMvyGSnpMwfX6d2bCnOc4eaXeZxyo4qsCOY7S+6wojjSxjS5muvTng4j2vwi4Lx
         5SSxznHR1uJ0tAlGEKvC53XgXfWQ8qGEZNm4wqGfCfMSujOPxuexQ75aVQ/oITm8Qui7
         X7uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :mime-version:accept-language:in-reply-to:references:message-id:date
         :thread-index:thread-topic:subject:cc:to:from;
        bh=KTschkOwcTfTlFXJzWHtyabScoMAnACjWm+Tvair/iA=;
        b=BvlAouIwtgfGKo5oatIAb0We5/pxsuiRi6O87z9fnYyj8DgBHI/s4RwK1yJjVZBJnL
         Q28fF5VmHUWQizo7Ict+pqBOdg/Jk6Cf1gxJEPgRIZ8yxnb5hum9kw/ZcegC6I1RY4Bh
         S17MDqA8G3RwnnsLrDR8ksN/k+V39CIi4dsAdZTGiaWGcctrj94oEuS7whvGfL8cAr7R
         Uh6p5fjr4kvrfnW8KOXa3lvU3UA2pIyfnCWrTu3FwqJfw4rzkOdzAfKGwsH/JZNeRgvT
         2gRch33X+HKsS5c0QQnestIbEpKi6rYoNlalu+dca3uuxslRios6AAHph6HISgjGQ/SW
         kw2w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g17si6331147pjl.43.2021.05.05.01.50.39;
        Wed, 05 May 2021 01:50:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232098AbhEEItu convert rfc822-to-8bit (ORCPT
        <rfc822;liyi.pear@gmail.com> + 99 others);
        Wed, 5 May 2021 04:49:50 -0400
Received: from eu-smtp-delivery-151.mimecast.com ([185.58.86.151]:34430 "EHLO
        eu-smtp-delivery-151.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S231430AbhEEItt (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 5 May 2021 04:49:49 -0400
Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) (Using
 TLS) by relay.mimecast.com with ESMTP id
 uk-mta-215-3K92nTLWNMu_AZz6pphPbw-1; Wed, 05 May 2021 09:48:49 +0100
X-MC-Unique: 3K92nTLWNMu_AZz6pphPbw-1
Received: from AcuMS.Aculab.com (fd9f:af1c:a25b:0:994c:f5c2:35d6:9b65) by
 AcuMS.aculab.com (fd9f:af1c:a25b:0:994c:f5c2:35d6:9b65) with Microsoft SMTP
 Server (TLS) id 15.0.1497.2; Wed, 5 May 2021 09:48:48 +0100
Received: from AcuMS.Aculab.com ([fe80::994c:f5c2:35d6:9b65]) by
 AcuMS.aculab.com ([fe80::994c:f5c2:35d6:9b65%12]) with mapi id
 15.00.1497.015; Wed, 5 May 2021 09:48:48 +0100
From:   David Laight <David.Laight@ACULAB.COM>
To:     'Josh Poimboeuf' <jpoimboe@redhat.com>,
        Al Viro <viro@zeniv.linux.org.uk>
CC:     "x86@kernel.org" <x86@kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Will Deacon <will@kernel.org>,
        Dan Williams <dan.j.williams@intel.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        "Waiman Long" <longman@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        "Thomas Gleixner" <tglx@linutronix.de>,
        Andrew Cooper <andrew.cooper3@citrix.com>,
        Andy Lutomirski <luto@kernel.org>,
        Christoph Hellwig <hch@lst.de>,
        "Mark Rutland" <mark.rutland@arm.com>,
        Borislav Petkov <bp@alien8.de>
Subject: RE: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess
 speculation
Thread-Topic: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess
 speculation
Thread-Index: AQHXQWJqu8vqbxm3x0CYXgd0hdGkc6rUkPgw
Date:   Wed, 5 May 2021 08:48:48 +0000
Message-ID: <2f75c496ac774444b75ff808854b8e5f@AcuMS.aculab.com>
References: <cover.1620186182.git.jpoimboe@redhat.com>
 <5ba93cdbf35ab40264a9265fc24575a9b2f813b3.1620186182.git.jpoimboe@redhat.com>
In-Reply-To: <5ba93cdbf35ab40264a9265fc24575a9b2f813b3.1620186182.git.jpoimboe@redhat.com>
Accept-Language: en-GB, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.202.205.107]
MIME-Version: 1.0
Authentication-Results: relay.mimecast.com;
        auth=pass smtp.auth=C51A453 smtp.mailfrom=david.laight@aculab.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: aculab.com
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8BIT
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Josh Poimboeuf
> Sent: 05 May 2021 04:55
> 
> The x86 uaccess code uses barrier_nospec() in various places to prevent
> speculative dereferencing of user-controlled pointers (which might be
> combined with further gadgets or CPU bugs to leak data).
...
> Remove existing barrier_nospec() usage, and instead do user pointer
> masking, throughout the x86 uaccess code.  This is similar to what arm64
> is already doing with uaccess_mask_ptr().
...
> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> index fb75657b5e56..ebe9ab46b183 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -66,12 +66,35 @@ static inline bool pagefault_disabled(void);
>   * Return: true (nonzero) if the memory block may be valid, false (zero)
>   * if it is definitely invalid.
>   */
> -#define access_ok(addr, size)					\
> +#define access_ok(addr, size)						\
>  ({									\
>  	WARN_ON_IN_IRQ();						\
>  	likely(!__range_not_ok(addr, size, TASK_SIZE_MAX));		\
>  })
> 
> +/*
> + * Sanitize a user pointer such that it becomes NULL if it's not a valid user
> + * pointer.  This prevents speculatively dereferencing a user-controlled
> + * pointer to kernel space if access_ok() speculatively returns true.  This
> + * should be done *after* access_ok(), to avoid affecting error handling
> + * behavior.
> + */
> +#define mask_user_ptr(ptr)						\
> +({									\
> +	unsigned long _ptr = (__force unsigned long)ptr;		\
> +	unsigned long mask;						\
> +									\
> +	asm volatile("cmp %[max], %[_ptr]\n\t"				\
> +		     "sbb %[mask], %[mask]\n\t"				\
> +		     : [mask] "=r" (mask)				\
> +		     : [_ptr] "r" (_ptr),				\
> +		       [max] "r" (TASK_SIZE_MAX)			\
> +		     : "cc");						\
> +									\
> +	mask &= _ptr;							\
> +	((typeof(ptr)) mask);						\
> +})
> +

access_ok() and mask_user_ptr() are doing much the same check.
Is there scope for making access_ok() return the masked pointer?

So the canonical calling code would be:
	uptr = access_ok(uptr, size);
	if (!uptr)
		return -EFAULT;

This would error requests for address 0 earlier - but I don't
believe they are ever valid in Linux.
(Some historic x86 a.out formats did load to address 0.)

Clearly for a follow up patch.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)