Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp507330pxy; Wed, 5 May 2021 07:28:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwnmzzCESOvqLI7jq5yUxH1k+TalAZA/WvE3Wgg/dfrHgaJnvg9EYZBPu7uVoNjl7aHvhTu X-Received: by 2002:a50:c004:: with SMTP id r4mr31725396edb.192.1620224900185; Wed, 05 May 2021 07:28:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620224900; cv=none; d=google.com; s=arc-20160816; b=Klp1PYnhAFa5DzkEwM0LEvz+9ap0gmsQaTdbs3sz9VDYX72Qny7cNiQ8y4Rs9srkWP 7pBDsXflMfvRKZTTRlYnh90JlXXCBXNpGQeoXfMh8HgaoFx2qr3oqvNxh9vEpKCAHCB/ rRD/3Dkyg24kN3pp1wBzL/8LZ3wTykweOdPKH5/eoHgVrhETFDtEZCZPjxO92PJu4BND zAbBPhuBcVOZlCD+wj7qo5W/4YkuDe1tf0jU5JcrDFQA0Vn6GyM2iBd89FAg99Fo+BcE VnCeAIKcKnurPcMLjCTXceCQENSHCwlCnukmc4O1ua4LmAv597wxNZG5O1aQuV9Y15NE LMvQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=Wt5K2g/9hHjPCSbm1RchO7vWMtbjfpVCnTp5uF6mHag=; b=rUJpc0c3ZyUw6NtPXjXinAv84OEunASy3tLbHM2lwjnkq4NObVITaRvhMxTm42zxid TEXgKrkfrnpGLfPp+W7qVsOysZhyw/1dIK6ItvShOZDk9T0Tg1/LXhMa+rpwLzVn/DC2 XfYHHTlLygwWupebrhlVkMzaOyWSSkbpF1eBvGdeGrnGD4VkdiPWLVkAtSGJSff+pvab rUoFyPKDWiWuZlbWpvCFHezasDP1Fb6LSZ/NAbUaPtCa0miszYPqzAIDG1Ili5fFhj7J BMjbosfiZKAHU9thGYqEz5EP02nCDEa0XwDMLoDYfIjCJdXWd+UogKCbNzhULPDjhxb7 7PfQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s25si5914343edy.17.2021.05.05.07.27.56; Wed, 05 May 2021 07:28:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232882AbhEEO0o (ORCPT + 99 others); Wed, 5 May 2021 10:26:44 -0400 Received: from foss.arm.com ([217.140.110.172]:45544 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232706AbhEEO0n (ORCPT ); Wed, 5 May 2021 10:26:43 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E4741ED1; Wed, 5 May 2021 07:25:46 -0700 (PDT) Received: from C02TD0UTHF1T.local (unknown [10.57.28.242]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 7A9193F718; Wed, 5 May 2021 07:25:44 -0700 (PDT) Date: Wed, 5 May 2021 15:25:42 +0100 From: Mark Rutland To: Josh Poimboeuf , David Laight Cc: Al Viro , x86@kernel.org, linux-kernel@vger.kernel.org, Linus Torvalds , Will Deacon , Dan Williams , Andrea Arcangeli , Waiman Long , Peter Zijlstra , Thomas Gleixner , Andrew Cooper , Andy Lutomirski , Christoph Hellwig , Borislav Petkov Subject: Re: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation Message-ID: <20210505142542.GC5605@C02TD0UTHF1T.local> References: <5ba93cdbf35ab40264a9265fc24575a9b2f813b3.1620186182.git.jpoimboe@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5ba93cdbf35ab40264a9265fc24575a9b2f813b3.1620186182.git.jpoimboe@redhat.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Josh, David, On Tue, May 04, 2021 at 10:54:31PM -0500, Josh Poimboeuf wrote: > The x86 uaccess code uses barrier_nospec() in various places to prevent > speculative dereferencing of user-controlled pointers (which might be > combined with further gadgets or CPU bugs to leak data). > > There are some issues with the current implementation: > > - The barrier_nospec() in copy_from_user() was inadvertently removed > with: 4b842e4e25b1 ("x86: get rid of small constant size cases in > raw_copy_{to,from}_user()") > > - copy_to_user() and friends should also have a speculation barrier, > because a speculative write to a user-controlled address can still > populate the cache line with the original data. > > - The LFENCE in barrier_nospec() is overkill, when more lightweight user > pointer masking can be used instead. > > Remove existing barrier_nospec() usage, and instead do user pointer > masking, throughout the x86 uaccess code. This is similar to what arm64 > is already doing with uaccess_mask_ptr(). > +/* > + * Sanitize a user pointer such that it becomes NULL if it's not a valid user > + * pointer. This prevents speculatively dereferencing a user-controlled > + * pointer to kernel space if access_ok() speculatively returns true. This > + * should be done *after* access_ok(), to avoid affecting error handling > + * behavior. > + */ > +#define mask_user_ptr(ptr) \ > +({ \ > + unsigned long _ptr = (__force unsigned long)ptr; \ > + unsigned long mask; \ > + \ > + asm volatile("cmp %[max], %[_ptr]\n\t" \ > + "sbb %[mask], %[mask]\n\t" \ > + : [mask] "=r" (mask) \ > + : [_ptr] "r" (_ptr), \ > + [max] "r" (TASK_SIZE_MAX) \ > + : "cc"); \ > + \ > + mask &= _ptr; \ > + ((typeof(ptr)) mask); \ > +}) On arm64 we needed to have a sequence here because the addr_limit used to be variable, but now that we've removed set_fs() and split the user/kernel access routines we could simplify that to an AND with an immediate mask to force all pointers into the user half of the address space. IIUC x86_64 could do the same, and I think that was roughly what David was suggesting. That does mean that you could still speculatively access user memory erroneously other than to NULL, but that's also true for speculated pointers below TASK_SIZE_MAX when using the more complex sequence. Thanks, Mark.