Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp528224pxy; Wed, 5 May 2021 07:54:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz8uQr9qJFfTs6nDJyjSMZdvICqmV5oWKT6Ln702WR4bprNrR+dqMpdpOwNVKBUChsE+QFK X-Received: by 2002:a05:6402:138f:: with SMTP id b15mr32868021edv.121.1620226476693; Wed, 05 May 2021 07:54:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620226476; cv=none; d=google.com; s=arc-20160816; b=Mg1C/flXjpHFfhydeiJt0fe9wZA8EfmuoxBMqVIda4fmBoFxwuwBjeNghZRiEFbKUu 87vxdGsjeJAU8+0nWTREdJXwr74DU3UV3Kd7sKA5UKXrWaeXgFZHpNgNojYQlzfwoAa4 fTTO4C2ZL/H/fM3wYL00gjxJQZlUQhMQ6TbqSO6TTqYdXj+V8UclQQvawDC1JRcoVBh4 yYcUzB431cI3647lSFsbI1iHQec96444SYIs487CYW0tKtdbJ+VArBUta57ZJkiBuLnW hCEGODdSroxFcH8/BMePAtOzDKjdAnKplQl2Xy/2cqq9wara2P5AuK8IU6W27mSmQwC1 ofrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:accept-language:in-reply-to:references:message-id:date :thread-index:thread-topic:subject:cc:to:from; bh=xCEd5qRIGsk0+G3LtP/HWyq08CVN4cJyPqw0jK7K8ak=; b=r7qvvxhv8vEHSeGZ34lEkOIXXuPD19/DQWHH42kGkxHRvKNQUSyJVRxIqcg9wNrvkR ZJq7HkFWysZm1T5RUtKUHXY3vBdqF2c0B+v/7ZH2+w1sbC8LMEu6jrW5oi2MU3UuZ1cu L7mIJYcMTbq0jZ16ug9fJE5zgGpZ9HdnH/9W10hTZfSUIt2NbMjYMW+ulvkH5TWd58qB gPgFioEY1csBVFVycJA22bUZx+MpyfndHnKAoJ5kepthmiwJzLNfFL+yXt/f0a3i6AsS 5/EgoDJJsscms+Bi8O8iz2wuTYSNtEcmQz/AkPuvTKU7/P4f9q48i8kr9IYFOtIpwnhv szsw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e8si1744888edq.509.2021.05.05.07.54.08; Wed, 05 May 2021 07:54:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233426AbhEEOuy convert rfc822-to-8bit (ORCPT + 99 others); Wed, 5 May 2021 10:50:54 -0400 Received: from eu-smtp-delivery-151.mimecast.com ([185.58.85.151]:48276 "EHLO eu-smtp-delivery-151.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233362AbhEEOux (ORCPT ); Wed, 5 May 2021 10:50:53 -0400 Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-122-_Y0hW93EMm-eOjbjZrBEGQ-1; Wed, 05 May 2021 15:49:54 +0100 X-MC-Unique: _Y0hW93EMm-eOjbjZrBEGQ-1 Received: from AcuMS.Aculab.com (fd9f:af1c:a25b:0:994c:f5c2:35d6:9b65) by AcuMS.aculab.com (fd9f:af1c:a25b:0:994c:f5c2:35d6:9b65) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 5 May 2021 15:49:53 +0100 Received: from AcuMS.Aculab.com ([fe80::994c:f5c2:35d6:9b65]) by AcuMS.aculab.com ([fe80::994c:f5c2:35d6:9b65%12]) with mapi id 15.00.1497.015; Wed, 5 May 2021 15:49:53 +0100 From: David Laight To: 'Mark Rutland' , Josh Poimboeuf CC: Al Viro , "x86@kernel.org" , "linux-kernel@vger.kernel.org" , Linus Torvalds , Will Deacon , Dan Williams , Andrea Arcangeli , "Waiman Long" , Peter Zijlstra , "Thomas Gleixner" , Andrew Cooper , Andy Lutomirski , Christoph Hellwig , "Borislav Petkov" Subject: RE: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation Thread-Topic: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation Thread-Index: AQHXQbqHu8vqbxm3x0CYXgd0hdGkc6rU8ocA Date: Wed, 5 May 2021 14:49:53 +0000 Message-ID: References: <5ba93cdbf35ab40264a9265fc24575a9b2f813b3.1620186182.git.jpoimboe@redhat.com> <20210505142542.GC5605@C02TD0UTHF1T.local> In-Reply-To: <20210505142542.GC5605@C02TD0UTHF1T.local> Accept-Language: en-GB, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.202.205.107] MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=C51A453 smtp.mailfrom=david.laight@aculab.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: aculab.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Mark Rutland > Sent: 05 May 2021 15:26 ... > > +/* > > + * Sanitize a user pointer such that it becomes NULL if it's not a valid user > > + * pointer. This prevents speculatively dereferencing a user-controlled > > + * pointer to kernel space if access_ok() speculatively returns true. This > > + * should be done *after* access_ok(), to avoid affecting error handling > > + * behavior. > > + */ > > +#define mask_user_ptr(ptr) \ > > +({ \ > > + unsigned long _ptr = (__force unsigned long)ptr; \ > > + unsigned long mask; \ > > + \ > > + asm volatile("cmp %[max], %[_ptr]\n\t" \ > > + "sbb %[mask], %[mask]\n\t" \ > > + : [mask] "=r" (mask) \ > > + : [_ptr] "r" (_ptr), \ > > + [max] "r" (TASK_SIZE_MAX) \ > > + : "cc"); \ > > + \ > > + mask &= _ptr; \ > > + ((typeof(ptr)) mask); \ > > +}) > > On arm64 we needed to have a sequence here because the addr_limit used > to be variable, but now that we've removed set_fs() and split the > user/kernel access routines we could simplify that to an AND with an > immediate mask to force all pointers into the user half of the address > space. IIUC x86_64 could do the same, and I think that was roughly what > David was suggesting. Something like that :-) For 64bit you can either unconditionally mask the user address (to clear a few high bits) or mask with a calculated value if the address is invalid. The former is almost certainly better. The other thing is that a valid length has to be less than the TASK_SIZE_MAX. Provided there are 2 zero bits at the top of every user address you can check 'addr | size < limit' and know that 'addr + size' won't wrap into kernel space. 32bit is more difficult. User addresses (probably) go up to 0xc0000000 and the kernel starts (almost) immediately. If you never map a 4k page on one side of the boundary then you only need to check the base address provided the user buffer is less than 4k, or the accesses are guaranteed to be sequential. While the full window test isn't that complicated ignoring the length will remove some code - especially for hot paths that use __get_user() to access a fixed size structure > That does mean that you could still speculatively access user memory > erroneously other than to NULL, but that's also true for speculated > pointers below TASK_SIZE_MAX when using the more complex sequence. True, but there are almost certainly easier ways to speculatively access user addresses than passing a kernel alias of the address into a system call! David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)