Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp2861442pxv; Mon, 12 Jul 2021 03:50:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzjgrHEAN2Iw5WsrXP4dOhrVRLpWODEXheqMM1pZl1V/V5DSfPDyRQhlUUBdWf8Andkm/U9 X-Received: by 2002:a02:8241:: with SMTP id q1mr43586301jag.134.1626087027272; Mon, 12 Jul 2021 03:50:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626087027; cv=none; d=google.com; s=arc-20160816; b=qHbaoSCGjlcUJVAv0Xm1lx8euliHYlN91Z18LF/ZYxRTHADWz2Ypbg32sZWzXvmbRc 342d7VD00rvEbySxlBmJXQ0KCzYmeqCMFTLqFarZqEcURdTqlDThYRNa0w7dK409jjSX xM0EqeTiku1fQ31/4g11g6ZfLWpmR8XLmI19ggbzwk+heBly6gF6mwI8pRCwpLx4tMjQ pPoDO/tuy4kIPL6Gi8FXj8E+K/41mZRnw40zvCJhdEoWweTTTBPctMRNGu5RjDCXk1te vKI2jEP7M1rAI0srap8PzZX2QV8Txx7glsZ4zhsUaoeXjKntinTjRQGDZlnOotj8LZ3E Ju5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=+0qfw/bC/dR+ePOaOegh8qaSCnp9YmzAkNZA8xt0Qqw=; b=Qni6lttaFcnE/4bfQ0JP5B8Ivp9qRrI1f29U3uyH68tGYRmUNPliqckFMKZAXDXlnQ qN2HfwpsqQ3LMxir8bmiPGBvF0eiEJ8zo3pqLqkaepZxvZbaML7okYNUnfVTD54JIoSp cobYo+tWwwLM2S5maX8HvOqYng4XZ2wECThJMcmhAi1I7v6l0AgghkjLk+4e+kCqxsy+ vQUO4RacGIZSQ/7OI8bU7Om35Fmbx6qHqGHZ2UlzyE79RzTcYQ2SWqw0GfVxLEPz0rzA Edo5cjhGVVSer3Yp6E6TAWomvmrz0HS+TKFcsrf4oOii0Hrdf6OXPQSHNGiVofryByGT AQfw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Ox6mDeyJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t10si16205332ilp.101.2021.07.12.03.50.15; Mon, 12 Jul 2021 03:50:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Ox6mDeyJ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351074AbhGLIM5 (ORCPT + 99 others); Mon, 12 Jul 2021 04:12:57 -0400 Received: from mail.kernel.org ([198.145.29.99]:43946 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343708AbhGLH2r (ORCPT ); Mon, 12 Jul 2021 03:28:47 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id BD2B56052B; Mon, 12 Jul 2021 07:24:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626074669; bh=ZBnETahcEzDe114zWt58kNq+jk1cxqTLk0Vx9wYDjGs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ox6mDeyJT/TWI+rtYohTyZ92NqiEf7wzziECKWKK4bcySDboNhonzURXsm0UU8+Ag xwuIF7IXaM8MU3P3t8gUPDVfe2PV5w37ynYjVw0oy4d/mf4iv01/ca0A3a06TYLMWr du4sC2hPAY30QpvBwixMWXf1xyYSnWdaBcJ5iDA4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nicholas Piggin , Michael Ellerman , Sasha Levin Subject: [PATCH 5.12 656/700] powerpc/64s: Fix copy-paste data exposure into newly created tasks Date: Mon, 12 Jul 2021 08:12:19 +0200 Message-Id: <20210712061045.661663925@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210712060924.797321836@linuxfoundation.org> References: <20210712060924.797321836@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nicholas Piggin [ Upstream commit f35d2f249ef05b9671e7898f09ad89aa78f99122 ] copy-paste contains implicit "copy buffer" state that can contain arbitrary user data (if the user process executes a copy instruction). This could be snooped by another process if a context switch hits while the state is live. So cp_abort is executed on context switch to clear out possible sensitive data and prevent the leak. cp_abort is done after the low level _switch(), which means it is never reached by newly created tasks, so they could snoop on this buffer between their first and second context switch. Fix this by doing the cp_abort before calling _switch. Add some comments which should make the issue harder to miss. Fixes: 07d2a628bc000 ("powerpc/64s: Avoid cpabort in context switch when possible") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210622053036.474678-1-npiggin@gmail.com Signed-off-by: Sasha Levin --- arch/powerpc/kernel/process.c | 48 +++++++++++++++++++++++------------ 1 file changed, 32 insertions(+), 16 deletions(-) diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c index 3231c2df9e26..03d7261e1492 100644 --- a/arch/powerpc/kernel/process.c +++ b/arch/powerpc/kernel/process.c @@ -1212,6 +1212,19 @@ struct task_struct *__switch_to(struct task_struct *prev, __flush_tlb_pending(batch); batch->active = 0; } + + /* + * On POWER9 the copy-paste buffer can only paste into + * foreign real addresses, so unprivileged processes can not + * see the data or use it in any way unless they have + * foreign real mappings. If the new process has the foreign + * real address mappings, we must issue a cp_abort to clear + * any state and prevent snooping, corruption or a covert + * channel. ISA v3.1 supports paste into local memory. + */ + if (new->mm && (cpu_has_feature(CPU_FTR_ARCH_31) || + atomic_read(&new->mm->context.vas_windows))) + asm volatile(PPC_CP_ABORT); #endif /* CONFIG_PPC_BOOK3S_64 */ #ifdef CONFIG_PPC_ADV_DEBUG_REGS @@ -1257,30 +1270,33 @@ struct task_struct *__switch_to(struct task_struct *prev, last = _switch(old_thread, new_thread); + /* + * Nothing after _switch will be run for newly created tasks, + * because they switch directly to ret_from_fork/ret_from_kernel_thread + * etc. Code added here should have a comment explaining why that is + * okay. + */ + #ifdef CONFIG_PPC_BOOK3S_64 + /* + * This applies to a process that was context switched while inside + * arch_enter_lazy_mmu_mode(), to re-activate the batch that was + * deactivated above, before _switch(). This will never be the case + * for new tasks. + */ if (current_thread_info()->local_flags & _TLF_LAZY_MMU) { current_thread_info()->local_flags &= ~_TLF_LAZY_MMU; batch = this_cpu_ptr(&ppc64_tlb_batch); batch->active = 1; } - if (current->thread.regs) { + /* + * Math facilities are masked out of the child MSR in copy_thread. + * A new task does not need to restore_math because it will + * demand fault them. + */ + if (current->thread.regs) restore_math(current->thread.regs); - - /* - * On POWER9 the copy-paste buffer can only paste into - * foreign real addresses, so unprivileged processes can not - * see the data or use it in any way unless they have - * foreign real mappings. If the new process has the foreign - * real address mappings, we must issue a cp_abort to clear - * any state and prevent snooping, corruption or a covert - * channel. ISA v3.1 supports paste into local memory. - */ - if (current->mm && - (cpu_has_feature(CPU_FTR_ARCH_31) || - atomic_read(¤t->mm->context.vas_windows))) - asm volatile(PPC_CP_ABORT); - } #endif /* CONFIG_PPC_BOOK3S_64 */ return last; -- 2.30.2