From: <gregkh@linuxfoundation.org>
To: jinpu.wang@profitbricks.com, dan.j.williams@intel.com,
dwmw@amazon.co.uk, gregkh@linuxfoundation.org, luto@kernel.org,
tglx@linutronix.de, torvalds@linux-foundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Subject: Patch "x86/syscall: Sanitize syscall table de-references under speculation" has been added to the 4.4-stable tree
Date: Fri, 23 Feb 2018 17:39:32 +0100 [thread overview]
Message-ID: <151940397212105@kroah.com> (raw)
In-Reply-To: <1519382538-15143-16-git-send-email-jinpu.wangl@profitbricks.com>
This is a note to let you know that I've just added the patch titled
x86/syscall: Sanitize syscall table de-references under speculation
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
x86-syscall-sanitize-syscall-table-de-references-under-speculation.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From foo@baz Fri Feb 23 17:23:58 CET 2018
From: Jack Wang <jinpu.wang@profitbricks.com>
Date: Fri, 23 Feb 2018 11:42:04 +0100
Subject: x86/syscall: Sanitize syscall table de-references under speculation
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: Dan Williams <dan.j.williams@intel.com>, Thomas Gleixner <tglx@linutronix.de>, linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, Andy Lutomirski <luto@kernel.org>, alan@linux.intel.com, David Woodhouse <dwmw@amazon.co.uk>, Jack Wang <jinpu.wang@profitbricks.com>
Message-ID: <1519382538-15143-16-git-send-email-jinpu.wangl@profitbricks.com>
From: Dan Williams <dan.j.williams@intel.com>
(cherry picked from commit 2fbd7af5af8665d18bcefae3e9700be07e22b681)
The syscall table base is a user controlled function pointer in kernel
space. Use array_index_nospec() to prevent any out of bounds speculation.
While retpoline prevents speculating into a userspace directed target it
does not stop the pointer de-reference, the concern is leaking memory
relative to the syscall table base, by observing instruction cache
behavior.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arch@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: Andy Lutomirski <luto@kernel.org>
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727417984.33451.1216731042505722161.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
[jwang: port to 4.4, no syscall_64]
Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/entry/common.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -20,6 +20,7 @@
#include <linux/export.h>
#include <linux/context_tracking.h>
#include <linux/user-return-notifier.h>
+#include <linux/nospec.h>
#include <linux/uprobes.h>
#include <asm/desc.h>
@@ -381,6 +382,7 @@ __always_inline void do_syscall_32_irqs_
}
if (likely(nr < IA32_NR_syscalls)) {
+ nr = array_index_nospec(nr, IA32_NR_syscalls);
/*
* It's possible that a 32-bit syscall implementation
* takes a 64-bit parameter but nonetheless assumes that
Patches currently in stable-queue which might be from jinpu.wang@profitbricks.com are
queue-4.4/x86-paravirt-remove-noreplace-paravirt-cmdline-option.patch
queue-4.4/documentation-document-array_index_nospec.patch
queue-4.4/kvm-x86-make-indirect-calls-in-emulator-speculation-safe.patch
queue-4.4/x86-nospec-fix-header-guards-names.patch
queue-4.4/x86-retpoline-avoid-retpolines-for-built-in-__init-functions.patch
queue-4.4/vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch
queue-4.4/kvm-nvmx-invvpid-handling-improvements.patch
queue-4.4/x86-cpu-bugs-make-retpoline-module-warning-conditional.patch
queue-4.4/x86-spectre-check-config_retpoline-in-command-line-parser.patch
queue-4.4/x86-implement-array_index_mask_nospec.patch
queue-4.4/array_index_nospec-sanitize-speculative-array-de-references.patch
queue-4.4/kvm-vmx-make-indirect-call-speculation-safe.patch
queue-4.4/x86-spectre-fix-spelling-mistake-vunerable-vulnerable.patch
queue-4.4/kvm-nvmx-fix-kernel-panics-induced-by-illegal-invept-invvpid-types.patch
queue-4.4/module-retpoline-warn-about-missing-retpoline-in-module.patch
queue-4.4/x86-kvm-update-spectre-v1-mitigation.patch
queue-4.4/x86-get_user-use-pointer-masking-to-limit-speculation.patch
queue-4.4/x86-syscall-sanitize-syscall-table-de-references-under-speculation.patch
queue-4.4/kvm-nvmx-vmx_complete_nested_posted_interrupt-can-t-fail.patch
queue-4.4/x86-spectre-simplify-spectre_v2-command-line-parsing.patch
queue-4.4/x86-speculation-fix-typo-ibrs_att-which-should-be-ibrs_all.patch
queue-4.4/x86-spectre-report-get_user-mitigation-for-spectre_v1.patch
queue-4.4/x86-introduce-barrier_nospec.patch
queue-4.4/kvm-async_pf-fix-df-due-to-inject-page-not-present-and-page-ready-exceptions-simultaneously.patch
queue-4.4/kvm-vmx-clean-up-declaration-of-vpid-ept-invalidation-types.patch
queue-4.4/x86-bugs-drop-one-mitigation-from-dmesg.patch
queue-4.4/x86-retpoline-remove-the-esp-rsp-thunk.patch
queue-4.4/nl80211-sanitize-array-index-in-parse_txq_params.patch
queue-4.4/kvm-nvmx-kmap-can-t-fail.patch
next prev parent reply other threads:[~2018-02-23 16:43 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-23 10:41 [stable 4.4 00/29] some stable-4.4 backport Jack Wang
2018-02-23 10:41 ` [stable 4.4 01/29] KVM: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready" exceptions simultaneously Jack Wang
2018-02-23 10:41 ` [stable 4.4 02/29] x86/retpoline: Remove the esp/rsp thunk Jack Wang
2018-02-23 16:39 ` Patch "x86/retpoline: Remove the esp/rsp thunk" has been added to the 4.4-stable tree gregkh
2018-02-23 10:41 ` [stable 4.4 03/29] KVM: x86: Make indirect calls in emulator speculation safe Jack Wang
2018-02-23 16:37 ` Patch "KVM: x86: Make indirect calls in emulator speculation safe" has been added to the 4.4-stable tree gregkh
2018-02-23 10:41 ` [stable 4.4 04/29] KVM: VMX: Make indirect call speculation safe Jack Wang
2018-02-23 16:37 ` Patch "KVM: VMX: Make indirect call speculation safe" has been added to the 4.4-stable tree gregkh
2018-02-23 10:41 ` [stable 4.4 05/29] module/retpoline: Warn about missing retpoline in module Jack Wang
2018-02-23 16:37 ` Patch "module/retpoline: Warn about missing retpoline in module" has been added to the 4.4-stable tree gregkh
2018-02-23 10:41 ` [stable 4.4 06/29] x86/nospec: Fix header guards names Jack Wang
2018-02-23 16:39 ` Patch "x86/nospec: Fix header guards names" has been added to the 4.4-stable tree gregkh
2018-02-23 10:41 ` [stable 4.4 07/29] x86/bugs: Drop one "mitigation" from dmesg Jack Wang
2018-02-23 16:39 ` Patch "x86/bugs: Drop one "mitigation" from dmesg" has been added to the 4.4-stable tree gregkh
2018-02-23 10:41 ` [stable 4.4 08/29] x86/cpu/bugs: Make retpoline module warning conditional Jack Wang
2018-02-23 16:39 ` Patch "x86/cpu/bugs: Make retpoline module warning conditional" has been added to the 4.4-stable tree gregkh
2018-02-23 10:41 ` [stable 4.4 09/29] x86/spectre: Check CONFIG_RETPOLINE in command line parser Jack Wang
2018-02-23 16:39 ` Patch "x86/spectre: Check CONFIG_RETPOLINE in command line parser" has been added to the 4.4-stable tree gregkh
2018-02-23 10:41 ` [stable 4.4 10/29] Documentation: Document array_index_nospec Jack Wang
2018-02-23 16:36 ` Patch "Documentation: Document array_index_nospec" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 11/29] array_index_nospec: Sanitize speculative array de-references Jack Wang
2018-02-23 16:36 ` Patch "array_index_nospec: Sanitize speculative array de-references" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 12/29] x86: Implement array_index_mask_nospec Jack Wang
2018-02-23 16:39 ` Patch "x86: Implement array_index_mask_nospec" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 13/29] x86: Introduce barrier_nospec Jack Wang
2018-02-23 16:39 ` Patch "x86: Introduce barrier_nospec" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 14/29] x86/get_user: Use pointer masking to limit speculation Jack Wang
2018-02-23 16:39 ` Patch "x86/get_user: Use pointer masking to limit speculation" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 15/29] x86/syscall: Sanitize syscall table de-references under speculation Jack Wang
2018-02-23 16:39 ` gregkh [this message]
2018-02-23 10:42 ` [stable 4.4 16/29] vfs, fdtable: Prevent bounds-check bypass via speculative execution Jack Wang
2018-02-23 16:38 ` Patch "vfs, fdtable: Prevent bounds-check bypass via speculative execution" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 17/29] nl80211: Sanitize array index in parse_txq_params Jack Wang
2018-02-23 16:38 ` Patch "nl80211: Sanitize array index in parse_txq_params" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 18/29] x86/spectre: Report get_user mitigation for spectre_v1 Jack Wang
2018-02-23 16:39 ` Patch "x86/spectre: Report get_user mitigation for spectre_v1" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 19/29] x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable" Jack Wang
2018-02-23 10:42 ` Jack Wang
2018-02-23 16:39 ` Patch "x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable"" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 20/29] x86/paravirt: Remove 'noreplace-paravirt' cmdline option Jack Wang
2018-02-23 16:39 ` Patch "x86/paravirt: Remove 'noreplace-paravirt' cmdline option" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 21/29] x86/kvm: Update spectre-v1 mitigation Jack Wang
2018-02-23 16:39 ` Patch "x86/kvm: Update spectre-v1 mitigation" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 22/29] x86/retpoline: Avoid retpolines for built-in __init functions Jack Wang
2018-02-23 16:39 ` Patch "x86/retpoline: Avoid retpolines for built-in __init functions" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 23/29] x86/spectre: Simplify spectre_v2 command line parsing Jack Wang
2018-02-23 16:39 ` Patch "x86/spectre: Simplify spectre_v2 command line parsing" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 24/29] x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL Jack Wang
2018-02-23 16:39 ` Patch "x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 25/29] KVM: nVMX: kmap() can't fail Jack Wang
2018-02-23 16:37 ` Patch "KVM: nVMX: kmap() can't fail" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 26/29] KVM: nVMX: vmx_complete_nested_posted_interrupt() can't fail Jack Wang
2018-02-23 16:37 ` Patch "KVM: nVMX: vmx_complete_nested_posted_interrupt() can't fail" has been added to the 4.4-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 27/29] kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types Jack Wang
2018-02-23 10:42 ` [stable 4.4 28/29] KVM: VMX: clean up declaration of VPID/EPT invalidation types Jack Wang
2018-02-23 10:54 ` Greg KH
2018-02-23 11:03 ` Jinpu Wang
2018-02-23 16:37 ` Patch "KVM: VMX: clean up declaration of VPID/EPT invalidation types" has been added to the 4.4-stable tree gregkh
2018-02-23 16:39 ` Patch "KVM: VMX: clean up declaration of VPID/EPT invalidation types" has been added to the 4.9-stable tree gregkh
2018-02-23 10:42 ` [stable 4.4 29/29] KVM: nVMX: invvpid handling improvements Jack Wang
2018-02-23 16:37 ` Patch "KVM: nVMX: invvpid handling improvements" has been added to the 4.4-stable tree gregkh
2018-02-23 16:39 ` Patch "KVM: nVMX: invvpid handling improvements" has been added to the 4.9-stable tree gregkh
2018-02-23 10:53 ` [stable 4.4 00/29] some stable-4.4 backport Greg KH
2018-02-23 11:07 ` Jinpu Wang
2018-02-23 16:19 ` Greg KH
2018-02-23 16:36 ` Greg KH
2018-02-26 8:29 ` Jinpu Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=151940397212105@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=dan.j.williams@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=jinpu.wang@profitbricks.com \
--cc=luto@kernel.org \
--cc=stable-commits@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.