From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:56282 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751728AbeBWQnB (ORCPT ); Fri, 23 Feb 2018 11:43:01 -0500 Subject: Patch "x86/syscall: Sanitize syscall table de-references under speculation" has been added to the 4.4-stable tree To: jinpu.wang@profitbricks.com, dan.j.williams@intel.com, dwmw@amazon.co.uk, gregkh@linuxfoundation.org, luto@kernel.org, tglx@linutronix.de, torvalds@linux-foundation.org Cc: , From: Date: Fri, 23 Feb 2018 17:39:32 +0100 In-Reply-To: <1519382538-15143-16-git-send-email-jinpu.wangl@profitbricks.com> Message-ID: <151940397212105@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled x86/syscall: Sanitize syscall table de-references under speculation to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: x86-syscall-sanitize-syscall-table-de-references-under-speculation.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From foo@baz Fri Feb 23 17:23:58 CET 2018 From: Jack Wang Date: Fri, 23 Feb 2018 11:42:04 +0100 Subject: x86/syscall: Sanitize syscall table de-references under speculation To: gregkh@linuxfoundation.org, stable@vger.kernel.org Cc: Dan Williams , Thomas Gleixner , linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, Andy Lutomirski , alan@linux.intel.com, David Woodhouse , Jack Wang Message-ID: <1519382538-15143-16-git-send-email-jinpu.wangl@profitbricks.com> From: Dan Williams (cherry picked from commit 2fbd7af5af8665d18bcefae3e9700be07e22b681) The syscall table base is a user controlled function pointer in kernel space. Use array_index_nospec() to prevent any out of bounds speculation. While retpoline prevents speculating into a userspace directed target it does not stop the pointer de-reference, the concern is leaking memory relative to the syscall table base, by observing instruction cache behavior. Reported-by: Linus Torvalds Signed-off-by: Dan Williams Signed-off-by: Thomas Gleixner Cc: linux-arch@vger.kernel.org Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: Andy Lutomirski Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727417984.33451.1216731042505722161.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: David Woodhouse [jwang: port to 4.4, no syscall_64] Signed-off-by: Jack Wang Signed-off-by: Greg Kroah-Hartman --- arch/x86/entry/common.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include @@ -381,6 +382,7 @@ __always_inline void do_syscall_32_irqs_ } if (likely(nr < IA32_NR_syscalls)) { + nr = array_index_nospec(nr, IA32_NR_syscalls); /* * It's possible that a 32-bit syscall implementation * takes a 64-bit parameter but nonetheless assumes that Patches currently in stable-queue which might be from jinpu.wang@profitbricks.com are queue-4.4/x86-paravirt-remove-noreplace-paravirt-cmdline-option.patch queue-4.4/documentation-document-array_index_nospec.patch queue-4.4/kvm-x86-make-indirect-calls-in-emulator-speculation-safe.patch queue-4.4/x86-nospec-fix-header-guards-names.patch queue-4.4/x86-retpoline-avoid-retpolines-for-built-in-__init-functions.patch queue-4.4/vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch queue-4.4/kvm-nvmx-invvpid-handling-improvements.patch queue-4.4/x86-cpu-bugs-make-retpoline-module-warning-conditional.patch queue-4.4/x86-spectre-check-config_retpoline-in-command-line-parser.patch queue-4.4/x86-implement-array_index_mask_nospec.patch queue-4.4/array_index_nospec-sanitize-speculative-array-de-references.patch queue-4.4/kvm-vmx-make-indirect-call-speculation-safe.patch queue-4.4/x86-spectre-fix-spelling-mistake-vunerable-vulnerable.patch queue-4.4/kvm-nvmx-fix-kernel-panics-induced-by-illegal-invept-invvpid-types.patch queue-4.4/module-retpoline-warn-about-missing-retpoline-in-module.patch queue-4.4/x86-kvm-update-spectre-v1-mitigation.patch queue-4.4/x86-get_user-use-pointer-masking-to-limit-speculation.patch queue-4.4/x86-syscall-sanitize-syscall-table-de-references-under-speculation.patch queue-4.4/kvm-nvmx-vmx_complete_nested_posted_interrupt-can-t-fail.patch queue-4.4/x86-spectre-simplify-spectre_v2-command-line-parsing.patch queue-4.4/x86-speculation-fix-typo-ibrs_att-which-should-be-ibrs_all.patch queue-4.4/x86-spectre-report-get_user-mitigation-for-spectre_v1.patch queue-4.4/x86-introduce-barrier_nospec.patch queue-4.4/kvm-async_pf-fix-df-due-to-inject-page-not-present-and-page-ready-exceptions-simultaneously.patch queue-4.4/kvm-vmx-clean-up-declaration-of-vpid-ept-invalidation-types.patch queue-4.4/x86-bugs-drop-one-mitigation-from-dmesg.patch queue-4.4/x86-retpoline-remove-the-esp-rsp-thunk.patch queue-4.4/nl80211-sanitize-array-index-in-parse_txq_params.patch queue-4.4/kvm-nvmx-kmap-can-t-fail.patch