From: tip-bot for Dan Williams <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, dan.j.williams@intel.com,
torvalds@linux-foundation.org, tglx@linutronix.de,
keescook@chromium.org, viro@zeniv.linux.org.uk, mingo@kernel.org,
ak@linux.intel.com, hpa@zytor.com
Subject: [tip:x86/pti] x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
Date: Tue, 30 Jan 2018 14:36:24 -0800 [thread overview]
Message-ID: <tip-304ec1b050310548db33063e567123fae8fd0301@git.kernel.org> (raw)
In-Reply-To: <151727416953.33451.10508284228526170604.stgit@dwillia2-desk3.amr.corp.intel.com>
Commit-ID: 304ec1b050310548db33063e567123fae8fd0301
Gitweb: https://git.kernel.org/tip/304ec1b050310548db33063e567123fae8fd0301
Author: Dan Williams <dan.j.williams@intel.com>
AuthorDate: Mon, 29 Jan 2018 17:02:49 -0800
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Tue, 30 Jan 2018 21:54:31 +0100
x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
Quoting Linus:
I do think that it would be a good idea to very expressly document
the fact that it's not that the user access itself is unsafe. I do
agree that things like "get_user()" want to be protected, but not
because of any direct bugs or problems with get_user() and friends,
but simply because get_user() is an excellent source of a pointer
that is obviously controlled from a potentially attacking user
space. So it's a prime candidate for then finding _subsequent_
accesses that can then be used to perturb the cache.
__uaccess_begin_nospec() covers __get_user() and copy_from_iter() where the
limit check is far away from the user pointer de-reference. In those cases
a barrier_nospec() prevents speculation with a potential pointer to
privileged memory. uaccess_try_nospec covers get_user_try.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arch@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727416953.33451.10508284228526170604.stgit@dwillia2-desk3.amr.corp.intel.com
---
arch/x86/include/asm/uaccess.h | 6 +++---
arch/x86/include/asm/uaccess_32.h | 6 +++---
arch/x86/include/asm/uaccess_64.h | 12 ++++++------
arch/x86/lib/usercopy_32.c | 4 ++--
4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 663e9bd..aae77eb 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -450,7 +450,7 @@ do { \
({ \
int __gu_err; \
__inttype(*(ptr)) __gu_val; \
- __uaccess_begin(); \
+ __uaccess_begin_nospec(); \
__get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
__uaccess_end(); \
(x) = (__force __typeof__(*(ptr)))__gu_val; \
@@ -557,7 +557,7 @@ struct __large_struct { unsigned long buf[100]; };
* get_user_ex(...);
* } get_user_catch(err)
*/
-#define get_user_try uaccess_try
+#define get_user_try uaccess_try_nospec
#define get_user_catch(err) uaccess_catch(err)
#define get_user_ex(x, ptr) do { \
@@ -591,7 +591,7 @@ extern void __cmpxchg_wrong_size(void)
__typeof__(ptr) __uval = (uval); \
__typeof__(*(ptr)) __old = (old); \
__typeof__(*(ptr)) __new = (new); \
- __uaccess_begin(); \
+ __uaccess_begin_nospec(); \
switch (size) { \
case 1: \
{ \
diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
index 7295040..ba2dc19 100644
--- a/arch/x86/include/asm/uaccess_32.h
+++ b/arch/x86/include/asm/uaccess_32.h
@@ -29,21 +29,21 @@ raw_copy_from_user(void *to, const void __user *from, unsigned long n)
switch (n) {
case 1:
ret = 0;
- __uaccess_begin();
+ __uaccess_begin_nospec();
__get_user_asm_nozero(*(u8 *)to, from, ret,
"b", "b", "=q", 1);
__uaccess_end();
return ret;
case 2:
ret = 0;
- __uaccess_begin();
+ __uaccess_begin_nospec();
__get_user_asm_nozero(*(u16 *)to, from, ret,
"w", "w", "=r", 2);
__uaccess_end();
return ret;
case 4:
ret = 0;
- __uaccess_begin();
+ __uaccess_begin_nospec();
__get_user_asm_nozero(*(u32 *)to, from, ret,
"l", "k", "=r", 4);
__uaccess_end();
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
index f07ef3c..62546b3 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -55,31 +55,31 @@ raw_copy_from_user(void *dst, const void __user *src, unsigned long size)
return copy_user_generic(dst, (__force void *)src, size);
switch (size) {
case 1:
- __uaccess_begin();
+ __uaccess_begin_nospec();
__get_user_asm_nozero(*(u8 *)dst, (u8 __user *)src,
ret, "b", "b", "=q", 1);
__uaccess_end();
return ret;
case 2:
- __uaccess_begin();
+ __uaccess_begin_nospec();
__get_user_asm_nozero(*(u16 *)dst, (u16 __user *)src,
ret, "w", "w", "=r", 2);
__uaccess_end();
return ret;
case 4:
- __uaccess_begin();
+ __uaccess_begin_nospec();
__get_user_asm_nozero(*(u32 *)dst, (u32 __user *)src,
ret, "l", "k", "=r", 4);
__uaccess_end();
return ret;
case 8:
- __uaccess_begin();
+ __uaccess_begin_nospec();
__get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src,
ret, "q", "", "=r", 8);
__uaccess_end();
return ret;
case 10:
- __uaccess_begin();
+ __uaccess_begin_nospec();
__get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src,
ret, "q", "", "=r", 10);
if (likely(!ret))
@@ -89,7 +89,7 @@ raw_copy_from_user(void *dst, const void __user *src, unsigned long size)
__uaccess_end();
return ret;
case 16:
- __uaccess_begin();
+ __uaccess_begin_nospec();
__get_user_asm_nozero(*(u64 *)dst, (u64 __user *)src,
ret, "q", "", "=r", 16);
if (likely(!ret))
diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
index de34367..7add8ba 100644
--- a/arch/x86/lib/usercopy_32.c
+++ b/arch/x86/lib/usercopy_32.c
@@ -331,7 +331,7 @@ do { \
unsigned long __copy_user_ll(void *to, const void *from, unsigned long n)
{
- __uaccess_begin();
+ __uaccess_begin_nospec();
if (movsl_is_ok(to, from, n))
__copy_user(to, from, n);
else
@@ -344,7 +344,7 @@ EXPORT_SYMBOL(__copy_user_ll);
unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *from,
unsigned long n)
{
- __uaccess_begin();
+ __uaccess_begin_nospec();
#ifdef CONFIG_X86_INTEL_USERCOPY
if (n > 64 && static_cpu_has(X86_FEATURE_XMM2))
n = __copy_user_intel_nocache(to, from, n);
next prev parent reply other threads:[~2018-01-30 22:40 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-30 1:02 [PATCH v6 00/13] spectre variant1 mitigations for tip/x86/pti Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-01-30 1:02 ` [PATCH v6 01/13] Documentation: document array_index_nospec Dan Williams
2018-01-30 22:33 ` [tip:x86/pti] Documentation: Document array_index_nospec tip-bot for Mark Rutland
2018-01-30 1:02 ` [PATCH v6 02/13] array_index_nospec: sanitize speculative array de-references Dan Williams
2018-01-30 22:34 ` [tip:x86/pti] array_index_nospec: Sanitize " tip-bot for Dan Williams
2018-02-16 8:55 ` [PATCH v6 02/13] array_index_nospec: sanitize " Christian Borntraeger
2018-01-30 1:02 ` [PATCH v6 03/13] x86: implement array_index_mask_nospec Dan Williams
2018-01-30 22:34 ` [tip:x86/pti] x86: Implement array_index_mask_nospec tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 04/13] x86: introduce barrier_nospec Dan Williams
2018-01-30 22:35 ` [tip:x86/pti] x86: Introduce barrier_nospec tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 05/13] x86: introduce __uaccess_begin_nospec Dan Williams
2018-01-30 22:35 ` [tip:x86/pti] x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 06/13] x86, usercopy: replace open coded stac/clac with __uaccess_{begin, end} Dan Williams
2018-01-30 22:35 ` [tip:x86/pti] x86/usercopy: Replace " tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 07/13] x86, __get_user: use __uaccess_begin_nospec Dan Williams
2018-01-30 22:36 ` tip-bot for Dan Williams [this message]
2018-01-30 1:02 ` [PATCH v6 08/13] x86, get_user: use pointer masking to limit speculation Dan Williams
2018-01-30 22:36 ` [tip:x86/pti] x86/get_user: Use " tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 09/13] x86: sanitize syscall table de-references under speculation Dan Williams
2018-01-30 22:37 ` [tip:x86/pti] x86/syscall: Sanitize " tip-bot for Dan Williams
2018-01-30 1:03 ` [PATCH v6 10/13] vfs, fdtable: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-30 22:37 ` [tip:x86/pti] vfs, fdtable: Prevent " tip-bot for Dan Williams
2018-01-30 1:03 ` [PATCH v6 11/13] kvm, x86: update spectre-v1 mitigation Dan Williams
2018-01-31 3:22 ` Dan Williams
2018-01-31 8:07 ` Thomas Gleixner
2018-01-31 13:49 ` Paolo Bonzini
2018-01-31 15:42 ` Thomas Gleixner
2018-01-30 1:03 ` [PATCH v6 12/13] nl80211: sanitize array index in parse_txq_params Dan Williams
2018-01-30 22:38 ` [tip:x86/pti] nl80211: Sanitize " tip-bot for Dan Williams
2018-01-30 1:03 ` [PATCH v6 13/13] x86/spectre: report get_user mitigation for spectre_v1 Dan Williams
2018-01-30 22:38 ` [tip:x86/pti] x86/spectre: Report " tip-bot for Dan Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tip-304ec1b050310548db33063e567123fae8fd0301@git.kernel.org \
--to=tipbot@zytor.com \
--cc=ak@linux.intel.com \
--cc=dan.j.williams@intel.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.