From: tip-bot for Dan Williams <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: thomas.lendacky@amd.com, dan.j.williams@intel.com,
viro@zeniv.linux.org.uk, torvalds@linux-foundation.org,
keescook@chromium.org, hpa@zytor.com,
linux-kernel@vger.kernel.org, tglx@linutronix.de,
ak@linux.intel.com, mingo@kernel.org, mingo@redhat.com
Subject: [tip:x86/pti] x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
Date: Tue, 30 Jan 2018 14:35:34 -0800 [thread overview]
Message-ID: <tip-b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd@git.kernel.org> (raw)
In-Reply-To: <151727415922.33451.5796614273104346583.stgit@dwillia2-desk3.amr.corp.intel.com>
Commit-ID: b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd
Gitweb: https://git.kernel.org/tip/b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd
Author: Dan Williams <dan.j.williams@intel.com>
AuthorDate: Mon, 29 Jan 2018 17:02:39 -0800
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Tue, 30 Jan 2018 21:54:30 +0100
x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
For __get_user() paths, do not allow the kernel to speculate on the value
of a user controlled pointer. In addition to the 'stac' instruction for
Supervisor Mode Access Protection (SMAP), a barrier_nospec() causes the
access_ok() result to resolve in the pipeline before the CPU might take any
speculative action on the pointer value. Given the cost of 'stac' the
speculation barrier is placed after 'stac' to hopefully overlap the cost of
disabling SMAP with the cost of flushing the instruction pipeline.
Since __get_user is a major kernel interface that deals with user
controlled pointers, the __uaccess_begin_nospec() mechanism will prevent
speculative execution past an access_ok() permission check. While
speculative execution past access_ok() is not enough to lead to a kernel
memory leak, it is a necessary precondition.
To be clear, __uaccess_begin_nospec() is addressing a class of potential
problems near __get_user() usages.
Note, that while the barrier_nospec() in __uaccess_begin_nospec() is used
to protect __get_user(), pointer masking similar to array_index_nospec()
will be used for get_user() since it incorporates a bounds check near the
usage.
uaccess_try_nospec provides the same mechanism for get_user_try.
No functional changes.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Andi Kleen <ak@linux.intel.com>
Suggested-by: Ingo Molnar <mingo@redhat.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arch@vger.kernel.org
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727415922.33451.5796614273104346583.stgit@dwillia2-desk3.amr.corp.intel.com
---
arch/x86/include/asm/uaccess.h | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 574dff4..663e9bd 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -124,6 +124,11 @@ extern int __get_user_bad(void);
#define __uaccess_begin() stac()
#define __uaccess_end() clac()
+#define __uaccess_begin_nospec() \
+({ \
+ stac(); \
+ barrier_nospec(); \
+})
/*
* This is a type: either unsigned long, if the argument fits into
@@ -487,6 +492,10 @@ struct __large_struct { unsigned long buf[100]; };
__uaccess_begin(); \
barrier();
+#define uaccess_try_nospec do { \
+ current->thread.uaccess_err = 0; \
+ __uaccess_begin_nospec(); \
+
#define uaccess_catch(err) \
__uaccess_end(); \
(err) |= (current->thread.uaccess_err ? -EFAULT : 0); \
next prev parent reply other threads:[~2018-01-30 22:38 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-30 1:02 [PATCH v6 00/13] spectre variant1 mitigations for tip/x86/pti Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-01-30 1:02 ` [PATCH v6 01/13] Documentation: document array_index_nospec Dan Williams
2018-01-30 22:33 ` [tip:x86/pti] Documentation: Document array_index_nospec tip-bot for Mark Rutland
2018-01-30 1:02 ` [PATCH v6 02/13] array_index_nospec: sanitize speculative array de-references Dan Williams
2018-01-30 22:34 ` [tip:x86/pti] array_index_nospec: Sanitize " tip-bot for Dan Williams
2018-02-16 8:55 ` [PATCH v6 02/13] array_index_nospec: sanitize " Christian Borntraeger
2018-01-30 1:02 ` [PATCH v6 03/13] x86: implement array_index_mask_nospec Dan Williams
2018-01-30 22:34 ` [tip:x86/pti] x86: Implement array_index_mask_nospec tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 04/13] x86: introduce barrier_nospec Dan Williams
2018-01-30 22:35 ` [tip:x86/pti] x86: Introduce barrier_nospec tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 05/13] x86: introduce __uaccess_begin_nospec Dan Williams
2018-01-30 22:35 ` tip-bot for Dan Williams [this message]
2018-01-30 1:02 ` [PATCH v6 06/13] x86, usercopy: replace open coded stac/clac with __uaccess_{begin, end} Dan Williams
2018-01-30 22:35 ` [tip:x86/pti] x86/usercopy: Replace " tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 07/13] x86, __get_user: use __uaccess_begin_nospec Dan Williams
2018-01-30 22:36 ` [tip:x86/pti] x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 08/13] x86, get_user: use pointer masking to limit speculation Dan Williams
2018-01-30 22:36 ` [tip:x86/pti] x86/get_user: Use " tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 09/13] x86: sanitize syscall table de-references under speculation Dan Williams
2018-01-30 22:37 ` [tip:x86/pti] x86/syscall: Sanitize " tip-bot for Dan Williams
2018-01-30 1:03 ` [PATCH v6 10/13] vfs, fdtable: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-30 22:37 ` [tip:x86/pti] vfs, fdtable: Prevent " tip-bot for Dan Williams
2018-01-30 1:03 ` [PATCH v6 11/13] kvm, x86: update spectre-v1 mitigation Dan Williams
2018-01-31 3:22 ` Dan Williams
2018-01-31 8:07 ` Thomas Gleixner
2018-01-31 13:49 ` Paolo Bonzini
2018-01-31 15:42 ` Thomas Gleixner
2018-01-30 1:03 ` [PATCH v6 12/13] nl80211: sanitize array index in parse_txq_params Dan Williams
2018-01-30 22:38 ` [tip:x86/pti] nl80211: Sanitize " tip-bot for Dan Williams
2018-01-30 1:03 ` [PATCH v6 13/13] x86/spectre: report get_user mitigation for spectre_v1 Dan Williams
2018-01-30 22:38 ` [tip:x86/pti] x86/spectre: Report " tip-bot for Dan Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tip-b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd@git.kernel.org \
--to=tipbot@zytor.com \
--cc=ak@linux.intel.com \
--cc=dan.j.williams@intel.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.