From: tip-bot for Dan Williams <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: dan.j.williams@intel.com, linux-kernel@vger.kernel.org,
torvalds@linux-foundation.org, viro@zeniv.linux.org.uk,
luto@kernel.org, tglx@linutronix.de, hpa@zytor.com,
mingo@kernel.org, keescook@chromium.org
Subject: [tip:x86/pti] x86/get_user: Use pointer masking to limit speculation
Date: Tue, 30 Jan 2018 14:36:49 -0800 [thread overview]
Message-ID: <tip-c7f631cb07e7da06ac1d231ca178452339e32a94@git.kernel.org> (raw)
In-Reply-To: <151727417469.33451.11804043010080838495.stgit@dwillia2-desk3.amr.corp.intel.com>
Commit-ID: c7f631cb07e7da06ac1d231ca178452339e32a94
Gitweb: https://git.kernel.org/tip/c7f631cb07e7da06ac1d231ca178452339e32a94
Author: Dan Williams <dan.j.williams@intel.com>
AuthorDate: Mon, 29 Jan 2018 17:02:54 -0800
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Tue, 30 Jan 2018 21:54:31 +0100
x86/get_user: Use pointer masking to limit speculation
Quoting Linus:
I do think that it would be a good idea to very expressly document
the fact that it's not that the user access itself is unsafe. I do
agree that things like "get_user()" want to be protected, but not
because of any direct bugs or problems with get_user() and friends,
but simply because get_user() is an excellent source of a pointer
that is obviously controlled from a potentially attacking user
space. So it's a prime candidate for then finding _subsequent_
accesses that can then be used to perturb the cache.
Unlike the __get_user() case get_user() includes the address limit check
near the pointer de-reference. With that locality the speculation can be
mitigated with pointer narrowing rather than a barrier, i.e.
array_index_nospec(). Where the narrowing is performed by:
cmp %limit, %ptr
sbb %mask, %mask
and %mask, %ptr
With respect to speculation the value of %ptr is either less than %limit
or NULL.
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arch@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: torvalds@linux-foundation.org
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727417469.33451.11804043010080838495.stgit@dwillia2-desk3.amr.corp.intel.com
---
arch/x86/lib/getuser.S | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
index c97d935..49b167f 100644
--- a/arch/x86/lib/getuser.S
+++ b/arch/x86/lib/getuser.S
@@ -40,6 +40,8 @@ ENTRY(__get_user_1)
mov PER_CPU_VAR(current_task), %_ASM_DX
cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
+ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */
+ and %_ASM_DX, %_ASM_AX
ASM_STAC
1: movzbl (%_ASM_AX),%edx
xor %eax,%eax
@@ -54,6 +56,8 @@ ENTRY(__get_user_2)
mov PER_CPU_VAR(current_task), %_ASM_DX
cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
+ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */
+ and %_ASM_DX, %_ASM_AX
ASM_STAC
2: movzwl -1(%_ASM_AX),%edx
xor %eax,%eax
@@ -68,6 +72,8 @@ ENTRY(__get_user_4)
mov PER_CPU_VAR(current_task), %_ASM_DX
cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
+ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */
+ and %_ASM_DX, %_ASM_AX
ASM_STAC
3: movl -3(%_ASM_AX),%edx
xor %eax,%eax
@@ -83,6 +89,8 @@ ENTRY(__get_user_8)
mov PER_CPU_VAR(current_task), %_ASM_DX
cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user
+ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */
+ and %_ASM_DX, %_ASM_AX
ASM_STAC
4: movq -7(%_ASM_AX),%rdx
xor %eax,%eax
@@ -94,6 +102,8 @@ ENTRY(__get_user_8)
mov PER_CPU_VAR(current_task), %_ASM_DX
cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX
jae bad_get_user_8
+ sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */
+ and %_ASM_DX, %_ASM_AX
ASM_STAC
4: movl -7(%_ASM_AX),%edx
5: movl -3(%_ASM_AX),%ecx
next prev parent reply other threads:[~2018-01-30 22:39 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-30 1:02 [PATCH v6 00/13] spectre variant1 mitigations for tip/x86/pti Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-01-30 1:02 ` [PATCH v6 01/13] Documentation: document array_index_nospec Dan Williams
2018-01-30 22:33 ` [tip:x86/pti] Documentation: Document array_index_nospec tip-bot for Mark Rutland
2018-01-30 1:02 ` [PATCH v6 02/13] array_index_nospec: sanitize speculative array de-references Dan Williams
2018-01-30 22:34 ` [tip:x86/pti] array_index_nospec: Sanitize " tip-bot for Dan Williams
2018-02-16 8:55 ` [PATCH v6 02/13] array_index_nospec: sanitize " Christian Borntraeger
2018-01-30 1:02 ` [PATCH v6 03/13] x86: implement array_index_mask_nospec Dan Williams
2018-01-30 22:34 ` [tip:x86/pti] x86: Implement array_index_mask_nospec tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 04/13] x86: introduce barrier_nospec Dan Williams
2018-01-30 22:35 ` [tip:x86/pti] x86: Introduce barrier_nospec tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 05/13] x86: introduce __uaccess_begin_nospec Dan Williams
2018-01-30 22:35 ` [tip:x86/pti] x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 06/13] x86, usercopy: replace open coded stac/clac with __uaccess_{begin, end} Dan Williams
2018-01-30 22:35 ` [tip:x86/pti] x86/usercopy: Replace " tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 07/13] x86, __get_user: use __uaccess_begin_nospec Dan Williams
2018-01-30 22:36 ` [tip:x86/pti] x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec tip-bot for Dan Williams
2018-01-30 1:02 ` [PATCH v6 08/13] x86, get_user: use pointer masking to limit speculation Dan Williams
2018-01-30 22:36 ` tip-bot for Dan Williams [this message]
2018-01-30 1:02 ` [PATCH v6 09/13] x86: sanitize syscall table de-references under speculation Dan Williams
2018-01-30 22:37 ` [tip:x86/pti] x86/syscall: Sanitize " tip-bot for Dan Williams
2018-01-30 1:03 ` [PATCH v6 10/13] vfs, fdtable: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-30 22:37 ` [tip:x86/pti] vfs, fdtable: Prevent " tip-bot for Dan Williams
2018-01-30 1:03 ` [PATCH v6 11/13] kvm, x86: update spectre-v1 mitigation Dan Williams
2018-01-31 3:22 ` Dan Williams
2018-01-31 8:07 ` Thomas Gleixner
2018-01-31 13:49 ` Paolo Bonzini
2018-01-31 15:42 ` Thomas Gleixner
2018-01-30 1:03 ` [PATCH v6 12/13] nl80211: sanitize array index in parse_txq_params Dan Williams
2018-01-30 22:38 ` [tip:x86/pti] nl80211: Sanitize " tip-bot for Dan Williams
2018-01-30 1:03 ` [PATCH v6 13/13] x86/spectre: report get_user mitigation for spectre_v1 Dan Williams
2018-01-30 22:38 ` [tip:x86/pti] x86/spectre: Report " tip-bot for Dan Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tip-c7f631cb07e7da06ac1d231ca178452339e32a94@git.kernel.org \
--to=tipbot@zytor.com \
--cc=dan.j.williams@intel.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.