From: Pavel Machek <pavel@denx.de>
To: cip-dev@lists.cip-project.org
Subject: CVE-2023-0459: Spectre-v1 Usercopy Hardening was Re: [cip-dev] New CVE entries this week
Date: Thu, 20 Apr 2023 22:10:04 +0200 [thread overview]
Message-ID: <ZEGcHOWAk8S0zEBz@duo.ucw.cz> (raw)
In-Reply-To: <CAODzB9p6MuyqPJeiEpun8CDR9+ZJ9PHhhWG-wyM7f7C0d=krwA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2303 bytes --]
Hi!
> CVE-2023-0459: Spectre-v1 Usercopy Hardening
>
> CVSS v3 score is not provided.
>
> Missing speculation barriers causes a leaking kernel memory.
> The 4.4 kernel _copy_from_user() implementation is different from
> 4.19 and later. So this patch can not be applied.
> It seems as if the 4.4 kernel needs some barrier to prevent
> speculation bug in other ways.
I have this, and it passes basic testing, but no good way to really
test it or asses performance impact.
Attempt to fix CVE-2023-0459. Inspiration from
e0fbff18bbcee4f07d46bee172803fad63f6f4dd, but we simply add the check
to access_ok, as it is used in about gazillion places.
Best regards,
Pavel
diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index 829fa6d3e5611..ce45b6dcb6293 100644
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -101,6 +101,7 @@ static inline void set_fs(mm_segment_t fs)
: "1" (__addr), "Ir" (size), \
"r" (current_thread_info()->addr_limit) \
: "cc"); \
+ barrier_nospec(); \
flag; \
})
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index ac6932bf1a016..ea1e4ef4a4d8e 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -95,8 +95,11 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
*/
#define access_ok(type, addr, size) \
({ \
+ bool ret; \
WARN_ON_IN_IRQ(); \
- likely(!__range_not_ok(addr, size, user_addr_max())); \
+ ret = likely(!__range_not_ok(addr, size, user_addr_max())); \
+ barrier_nospec(); \
+ ret; \
})
/*
diff --git a/include/linux/nospec.h b/include/linux/nospec.h
index 0c5ef54fd4162..207ef2a20e485 100644
--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -9,6 +9,10 @@
struct task_struct;
+#ifndef barrier_nospec
+# define barrier_nospec() do { } while (0)
+#endif
+
/**
* array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
* @index: array element index
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
next prev parent reply other threads:[~2023-04-20 20:10 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-19 23:49 New CVE entries this week Masami Ichikawa
2023-04-20 20:10 ` Pavel Machek [this message]
2023-04-21 7:27 ` CVE-2023-0459: Spectre-v1 Usercopy Hardening was Re: [cip-dev] " Masami Ichikawa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZEGcHOWAk8S0zEBz@duo.ucw.cz \
--to=pavel@denx.de \
--cc=cip-dev@lists.cip-project.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox