linux-arch.vger.kernel.org archive mirror
From: Dan Williams <dan.j.williams@intel.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Mark Rutland <mark.rutland@arm.com>,
	Cyril Novikov <cnovikov@lynx.com>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will.deacon@arm.com>,
	"H. Peter Anvin" <hpa@zytor.com>, Jiri Slaby <jslaby@suse.cz>,
	Elena Reshetova <elena.reshetova@intel.com>,
	linux-arch <linux-arch@vger.kernel.org>,
	Andi Kleen <ak@linux.intel.com>, Jonathan Corbet <corbet@lwn.net>,
	X86 ML <x86@kernel.org>, Russell King <linux@armlinux.org.uk>,
	Ingo Molnar <mingo@redhat.com>, Andrew Honig <ahonig@google.com>,
	Alan Cox <alan@linux.intel.com>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Kees Cook <keescook@chromium.org>,
	Al Viro <viro@zeniv.linux.org.uk>, Andy Lutomirski <lu>
Subject: Re: [PATCH v5 00/12] spectre variant1 mitigations for tip/x86/pti
Date: Sat, 27 Jan 2018 11:26:37 -0800
Message-ID: <CAPcyv4hZ0axyyzpRb1+fETXZOzgzM1v4mgsYM_FKqCAdKNAbSA@mail.gmail.com>
In-Reply-To: <151703971300.26578.1185595719337719486.stgit@dwillia2-desk3.amr.corp.intel.com>

[ adding lkml ]

I had inadvertently dropped lkml when sending this to Thomas. Archive here:

https://marc.info/?l=linux-wireless&m=151704026325010&w=2
https://marc.info/?l=linux-arch&m=151704027225013&w=2
https://marc.info/?l=linux-arch&m=151704027225014&w=2
https://marc.info/?l=linux-arch&m=151704027625015&w=2
https://marc.info/?l=linux-arch&m=151704028225016&w=2
https://marc.info/?l=linux-arch&m=151704028725019&w=2
https://marc.info/?l=linux-arch&m=151704086725186&w=2
https://marc.info/?l=linux-arch&m=151704030025025&w=2
https://marc.info/?l=linux-arch&m=151704030525028&w=2
https://marc.info/?l=linux-arch&m=151704031125029&w=2
https://marc.info/?l=linux-arch&m=151704032225034&w=2
https://marc.info/?l=linux-arch&m=151704032625035&w=2
https://marc.info/?l=linux-arch&m=151704032725037&w=2


On Fri, Jan 26, 2018 at 11:55 PM, Dan Williams <dan.j.williams@intel.com> wrote:
> Hi Thomas,
>
> Here's another spin of the spectre-v1 mitigations for 4.16.
>
> Changes since v4.1: [1]
> * Tweak the sanitization scheme yet again to make it even simpler. Now,
>   instead of 'array_ptr' to get a sanitized pointer to an array element,
>   just provide an array index sanitization helper 'array_idx' to be called
>   after successfully validating the index is in bounds. I.e. in the
>   exact same location one would otherwise put an lfence, place this
>   sanitizer:
>
>       if (idx < sz) {
>           idx = array_idx(idx, sz);
>           val = array[idx];
>       }
>
>   This lets the implementation include more sanity checking that the
>   compiler can usually compile out. It otherwise appears to produce
>   better assembly. This also cleans up the concern about comparing the
>   value returned from array_ptr to create another speculation point.
>   (Russell, Linus, Cyril)
>
> * Drop the syscall_64_fastpath.  This is the straightforward patch from
>   Linus that might also be in flight from Andy, but I went ahead and
>   included it since I did not see it on LKML yet.
>
> * Kill the MASK_NOSPEC macro and just open code it. (Andy)
>
> * Add system-call-number sanitization to the slow path syscall table
>   lookups.
>
> * Redo the array_ptr conversions with array_idx.
>
> * Update /sys/devices/system/cpu/vulnerabilities/spectre_v1 to indicate
>   the new protections. It now reports "Vulnerable: Minimal user pointer
>   sanitization". (Jiri)
>
> ---
>
> Dan Williams (11):
>       array_idx: sanitize speculative array de-references
>       x86: implement array_idx_mask
>       x86: introduce __uaccess_begin_nospec and ifence
>       x86, __get_user: use __uaccess_begin_nospec
>       x86, get_user: use pointer masking to limit speculation
>       x86: remove the syscall_64 fast-path
>       x86: sanitize sycall table de-references under speculation
>       vfs, fdtable: prevent bounds-check bypass via speculative execution
>       kvm, x86: update spectre-v1 mitigation
>       nl80211: sanitize array index in parse_txq_params
>       x86/spectre: report get_user mitigation for spectre_v1
>
> Mark Rutland (1):
>       Documentation: document array_idx
>
>
>  Documentation/speculation.txt     |   87 ++++++++++++++++++++++++++++
>  arch/x86/entry/common.c           |    3 +
>  arch/x86/entry/entry_64.S         |  116 -------------------------------------
>  arch/x86/entry/syscall_64.c       |    7 +-
>  arch/x86/include/asm/barrier.h    |   26 ++++++++
>  arch/x86/include/asm/msr.h        |    3 -
>  arch/x86/include/asm/uaccess.h    |   15 ++++-
>  arch/x86/include/asm/uaccess_32.h |    6 +-
>  arch/x86/include/asm/uaccess_64.h |   12 ++--
>  arch/x86/kernel/cpu/bugs.c        |    2 -
>  arch/x86/kvm/vmx.c                |   14 +++-
>  arch/x86/lib/getuser.S            |   10 +++
>  arch/x86/lib/usercopy_32.c        |    8 +--
>  include/linux/fdtable.h           |    5 +-
>  include/linux/nospec.h            |   64 ++++++++++++++++++++
>  net/wireless/nl80211.c            |    9 ++-
>  16 files changed, 239 insertions(+), 148 deletions(-)
>  create mode 100644 Documentation/speculation.txt
>  create mode 100644 include/linux/nospec.h
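
Added example, not part of the original message or of the patch series: a userspace C illustration of the check-then-sanitize pattern quoted above, where the index is clamped with a branchless mask so that an out-of-bounds value becomes 0 even on a mispredicted path. The names demo_idx_mask, demo_array_idx and demo_lookup are hypothetical, and the mask arithmetic is an assumption about one way to build such a mask, not a copy of the series' array_idx_mask.

```c
#include <limits.h>
#include <stdio.h>

#define DEMO_LONG_BITS (sizeof(unsigned long) * CHAR_BIT)

/*
 * All ones when idx < sz, zero otherwise, computed without a branch so
 * there is no second comparison for the CPU to predict.
 * Assumes sz <= LONG_MAX; any idx above LONG_MAX yields zero.
 */
static unsigned long demo_idx_mask(unsigned long idx, unsigned long sz)
{
    /* Top bit of t is set only when idx and (sz - 1 - idx) both have it clear. */
    unsigned long t = ~(idx | (sz - 1UL - idx));
    return 0UL - (t >> (DEMO_LONG_BITS - 1));
}

/* Returns idx when in bounds, 0 when not (hypothetical stand-in for array_idx). */
static unsigned long demo_array_idx(unsigned long idx, unsigned long sz)
{
    return idx & demo_idx_mask(idx, sz);
}

/* Caller pattern from the cover letter: validate, sanitize, then dereference. */
static int demo_lookup(const int *array, unsigned long sz,
                       unsigned long idx, int *val)
{
    if (idx < sz) {
        idx = demo_array_idx(idx, sz);
        *val = array[idx];
        return 0;
    }
    return -1;
}

int main(void)
{
    static const int table[4] = { 10, 20, 30, 40 }; /* constructed sample data */
    unsigned long probes[] = { 0, 3, 4, ULONG_MAX };
    for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int v = 0;
        int rc = demo_lookup(table, 4, probes[i], &v);
        printf("idx=%lu mask=%#lx rc=%d val=%d\n", probes[i],
               demo_idx_mask(probes[i], 4), rc, v);
    }
    return 0;
}
```

In this userspace build an optimizing compiler that can prove idx < sz inside the branch may fold the mask away; a kernel implementation has to keep the mask computation opaque to the optimizer.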
