From: Dan Williams <dan.j.williams@intel.com>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Peter Zijlstra <peterz@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Elena Reshetova <elena.reshetova@intel.com>,
linux-arch <linux-arch@vger.kernel.org>,
Andi Kleen <ak@linux.intel.com>, Jonathan Corbet <corbet@lwn.net>,
X86 ML <x86@kernel.org>, Russell King <linux@armlinux.org.uk>,
Ingo Molnar <mingo@redhat.com>, Andrew Honig <ahonig@google.com>,
Alan Cox <alan@linux.intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Kees Cook <keescook@chromium.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>An
Subject: Re: [PATCH v4 00/10] prevent bounds-check bypass via speculative execution
Date: Fri, 19 Jan 2018 22:58:44 -0800 [thread overview]
Message-ID: <CAPcyv4iBHTahi66deUT1iSPpA2W2wjYZSaiUYUjpdK10d5Rt7g@mail.gmail.com> (raw)
In-Reply-To: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com>
On Thu, Jan 18, 2018 at 4:01 PM, Dan Williams <dan.j.williams@intel.com> wrote:
> Changes since v3 [1]
> * Drop 'ifence_array_ptr' and associated compile-time + run-time
> switching and just use the masking approach all the time.
>
> * Convert 'get_user' to use pointer sanitization via masking rather than
> lfence. '__get_user' and associated paths still rely on
> lfence. (Linus)
>
> "Basically, the rule is trivial: find all 'stac' users, and use
> address masking if those users already integrate the limit
> check, and lfence they don't."
>
> * At syscall entry sanitize the syscall number under speculation
> to remove a user controlled pointer de-reference in kernel
> space. (Linus)
>
> * Fix a raw lfence in the kvm code (added for v4.15-rc8) to use
> 'array_ptr'.
>
> * Propose 'array_idx' as a way to sanitize user input that is
> later used as an array index, but where the validation is
> happening in a different code block than the array reference.
> (Christian).
>
> * Fix grammar in speculation.txt (Kees)
>
> ---
>
> Quoting Mark's original RFC:
>
> "Recently, Google Project Zero discovered several classes of attack
> against speculative execution. One of these, known as variant-1, allows
> explicit bounds checks to be bypassed under speculation, providing an
> arbitrary read gadget. Further details can be found on the GPZ blog [2]
> and the Documentation patch in this series."
>
> A precondition of using this attack on the kernel is to get a user
> controlled pointer de-referenced (under speculation) in privileged code.
> The primary source of user controlled pointers in the kernel is the
> arguments passed to 'get_user' and '__get_user'. An example of other
> user controlled pointers are user-controlled array / pointer offsets.
>
> Better tooling is needed to find more arrays / pointers with user
> controlled indices / offsets that can be converted to use 'array_ptr' or
> 'array_idx'. A few are included in this set, and these are not expected
> to be complete. That said, the 'get_user' protections raise the bar on
> finding a vulnerable gadget in the kernel.
>
> These patches are also available via the 'nospec-v4' git branch here:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux nospec-v4
I've pushed out a nospec-v4.1 with the below minor cleanup, a fixup of
the changelog for "kvm, x86: fix spectre-v1 mitigation", and added
Paolo's ack.
git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux nospec-v4.1
diff --git a/include/linux/nospec.h b/include/linux/nospec.h
index 8af35be1869e..b8a9222e34d1 100644
--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -37,7 +37,7 @@ static inline unsigned long array_ptr_mask(unsigned
long idx, unsigned long sz)
unsigned long _i = (idx); \
unsigned long _mask = array_ptr_mask(_i, (sz)); \
\
- __u._ptr = _arr + (_i & _mask); \
+ __u._ptr = _arr + _i; \
__u._bit &= _mask; \
__u._ptr; \
})
WARNING: multiple messages have this Message-ID (diff)
From: Dan Williams <dan.j.williams@intel.com>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Peter Zijlstra <peterz@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Elena Reshetova <elena.reshetova@intel.com>,
linux-arch <linux-arch@vger.kernel.org>,
Andi Kleen <ak@linux.intel.com>, Jonathan Corbet <corbet@lwn.net>,
X86 ML <x86@kernel.org>, Russell King <linux@armlinux.org.uk>,
Ingo Molnar <mingo@redhat.com>, Andrew Honig <ahonig@google.com>,
Alan Cox <alan@linux.intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Kees Cook <keescook@chromium.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>,
Jim Mattson <jmattson@google.com>,
Christian Lamparter <chunkeey@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
Linux Wireless List <linux-wireless@vger.kernel.org>,
stable@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
Johannes Berg <johannes@sipsolutions.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH v4 00/10] prevent bounds-check bypass via speculative execution
Date: Fri, 19 Jan 2018 22:58:44 -0800 [thread overview]
Message-ID: <CAPcyv4iBHTahi66deUT1iSPpA2W2wjYZSaiUYUjpdK10d5Rt7g@mail.gmail.com> (raw)
Message-ID: <20180120065844.xX727UaxQ_K7nNpQwxJMLsKirEQk9Bp_Wv-nEnIf7xs@z> (raw)
In-Reply-To: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com>
On Thu, Jan 18, 2018 at 4:01 PM, Dan Williams <dan.j.williams@intel.com> wrote:
> Changes since v3 [1]
> * Drop 'ifence_array_ptr' and associated compile-time + run-time
> switching and just use the masking approach all the time.
>
> * Convert 'get_user' to use pointer sanitization via masking rather than
> lfence. '__get_user' and associated paths still rely on
> lfence. (Linus)
>
> "Basically, the rule is trivial: find all 'stac' users, and use
> address masking if those users already integrate the limit
> check, and lfence they don't."
>
> * At syscall entry sanitize the syscall number under speculation
> to remove a user controlled pointer de-reference in kernel
> space. (Linus)
>
> * Fix a raw lfence in the kvm code (added for v4.15-rc8) to use
> 'array_ptr'.
>
> * Propose 'array_idx' as a way to sanitize user input that is
> later used as an array index, but where the validation is
> happening in a different code block than the array reference.
> (Christian).
>
> * Fix grammar in speculation.txt (Kees)
>
> ---
>
> Quoting Mark's original RFC:
>
> "Recently, Google Project Zero discovered several classes of attack
> against speculative execution. One of these, known as variant-1, allows
> explicit bounds checks to be bypassed under speculation, providing an
> arbitrary read gadget. Further details can be found on the GPZ blog [2]
> and the Documentation patch in this series."
>
> A precondition of using this attack on the kernel is to get a user
> controlled pointer de-referenced (under speculation) in privileged code.
> The primary source of user controlled pointers in the kernel is the
> arguments passed to 'get_user' and '__get_user'. An example of other
> user controlled pointers are user-controlled array / pointer offsets.
>
> Better tooling is needed to find more arrays / pointers with user
> controlled indices / offsets that can be converted to use 'array_ptr' or
> 'array_idx'. A few are included in this set, and these are not expected
> to be complete. That said, the 'get_user' protections raise the bar on
> finding a vulnerable gadget in the kernel.
>
> These patches are also available via the 'nospec-v4' git branch here:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux nospec-v4
I've pushed out a nospec-v4.1 with the below minor cleanup, a fixup of
the changelog for "kvm, x86: fix spectre-v1 mitigation", and added
Paolo's ack.
git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux nospec-v4.1
diff --git a/include/linux/nospec.h b/include/linux/nospec.h
index 8af35be1869e..b8a9222e34d1 100644
--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -37,7 +37,7 @@ static inline unsigned long array_ptr_mask(unsigned
long idx, unsigned long sz)
unsigned long _i = (idx); \
unsigned long _mask = array_ptr_mask(_i, (sz)); \
\
- __u._ptr = _arr + (_i & _mask); \
+ __u._ptr = _arr + _i; \
__u._bit &= _mask; \
__u._ptr; \
})
next prev parent reply other threads:[~2018-01-20 6:58 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-19 0:01 [PATCH v4 00/10] prevent bounds-check bypass via speculative execution Dan Williams
2018-01-19 0:01 ` Dan Williams
2018-01-19 0:01 ` [PATCH v4 01/10] Documentation: document array_ptr Dan Williams
2018-01-19 0:01 ` [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references Dan Williams
2018-01-19 0:01 ` Dan Williams
2018-01-19 10:20 ` [kernel-hardening] " Jann Horn
2018-01-19 17:48 ` Adam Sampson
2018-01-19 17:48 ` Adam Sampson
2018-01-19 18:12 ` Dan Williams
2018-01-19 18:18 ` Will Deacon
2018-01-19 18:18 ` [kernel-hardening] " Will Deacon
2018-01-19 18:26 ` Dan Williams
2018-01-19 18:18 ` Linus Torvalds
2018-01-19 18:18 ` [kernel-hardening] " Linus Torvalds
2018-01-19 20:55 ` Dan Williams
2018-01-25 7:09 ` Cyril Novikov
2018-01-25 7:09 ` Cyril Novikov
2018-01-25 22:37 ` Dan Williams
2018-01-25 22:37 ` Dan Williams
2018-01-19 0:01 ` [PATCH v4 03/10] x86: implement array_ptr_mask() Dan Williams
2018-01-19 0:01 ` [PATCH v4 04/10] x86: introduce __uaccess_begin_nospec and ifence Dan Williams
2018-01-19 0:02 ` [PATCH v4 05/10] x86, __get_user: use __uaccess_begin_nospec Dan Williams
2018-01-19 0:02 ` Dan Williams
2018-01-19 0:02 ` [PATCH v4 06/10] x86, get_user: use pointer masking to limit speculation Dan Williams
2018-01-19 0:02 ` [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation Dan Williams
2018-01-24 14:40 ` Jiri Slaby
2018-02-06 19:29 ` Luis Henriques
2018-02-06 19:48 ` Dan Williams
2018-02-06 19:48 ` Dan Williams
2018-02-06 20:26 ` Linus Torvalds
2018-02-06 20:26 ` Linus Torvalds
2018-02-06 20:37 ` Dan Williams
2018-02-06 20:42 ` Linus Torvalds
2018-02-06 20:42 ` Linus Torvalds
2018-02-06 20:43 ` Linus Torvalds
2018-02-06 20:43 ` Linus Torvalds
2018-02-06 20:49 ` Andy Lutomirski
2018-02-06 20:49 ` Andy Lutomirski
2018-02-06 20:58 ` Linus Torvalds
2018-02-06 20:58 ` Linus Torvalds
2018-02-06 21:37 ` Dan Williams
2018-02-06 22:52 ` Linus Torvalds
2018-02-06 22:52 ` Linus Torvalds
2018-02-07 0:33 ` Dan Williams
2018-02-07 1:23 ` Linus Torvalds
2018-02-06 22:51 ` Luis Henriques
2018-02-06 22:51 ` Luis Henriques
2018-01-19 0:02 ` [PATCH v4 08/10] vfs, fdtable: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-19 0:02 ` Dan Williams
2018-01-19 0:02 ` [PATCH v4 09/10] kvm, x86: fix spectre-v1 mitigation Dan Williams
2018-01-19 0:02 ` Dan Williams
2018-01-19 8:42 ` Paolo Bonzini
2018-01-19 8:42 ` Paolo Bonzini
[not found] ` <151632009605.21271.11304291057104672116.stgit-p8uTFz9XbKj2zm6wflaqv1nYeNYlB/vhral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2018-01-19 0:02 ` [PATCH v4 10/10] nl80211: sanitize array index in parse_txq_params Dan Williams
2018-01-19 0:02 ` Dan Williams
2018-01-21 10:37 ` Johannes Berg
2018-01-20 6:58 ` Dan Williams [this message]
2018-01-20 6:58 ` [PATCH v4 00/10] prevent bounds-check bypass via speculative execution Dan Williams
2018-01-20 16:56 ` Alexei Starovoitov
2018-01-20 16:56 ` Alexei Starovoitov
2018-01-20 17:07 ` Alexei Starovoitov
2018-01-20 17:07 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPcyv4iBHTahi66deUT1iSPpA2W2wjYZSaiUYUjpdK10d5Rt7g@mail.gmail.com \
--to=dan.j.williams@intel.com \
--cc=ahonig@google.com \
--cc=ak@linux.intel.com \
--cc=alan@linux.intel.com \
--cc=catalin.marinas@arm.com \
--cc=corbet@lwn.net \
--cc=elena.reshetova@intel.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=viro@zeniv.linux.org.uk \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).