[PATCH 0/2] arm64: spectre-v1 write fixes (CVE-2018-3693)

linux-arm-kernel.lists.infradead.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 0/2] arm64: spectre-v1 write fixes (CVE-2018-3693)
@ 2018-07-10 18:01 Mark Rutland
  2018-07-10 18:01 ` [PATCH 1/2] arm64: fix possible spectre-v1 write in ptrace_hbp_set_event() Mark Rutland
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Mark Rutland @ 2018-07-10 18:01 UTC (permalink / raw)
  To: linux-arm-kernel

These patches inhibit spectre-v1-write gadgets found in arch/arm64, using the
same mitigation applied to existing spectre-v1-read gadgets.

This issue is also known as CVE-2018-3693, or "bounds check bypass store".
More details can be found in the Arm Cache Speculation Side-channels
whitepaper, available from the Arm security updates site [1].

Thanks,
Mark.

[1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Mark Rutland (2):
  arm64: fix possible spectre-v1 write in ptrace_hbp_set_event()
  KVM: arm/arm64: vgic: fix possible spectre-v1 write in
    vgic_mmio_write_apr()

 arch/arm64/kernel/ptrace.c       | 19 +++++++++++--------
 virt/kvm/arm/vgic/vgic-mmio-v2.c |  3 +++
 2 files changed, 14 insertions(+), 8 deletions(-)

-- 
2.11.0

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH 1/2] arm64: fix possible spectre-v1 write in ptrace_hbp_set_event()
  2018-07-10 18:01 [PATCH 0/2] arm64: spectre-v1 write fixes (CVE-2018-3693) Mark Rutland
@ 2018-07-10 18:01 ` Mark Rutland
  2018-07-10 18:01 ` [PATCH 2/2] KVM: arm/arm64: vgic: fix possible spectre-v1 write in vgic_mmio_write_apr() Mark Rutland
  2018-07-10 19:28 ` [PATCH 0/2] arm64: spectre-v1 write fixes (CVE-2018-3693) Alan J. Wylie
  2 siblings, 0 replies; 4+ messages in thread
From: Mark Rutland @ 2018-07-10 18:01 UTC (permalink / raw)
  To: linux-arm-kernel

It's possible for userspace to control idx. Sanitize idx when using it
as an array index, to inhibit the potential spectre-v1 write gadget.

Found by smatch.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
---
 arch/arm64/kernel/ptrace.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 5c338ce5a7fa..db5440339ab3 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -277,19 +277,22 @@ static int ptrace_hbp_set_event(unsigned int note_type,
 
 	switch (note_type) {
 	case NT_ARM_HW_BREAK:
-		if (idx < ARM_MAX_BRP) {
-			tsk->thread.debug.hbp_break[idx] = bp;
-			err = 0;
-		}
+		if (idx >= ARM_MAX_BRP)
+			goto out;
+		idx = array_index_nospec(idx, ARM_MAX_BRP);
+		tsk->thread.debug.hbp_break[idx] = bp;
+		err = 0;
 		break;
 	case NT_ARM_HW_WATCH:
-		if (idx < ARM_MAX_WRP) {
-			tsk->thread.debug.hbp_watch[idx] = bp;
-			err = 0;
-		}
+		if (idx >= ARM_MAX_WRP)
+			goto out;
+		idx = array_index_nospec(idx, ARM_MAX_WRP);
+		tsk->thread.debug.hbp_watch[idx] = bp;
+		err = 0;
 		break;
 	}
 
+out:
 	return err;
 }
 
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 2/2] KVM: arm/arm64: vgic: fix possible spectre-v1 write in vgic_mmio_write_apr()
  2018-07-10 18:01 [PATCH 0/2] arm64: spectre-v1 write fixes (CVE-2018-3693) Mark Rutland
  2018-07-10 18:01 ` [PATCH 1/2] arm64: fix possible spectre-v1 write in ptrace_hbp_set_event() Mark Rutland
@ 2018-07-10 18:01 ` Mark Rutland
  2018-07-10 19:28 ` [PATCH 0/2] arm64: spectre-v1 write fixes (CVE-2018-3693) Alan J. Wylie
  2 siblings, 0 replies; 4+ messages in thread
From: Mark Rutland @ 2018-07-10 18:01 UTC (permalink / raw)
  To: linux-arm-kernel

It's possible for userspace to control n. Sanitize n when using it as an
array index, to inhibit the potential spectre-v1 write gadget.

Note that while it appears that n must be bound to the interval [0,3]
due to the way it is extracted from addr, we cannot guarantee that
compiler transformations (and/or future refactoring) will ensure this is
the case, and given this is a slow path it's better to always perform
the masking.

Found by smatch.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Christoffer Dall <christoffer.dall@arm.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: kvmarm at lists.cs.columbia.edu
---
 virt/kvm/arm/vgic/vgic-mmio-v2.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/virt/kvm/arm/vgic/vgic-mmio-v2.c b/virt/kvm/arm/vgic/vgic-mmio-v2.c
index ffc587bf4742..64e571cc02df 100644
--- a/virt/kvm/arm/vgic/vgic-mmio-v2.c
+++ b/virt/kvm/arm/vgic/vgic-mmio-v2.c
@@ -352,6 +352,9 @@ static void vgic_mmio_write_apr(struct kvm_vcpu *vcpu,
 
 		if (n > vgic_v3_max_apr_idx(vcpu))
 			return;
+
+		n = array_index_nospec(n, 4);
+
 		/* GICv3 only uses ICH_AP1Rn for memory mapped (GICv2) guests */
 		vgicv3->vgic_ap1r[n] = val;
 	}
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 0/2] arm64: spectre-v1 write fixes (CVE-2018-3693)
  2018-07-10 18:01 [PATCH 0/2] arm64: spectre-v1 write fixes (CVE-2018-3693) Mark Rutland
  2018-07-10 18:01 ` [PATCH 1/2] arm64: fix possible spectre-v1 write in ptrace_hbp_set_event() Mark Rutland
  2018-07-10 18:01 ` [PATCH 2/2] KVM: arm/arm64: vgic: fix possible spectre-v1 write in vgic_mmio_write_apr() Mark Rutland
@ 2018-07-10 19:28 ` Alan J. Wylie
  2 siblings, 0 replies; 4+ messages in thread
From: Alan J. Wylie @ 2018-07-10 19:28 UTC (permalink / raw)
  To: linux-arm-kernel

Mark Rutland <mark.rutland@arm.com> writes:

> These patches inhibit spectre-v1-write gadgets found in arch/arm64, using the
> same mitigation applied to existing spectre-v1-read gadgets.
>
> This issue is also known as CVE-2018-3693, or "bounds check bypass store".
> More details can be found in the Arm Cache Speculation Side-channels
> whitepaper, available from the Arm security updates site [1].

> [1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

>From that web page:

| Variant 1: bounds check bypass store (CVE-2017-5753) and bounds check
| bypass store (CVE-2018-3693)

Isn't -5753 a "read" vulnerability, not "store"?

-- 
Alan J. Wylie                                          https://www.wylie.me.uk/

Dance like no-one's watching. / Encrypt like everyone is.
Security is inversely proportional to convenience

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-07-10 19:28 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-07-10 18:01 [PATCH 0/2] arm64: spectre-v1 write fixes (CVE-2018-3693) Mark Rutland
2018-07-10 18:01 ` [PATCH 1/2] arm64: fix possible spectre-v1 write in ptrace_hbp_set_event() Mark Rutland
2018-07-10 18:01 ` [PATCH 2/2] KVM: arm/arm64: vgic: fix possible spectre-v1 write in vgic_mmio_write_apr() Mark Rutland
2018-07-10 19:28 ` [PATCH 0/2] arm64: spectre-v1 write fixes (CVE-2018-3693) Alan J. Wylie

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).