From: linux@armlinux.org.uk (Russell King - ARM Linux)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 6/6] ARM: spectre-v1: mitigate user accesses
Date: Thu, 26 Jul 2018 14:20:06 +0100
Message-ID: <20180726132006.GY17271@n2100.armlinux.org.uk>
In-Reply-To: <20180726124900.syqvsltidm4c2oud@lakrids.cambridge.arm.com>
On Thu, Jul 26, 2018 at 01:49:00PM +0100, Mark Rutland wrote:
> On Tue, Jul 10, 2018 at 03:14:12PM +0100, Russell King wrote:
> > Spectre variant 1 attacks are about this sequence of pseudo-code:
> >
> > index = load(user-manipulated pointer);
> > access(base + index * stride);
> >
> > In order for the cache side-channel to work, the access() must be made
> > to memory which userspace can detect whether cache lines have been
> > loaded. On 32-bit ARM, this must be either user accessible memory, or
> > a kernel mapping of that same user accessible memory.
> >
> > The problem occurs when the load() speculatively loads privileged data,
> > and the subsequent access() is made to user accessible memory.
> >
> > Any load() which makes use of a user-manipulated pointer is a potential
> > problem if the data it has loaded is used in a subsequent access. This
> > also applies for the access() if the data loaded by that access is used
> > by a subsequent access.
> >
> > Harden the get_user() accessors against Spectre attacks by forcing out
> > of bounds addresses to a NULL pointer. This prevents get_user() being
> > used as the load() step above. As a side effect, put_user() will also
> > be affected even though it isn't implicated.
> >
> > Also harden copy_from_user() by redoing the bounds check within the
> > arm_copy_from_user() code, and NULLing the pointer if out of bounds.
> >
> > Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
> > ---
> > arch/arm/include/asm/assembler.h | 4 ++++
> > arch/arm/lib/copy_from_user.S | 7 +++++++
> > 2 files changed, 11 insertions(+)
> >
> > diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
> > index ef1386b1af9b..f0515f60cff5 100644
> > --- a/arch/arm/include/asm/assembler.h
> > +++ b/arch/arm/include/asm/assembler.h
> > @@ -460,6 +460,10 @@ THUMB( orr \reg , \reg , #PSR_T_BIT )
> > adds \tmp, \addr, #\size - 1
> > sbcccs \tmp, \tmp, \limit
> > bcs \bad
> > +#ifdef CONFIG_CPU_SPECTRE
> > + movcs \addr, #0
> > + csdb
> > +#endif
> > #endif
> > .endm
> >
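Review bot: the `movcs \addr, #0` placed directly after `bcs \bad` reads as dead code, because the branch is architecturally taken whenever carry is set and the conditional move is a no-op on the fall-through path. A short comment at this point saying that the instruction only has an effect when the branch is mispredicted, and that the `csdb` is there so later loads cannot speculatively consume the un-zeroed `\addr`, would save the next reader from "cleaning it up".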
> > diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
> > index 7a4b06049001..ebf292e9478f 100644
> > --- a/arch/arm/lib/copy_from_user.S
> > +++ b/arch/arm/lib/copy_from_user.S
> > @@ -90,6 +90,13 @@
> > .text
> >
> > ENTRY(arm_copy_from_user)
> > + get_thread_info r3
> > + ldr r3, [r3, #TI_ADDR_LIMIT]
> > + adds ip, r1, r2 @ ip=addr+size
> > + sub r3, r3, #1 @ addr_limit - 1
> > + cmpcc ip, r3 @ if (addr+size > addr_limit - 1)
> > + movcs r1, #0 @ addr = NULL
> > + csdb
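Review bot: the range check added at the top of arm_copy_from_user has no `#ifdef CONFIG_CPU_SPECTRE` guard, unlike the assembler.h hunk, so `get_thread_info` and the `ldr r3, [r3, #TI_ADDR_LIMIT]` run on every call even when the option is off; consider wrapping the seven added lines in the same conditional. Separately, the comment on `cmpcc ip, r3` says `addr+size > addr_limit - 1`, but `movcs` fires on unsigned greater-or-equal, so the comment or the comparison should be adjusted to state which boundary is intended.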
>
> Given spectre-v1.1, I believe we need to do the same for
> arm_copy_to_user().
Spectre v1.1 is not covered by this patch series and is a subject for
future work.
--
RMK's Patch system: http://www.armlinux.org.uk/developer/patches/
FTTC broadband for 0.8mile line in suburbia: sync at 13.8Mbps down 630kbps up
According to speedtest.net: 13Mbps down 490kbps up
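
The clamp described in the quoted commit message (an out-of-bounds user pointer is forced to NULL before it can feed the load() step), modeled in portable C as an added example; it is not code from the patch or the kernel. The names `uaccess_ok_mask` and `uaccess_clamp`, the 32-bit address type and the inclusive `limit` are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: 32-bit addresses; `limit` is assumed to be the
 * highest address user space may touch (inclusive). Hypothetical names. */
typedef uint32_t uaddr_t;

/* All-ones if [addr, addr+size-1] lies at or below `limit`, else zero.
 * size must be >= 1. The 64-bit sum keeps the carry out of bit 31, so a
 * wrapped addr+size-1 is treated as out of range, as is any last byte
 * above `limit`. */
static uint32_t uaccess_ok_mask(uaddr_t addr, uint32_t size, uaddr_t limit)
{
    uint64_t last = (uint64_t)addr + size - 1;
    uint32_t bad = (uint32_t)(last > limit);   /* 1 when out of range */
    return bad - 1u;                           /* 0 -> 0xffffffff, 1 -> 0 */
}

/* Returns addr unchanged when in range and 0 (NULL) otherwise, so a path
 * that ran ahead of the range check can only dereference NULL rather than
 * an attacker-chosen kernel address.
 * Caveat: a C compiler may still emit a branch here. The patch does this
 * in assembly with a conditional move followed by csdb for that reason. */
static uaddr_t uaccess_clamp(uaddr_t addr, uint32_t size, uaddr_t limit)
{
    return addr & uaccess_ok_mask(addr, size, limit);
}

int main(void)
{
    const uaddr_t limit = 0xbeffffffu;         /* constructed sample limit */
    const struct { uaddr_t addr; uint32_t size; } cases[] = {
        { 0x00001000u, 4 },   /* well inside the user range */
        { 0xbefffffcu, 4 },   /* last byte exactly at limit */
        { 0xbefffffdu, 4 },   /* last byte one past limit */
        { 0xc0000000u, 1 },   /* kernel address */
        { 0xfffffffeu, 4 },   /* addr+size-1 wraps past 2^32 */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("addr=0x%08" PRIx32 " size=%" PRIu32 " -> 0x%08" PRIx32 "\n",
               cases[i].addr, cases[i].size,
               uaccess_clamp(cases[i].addr, cases[i].size, limit));
    return 0;
}
```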