From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.3 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8E3B7C3A5A4 for ; Fri, 30 Aug 2019 09:40:52 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 4D0DC21670 for ; Fri, 30 Aug 2019 09:40:52 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="UO0r6aSt" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4D0DC21670 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=CR19O8dAqUJkg3EMN2+44v4oERask9sJ8L80+LmlcJ4=; b=UO0r6aStiOzl6p 0hrN93ZU8hxuNJircHkcy+0KQLiK/a5XxwjFF2IASou2V+wCRaNsswETkk3nyzyVa5Yev18UyILXz W2GWcyVAlUbUWv6Xqy6qhp8zZc4OQoVQdUTuu1LXcdsJPjviAdnQW9BGFihOa+oKwagpjc0AvrmDV FUp90xPhrcKWje0mfAb1Ke7mek7dxh1wPq5Skz1WEWs1mIlJ/ASC0k0loLrdanmWyxP4LHzGhfYFt VcB1HPlq3e+oPwHmhMql3O2uex/ML2tulq/GreWLffHXcCjHI5nYylsjBZ+zohxYPCmcO+Wr+pc26 LVbvqgwHr45dyzUP14Vg==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92 #3 (Red Hat Linux)) id 1i3dOl-0002Yb-P7; Fri, 30 Aug 2019 09:40:51 +0000 Received: from foss.arm.com ([217.140.110.172]) by bombadil.infradead.org with esmtp (Exim 4.92 #3 (Red Hat Linux)) id 1i3dOS-0002Gf-Q0 for linux-arm-kernel@lists.infradead.org; Fri, 30 Aug 2019 09:40:34 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 37BA3344; Fri, 30 Aug 2019 02:40:32 -0700 (PDT) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id D2DCD3F718; Fri, 30 Aug 2019 02:40:30 -0700 (PDT) Date: Fri, 30 Aug 2019 10:40:28 +0100 From: Mark Rutland To: Viresh Kumar Subject: Re: [PATCH ARM64 v4.4 V3 05/44] arm64: Use pointer masking to limit uaccess speculation Message-ID: <20190830094028.GE46475@lakrids.cambridge.arm.com> References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.11.1+11 (2f07cb52) (2018-12-01) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190830_024033_056140_4E6C4EB8 X-CRM114-Status: GOOD ( 19.78 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Julien Thierry , Marc Zyngier , Catalin Marinas , Will Deacon , stable@vger.kernel.org, mark.brown@arm.com, Russell King , linux-arm-kernel@lists.infradead.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+infradead-linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Thu, Aug 29, 2019 at 05:03:50PM +0530, Viresh Kumar wrote: > From: Robin Murphy > > commit 4d8efc2d5ee4c9ccfeb29ee8afd47a8660d0c0ce upstream. > > Similarly to x86, mitigate speculation past an access_ok() check by > masking the pointer against the address limit before use. > > Even if we don't expect speculative writes per se, it is plausible that > a CPU may still speculate at least as far as fetching a cache line for > writing, hence we also harden put_user() and clear_user() for peace of > mind. > > Signed-off-by: Robin Murphy > Signed-off-by: Will Deacon > Signed-off-by: Catalin Marinas > Signed-off-by: Viresh Kumar Reviewed-by: Mark Rutland [v4.4 backport] Mark. > --- > arch/arm64/include/asm/uaccess.h | 26 +++++++++++++++++++++++--- > 1 file changed, 23 insertions(+), 3 deletions(-) > > diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h > index c625cc5531fc..75363d723262 100644 > --- a/arch/arm64/include/asm/uaccess.h > +++ b/arch/arm64/include/asm/uaccess.h > @@ -121,6 +121,26 @@ static inline unsigned long __range_ok(unsigned long addr, unsigned long size) > #define access_ok(type, addr, size) __range_ok((unsigned long)(addr), size) > #define user_addr_max get_fs > > +/* > + * Sanitise a uaccess pointer such that it becomes NULL if above the > + * current addr_limit. > + */ > +#define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) > +static inline void __user *__uaccess_mask_ptr(const void __user *ptr) > +{ > + void __user *safe_ptr; > + > + asm volatile( > + " bics xzr, %1, %2\n" > + " csel %0, %1, xzr, eq\n" > + : "=&r" (safe_ptr) > + : "r" (ptr), "r" (current_thread_info()->addr_limit) > + : "cc"); > + > + csdb(); > + return safe_ptr; > +} > + > /* > * The "__xxx" versions of the user access functions do not verify the address > * space - it must have been done previously with a separate "access_ok()" > @@ -193,7 +213,7 @@ do { \ > __typeof__(*(ptr)) __user *__p = (ptr); \ > might_fault(); \ > access_ok(VERIFY_READ, __p, sizeof(*__p)) ? \ > - __get_user((x), __p) : \ > + __p = uaccess_mask_ptr(__p), __get_user((x), __p) : \ > ((x) = 0, -EFAULT); \ > }) > > @@ -259,7 +279,7 @@ do { \ > __typeof__(*(ptr)) __user *__p = (ptr); \ > might_fault(); \ > access_ok(VERIFY_WRITE, __p, sizeof(*__p)) ? \ > - __put_user((x), __p) : \ > + __p = uaccess_mask_ptr(__p), __put_user((x), __p) : \ > -EFAULT; \ > }) > > @@ -297,7 +317,7 @@ static inline unsigned long __must_check copy_in_user(void __user *to, const voi > static inline unsigned long __must_check clear_user(void __user *to, unsigned long n) > { > if (access_ok(VERIFY_WRITE, to, n)) > - n = __clear_user(to, n); > + n = __clear_user(__uaccess_mask_ptr(to), n); > return n; > } > > -- > 2.21.0.rc0.269.g1a574e7a288b > _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel