* [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
@ 2024-05-31 0:44 Nathan Lynch via B4 Relay
2024-05-31 13:45 ` Breno Leitao
2024-07-06 23:10 ` Michael Ellerman
0 siblings, 2 replies; 8+ messages in thread
From: Nathan Lynch via B4 Relay @ 2024-05-31 0:44 UTC (permalink / raw)
To: Michael Ellerman, Nicholas Piggin, Christophe Leroy,
Naveen N. Rao
Cc: Breno Leitao, Nathan Lynch, linuxppc-dev
From: Nathan Lynch <nathanl@linux.ibm.com>
Smatch warns:
arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
spectre issue 'args.args' [r] (local cap)
The 'nargs' and 'nret' locals come directly from a user-supplied
buffer and are used as indexes into a small stack-based array and as
inputs to copy_to_user() after they are subject to bounds checks.
Use array_index_nospec() after the bounds checks to clamp these values
for speculative execution.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Reported-by: Breno Leitao <leitao@debian.org>
---
Based on a change originally submitted by Breno Leitao in 2018:
https://lore.kernel.org/linuxppc-dev/1534876926-21849-1-git-send-email-leitao@debian.org/
I've used a Reported-by: tag to credit Breno, let me know if you would
prefer a different tag (perhaps Co-developed-by?)
---
arch/powerpc/kernel/rtas.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index 8064d9c3de86..f7e86e09c49f 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -19,6 +19,7 @@
#include <linux/lockdep.h>
#include <linux/memblock.h>
#include <linux/mutex.h>
+#include <linux/nospec.h>
#include <linux/of.h>
#include <linux/of_fdt.h>
#include <linux/reboot.h>
@@ -1916,6 +1917,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
|| nargs + nret > ARRAY_SIZE(args.args))
return -EINVAL;
+ nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
+ nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
+
/* Copy in args. */
if (copy_from_user(args.args, uargs->args,
nargs * sizeof(rtas_arg_t)) != 0)
---
base-commit: be2fc65d66e0406cc9d39d40becaecdf4ee765f3
change-id: 20240530-sys_rtas-nargs-nret-a188eaf5a500
Best regards,
--
Nathan Lynch <nathanl@linux.ibm.com>
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
2024-05-31 0:44 [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Nathan Lynch via B4 Relay
@ 2024-05-31 13:45 ` Breno Leitao
2024-05-31 16:45 ` Nathan Lynch
2024-07-06 23:10 ` Michael Ellerman
1 sibling, 1 reply; 8+ messages in thread
From: Breno Leitao @ 2024-05-31 13:45 UTC (permalink / raw)
To: nathanl; +Cc: Naveen N. Rao, linuxppc-dev, Nicholas Piggin
On Thu, May 30, 2024 at 07:44:12PM -0500, Nathan Lynch via B4 Relay wrote:
> From: Nathan Lynch <nathanl@linux.ibm.com>
>
> Smatch warns:
>
> arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
> spectre issue 'args.args' [r] (local cap)
>
> The 'nargs' and 'nret' locals come directly from a user-supplied
> buffer and are used as indexes into a small stack-based array and as
> inputs to copy_to_user() after they are subject to bounds checks.
>
> Use array_index_nospec() after the bounds checks to clamp these values
> for speculative execution.
>
> Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
> Reported-by: Breno Leitao <leitao@debian.org>
Thanks for working on it.
Reviewed-by: Breno Leitao <leitao@debian.org>
> + nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
> + nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
On an unrelated note, can nargs and nret are integers and could be
eventually negative. Is this a valid use case?
Thanks!
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
2024-05-31 13:45 ` Breno Leitao
@ 2024-05-31 16:45 ` Nathan Lynch
2024-05-31 17:20 ` Breno Leitao
0 siblings, 1 reply; 8+ messages in thread
From: Nathan Lynch @ 2024-05-31 16:45 UTC (permalink / raw)
To: Breno Leitao; +Cc: Naveen N. Rao, linuxppc-dev, Nicholas Piggin
Breno Leitao <leitao@debian.org> writes:
> On Thu, May 30, 2024 at 07:44:12PM -0500, Nathan Lynch via B4 Relay wrote:
>> From: Nathan Lynch <nathanl@linux.ibm.com>
>>
>> Smatch warns:
>>
>> arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
>> spectre issue 'args.args' [r] (local cap)
>>
>> The 'nargs' and 'nret' locals come directly from a user-supplied
>> buffer and are used as indexes into a small stack-based array and as
>> inputs to copy_to_user() after they are subject to bounds checks.
>>
>> Use array_index_nospec() after the bounds checks to clamp these values
>> for speculative execution.
>>
>> Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
>> Reported-by: Breno Leitao <leitao@debian.org>
>
> Thanks for working on it.
>
> Reviewed-by: Breno Leitao <leitao@debian.org>
Thanks!
>
>> + nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
>> + nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
>
> On an unrelated note, can nargs and nret are integers and could be
> eventually negative. Is this a valid use case?
No, it's not valid for a caller to provide negative nargs or nret. I
convinced myself that this bounds check:
nargs = be32_to_cpu(args.nargs);
nret = be32_to_cpu(args.nret);
if (nargs >= ARRAY_SIZE(args.args)
|| nret > ARRAY_SIZE(args.args)
|| nargs + nret > ARRAY_SIZE(args.args))
return -EINVAL;
rejects negative values of nargs or nret due to C's "usual arithmetic
conversions", where nargs and nret are implicitly converted to size_t
for the comparisons.
However I don't see any value in keeping them as signed int. I have some
changes in progress in this area and I'll plan on making these unsigned.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
2024-05-31 16:45 ` Nathan Lynch
@ 2024-05-31 17:20 ` Breno Leitao
0 siblings, 0 replies; 8+ messages in thread
From: Breno Leitao @ 2024-05-31 17:20 UTC (permalink / raw)
To: Nathan Lynch; +Cc: Naveen N. Rao, linuxppc-dev, Nicholas Piggin
On Fri, May 31, 2024 at 11:45:48AM -0500, Nathan Lynch wrote:
> Breno Leitao <leitao@debian.org> writes:
>
> > On Thu, May 30, 2024 at 07:44:12PM -0500, Nathan Lynch via B4 Relay wrote:
> >> From: Nathan Lynch <nathanl@linux.ibm.com>
> >> + nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
> >> + nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
> >
> > On an unrelated note, can nargs and nret are integers and could be
> > eventually negative. Is this a valid use case?
>
> No, it's not valid for a caller to provide negative nargs or nret. I
> convinced myself that this bounds check:
>
> nargs = be32_to_cpu(args.nargs);
> nret = be32_to_cpu(args.nret);
>
> if (nargs >= ARRAY_SIZE(args.args)
> || nret > ARRAY_SIZE(args.args)
> || nargs + nret > ARRAY_SIZE(args.args))
> return -EINVAL;
>
> rejects negative values of nargs or nret due to C's "usual arithmetic
> conversions", where nargs and nret are implicitly converted to size_t
> for the comparisons.
>
> However I don't see any value in keeping them as signed int. I have some
> changes in progress in this area and I'll plan on making these unsigned.
yea, I think it will help to make this code easier to read/review.
Thanks again for fixing it.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
2024-05-31 0:44 [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Nathan Lynch via B4 Relay
2024-05-31 13:45 ` Breno Leitao
@ 2024-07-06 23:10 ` Michael Ellerman
1 sibling, 0 replies; 8+ messages in thread
From: Michael Ellerman @ 2024-07-06 23:10 UTC (permalink / raw)
To: Michael Ellerman, Nicholas Piggin, Christophe Leroy,
Naveen N. Rao, Nathan Lynch
Cc: Breno Leitao, linuxppc-dev
On Thu, 30 May 2024 19:44:12 -0500, Nathan Lynch wrote:
> Smatch warns:
>
> arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
> spectre issue 'args.args' [r] (local cap)
>
> The 'nargs' and 'nret' locals come directly from a user-supplied
> buffer and are used as indexes into a small stack-based array and as
> inputs to copy_to_user() after they are subject to bounds checks.
>
> [...]
Applied to powerpc/next.
[1/1] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
https://git.kernel.org/powerpc/c/0974d03eb479384466d828d65637814bee6b26d7
cheers
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
@ 2024-12-13 3:44 haixiao.yan.cn
2024-12-13 11:14 ` Greg KH
2024-12-13 11:15 ` Greg KH
0 siblings, 2 replies; 8+ messages in thread
From: haixiao.yan.cn @ 2024-12-13 3:44 UTC (permalink / raw)
To: nathanl, gregkh
Cc: mpe, benh, paulus, linuxppc-dev, linux-kernel, stable,
haixiao.yan.cn
From: Nathan Lynch <nathanl@linux.ibm.com>
[ Upstream commit 0974d03eb479384466d828d65637814bee6b26d7 ]
Smatch warns:
arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
spectre issue 'args.args' [r] (local cap)
The 'nargs' and 'nret' locals come directly from a user-supplied
buffer and are used as indexes into a small stack-based array and as
inputs to copy_to_user() after they are subject to bounds checks.
Use array_index_nospec() after the bounds checks to clamp these values
for speculative execution.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Reported-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm.com
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
---
This commit is backporting 0974d03eb479 to the branch linux-5.15.y to
solve the CVE-2024-46774.
arch/powerpc/kernel/rtas.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index d01a0ad57e38..f2378f51cbed 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -16,6 +16,7 @@
#include <linux/capability.h>
#include <linux/delay.h>
#include <linux/cpu.h>
+#include <linux/nospec.h>
#include <linux/sched.h>
#include <linux/smp.h>
#include <linux/completion.h>
@@ -1076,6 +1077,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
|| nargs + nret > ARRAY_SIZE(args.args))
return -EINVAL;
+ nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
+ nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
+
/* Copy in args. */
if (copy_from_user(args.args, uargs->args,
nargs * sizeof(rtas_arg_t)) != 0)
--
2.35.5
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
2024-12-13 3:44 haixiao.yan.cn
@ 2024-12-13 11:14 ` Greg KH
2024-12-13 11:15 ` Greg KH
1 sibling, 0 replies; 8+ messages in thread
From: Greg KH @ 2024-12-13 11:14 UTC (permalink / raw)
To: haixiao.yan.cn
Cc: nathanl, mpe, benh, paulus, linuxppc-dev, linux-kernel, stable,
haixiao.yan.cn
On Fri, Dec 13, 2024 at 11:44:22AM +0800, haixiao.yan.cn@eng.windriver.com wrote:
> From: Nathan Lynch <nathanl@linux.ibm.com>
>
> [ Upstream commit 0974d03eb479384466d828d65637814bee6b26d7 ]
>
> Smatch warns:
>
> arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential
> spectre issue 'args.args' [r] (local cap)
>
> The 'nargs' and 'nret' locals come directly from a user-supplied
> buffer and are used as indexes into a small stack-based array and as
> inputs to copy_to_user() after they are subject to bounds checks.
>
> Use array_index_nospec() after the bounds checks to clamp these values
> for speculative execution.
>
> Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
> Reported-by: Breno Leitao <leitao@debian.org>
> Reviewed-by: Breno Leitao <leitao@debian.org>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
> Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm.com
> Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
> ---
> This commit is backporting 0974d03eb479 to the branch linux-5.15.y to
> solve the CVE-2024-46774.
Now deleted, please see:
https://lore.kernel.org/r/2024121322-conjuror-gap-b542@gregkh
for what you all need to do, TOGETHER, to get this fixed and so that I
can accept patches from your company in the future.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
2024-12-13 3:44 haixiao.yan.cn
2024-12-13 11:14 ` Greg KH
@ 2024-12-13 11:15 ` Greg KH
1 sibling, 0 replies; 8+ messages in thread
From: Greg KH @ 2024-12-13 11:15 UTC (permalink / raw)
To: haixiao.yan.cn
Cc: nathanl, mpe, benh, paulus, linuxppc-dev, linux-kernel, stable,
haixiao.yan.cn
On Fri, Dec 13, 2024 at 11:44:22AM +0800, haixiao.yan.cn@eng.windriver.com wrote:
> From: Nathan Lynch <nathanl@linux.ibm.com>
>
> [ Upstream commit 0974d03eb479384466d828d65637814bee6b26d7 ]
>
Now deleted, please see:
https://lore.kernel.org/r/2024121322-conjuror-gap-b542@gregkh
for what you all need to do, TOGETHER, to get this fixed and so that I
can accept patches from your company in the future.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2024-12-13 11:15 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-31 0:44 [PATCH] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Nathan Lynch via B4 Relay
2024-05-31 13:45 ` Breno Leitao
2024-05-31 16:45 ` Nathan Lynch
2024-05-31 17:20 ` Breno Leitao
2024-07-06 23:10 ` Michael Ellerman
-- strict thread matches above, loose matches on Subject: below --
2024-12-13 3:44 haixiao.yan.cn
2024-12-13 11:14 ` Greg KH
2024-12-13 11:15 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).