From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Robin Murphy <robin.murphy@arm.com>,
Will Deacon <will.deacon@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Greg Hackmann <ghackmann@google.com>,
Mark Rutland <mark.rutland@arm.com>
Subject: [PATCH 4.9 14/66] arm64: Use pointer masking to limit uaccess speculation
Date: Tue, 17 Apr 2018 17:58:47 +0200 [thread overview]
Message-ID: <20180417155646.457770527@linuxfoundation.org> (raw)
In-Reply-To: <20180417155645.868055442@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
From: Robin Murphy <robin.murphy@arm.com>
commit 4d8efc2d5ee4c9ccfeb29ee8afd47a8660d0c0ce upstream.
Similarly to x86, mitigate speculation past an access_ok() check by
masking the pointer against the address limit before use.
Even if we don't expect speculative writes per se, it is plausible that
a CPU may still speculate at least as far as fetching a cache line for
writing, hence we also harden put_user() and clear_user() for peace of
mind.
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com> [v4.9 backport]
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/uaccess.h | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -129,6 +129,26 @@ static inline unsigned long __range_ok(u
" .popsection\n"
/*
+ * Sanitise a uaccess pointer such that it becomes NULL if above the
+ * current addr_limit.
+ */
+#define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr)
+static inline void __user *__uaccess_mask_ptr(const void __user *ptr)
+{
+ void __user *safe_ptr;
+
+ asm volatile(
+ " bics xzr, %1, %2\n"
+ " csel %0, %1, xzr, eq\n"
+ : "=&r" (safe_ptr)
+ : "r" (ptr), "r" (current_thread_info()->addr_limit)
+ : "cc");
+
+ csdb();
+ return safe_ptr;
+}
+
+/*
* The "__xxx" versions of the user access functions do not verify the address
* space - it must have been done previously with a separate "access_ok()"
* call.
@@ -202,7 +222,7 @@ do { \
__typeof__(*(ptr)) __user *__p = (ptr); \
might_fault(); \
access_ok(VERIFY_READ, __p, sizeof(*__p)) ? \
- __get_user((x), __p) : \
+ __p = uaccess_mask_ptr(__p), __get_user((x), __p) : \
((x) = 0, -EFAULT); \
})
@@ -270,7 +290,7 @@ do { \
__typeof__(*(ptr)) __user *__p = (ptr); \
might_fault(); \
access_ok(VERIFY_WRITE, __p, sizeof(*__p)) ? \
- __put_user((x), __p) : \
+ __p = uaccess_mask_ptr(__p), __put_user((x), __p) : \
-EFAULT; \
})
@@ -331,7 +351,7 @@ static inline unsigned long __must_check
static inline unsigned long __must_check clear_user(void __user *to, unsigned long n)
{
if (access_ok(VERIFY_WRITE, to, n))
- n = __clear_user(to, n);
+ n = __clear_user(__uaccess_mask_ptr(to), n);
return n;
}
next prev parent reply other threads:[~2018-04-17 16:08 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-17 15:58 [PATCH 4.9 00/66] 4.9.95-stable review Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 01/66] media: v4l2-compat-ioctl32: dont oops on overlay Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 02/66] parisc: Fix out of array access in match_pci_device() Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 03/66] Drivers: hv: vmbus: do not mark HV_PCIE as perf_device Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 04/66] perf intel-pt: Fix overlap detection to identify consecutive buffers correctly Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 05/66] perf intel-pt: Fix sync_switch Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 06/66] perf intel-pt: Fix error recovery from missing TIP packet Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 07/66] perf intel-pt: Fix timestamp following overflow Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 08/66] perf/core: Fix use-after-free in uprobe_perf_close() Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 10/66] arm64: barrier: Add CSDB macros to control data-value prediction Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 11/66] arm64: Implement array_index_mask_nospec() Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 12/66] arm64: move TASK_* definitions to <asm/processor.h> Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 13/66] arm64: Make USER_DS an inclusive limit Greg Kroah-Hartman
2018-04-17 15:58 ` Greg Kroah-Hartman [this message]
2018-04-17 15:58 ` [PATCH 4.9 15/66] arm64: entry: Ensure branch through syscall table is bounded under speculation Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 16/66] arm64: uaccess: Prevent speculative use of the current addr_limit Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 17/66] arm64: uaccess: Dont bother eliding access_ok checks in __{get, put}_user Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 18/66] arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 19/66] arm64: cpufeature: __this_cpu_has_cap() shouldnt stop early Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 20/66] arm64: Run enable method for errata work arounds on late CPUs Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 21/66] arm64: cpufeature: Pass capability structure to ->enable callback Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 22/66] drivers/firmware: Expose psci_get_version through psci_ops structure Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 23/66] arm64: Factor out TTBR0_EL1 post-update workaround into a specific asm macro Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 24/66] arm64: Move post_ttbr_update_workaround to C code Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 25/66] arm64: Add skeleton to harden the branch predictor against aliasing attacks Greg Kroah-Hartman
2018-04-17 15:58 ` [PATCH 4.9 26/66] arm64: Move BP hardening to check_and_switch_context Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 27/66] mm: Introduce lm_alias Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 28/66] arm64: KVM: Use per-CPU vector when BP hardening is enabled Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 29/66] arm64: entry: Apply BP hardening for high-priority synchronous exceptions Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 30/66] arm64: entry: Apply BP hardening for suspicious interrupts from EL0 Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 31/66] arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75 Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 32/66] arm64: cpu_errata: Allow an erratum to be match for all revisions of a core Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 33/66] arm64: Implement branch predictor hardening for affected Cortex-A CPUs Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 34/66] arm64: Branch predictor hardening for Cavium ThunderX2 Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 35/66] arm64: KVM: Increment PC after handling an SMC trap Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 36/66] arm/arm64: KVM: Consolidate the PSCI include files Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 37/66] arm/arm64: KVM: Add PSCI_VERSION helper Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 38/66] arm/arm64: KVM: Add smccc accessors to PSCI code Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 39/66] arm/arm64: KVM: Implement PSCI 1.0 support Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 40/66] arm/arm64: KVM: Advertise SMCCC v1.1 Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 41/66] arm64: KVM: Make PSCI_VERSION a fast path Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 42/66] arm/arm64: KVM: Turn kvm_psci_version into a static inline Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 43/66] arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 44/66] arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 45/66] firmware/psci: Expose PSCI conduit Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 46/66] firmware/psci: Expose SMCCC version through psci_ops Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 47/66] arm/arm64: smccc: Make function identifiers an unsigned quantity Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 48/66] arm/arm64: smccc: Implement SMCCC v1.1 inline primitive Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 49/66] arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 50/66] arm64: Kill PSCI_GET_VERSION as a variant-2 workaround Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 51/66] sunrpc: remove incorrect HMAC request initialization Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 52/66] Revert "perf tests: Decompress kernel module before objdump" Greg Kroah-Hartman
2018-09-05 18:50 ` Florian Fainelli
2018-09-05 19:29 ` Greg Kroah-Hartman
2018-09-05 20:08 ` Florian Fainelli
2018-04-17 15:59 ` [PATCH 4.9 53/66] block/loop: fix deadlock after loop_set_status Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 54/66] nfit: fix region registration vs block-data-window ranges Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 55/66] s390/qdio: dont retry EQBS after CCQ 96 Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 56/66] s390/qdio: dont merge ERROR output buffers Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 57/66] s390/ipl: ensure loadparm valid flag is set Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 58/66] getname_kernel() needs to make sure that ->name != ->iname in long case Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 59/66] Bluetooth: Fix connection if directed advertising and privacy is used Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 60/66] rtl8187: Fix NULL pointer dereference in priv->conf_mutex Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 61/66] hwmon: (ina2xx) Fix access to uninitialized mutex Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 62/66] cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 63/66] rds: MP-RDS may use an invalid c_path Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 64/66] slip: Check if rstate is initialized before uncompressing Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 65/66] vhost: fix vhost_vq_access_ok() log check Greg Kroah-Hartman
2018-04-17 15:59 ` [PATCH 4.9 66/66] lan78xx: Correctly indicate invalid OTP Greg Kroah-Hartman
2018-04-17 21:04 ` [PATCH 4.9 00/66] 4.9.95-stable review Shuah Khan
2018-04-18 15:38 ` Guenter Roeck
2018-04-18 17:42 ` Dan Rue
2018-04-19 7:56 ` Greg Kroah-Hartman
2018-04-19 11:12 ` Naresh Kamboju
2018-04-19 12:09 ` Ben Hutchings
2018-04-19 12:30 ` Naresh Kamboju
2018-04-19 13:21 ` Dan Rue
2018-04-19 14:03 ` Greg Kroah-Hartman
2018-04-19 20:04 ` Dan Rue
2018-04-20 6:27 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180417155646.457770527@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=catalin.marinas@arm.com \
--cc=ghackmann@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=robin.murphy@arm.com \
--cc=stable@vger.kernel.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).