From: Viresh Kumar <viresh.kumar@linaro.org>
To: stable@vger.kernel.org
Cc: Viresh Kumar <viresh.kumar@linaro.org>,
Julien Thierry <Julien.Thierry@arm.com>,
linux-arm-kernel@lists.infradead.org,
Catalin Marinas <catalin.marinas@arm.com>,
Marc Zyngier <marc.zyngier@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Will Deacon <will.deacon@arm.com>,
Russell King <rmk+kernel@arm.linux.org.uk>,
Vincent Guittot <vincent.guittot@linaro.org>,
mark.brown@arm.com, guohanjun@huawei.com
Subject: [PATCH ARM32 v4.4 V2 27/47] ARM: spectre-v1: mitigate user accesses
Date: Thu, 1 Aug 2019 13:46:11 +0530 [thread overview]
Message-ID: <86231c8cbaacc44285a235db704e1029ae8ec64a.1564646727.git.viresh.kumar@linaro.org> (raw)
In-Reply-To: <cover.1564646727.git.viresh.kumar@linaro.org>
From: Russell King <rmk+kernel@armlinux.org.uk>
Commit a3c0f84765bb429ba0fd23de1c57b5e1591c9389 upstream.
Spectre variant 1 attacks are about this sequence of pseudo-code:
index = load(user-manipulated pointer);
access(base + index * stride);
In order for the cache side-channel to work, the access() must me made
to memory which userspace can detect whether cache lines have been
loaded. On 32-bit ARM, this must be either user accessible memory, or
a kernel mapping of that same user accessible memory.
The problem occurs when the load() speculatively loads privileged data,
and the subsequent access() is made to user accessible memory.
Any load() which makes use of a user-maniplated pointer is a potential
problem if the data it has loaded is used in a subsequent access. This
also applies for the access() if the data loaded by that access is used
by a subsequent access.
Harden the get_user() accessors against Spectre attacks by forcing out
of bounds addresses to a NULL pointer. This prevents get_user() being
used as the load() step above. As a side effect, put_user() will also
be affected even though it isn't implicated.
Also harden copy_from_user() by redoing the bounds check within the
arm_copy_from_user() code, and NULLing the pointer if out of bounds.
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: David A. Long <dave.long@linaro.org>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
---
arch/arm/include/asm/assembler.h | 4 ++++
arch/arm/lib/copy_from_user.S | 9 +++++++++
2 files changed, 13 insertions(+)
diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
index 307901f88a1e..483481c6937e 100644
--- a/arch/arm/include/asm/assembler.h
+++ b/arch/arm/include/asm/assembler.h
@@ -454,6 +454,10 @@ THUMB( orr \reg , \reg , #PSR_T_BIT )
adds \tmp, \addr, #\size - 1
sbcccs \tmp, \tmp, \limit
bcs \bad
+#ifdef CONFIG_CPU_SPECTRE
+ movcs \addr, #0
+ csdb
+#endif
#endif
.endm
diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
index 1512bebfbf1b..d36329cefedc 100644
--- a/arch/arm/lib/copy_from_user.S
+++ b/arch/arm/lib/copy_from_user.S
@@ -90,6 +90,15 @@
.text
ENTRY(arm_copy_from_user)
+#ifdef CONFIG_CPU_SPECTRE
+ get_thread_info r3
+ ldr r3, [r3, #TI_ADDR_LIMIT]
+ adds ip, r1, r2 @ ip=addr+size
+ sub r3, r3, #1 @ addr_limit - 1
+ cmpcc ip, r3 @ if (addr+size > addr_limit - 1)
+ movcs r1, #0 @ addr = NULL
+ csdb
+#endif
#include "copy_template.S"
--
2.21.0.rc0.269.g1a574e7a288b
WARNING: multiple messages have this Message-ID (diff)
From: Viresh Kumar <viresh.kumar@linaro.org>
To: stable@vger.kernel.org
Cc: Mark Rutland <mark.rutland@arm.com>,
Julien Thierry <Julien.Thierry@arm.com>,
Marc Zyngier <marc.zyngier@arm.com>,
Viresh Kumar <viresh.kumar@linaro.org>,
guohanjun@huawei.com, Will Deacon <will.deacon@arm.com>,
mark.brown@arm.com, Catalin Marinas <catalin.marinas@arm.com>,
Russell King <rmk+kernel@arm.linux.org.uk>,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH ARM32 v4.4 V2 27/47] ARM: spectre-v1: mitigate user accesses
Date: Thu, 1 Aug 2019 13:46:11 +0530 [thread overview]
Message-ID: <86231c8cbaacc44285a235db704e1029ae8ec64a.1564646727.git.viresh.kumar@linaro.org> (raw)
In-Reply-To: <cover.1564646727.git.viresh.kumar@linaro.org>
From: Russell King <rmk+kernel@armlinux.org.uk>
Commit a3c0f84765bb429ba0fd23de1c57b5e1591c9389 upstream.
Spectre variant 1 attacks are about this sequence of pseudo-code:
index = load(user-manipulated pointer);
access(base + index * stride);
In order for the cache side-channel to work, the access() must me made
to memory which userspace can detect whether cache lines have been
loaded. On 32-bit ARM, this must be either user accessible memory, or
a kernel mapping of that same user accessible memory.
The problem occurs when the load() speculatively loads privileged data,
and the subsequent access() is made to user accessible memory.
Any load() which makes use of a user-maniplated pointer is a potential
problem if the data it has loaded is used in a subsequent access. This
also applies for the access() if the data loaded by that access is used
by a subsequent access.
Harden the get_user() accessors against Spectre attacks by forcing out
of bounds addresses to a NULL pointer. This prevents get_user() being
used as the load() step above. As a side effect, put_user() will also
be affected even though it isn't implicated.
Also harden copy_from_user() by redoing the bounds check within the
arm_copy_from_user() code, and NULLing the pointer if out of bounds.
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: David A. Long <dave.long@linaro.org>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
---
arch/arm/include/asm/assembler.h | 4 ++++
arch/arm/lib/copy_from_user.S | 9 +++++++++
2 files changed, 13 insertions(+)
diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
index 307901f88a1e..483481c6937e 100644
--- a/arch/arm/include/asm/assembler.h
+++ b/arch/arm/include/asm/assembler.h
@@ -454,6 +454,10 @@ THUMB( orr \reg , \reg , #PSR_T_BIT )
adds \tmp, \addr, #\size - 1
sbcccs \tmp, \tmp, \limit
bcs \bad
+#ifdef CONFIG_CPU_SPECTRE
+ movcs \addr, #0
+ csdb
+#endif
#endif
.endm
diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
index 1512bebfbf1b..d36329cefedc 100644
--- a/arch/arm/lib/copy_from_user.S
+++ b/arch/arm/lib/copy_from_user.S
@@ -90,6 +90,15 @@
.text
ENTRY(arm_copy_from_user)
+#ifdef CONFIG_CPU_SPECTRE
+ get_thread_info r3
+ ldr r3, [r3, #TI_ADDR_LIMIT]
+ adds ip, r1, r2 @ ip=addr+size
+ sub r3, r3, #1 @ addr_limit - 1
+ cmpcc ip, r3 @ if (addr+size > addr_limit - 1)
+ movcs r1, #0 @ addr = NULL
+ csdb
+#endif
#include "copy_template.S"
--
2.21.0.rc0.269.g1a574e7a288b
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-08-01 8:20 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-01 8:15 [PATCH ARM32 v4.4 V2 00/47] V4.4 backport of arm32 Spectre patches Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 01/47] ARM: 8478/2: arm/arm64: add arm-smccc Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 02/47] arm/arm64: KVM: Advertise SMCCC v1.1 Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 03/47] arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 04/47] drivers/firmware: Expose psci_get_version through psci_ops structure Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 05/47] firmware/psci: Expose PSCI conduit Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 06/47] firmware/psci: Expose SMCCC version through psci_ops Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 07/47] arm/arm64: smccc: Make function identifiers an unsigned quantity Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 08/47] arm/arm64: smccc: Implement SMCCC v1.1 inline primitive Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 09/47] ARM: add more CPU part numbers for Cortex and Brahma B15 CPUs Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 10/47] ARM: bugs: prepare processor bug infrastructure Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 11/47] ARM: bugs: hook processor bug checking into SMP and suspend paths Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 12/47] ARM: bugs: add support for per-processor bug checking Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 13/47] ARM: spectre: add Kconfig symbol for CPUs vulnerable to Spectre Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 14/47] ARM: spectre-v2: harden branch predictor on context switches Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:15 ` [PATCH ARM32 v4.4 V2 15/47] ARM: spectre-v2: add Cortex A8 and A15 validation of the IBE bit Viresh Kumar
2019-08-01 8:15 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 16/47] ARM: spectre-v2: harden user aborts in kernel space Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 17/47] ARM: spectre-v2: add firmware based hardening Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 18/47] ARM: spectre-v2: warn about incorrect context switching functions Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 19/47] ARM: spectre-v1: add speculation barrier (csdb) macros Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 20/47] ARM: spectre-v1: add array_index_mask_nospec() implementation Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 21/47] ARM: spectre-v1: fix syscall entry Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 22/47] ARM: signal: copy registers using __copy_from_user() Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 23/47] ARM: vfp: use __copy_from_user() when restoring VFP state Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 24/47] ARM: oabi-compat: copy semops using __copy_from_user() Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 25/47] ARM: use __inttype() in get_user() Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 26/47] ARM: spectre-v1: use get_user() for __get_user() Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar [this message]
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 27/47] ARM: spectre-v1: mitigate user accesses Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 28/47] ARM: 8789/1: signal: copy registers using __copy_to_user() Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 29/47] ARM: 8791/1: vfp: use __copy_to_user() when saving VFP state Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 30/47] ARM: 8792/1: oabi-compat: copy oabi events using __copy_to_user() Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 31/47] ARM: 8793/1: signal: replace __put_user_error with __put_user Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 32/47] ARM: 8794/1: uaccess: Prevent speculative use of the current addr_limit Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 33/47] ARM: uaccess: remove put_user() code duplication Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 34/47] ARM: 8795/1: spectre-v1.1: use put_user() for __put_user() Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 35/47] ARM: 8796/1: spectre-v1,v1.1: provide helpers for address sanitization Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 35/47] ARM: 8796/1: spectre-v1, v1.1: " Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 36/47] ARM: 8797/1: spectre-v1.1: harden __copy_to_user Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 37/47] ARM: 8809/1: proc-v7: fix Thumb annotation of cpu_v7_hvc_switch_mm Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 38/47] ARM: 8810/1: vfp: Fix wrong assignement to ufp_exc Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 39/47] ARM: make lookup_processor_type() non-__init Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 40/47] ARM: split out processor lookup Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 41/47] ARM: clean up per-processor check_bugs method call Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 42/47] ARM: add PROC_VTABLE and PROC_TABLE macros Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 43/47] arch: Introduce post-init read-only memory Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 44/47] ARM: 8595/2: apply more __ro_after_init Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 45/47] ARM: spectre-v2: per-CPU vtables to work around big.Little systems Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 46/47] ARM: ensure that processor vtables is not lost after boot Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-01 8:16 ` [PATCH ARM32 v4.4 V2 47/47] ARM: fix the cockup in the previous patch Viresh Kumar
2019-08-01 8:16 ` Viresh Kumar
2019-08-29 11:40 ` [PATCH ARM32 v4.4 V2 00/47] V4.4 backport of arm32 Spectre patches Viresh Kumar
2019-08-29 11:40 ` Viresh Kumar
2019-10-11 6:35 ` Viresh Kumar
2019-10-11 6:35 ` Viresh Kumar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86231c8cbaacc44285a235db704e1029ae8ec64a.1564646727.git.viresh.kumar@linaro.org \
--to=viresh.kumar@linaro.org \
--cc=Julien.Thierry@arm.com \
--cc=catalin.marinas@arm.com \
--cc=guohanjun@huawei.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=marc.zyngier@arm.com \
--cc=mark.brown@arm.com \
--cc=mark.rutland@arm.com \
--cc=rmk+kernel@arm.linux.org.uk \
--cc=stable@vger.kernel.org \
--cc=vincent.guittot@linaro.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.