From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: ACJfBovTK+LUyIC7jt+chod9PVxtE4kreUwwW5e8we4yT86dklkAW11rqGTL8iIl2iA4HaRBbOlg ARC-Seal: i=1; a=rsa-sha256; t=1516320665; cv=none; d=google.com; s=arc-20160816; b=DlDir0X54rfsouxuGBXNAvf6oBwGonumWqyGPqw0yitScgIIeC2UO5O9wLBbgPVE+k 5ZUVc0or7YxLRNKWjIICEPhgVJwmQiOskMUtnspZfzUspcBpGJVBZJv4TMq1cFoHEM65 r62+PYife1DmV/mtqI+RAdi4YniTuJZyQW74qnORM/Y71VZGgC8ntG6zRpQAeZpFA44A KILnkhDxJTLcxrtENjtJSZ8yH9sWMOUH9vxhMVtGyjzJ6bhK08XRCQuGnmJhAAsy8bSo ATObsWEQ0CaCQa9nZGS4Zd0tckRJepu/wAf/MWXcOTUB5gEy+2zdInU/rLfj6x3QmXoP tUEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:message-id:date:cc:to:from:subject :arc-authentication-results; bh=aQONaGOklx2q0QKWlFKd13eyF9mpd/V6IBCE5Bvw2Yo=; b=lCJf3Mmo41nKr5TIwRqkhulinCr4G8Uxaj+a1vuO7O4eqPwQuf1IxEyD8HjxW6/FMU cDsoLWuIjs66SA981vV5vlXnx7gwX01xZO1Vj5Nt39fF+LGKHGPEftA2LkEdD+MT4AWS O7MIACYqCyV2CPEjtd4f7NN0LzbHwWbMDJRi1CeDuP72mNeI/jCQavTYY0C7u8o4CgOu ak9WJlReZLaFafxNthO1+RdcNYN/PTSyECm9SwKPU0W6dyx0iava1eAAbA1vz+CCoOWE E+9SbkU1ZuNCpDsP0F/dcmLXAEt6YHedwrVcO4b1MCUcA5HUn21R6dQC19tDI3+mSAL9 1O5A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dan.j.williams@intel.com designates 192.55.52.120 as permitted sender) smtp.mailfrom=dan.j.williams@intel.com Authentication-Results: mx.google.com; spf=pass (google.com: domain of dan.j.williams@intel.com designates 192.55.52.120 as permitted sender) smtp.mailfrom=dan.j.williams@intel.com X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,379,1511856000"; d="scan'208";a="196773624" Subject: [PATCH v4 04/10] x86: introduce __uaccess_begin_nospec and ifence From: Dan Williams To: linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, Tom Lendacky , Andi Kleen , Kees Cook , kernel-hardening@lists.openwall.com, gregkh@linuxfoundation.org, x86@kernel.org, Ingo Molnar , Al Viro , "H. Peter Anvin" , tglx@linutronix.de, torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@linux.intel.com Bcc: dan.j.williams@intel.com Date: Thu, 18 Jan 2018 16:01:58 -0800 Message-ID: <151632011850.21271.10818623225693888975.stgit@dwillia2-desk3.amr.corp.intel.com> In-Reply-To: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> User-Agent: StGit/0.17.1-9-g687f MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: =?utf-8?q?1589977457964032909?= X-GMAIL-MSGID: =?utf-8?q?1589977457964032909?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: For '__get_user' paths, do not allow the kernel to speculate on the value of a user controlled pointer. In addition to the 'stac' instruction for Supervisor Mode Access Protection, an 'ifence' causes the 'access_ok' result to resolve in the pipeline before the cpu might take any speculative action on the pointer value. Since __get_user is a major kernel interface that deals with user controlled pointers, the '__uaccess_begin_nospec' mechanism will prevent speculative execution past an 'access_ok' permission check. While speculative execution past 'access_ok' is not enough to lead to a kernel memory leak, it is a necessary precondition. To be clear, '__uaccess_begin_nospec' is addressing a class of potential problems near '__get_user' usages. Note, that while ifence is used to protect '__get_user', pointer masking will be used for 'get_user' since it incorporates a bounds check near the usage. There are no functional changes in this patch. Suggested-by: Linus Torvalds Suggested-by: Andi Kleen Cc: Tom Lendacky Cc: Al Viro Cc: Kees Cook Cc: Thomas Gleixner Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: x86@kernel.org Signed-off-by: Dan Williams --- arch/x86/include/asm/barrier.h | 4 ++++ arch/x86/include/asm/msr.h | 3 +-- arch/x86/include/asm/uaccess.h | 9 +++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h index 67f6d4707a2c..0f48c832d1fb 100644 --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -48,6 +48,10 @@ static inline unsigned long array_ptr_mask(unsigned long idx, unsigned long sz) return mask; } +/* prevent speculative execution past this barrier */ +#define ifence() alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, \ + "lfence", X86_FEATURE_LFENCE_RDTSC) + #ifdef CONFIG_X86_PPRO_FENCE #define dma_rmb() rmb() #else diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h index 07962f5f6fba..e426d2a33ff3 100644 --- a/arch/x86/include/asm/msr.h +++ b/arch/x86/include/asm/msr.h @@ -214,8 +214,7 @@ static __always_inline unsigned long long rdtsc_ordered(void) * that some other imaginary CPU is updating continuously with a * time stamp. */ - alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, - "lfence", X86_FEATURE_LFENCE_RDTSC); + ifence(); return rdtsc(); } diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 574dff4d2913..626caf58183a 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -124,6 +124,11 @@ extern int __get_user_bad(void); #define __uaccess_begin() stac() #define __uaccess_end() clac() +#define __uaccess_begin_nospec() \ +({ \ + stac(); \ + ifence(); \ +}) /* * This is a type: either unsigned long, if the argument fits into @@ -487,6 +492,10 @@ struct __large_struct { unsigned long buf[100]; }; __uaccess_begin(); \ barrier(); +#define uaccess_try_nospec do { \ + current->thread.uaccess_err = 0; \ + __uaccess_begin_nospec(); \ + #define uaccess_catch(err) \ __uaccess_end(); \ (err) |= (current->thread.uaccess_err ? -EFAULT : 0); \ From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Williams Date: Thu, 18 Jan 2018 16:01:58 -0800 Message-ID: <151632011850.21271.10818623225693888975.stgit@dwillia2-desk3.amr.corp.intel.com> In-Reply-To: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Subject: [kernel-hardening] [PATCH v4 04/10] x86: introduce __uaccess_begin_nospec and ifence To: linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, Tom Lendacky , Andi Kleen , Kees Cook , kernel-hardening@lists.openwall.com, gregkh@linuxfoundation.org, x86@kernel.org, Ingo Molnar , Al Viro , "H. Peter Anvin" , tglx@linutronix.de, torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@linux.intel.com List-ID: For '__get_user' paths, do not allow the kernel to speculate on the value of a user controlled pointer. In addition to the 'stac' instruction for Supervisor Mode Access Protection, an 'ifence' causes the 'access_ok' result to resolve in the pipeline before the cpu might take any speculative action on the pointer value. Since __get_user is a major kernel interface that deals with user controlled pointers, the '__uaccess_begin_nospec' mechanism will prevent speculative execution past an 'access_ok' permission check. While speculative execution past 'access_ok' is not enough to lead to a kernel memory leak, it is a necessary precondition. To be clear, '__uaccess_begin_nospec' is addressing a class of potential problems near '__get_user' usages. Note, that while ifence is used to protect '__get_user', pointer masking will be used for 'get_user' since it incorporates a bounds check near the usage. There are no functional changes in this patch. Suggested-by: Linus Torvalds Suggested-by: Andi Kleen Cc: Tom Lendacky Cc: Al Viro Cc: Kees Cook Cc: Thomas Gleixner Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: x86@kernel.org Signed-off-by: Dan Williams --- arch/x86/include/asm/barrier.h | 4 ++++ arch/x86/include/asm/msr.h | 3 +-- arch/x86/include/asm/uaccess.h | 9 +++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h index 67f6d4707a2c..0f48c832d1fb 100644 --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -48,6 +48,10 @@ static inline unsigned long array_ptr_mask(unsigned long idx, unsigned long sz) return mask; } +/* prevent speculative execution past this barrier */ +#define ifence() alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, \ + "lfence", X86_FEATURE_LFENCE_RDTSC) + #ifdef CONFIG_X86_PPRO_FENCE #define dma_rmb() rmb() #else diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h index 07962f5f6fba..e426d2a33ff3 100644 --- a/arch/x86/include/asm/msr.h +++ b/arch/x86/include/asm/msr.h @@ -214,8 +214,7 @@ static __always_inline unsigned long long rdtsc_ordered(void) * that some other imaginary CPU is updating continuously with a * time stamp. */ - alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, - "lfence", X86_FEATURE_LFENCE_RDTSC); + ifence(); return rdtsc(); } diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 574dff4d2913..626caf58183a 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -124,6 +124,11 @@ extern int __get_user_bad(void); #define __uaccess_begin() stac() #define __uaccess_end() clac() +#define __uaccess_begin_nospec() \ +({ \ + stac(); \ + ifence(); \ +}) /* * This is a type: either unsigned long, if the argument fits into @@ -487,6 +492,10 @@ struct __large_struct { unsigned long buf[100]; }; __uaccess_begin(); \ barrier(); +#define uaccess_try_nospec do { \ + current->thread.uaccess_err = 0; \ + __uaccess_begin_nospec(); \ + #define uaccess_catch(err) \ __uaccess_end(); \ (err) |= (current->thread.uaccess_err ? -EFAULT : 0); \