From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: ACJfBoud1wqBUctKOZtzl8+ymT/vEwqXoBjE9C0+CD8/wULzqp1xupJyJkZr/KyEVFrUlUFEhynH ARC-Seal: i=1; a=rsa-sha256; t=1516320686; cv=none; d=google.com; s=arc-20160816; b=tDtabAPAiSmIVItj/7MAbSXOodCWZfEmqZsKCl2vf8n1CBZDAhMQCgm640WxssVotu YOuRtLMmmu4/QONSy8SEFZ7cZT8zgX3e+gAbJySu9CRyTIeP23CwIY11u0C4snDk7n01 73sepCF1fVMczVVVVrxBhWpcHteGHjwmqhtmPM0ANjzm4y/pYXvybZjdcXKHy7gMYHaL g0a+0ypOPserLnFYPuMu1/+Vvjpk1ommk5CzhWs/mDwjrNVSoATlNX7lX3G2SRSuMaBE 7tS+kH1GXSoA53Ntu+ukA/H/AuKF9wpmEv4APPHjZgFeNtKjLGm6j4jChVcdcRLwUjJ/ 1nSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:message-id:date:cc:to:from:subject :arc-authentication-results; bh=GA/W8M5p81MH7kcJzfbDnEfPaSnOL9BfuL+E7z4PyFc=; b=CmP4us4SBHHiNNe24fSc5WjxI2Hv+HQE1TcyUjQtKzdA3MIV8U/YmkJ2olJKKrw8vz b7QF7VpA+V9Rt6qdwF2xa0IL+se+B/TI7Rf6wT3d6c9CsKUbrWRUug+3uTzoI6HiIkBy 6hrVT0BiOijPaSDsRvFrSVufx5wdedyYNH9Sh9iIFWpPnYX1m1lpqMEDpOopXfJPUk8K vhOEhzwNiHF3yaaUkvg3ypicLhXHOaQar86jSq26z+oIvgMyHIiZUJ4UAjxd8wTCCOhg 04Nq+e9ay9LgZhubzpcU3+QZ4KQW74sQ+7FyDUZ+fJNrn/8En83HOApCRaEXIdVARNB9 Jg6g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dan.j.williams@intel.com designates 134.134.136.24 as permitted sender) smtp.mailfrom=dan.j.williams@intel.com Authentication-Results: mx.google.com; spf=pass (google.com: domain of dan.j.williams@intel.com designates 134.134.136.24 as permitted sender) smtp.mailfrom=dan.j.williams@intel.com X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,379,1511856000"; d="scan'208";a="10885770" Subject: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation 
From: Dan Williams To: linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, gregkh@linuxfoundation.org, x86@kernel.org, Ingo Molnar , Andy Lutomirski , "H. Peter Anvin" , tglx@linutronix.de, torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@linux.intel.com Bcc: dan.j.williams@intel.com Date: Thu, 18 Jan 2018 16:02:21 -0800 Message-ID: <151632014097.21271.16980532033566583357.stgit@dwillia2-desk3.amr.corp.intel.com> In-Reply-To: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> User-Agent: StGit/0.17.1-9-g687f MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: =?utf-8?q?1589977480308913684?= X-GMAIL-MSGID: =?utf-8?q?1589977480308913684?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: The syscall table base is a user controlled function pointer in kernel space. Like, 'get_user, use 'MASK_NOSPEC' to prevent any out of bounds speculation. While retpoline prevents speculating into the user controlled target it does not stop the pointer de-reference, the concern is leaking memory relative to the syscall table base. Reported-by: Linus Torvalds Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: x86@kernel.org Cc: Andy Lutomirski Signed-off-by: Dan Williams
---
 arch/x86/entry/entry_64.S | 2 ++
 arch/x86/include/asm/smap.h | 9 ++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 4f8e1d35a97c..2320017077d4 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -264,6 +265,7 @@ entry_SYSCALL_64_fastpath:
 cmpl $__NR_syscall_max, %eax
 #endif
 ja 1f /* return -ENOSYS (already in pt_regs->ax) */
+ MASK_NOSPEC %r11 %rax /* sanitize syscall_nr wrt speculation */
 movq %r10, %rcx
 /*
diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
index 2b4ad4c6a226..3b5b2cf58dc6 100644
--- a/arch/x86/include/asm/smap.h
+++ b/arch/x86/include/asm/smap.h
@@ -35,7 +35,14 @@
 * this directs the cpu to speculate with a NULL ptr rather than
 * something targeting kernel memory.
 *
- * assumes CF is set from a previous 'cmp TASK_addr_limit, %ptr'
+ * In the syscall entry path it is possible to speculate past the
+ * validation of the system call number. Use MASK_NOSPEC to sanitize the
+ * syscall array index to zero (sys_read) rather than an arbitrary
+ * target.
+ *
+ * assumes CF is set from a previous 'cmp' i.e.:
+ * cmp TASK_addr_limit, %ptr
+ * cmp __NR_syscall_max, %idx
 */
 .macro MASK_NOSPEC mask val
 sbb \mask, \mask
From mboxrd@z Thu Jan 1 00:00:00 1970
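Review bot: The new `MASK_NOSPEC %r11 %rax` is off by one at the top of the table: `cmpl $__NR_syscall_max, %eax` sets CF only for %eax strictly below `__NR_syscall_max`, yet `ja 1f` also falls through for %eax == `__NR_syscall_max`, where CF is clear, so `sbb \mask, \mask` yields a zero mask and the highest valid syscall number is architecturally (not just speculatively) rewritten to 0, i.e. sys_read. The compare should use the exclusive bound with an unsigned greater-or-equal branch so that CF is set exactly for in-range indices, e.g. `cmpl $NR_syscalls, %eax` / `jae 1f` (NR_syscalls being `__NR_syscall_max + 1`); if the other `#if` arm of this compare, above the hunk, has its own cmp, it presumably needs the same treatment. The `cmp __NR_syscall_max, %idx` example that the smap.h hunk adds to the macro comment documents the same off-by-one and should name the exclusive bound as well. entry_SYSCALL_64_fastpath starts before this hunk and the rest of the macro body (what is done with the mask) lies outside the smap.h hunk, so the masked table dereference itself is not visible here.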
From: Dan Williams Date: Thu, 18 Jan 2018 16:02:21 -0800 Message-ID: <151632014097.21271.16980532033566583357.stgit@dwillia2-desk3.amr.corp.intel.com> In-Reply-To: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Subject: [kernel-hardening] [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation To: linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, gregkh@linuxfoundation.org, x86@kernel.org, Ingo Molnar , Andy Lutomirski , "H. Peter Anvin" , tglx@linutronix.de, torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@linux.intel.com List-ID: The syscall table base is a user controlled function pointer in kernel space. Like, 'get_user, use 'MASK_NOSPEC' to prevent any out of bounds speculation. While retpoline prevents speculating into the user controlled target it does not stop the pointer de-reference, the concern is leaking memory relative to the syscall table base. Reported-by: Linus Torvalds Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: x86@kernel.org Cc: Andy Lutomirski Signed-off-by: Dan Williams
---
 arch/x86/entry/entry_64.S | 2 ++
 arch/x86/include/asm/smap.h | 9 ++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 4f8e1d35a97c..2320017077d4 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -264,6 +265,7 @@ entry_SYSCALL_64_fastpath:
 cmpl $__NR_syscall_max, %eax
 #endif
 ja 1f /* return -ENOSYS (already in pt_regs->ax) */
+ MASK_NOSPEC %r11 %rax /* sanitize syscall_nr wrt speculation */
 movq %r10, %rcx
 /*
diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
index 2b4ad4c6a226..3b5b2cf58dc6 100644
--- a/arch/x86/include/asm/smap.h
+++ b/arch/x86/include/asm/smap.h
@@ -35,7 +35,14 @@
 * this directs the cpu to speculate with a NULL ptr rather than
 * something targeting kernel memory.
 *
- * assumes CF is set from a previous 'cmp TASK_addr_limit, %ptr'
+ * In the syscall entry path it is possible to speculate past the
+ * validation of the system call number. Use MASK_NOSPEC to sanitize the
+ * syscall array index to zero (sys_read) rather than an arbitrary
+ * target.
+ *
+ * assumes CF is set from a previous 'cmp' i.e.:
+ * cmp TASK_addr_limit, %ptr
+ * cmp __NR_syscall_max, %idx
 */
 .macro MASK_NOSPEC mask val
 sbb \mask, \mask