[PATCH] posix-timers: Protect posix clock array access against speculation

[PATCH] posix-timers: Protect posix clock array access against speculation

[Thomas Gleixner]

The (clock) id argument of clockid_to_kclock() comes straight from user
space via various syscalls and is used as index into the posix_clocks
array.

Protect it against spectre v1 array out of bounds speculation.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
---
 kernel/time/posix-timers.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -50,6 +50,7 @@
 #include <linux/export.h>
 #include <linux/hashtable.h>
 #include <linux/compat.h>
+#include <linux/nospec.h>
 
 #include "timekeeping.h"
 #include "posix-timers.h"
@@ -1346,11 +1347,14 @@ static const struct k_clock * const posi
 
 static const struct k_clock *clockid_to_kclock(const clockid_t id)
 {
+	clockid_t idx = id;
+
 	if (id < 0)
 		return (id & CLOCKFD_MASK) == CLOCKFD ?
 			&clock_posix_dynamic : &clock_posix_cpu;
 
 	if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])
 		return NULL;
-	return posix_clocks[id];
+
+	return posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))];
 }

Re: [PATCH] posix-timers: Protect posix clock array access against speculation

[Rasmus Villemoes]

On 2018-02-15 14:27, Thomas Gleixner wrote:
> The (clock) id argument of clockid_to_kclock() comes straight from user
> space via various syscalls and is used as index into the posix_clocks
> array.
> 
> Protect it against spectre v1 array out of bounds speculation.
> 
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Cc: stable@vger.kernel.org
> ---
>  kernel/time/posix-timers.c |    6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> --- a/kernel/time/posix-timers.c
> +++ b/kernel/time/posix-timers.c
> @@ -50,6 +50,7 @@
>  #include <linux/export.h>
>  #include <linux/hashtable.h>
>  #include <linux/compat.h>
> +#include <linux/nospec.h>
>  
>  #include "timekeeping.h"
>  #include "posix-timers.h"
> @@ -1346,11 +1347,14 @@ static const struct k_clock * const posi
>  
>  static const struct k_clock *clockid_to_kclock(const clockid_t id)
>  {
> +	clockid_t idx = id;
> +
>  	if (id < 0)
>  		return (id & CLOCKFD_MASK) == CLOCKFD ?
>  			&clock_posix_dynamic : &clock_posix_cpu;
>  
>  	if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])
>  		return NULL;
> -	return posix_clocks[id];
> +
> +	return posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))];
>  }
> 

Stupid questions from someone trying to learn what the rules for when
and how to apply these _nospec macros:

(1) why introduce the idx var? There's no assignment to it other than
the initialization. Is it some magic in array_index_nospec that prevents
the use of a const-qualified expression?

(2) The line "if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])"
still seems to allow speculatively accessing posix_clocks[id]. Is that
ok, and even if so, wouldn't it be cleaner to elide the
!posix_clocks[id] check and just return the NULL safely fetched from the
array in the following line?

Rasmus

Re: [PATCH] posix-timers: Protect posix clock array access against speculation

[Dan Williams]

On Thu, Feb 15, 2018 at 6:05 AM, Rasmus Villemoes
<rasmus.villemoes@prevas.dk> wrote:
> On 2018-02-15 14:27, Thomas Gleixner wrote:
>> The (clock) id argument of clockid_to_kclock() comes straight from user
>> space via various syscalls and is used as index into the posix_clocks
>> array.
>>
>> Protect it against spectre v1 array out of bounds speculation.
>>
>> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
>> Cc: stable@vger.kernel.org
>> ---
>>  kernel/time/posix-timers.c |    6 +++++-
>>  1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> --- a/kernel/time/posix-timers.c
>> +++ b/kernel/time/posix-timers.c
>> @@ -50,6 +50,7 @@
>>  #include <linux/export.h>
>>  #include <linux/hashtable.h>
>>  #include <linux/compat.h>
>> +#include <linux/nospec.h>
>>
>>  #include "timekeeping.h"
>>  #include "posix-timers.h"
>> @@ -1346,11 +1347,14 @@ static const struct k_clock * const posi
>>
>>  static const struct k_clock *clockid_to_kclock(const clockid_t id)
>>  {
>> +     clockid_t idx = id;
>> +
>>       if (id < 0)
>>               return (id & CLOCKFD_MASK) == CLOCKFD ?
>>                       &clock_posix_dynamic : &clock_posix_cpu;
>>
>>       if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])
>>               return NULL;
>> -     return posix_clocks[id];
>> +
>> +     return posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))];
>>  }
>>
>
> Stupid questions from someone trying to learn what the rules for when
> and how to apply these _nospec macros:
>
> (1) why introduce the idx var? There's no assignment to it other than
> the initialization. Is it some magic in array_index_nospec that prevents
> the use of a const-qualified expression?

It does currently, but perhaps it can be fixed.

>
> (2) The line "if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])"
> still seems to allow speculatively accessing posix_clocks[id]. Is that
> ok, and even if so, wouldn't it be cleaner to elide the
> !posix_clocks[id] check and just return the NULL safely fetched from the
> array in the following line?

Right, this looks broken. I would expect:

        if (id >= ARRAY_SIZE(posix_clocks))
                return NULL;
        idx = array_index_nospec(idx, ARRAY_SIZE(posix_clocks));
        if (!posix_clocks[idx])
                return NULL;
        return posix_clocks[idx];

Re: [PATCH] posix-timers: Protect posix clock array access against speculation

[Thomas Gleixner]

On Thu, 15 Feb 2018, Dan Williams wrote:
> On Thu, Feb 15, 2018 at 6:05 AM, Rasmus Villemoes
> <rasmus.villemoes@prevas.dk> wrote:
> > (2) The line "if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])"
> > still seems to allow speculatively accessing posix_clocks[id]. Is that
> > ok, and even if so, wouldn't it be cleaner to elide the
> > !posix_clocks[id] check and just return the NULL safely fetched from the
> > array in the following line?
> 
> Right, this looks broken. I would expect:

Indeed. Missed that.

>         if (id >= ARRAY_SIZE(posix_clocks))
>                 return NULL;
>         idx = array_index_nospec(idx, ARRAY_SIZE(posix_clocks));
>         if (!posix_clocks[idx])
>                 return NULL;
>         return posix_clocks[idx];

The !posix_clocks[idx] check is pointless and always was.

	if (id >= ARRAY_SIZE(posix_clocks))
		return NULL;

	idx = array_index_nospec(idx, ARRAY_SIZE(posix_clocks));
	return posix_clocks[idx];

is sufficient. It returns NULL for !posix_clocks[idx] anyway.

Thanks,

	tglx

[PATCH V2] posix-timers: Protect posix clock array access against speculation

[Thomas Gleixner]

The clockid argument of clockid_to_kclock() comes straight from user space
via various syscalls and is used as index into the posix_clocks array.

Protect it against spectre v1 array out of bounds speculation. Remove the
redundant check for !posix_clock[id] as this is another source for
speculation and does not provide any advantage over the return
posix_clock[id] path which returns NULL in that case anyway.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
---

V2: Remove the redundant !posix_clocks[id] check.

 kernel/time/posix-timers.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -50,6 +50,7 @@
 #include <linux/export.h>
 #include <linux/hashtable.h>
 #include <linux/compat.h>
+#include <linux/nospec.h>
 
 #include "timekeeping.h"
 #include "posix-timers.h"
@@ -1346,11 +1347,15 @@ static const struct k_clock * const posi
 
 static const struct k_clock *clockid_to_kclock(const clockid_t id)
 {
-	if (id < 0)
+	clockid_t idx = id;
+
+	if (id < 0) {
 		return (id & CLOCKFD_MASK) == CLOCKFD ?
 			&clock_posix_dynamic : &clock_posix_cpu;
+	}
 
-	if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])
+	if (id >= ARRAY_SIZE(posix_clocks))
 		return NULL;
-	return posix_clocks[id];
+
+	return posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))];
 }

Re: [PATCH V2] posix-timers: Protect posix clock array access against speculation

[Peter Zijlstra]

On Thu, Feb 15, 2018 at 05:21:55PM +0100, Thomas Gleixner wrote:
> The clockid argument of clockid_to_kclock() comes straight from user space
> via various syscalls and is used as index into the posix_clocks array.
> 
> Protect it against spectre v1 array out of bounds speculation. Remove the
> redundant check for !posix_clock[id] as this is another source for
> speculation and does not provide any advantage over the return
> posix_clock[id] path which returns NULL in that case anyway.
> 
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Cc: stable@vger.kernel.org

Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>

It might also be useful to figure out why the automation didn't flag
this one, its about as trivial as it gets.

[PATCH] linux/nospec.h: allow index argument to have const-qualified type

[Rasmus Villemoes]

The last expression in a statement expression need not be a bare
variable, quoting gcc docs

  The last thing in the compound statement should be an expression
  followed by a semicolon; the value of this subexpression serves as the
  value of the entire construct.

and we already use that in e.g. the min/max macros which end with a
ternary expression.

This way, we can allow index to have const-qualified type, which will in
some cases avoid the need for introducing a local copy of index of
non-const qualified type. That, in turn, can prevent readers not
familiar with the internals of array_index_nospec from wondering about
the seemingly redundant extra variable, and I think that's worthwhile
considering how confusing the whole _nospec business is.

The expression _i&_mask has type unsigned long (since that is the type
of _mask, and the BUILD_BUG_ONs guarantee that _i will get promoted to
that), so in order not to change the type of the whole expression, add
a cast back to typeof(_i).

Cc: stable@vger.kernel.org
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
---
cc stable because if this is ok, there will probably be future users
relying on this which also get cc'ed to -stable.

include/linux/nospec.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/include/linux/nospec.h b/include/linux/nospec.h
index fbc98e2c8228..132e3f5a2e0d 100644
--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -72,7 +72,6 @@ static inline unsigned long array_index_mask_nospec(unsigned long index,
 	BUILD_BUG_ON(sizeof(_i) > sizeof(long));			\
 	BUILD_BUG_ON(sizeof(_s) > sizeof(long));			\
 									\
-	_i &= _mask;							\
-	_i;								\
+	(typeof(_i)) (_i & _mask);					\
 })
 #endif /* _LINUX_NOSPEC_H */
-- 
2.15.1

Re: [PATCH] linux/nospec.h: allow index argument to have const-qualified type

[Linus Torvalds]

On Thu, Feb 15, 2018 at 11:52 AM, Rasmus Villemoes
<linux@rasmusvillemoes.dk> wrote:
>
> This way, we can allow index to have const-qualified type, which will in
> some cases avoid the need for introducing a local copy of index of
> non-const qualified type.

Ack.

That said, looking at this header file, I find a couple of of other issues..

 (a) we should just remove the array_index_mask_nospec_check() thing.

 (b) once fixed, there's no reason for that extra "_s" variable in
array_index_nospec()

That (a) thing causes horrible code generation, and is pointless and wrong.

The "wrong" part is because it wants about "index" being larger than
LONG_MAX, and that's really stupid and wrong, because by *definition*
we don't trust index and it came from user space. The whole point was
that array_index_nospec() would limit those things!

Yes, it's true that the compiler may optimize that warning away if the
type of 'index' is such that it cannot happen, but that doesn't make
the warning any more valid.

It is only the sign of *size* that can matter and be an issue.
HOWEVER, even then it's wrong, because if "size" is of a signed type,
the check in WARN_ONCE is pure garbage.

To make matters worse, that warning means that
array_index_mask_nospec_check() currently uses it's arguments twice.
It so happens that the only current use of that macro is ok with that,
because it's being extra careful, but it's *WRONG*. Macros that look
like functions should not use arguments twice.

So (a) is just wrong right now. It's better to just remove it.

A valid warning *might* be

    WARN_ONCE((long)(size) < 0, "array_index_mask only works for sizes
that fit in a positive long");

but honestly, it's just not worth the code generation pain.

             Linus

Re: [PATCH] linux/nospec.h: allow index argument to have const-qualified type

[Dan Williams]

On Thu, Feb 15, 2018 at 12:59 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Thu, Feb 15, 2018 at 11:52 AM, Rasmus Villemoes
> <linux@rasmusvillemoes.dk> wrote:
>>
>> This way, we can allow index to have const-qualified type, which will in
>> some cases avoid the need for introducing a local copy of index of
>> non-const qualified type.
>
> Ack.
>
> That said, looking at this header file, I find a couple of of other issues..
>
>  (a) we should just remove the array_index_mask_nospec_check() thing.
>
>  (b) once fixed, there's no reason for that extra "_s" variable in
> array_index_nospec()
>
> That (a) thing causes horrible code generation, and is pointless and wrong.
>
> The "wrong" part is because it wants about "index" being larger than
> LONG_MAX, and that's really stupid and wrong, because by *definition*
> we don't trust index and it came from user space. The whole point was
> that array_index_nospec() would limit those things!
>
> Yes, it's true that the compiler may optimize that warning away if the
> type of 'index' is such that it cannot happen, but that doesn't make
> the warning any more valid.
>
> It is only the sign of *size* that can matter and be an issue.
> HOWEVER, even then it's wrong, because if "size" is of a signed type,
> the check in WARN_ONCE is pure garbage.
>
> To make matters worse, that warning means that
> array_index_mask_nospec_check() currently uses it's arguments twice.
> It so happens that the only current use of that macro is ok with that,
> because it's being extra careful, but it's *WRONG*. Macros that look
> like functions should not use arguments twice.

Yes, that piece is new and I should have noticed that breakage when I
reviewed that patch from Will.

>
> So (a) is just wrong right now. It's better to just remove it.
>
> A valid warning *might* be
>
>     WARN_ONCE((long)(size) < 0, "array_index_mask only works for sizes
> that fit in a positive long");
>
> but honestly, it's just not worth the code generation pain.

So I don't mind removing it, but I don't think it is garbage. It's
there purely as a notification to the odd kernel developer that wants
to pass "insane" index values, It compiles away in most cases because
all current users are sane and have indexes that are right sized. It
also used to be the case that it was only used when the arch did not
provide a custom array_index_mask_nospec(), but now that it is "on all
the time" I do think it is in the way.

Re: [PATCH] linux/nospec.h: allow index argument to have const-qualified type

[Linus Torvalds]

On Thu, Feb 15, 2018 at 1:56 PM, Dan Williams <dan.j.williams@intel.com> wrote:
>
> So I don't mind removing it, but I don't think it is garbage. It's
> there purely as a notification to the odd kernel developer that wants
> to pass "insane" index values,

But the thing is, the "index" value isn't even kernel-supplied.

Here's a test:  run a 32-bit kernel, and then do an ioctl() or
something with a negative fd.

What I think will happen is:

 - the negative fd will be seen as a big 'unsigned int' here:

        fcheck_files(struct files_struct *files, unsigned int fd)

which then does

                fd = array_index_nospec(fd, fdt->max_fds);

and that existing *STUPID* and *WRONG* WARN_ON() will trigger.

Sure, you can't trigger it on 64-bit kernels because there the
"unsigned int" will be small compared to LONG_MAX, but..

It is simply is *wrong* to check the "index".  It really fundamentally
is complete garbage.

Because the whole - and ONLY - *point* of this is that you have an
untrusted index. So checking it and giving a warning when it's out of
range is pure garbage.

Really. That warning must go away. Stop arguing for it, it's stupid and wrong.

Checking _size_ is one thing, but honestly, that's questionable too.

                  Linus

Re: [PATCH] linux/nospec.h: allow index argument to have const-qualified type

[Dan Williams]

On Thu, Feb 15, 2018 at 2:03 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Thu, Feb 15, 2018 at 1:56 PM, Dan Williams <dan.j.williams@intel.com> wrote:
>>
>> So I don't mind removing it, but I don't think it is garbage. It's
>> there purely as a notification to the odd kernel developer that wants
>> to pass "insane" index values,
>
> But the thing is, the "index" value isn't even kernel-supplied.
>
> Here's a test:  run a 32-bit kernel, and then do an ioctl() or
> something with a negative fd.
>
> What I think will happen is:
>
>  - the negative fd will be seen as a big 'unsigned int' here:
>
>         fcheck_files(struct files_struct *files, unsigned int fd)
>
> which then does
>
>                 fd = array_index_nospec(fd, fdt->max_fds);
>
> and that existing *STUPID* and *WRONG* WARN_ON() will trigger.
>
> Sure, you can't trigger it on 64-bit kernels because there the
> "unsigned int" will be small compared to LONG_MAX, but..
>
> It is simply is *wrong* to check the "index".  It really fundamentally
> is complete garbage.
>
> Because the whole - and ONLY - *point* of this is that you have an
> untrusted index. So checking it and giving a warning when it's out of
> range is pure garbage.
>
> Really. That warning must go away. Stop arguing for it, it's stupid and wrong.

True, I had been myopically focused on the 64-bit case.

> Checking _size_ is one thing, but honestly, that's questionable too.

Nah, I'm not going to argue for that.

Re: [PATCH V2] posix-timers: Protect posix clock array access against speculation

[Dan Williams]

On Thu, Feb 15, 2018 at 9:01 AM, Peter Zijlstra <peterz@infradead.org> wrote:
> On Thu, Feb 15, 2018 at 05:21:55PM +0100, Thomas Gleixner wrote:
>> The clockid argument of clockid_to_kclock() comes straight from user space
>> via various syscalls and is used as index into the posix_clocks array.
>>
>> Protect it against spectre v1 array out of bounds speculation. Remove the
>> redundant check for !posix_clock[id] as this is another source for
>> speculation and does not provide any advantage over the return
>> posix_clock[id] path which returns NULL in that case anyway.
>>
>> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
>> Cc: stable@vger.kernel.org
>
> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
>

Curious where this ended up, I don't see it on tip/master. In any event:

Acked-by: Dan Williams <dan.j.williams@intel.com>

[tip:timers/urgent] posix-timers: Protect posix clock array access against speculation

[tip-bot for Thomas Gleixner]

Commit-ID:  19b558db12f9f4e45a22012bae7b4783e62224da
Gitweb:     https://git.kernel.org/tip/19b558db12f9f4e45a22012bae7b4783e62224da
Author:     Thomas Gleixner <tglx@linutronix.de>
AuthorDate: Thu, 15 Feb 2018 17:21:55 +0100
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Thu, 22 Mar 2018 12:29:27 +0100

posix-timers: Protect posix clock array access against speculation

The clockid argument of clockid_to_kclock() comes straight from user space
via various syscalls and is used as index into the posix_clocks array.

Protect it against spectre v1 array out of bounds speculation. Remove the
redundant check for !posix_clock[id] as this is another source for
speculation and does not provide any advantage over the return
posix_clock[id] path which returns NULL in that case anyway.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1802151718320.1296@nanos.tec.linutronix.de

---
 kernel/time/posix-timers.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index 75043046914e..10b7186d0638 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -50,6 +50,7 @@
 #include <linux/export.h>
 #include <linux/hashtable.h>
 #include <linux/compat.h>
+#include <linux/nospec.h>
 
 #include "timekeeping.h"
 #include "posix-timers.h"
@@ -1346,11 +1347,15 @@ static const struct k_clock * const posix_clocks[] = {
 
 static const struct k_clock *clockid_to_kclock(const clockid_t id)
 {
-	if (id < 0)
+	clockid_t idx = id;
+
+	if (id < 0) {
 		return (id & CLOCKFD_MASK) == CLOCKFD ?
 			&clock_posix_dynamic : &clock_posix_cpu;
+	}
 
-	if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])
+	if (id >= ARRAY_SIZE(posix_clocks))
 		return NULL;
-	return posix_clocks[id];
+
+	return posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))];
 }