From: linux@armlinux.org.uk (Russell King - ARM Linux)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 6/6] ARM: spectre-v1: mitigate user accesses
Date: Thu, 26 Jul 2018 14:20:06 +0100
Message-ID: <20180726132006.GY17271@n2100.armlinux.org.uk>
In-Reply-To: <20180726124900.syqvsltidm4c2oud@lakrids.cambridge.arm.com>

On Thu, Jul 26, 2018 at 01:49:00PM +0100, Mark Rutland wrote:
> On Tue, Jul 10, 2018 at 03:14:12PM +0100, Russell King wrote:
> > Spectre variant 1 attacks are about this sequence of pseudo-code:
> > 
> > 	index = load(user-manipulated pointer);
> > 	access(base + index * stride);
> > 
> > In order for the cache side-channel to work, the access() must be made
> > to memory which userspace can detect whether cache lines have been
> > loaded.  On 32-bit ARM, this must be either user accessible memory, or
> > a kernel mapping of that same user accessible memory.
> > 
> > The problem occurs when the load() speculatively loads privileged data,
> > and the subsequent access() is made to user accessible memory.
> > 
> > Any load() which makes use of a user-manipulated pointer is a potential
> > problem if the data it has loaded is used in a subsequent access.  This
> > also applies for the access() if the data loaded by that access is used
> > by a subsequent access.
> > 
> > Harden the get_user() accessors against Spectre attacks by forcing out
> > of bounds addresses to a NULL pointer.  This prevents get_user() being
> > used as the load() step above.  As a side effect, put_user() will also
> > be affected even though it isn't implicated.
> > 
> > Also harden copy_from_user() by redoing the bounds check within the
> > arm_copy_from_user() code, and NULLing the pointer if out of bounds.
> > 
> > Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
> > ---
> >  arch/arm/include/asm/assembler.h | 4 ++++
> >  arch/arm/lib/copy_from_user.S    | 7 +++++++
> >  2 files changed, 11 insertions(+)
> > 
> > diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
> > index ef1386b1af9b..f0515f60cff5 100644
> > --- a/arch/arm/include/asm/assembler.h
> > +++ b/arch/arm/include/asm/assembler.h
> > @@ -460,6 +460,10 @@ THUMB(	orr	\reg , \reg , #PSR_T_BIT	)
> >  	adds	\tmp, \addr, #\size - 1
> >  	sbcccs	\tmp, \tmp, \limit
> >  	bcs	\bad
> > +#ifdef CONFIG_CPU_SPECTRE
> > +	movcs	\addr, #0
> > +	csdb
> > +#endif
> >  #endif
> >  	.endm
> >  
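
Review bot: the added `movcs \addr, #0` sits directly after `bcs \bad`, so whenever carry is set the branch is architecturally taken and the move can only take effect on a mispredicted, speculative fall-through; nothing in the hunk says so and it reads like dead code. A one-line comment inside the `#ifdef CONFIG_CPU_SPECTRE` block stating that the move and `csdb` exist to NULL \addr on the speculative path would keep it from being tidied away later. The same comment could record that put_user() picks up this sequence as well, which the commit message describes as a side effect.
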
> > diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
> > index 7a4b06049001..ebf292e9478f 100644
> > --- a/arch/arm/lib/copy_from_user.S
> > +++ b/arch/arm/lib/copy_from_user.S
> > @@ -90,6 +90,13 @@
> >  	.text
> >  
> >  ENTRY(arm_copy_from_user)
> > +	get_thread_info r3
> > +	ldr	r3, [r3, #TI_ADDR_LIMIT]
> > +	adds	ip, r1, r2	@ ip=addr+size
> > +	sub	r3, r3, #1	@ addr_limit - 1
> > +	cmpcc	ip, r3		@ if (addr+size > addr_limit - 1)
> > +	movcs	r1, #0		@ addr = NULL
> > +	csdb
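
Review bot: the comment on `cmpcc ip, r3` says `addr+size > addr_limit - 1`, but the following `movcs r1, #0` acts on carry set, which after a compare means unsigned higher-or-same, so the pointer is NULLed when addr+size >= addr_limit - 1. Either correct the comment to `>=` or adjust the comparison so the boundary matches what is documented, and state that the carry out of `adds ip, r1, r2` (address wrap) is deliberately folded into the same `movcs`. Separately, these seven added lines are unconditional, while the assembler.h hunk wraps its `movcs`/`csdb` in `#ifdef CONFIG_CPU_SPECTRE`; the same guard here would keep the two paths consistent.
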
> 
> Given spectre-v1.1, I believe we need to do the same for
> arm_copy_to_user().

Spectre v1.1 is not covered by this patch series and is a subject for
future work.

-- 
RMK's Patch system: http://www.armlinux.org.uk/developer/patches/
FTTC broadband for 0.8mile line in suburbia: sync at 13.8Mbps down 630kbps up
According to speedtest.net: 13Mbps down 490kbps up
