From: David Long <dave.long@linaro.org>
To: stable@vger.kernel.org,
Russell King - ARM Linux <linux@armlinux.org.uk>,
Florian Fainelli <f.fainelli@gmail.com>,
Julien Thierry <julien.thierry@arm.com>,
Tony Lindgren <tony@atomide.com>,
Marc Zyngier <marc.zyngier@arm.com>,
Greg KH <gregkh@linuxfoundation.org>,
Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>,
Mark Brown <broonie@kernel.org>,
linux-kernel@vger.kernel.org
Subject: [PATCH 4.19 09/17] ARM: 8797/1: spectre-v1.1: harden __copy_to_user
Date: Wed, 13 Feb 2019 16:32:15 -0500 [thread overview]
Message-ID: <20190213213223.916-10-dave.long@linaro.org> (raw)
In-Reply-To: <20190213213223.916-1-dave.long@linaro.org>
From: Julien Thierry <julien.thierry@arm.com>
Commit a1d09e074250fad24f1b993f327b18cc6812eb7a upstream.
Sanitize user pointer given to __copy_to_user, both for standard version
and memcopy version of the user accessor.
Signed-off-by: Julien Thierry <julien.thierry@arm.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: David A. Long <dave.long@linaro.org>
---
arch/arm/lib/copy_to_user.S | 6 +++++-
arch/arm/lib/uaccess_with_memcpy.c | 3 ++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/arch/arm/lib/copy_to_user.S b/arch/arm/lib/copy_to_user.S
index caf5019d8161..970abe521197 100644
--- a/arch/arm/lib/copy_to_user.S
+++ b/arch/arm/lib/copy_to_user.S
@@ -94,6 +94,11 @@
ENTRY(__copy_to_user_std)
WEAK(arm_copy_to_user)
+#ifdef CONFIG_CPU_SPECTRE
+ get_thread_info r3
+ ldr r3, [r3, #TI_ADDR_LIMIT]
+ uaccess_mask_range_ptr r0, r2, r3, ip
+#endif
#include "copy_template.S"
@@ -108,4 +113,3 @@ ENDPROC(__copy_to_user_std)
rsb r0, r0, r2
copy_abort_end
.popsection
-
diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
index 9b4ed1728616..73dc7360cbdd 100644
--- a/arch/arm/lib/uaccess_with_memcpy.c
+++ b/arch/arm/lib/uaccess_with_memcpy.c
@@ -152,7 +152,8 @@ arm_copy_to_user(void __user *to, const void *from, unsigned long n)
n = __copy_to_user_std(to, from, n);
uaccess_restore(ua_flags);
} else {
- n = __copy_to_user_memcpy(to, from, n);
+ n = __copy_to_user_memcpy(uaccess_mask_range_ptr(to, n),
+ from, n);
}
return n;
}
--
2.17.1
next prev parent reply other threads:[~2019-02-13 21:33 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-13 21:32 [PATCH 4.19 00/17] V4.19 backport of more 32-bit arm spectre patches David Long
2019-02-13 21:32 ` [PATCH 4.19 01/17] ARM: 8789/1: signal: copy registers using __copy_to_user() David Long
2019-02-13 21:32 ` [PATCH 4.19 02/17] ARM: 8790/1: signal: always use __copy_to_user to save iwmmxt context David Long
2019-02-13 21:32 ` [PATCH 4.19 03/17] ARM: 8791/1: vfp: use __copy_to_user() when saving VFP state David Long
2019-02-13 21:32 ` [PATCH 4.19 04/17] ARM: 8792/1: oabi-compat: copy oabi events using __copy_to_user() David Long
2019-02-13 21:32 ` [PATCH 4.19 05/17] ARM: 8793/1: signal: replace __put_user_error with __put_user David Long
2019-02-13 21:32 ` [PATCH 4.19 06/17] ARM: 8794/1: uaccess: Prevent speculative use of the current addr_limit David Long
2019-02-13 21:32 ` [PATCH 4.19 07/17] ARM: 8795/1: spectre-v1.1: use put_user() for __put_user() David Long
2019-02-13 21:32 ` [PATCH 4.19 08/17] ARM: 8796/1: spectre-v1,v1.1: provide helpers for address sanitization David Long
2019-02-13 21:32 ` David Long [this message]
2019-02-13 21:32 ` [PATCH 4.19 10/17] ARM: 8810/1: vfp: Fix wrong assignement to ufp_exc David Long
2019-02-13 21:32 ` [PATCH 4.19 11/17] ARM: make lookup_processor_type() non-__init David Long
2019-02-13 21:32 ` [PATCH 4.19 12/17] ARM: split out processor lookup David Long
2019-02-13 21:32 ` [PATCH 4.19 13/17] ARM: clean up per-processor check_bugs method call David Long
2019-02-13 21:32 ` [PATCH 4.19 14/17] ARM: add PROC_VTABLE and PROC_TABLE macros David Long
2019-02-13 21:32 ` [PATCH 4.19 15/17] ARM: spectre-v2: per-CPU vtables to work around big.Little systems David Long
2019-02-13 21:32 ` [PATCH 4.19 16/17] ARM: ensure that processor vtables is not lost after boot David Long
2019-02-13 21:32 ` [PATCH 4.19 17/17] ARM: fix the cockup in the previous patch David Long
2019-02-14 8:50 ` [PATCH 4.19 00/17] V4.19 backport of more 32-bit arm spectre patches Julien Thierry
2019-02-17 19:20 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190213213223.916-10-dave.long@linaro.org \
--to=dave.long@linaro.org \
--cc=broonie@kernel.org \
--cc=f.fainelli@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=julien.thierry@arm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=marc.zyngier@arm.com \
--cc=mark.rutland@arm.com \
--cc=stable@vger.kernel.org \
--cc=tony@atomide.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.