From: David Long <dave.long@linaro.org>
To: stable@vger.kernel.org,
Russell King - ARM Linux <linux@armlinux.org.uk>,
Florian Fainelli <f.fainelli@gmail.com>,
Julien Thierry <julien.thierry@arm.com>,
Tony Lindgren <tony@atomide.com>,
Marc Zyngier <marc.zyngier@arm.com>,
Greg KH <gregkh@linuxfoundation.org>,
Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will.deacon@arm.com>,
Mark Brown <broonie@kernel.org>,
linux-kernel@vger.kernel.org
Subject: [PATCH 4.19 08/17] ARM: 8796/1: spectre-v1,v1.1: provide helpers for address sanitization
Date: Wed, 13 Feb 2019 16:32:14 -0500 [thread overview]
Message-ID: <20190213213223.916-9-dave.long@linaro.org> (raw)
In-Reply-To: <20190213213223.916-1-dave.long@linaro.org>
From: Julien Thierry <julien.thierry@arm.com>
Commit afaf6838f4bc896a711180b702b388b8cfa638fc upstream.
Introduce C and asm helpers to sanitize user address, taking the
address range they target into account.
Use asm helper for existing sanitization in __copy_from_user().
Signed-off-by: Julien Thierry <julien.thierry@arm.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: David A. Long <dave.long@linaro.org>
---
arch/arm/include/asm/assembler.h | 11 +++++++++++
arch/arm/include/asm/uaccess.h | 26 ++++++++++++++++++++++++++
arch/arm/lib/copy_from_user.S | 6 +-----
3 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
index b17ee03d280b..88286dd483ff 100644
--- a/arch/arm/include/asm/assembler.h
+++ b/arch/arm/include/asm/assembler.h
@@ -467,6 +467,17 @@ THUMB( orr \reg , \reg , #PSR_T_BIT )
#endif
.endm
+ .macro uaccess_mask_range_ptr, addr:req, size:req, limit:req, tmp:req
+#ifdef CONFIG_CPU_SPECTRE
+ sub \tmp, \limit, #1
+ subs \tmp, \tmp, \addr @ tmp = limit - 1 - addr
+ addhs \tmp, \tmp, #1 @ if (tmp >= 0) {
+ subhss \tmp, \tmp, \size @ tmp = limit - (addr + size) }
+ movlo \addr, #0 @ if (tmp < 0) addr = NULL
+ csdb
+#endif
+ .endm
+
.macro uaccess_disable, tmp, isb=1
#ifdef CONFIG_CPU_SW_DOMAIN_PAN
/*
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
index 1191e7da8fab..c136eef8f690 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -99,6 +99,32 @@ static inline void set_fs(mm_segment_t fs)
#define __inttype(x) \
__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
+/*
+ * Sanitise a uaccess pointer such that it becomes NULL if addr+size
+ * is above the current addr_limit.
+ */
+#define uaccess_mask_range_ptr(ptr, size) \
+ ((__typeof__(ptr))__uaccess_mask_range_ptr(ptr, size))
+static inline void __user *__uaccess_mask_range_ptr(const void __user *ptr,
+ size_t size)
+{
+ void __user *safe_ptr = (void __user *)ptr;
+ unsigned long tmp;
+
+ asm volatile(
+ " sub %1, %3, #1\n"
+ " subs %1, %1, %0\n"
+ " addhs %1, %1, #1\n"
+ " subhss %1, %1, %2\n"
+ " movlo %0, #0\n"
+ : "+r" (safe_ptr), "=&r" (tmp)
+ : "r" (size), "r" (current_thread_info()->addr_limit)
+ : "cc");
+
+ csdb();
+ return safe_ptr;
+}
+
/*
* Single-value transfer routines. They automatically use the right
* size if we just have the right pointer type. Note that the functions
diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
index a826df3d3814..6709a8d33963 100644
--- a/arch/arm/lib/copy_from_user.S
+++ b/arch/arm/lib/copy_from_user.S
@@ -93,11 +93,7 @@ ENTRY(arm_copy_from_user)
#ifdef CONFIG_CPU_SPECTRE
get_thread_info r3
ldr r3, [r3, #TI_ADDR_LIMIT]
- adds ip, r1, r2 @ ip=addr+size
- sub r3, r3, #1 @ addr_limit - 1
- cmpcc ip, r3 @ if (addr+size > addr_limit - 1)
- movcs r1, #0 @ addr = NULL
- csdb
+ uaccess_mask_range_ptr r1, r2, r3, ip
#endif
#include "copy_template.S"
--
2.17.1
next prev parent reply other threads:[~2019-02-13 21:32 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-13 21:32 [PATCH 4.19 00/17] V4.19 backport of more 32-bit arm spectre patches David Long
2019-02-13 21:32 ` [PATCH 4.19 01/17] ARM: 8789/1: signal: copy registers using __copy_to_user() David Long
2019-02-13 21:32 ` [PATCH 4.19 02/17] ARM: 8790/1: signal: always use __copy_to_user to save iwmmxt context David Long
2019-02-13 21:32 ` [PATCH 4.19 03/17] ARM: 8791/1: vfp: use __copy_to_user() when saving VFP state David Long
2019-02-13 21:32 ` [PATCH 4.19 04/17] ARM: 8792/1: oabi-compat: copy oabi events using __copy_to_user() David Long
2019-02-13 21:32 ` [PATCH 4.19 05/17] ARM: 8793/1: signal: replace __put_user_error with __put_user David Long
2019-02-13 21:32 ` [PATCH 4.19 06/17] ARM: 8794/1: uaccess: Prevent speculative use of the current addr_limit David Long
2019-02-13 21:32 ` [PATCH 4.19 07/17] ARM: 8795/1: spectre-v1.1: use put_user() for __put_user() David Long
2019-02-13 21:32 ` David Long [this message]
2019-02-13 21:32 ` [PATCH 4.19 09/17] ARM: 8797/1: spectre-v1.1: harden __copy_to_user David Long
2019-02-13 21:32 ` [PATCH 4.19 10/17] ARM: 8810/1: vfp: Fix wrong assignement to ufp_exc David Long
2019-02-13 21:32 ` [PATCH 4.19 11/17] ARM: make lookup_processor_type() non-__init David Long
2019-02-13 21:32 ` [PATCH 4.19 12/17] ARM: split out processor lookup David Long
2019-02-13 21:32 ` [PATCH 4.19 13/17] ARM: clean up per-processor check_bugs method call David Long
2019-02-13 21:32 ` [PATCH 4.19 14/17] ARM: add PROC_VTABLE and PROC_TABLE macros David Long
2019-02-13 21:32 ` [PATCH 4.19 15/17] ARM: spectre-v2: per-CPU vtables to work around big.Little systems David Long
2019-02-13 21:32 ` [PATCH 4.19 16/17] ARM: ensure that processor vtables is not lost after boot David Long
2019-02-13 21:32 ` [PATCH 4.19 17/17] ARM: fix the cockup in the previous patch David Long
2019-02-14 8:50 ` [PATCH 4.19 00/17] V4.19 backport of more 32-bit arm spectre patches Julien Thierry
2019-02-17 19:20 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190213213223.916-9-dave.long@linaro.org \
--to=dave.long@linaro.org \
--cc=broonie@kernel.org \
--cc=f.fainelli@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=julien.thierry@arm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=marc.zyngier@arm.com \
--cc=mark.rutland@arm.com \
--cc=stable@vger.kernel.org \
--cc=tony@atomide.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.