All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mark Rutland <mark.rutland@arm.com>
To: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Al Viro <viro@zeniv.linux.org.uk>, Will Deacon <will@kernel.org>,
	Dan Williams <dan.j.williams@intel.com>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Waiman Long <longman@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Andy Lutomirski <luto@kernel.org>, Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH] x86/uaccess: Use pointer masking to limit uaccess speculation
Date: Tue, 1 Sep 2020 15:02:08 +0100	[thread overview]
Message-ID: <20200901140208.GA95447@C02TD0UTHF1T.local> (raw)
In-Reply-To: <f12e7d3cecf41b2c29734ea45a393be21d4a8058.1597848273.git.jpoimboe@redhat.com>

On Wed, Aug 19, 2020 at 09:50:06AM -0500, Josh Poimboeuf wrote:
> The x86 uaccess code uses barrier_nospec() in various places to prevent
> speculative dereferencing of user-controlled pointers (which might be
> combined with further gadgets or CPU bugs to leak data).
> 
> There are some issues with the current implementation:
> 
> - The barrier_nospec() in copy_from_user() was inadvertently removed
>   with: 4b842e4e25b1 ("x86: get rid of small constant size cases in
>   raw_copy_{to,from}_user()")
> 
> - copy_to_user() and friends should also have a speculation barrier,
>   because a speculative write to a user-controlled address can still
>   populate the cache line with the original data.
> 
> - The LFENCE in barrier_nospec() is overkill, when more lightweight user
>   pointer masking can be used instead.
> 
> Remove all existing barrier_nospec() usage, and instead do user pointer
> masking, throughout the x86 uaccess code.  This is similar to what arm64
> is already doing.
> 
> barrier_nospec() is now unused, and can be removed.

One thing to consider is whether you need a speculation barrier after
set_fs(). Otherwise for code like:

| fs = get_fs();
| if (cond)
|	set_fs(KERNEL_DS);
| copy_to_user(...)
| set_fs(fs)

... the set_fs() can occur speculatively, and may be able to satisfy
the masking logic if forwarded within the cpu.

See arm64 commit:

  c2f0ad4fc089cff8 ("arm64: uaccess: Prevent speculative use of the current addr_limit")

Thanks,
Mark.

  parent reply	other threads:[~2020-09-01 14:05 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-19 14:50 [PATCH] x86/uaccess: Use pointer masking to limit uaccess speculation Josh Poimboeuf
2020-08-19 16:39 ` Andy Lutomirski
2020-08-19 17:02   ` Josh Poimboeuf
2020-08-19 21:30     ` David Laight
2020-08-20  0:18     ` Andy Lutomirski
2020-08-28 19:29 ` Josh Poimboeuf
2020-08-29 13:21   ` David Laight
2020-08-29 19:31     ` David Laight
2020-08-31 17:31       ` Josh Poimboeuf
2020-09-01  8:32         ` David Laight
2020-09-01 14:26           ` Josh Poimboeuf
2020-09-01 15:00             ` David Laight
2020-09-01 15:24               ` Josh Poimboeuf
2020-09-01 14:02 ` Mark Rutland [this message]
2020-09-01 14:21   ` Josh Poimboeuf
2020-09-01 14:52     ` Mark Rutland
2020-09-01 14:46   ` Christoph Hellwig
2020-09-01 14:54     ` Mark Rutland
2020-09-01 15:05       ` Christoph Hellwig
2020-09-01 15:46         ` Christoph Hellwig
2020-09-02 11:43           ` Mark Rutland
2020-09-02 13:32             ` Christoph Hellwig
2020-09-02 17:23               ` Mark Rutland
2020-09-03  6:56                 ` Christoph Hellwig
2020-09-04 16:00                   ` Mark Rutland

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200901140208.GA95447@C02TD0UTHF1T.local \
    --to=mark.rutland@arm.com \
    --cc=aarcange@redhat.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=dan.j.williams@intel.com \
    --cc=hch@lst.de \
    --cc=jpoimboe@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=longman@redhat.com \
    --cc=luto@kernel.org \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=will@kernel.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.