From: Dan Williams <dan.j.williams@intel.com>
To: linux-kernel@vger.kernel.org
Cc: Mark Rutland <mark.rutland@arm.com>,
kernel-hardening@lists.openwall.com,
Peter Zijlstra <peterz@infradead.org>,
Alan Cox <alan.cox@intel.com>, Will Deacon <will.deacon@arm.com>,
Alexei Starovoitov <ast@kernel.org>,
Solomon Peachy <pizza@shaftnet.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Christian Lamparter <chunkeey@googlemail.com>,
Elena Reshetova <elena.reshetova@intel.com>,
linux-arch@vger.kernel.org, Andi Kleen <ak@linux.intel.com>,
"James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
linux-scsi@vger.kernel.org, Jonathan Corbet <corbet@lwn.net>,
x86@kernel.org, Russell King <linux@armlinux.org.uk>,
Ingo Molnar <mingo@redhat.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
linux-media@vger.kernel.org,
Tom Lendacky <thomas.lendacky@amd.com>,
Kees Cook <keescook@chromium.org>, Jan Kara <jack@suse.com>,
Al Viro <viro@zeniv.linux.org.uk>,
qla2xxx-upstream@qlogic.com, tglx@linutronix.de,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Kalle Valo <kvalo@codeaurora.org>,
alan@linux.intel.com,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Greg KH <gregkh@linuxfoundation.org>,
linux-wireless@vger.kernel.org,
"Eric W. Biederman" <ebiederm@xmission.com>,
netdev@vger.kernel.org, akpm@linux-foundation.org,
torvalds@linux-foundation.org,
"David S. Miller" <davem@davemloft.net>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Subject: [PATCH v2 00/19] prevent bounds-check bypass via speculative execution
Date: Thu, 11 Jan 2018 16:46:24 -0800
Message-ID: <151571798296.27429.7166552848688034184.stgit@dwillia2-desk3.amr.corp.intel.com>

Changes since v1 [1]:

* fixup the ifence definition to use alternative_2 per recent AMD
  changes in tip/x86/pti (Tom)

* drop 'nospec_ptr' (Linus, Mark)

* rename 'nospec_array_ptr' to 'array_ptr' (Alexei)

* rename 'nospec_barrier' to 'ifence' (Peter, Ingo)

* clean up occasions of 'variable assignment in if()' (Sergei, Stephen)

* make 'array_ptr' use a mask instead of an architectural ifence by
  default (Linus, Alexei)

* provide a command line and compile-time opt-in to the ifence
  mechanism, if an architecture provides 'ifence_array_ptr'.

* provide an optimized mask generation helper, 'array_ptr_mask', for
  x86 (Linus)

* move 'get_user' hardening from '__range_not_ok' to '__uaccess_begin'
  (Linus)

* drop "Thermal/int340x: prevent bounds-check..." since userspace does
  not have arbitrary control over the 'trip' index (Srinivas)

* update the changelog of "net: mpls: prevent bounds-check..." and keep
  it in the series to continue the debate about Spectre hygiene patches.
  (Eric).

* record a reviewed-by from Laurent on "[media] uvcvideo: prevent
  bounds-check..."

* update the cover letter

[1]: https://lwn.net/Articles/743376/

---

Quoting Mark's original RFC:

"Recently, Google Project Zero discovered several classes of attack
against speculative execution. One of these, known as variant-1, allows
explicit bounds checks to be bypassed under speculation, providing an
arbitrary read gadget. Further details can be found on the GPZ blog [2]
and the Documentation patch in this series."

This series incorporates Mark Rutland's latest ARM changes and adds
the x86 specific implementation of 'ifence_array_ptr'. That ifence
based approach is provided as an opt-in fallback, but the default
mitigation, '__array_ptr', uses a 'mask' approach that removes
conditional branch instructions, and otherwise aims to redirect
speculation to use a NULL pointer rather than a user controlled value.

The mask is generated by the following from Alexei, and Linus:

    mask = ~(long)(_i | (_s - 1 - _i)) >> (BITS_PER_LONG - 1);

...and Linus provided an optimized mask generation helper for x86:

    asm ("cmpq %1,%2; sbbq %0,%0;"
		:"=r" (mask)
		:"r"(sz),"r" (idx)
		:"cc");

The 'array_ptr' mechanism can be switched between 'mask' and 'ifence'
via the spectre_v1={mask,ifence} command line option, and the
compile-time default is set by selecting either CONFIG_SPECTRE1_MASK or
CONFIG_SPECTRE1_IFENCE.

The 'array_ptr' infrastructure is the primary focus of this patch set. The
individual patches that perform 'array_ptr' conversions are a point in
time (i.e. earlier kernel, early analysis tooling, x86 only etc...)
start at finding some of these gadgets.

Another consideration for reviewing these patches is the 'hygiene'
argument. When a patch refers to hygiene it is concerned with stopping
speculation on an unconstrained or insufficiently constrained pointer
value under userspace control. That by itself is not sufficient for
attack (per current understanding) [3], but it is a necessary
pre-condition. So 'hygiene' refers to cleaning up those suspect
pointers regardless of whether they are usable as a gadget.

These patches are also available via the 'nospec-v2' git branch
here:

    git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux nospec-v2

Note that the BPF fix for Spectre variant1 is merged in the bpf.git
tree [4], and is not included in this branch.

[2]: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
[3]: https://spectreattack.com/spectre.pdf
[4]: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=b2157399cc98

---

Dan Williams (16):
      x86: implement ifence()
      x86: implement ifence_array_ptr() and array_ptr_mask()
      asm-generic/barrier: mask speculative execution flows
      x86: introduce __uaccess_begin_nospec and ASM_IFENCE
      x86: use __uaccess_begin_nospec and ASM_IFENCE in get_user paths
      ipv6: prevent bounds-check bypass via speculative execution
      ipv4: prevent bounds-check bypass via speculative execution
      vfs, fdtable: prevent bounds-check bypass via speculative execution
      userns: prevent bounds-check bypass via speculative execution
      udf: prevent bounds-check bypass via speculative execution
      [media] uvcvideo: prevent bounds-check bypass via speculative execution
      carl9170: prevent bounds-check bypass via speculative execution
      p54: prevent bounds-check bypass via speculative execution
      qla2xxx: prevent bounds-check bypass via speculative execution
      cw1200: prevent bounds-check bypass via speculative execution
      net: mpls: prevent bounds-check bypass via speculative execution

Mark Rutland (3):
      Documentation: document array_ptr
      arm64: implement ifence_array_ptr()
      arm: implement ifence_array_ptr()

 Documentation/speculation.txt            |  142 ++++++++++++++++++++++++++++++
 arch/arm/Kconfig                         |    1
 arch/arm/include/asm/barrier.h           |   24 +++++
 arch/arm64/Kconfig                       |    1
 arch/arm64/include/asm/barrier.h         |   24 +++++
 arch/x86/Kconfig                         |    3 +
 arch/x86/include/asm/barrier.h           |   46 ++++++++++
 arch/x86/include/asm/msr.h               |    3 -
 arch/x86/include/asm/smap.h              |    4 +
 arch/x86/include/asm/uaccess.h           |   16 +++
 arch/x86/include/asm/uaccess_32.h        |    6 +
 arch/x86/include/asm/uaccess_64.h        |   12 +--
 arch/x86/lib/copy_user_64.S              |    3 +
 arch/x86/lib/usercopy_32.c               |    8 +-
 drivers/media/usb/uvc/uvc_v4l2.c         |    9 +-
 drivers/net/wireless/ath/carl9170/main.c |    7 +
 drivers/net/wireless/intersil/p54/main.c |    9 +-
 drivers/net/wireless/st/cw1200/sta.c     |   11 +-
 drivers/net/wireless/st/cw1200/wsm.h     |    4 -
 drivers/scsi/qla2xxx/qla_mr.c            |   17 ++--
 fs/udf/misc.c                            |   40 +++++---
 include/linux/fdtable.h                  |    7 +
 include/linux/nospec.h                   |   71 +++++++++++++++
 kernel/Kconfig.nospec                    |   31 +++++++
 kernel/Makefile                          |    1
 kernel/nospec.c                          |   52 +++++++++++
 kernel/user_namespace.c                  |   11 +-
 lib/Kconfig                              |    3 +
 net/ipv4/raw.c                           |   10 +-
 net/ipv6/raw.c                           |   10 +-
 net/mpls/af_mpls.c                       |   12 +--
 31 files changed, 521 insertions(+), 77 deletions(-)
 create mode 100644 Documentation/speculation.txt
 create mode 100644 include/linux/nospec.h
 create mode 100644 kernel/Kconfig.nospec
 create mode 100644 kernel/nospec.c
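
The mask arithmetic described in the cover letter above, worked through in user-space C. This is an added example, not code from the patch series; `mask_generic`, `mask_x86` and `array_ptr_demo` are hypothetical names, and the x86 helper is only built on x86-64.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define BITS_PER_LONG ((int)(sizeof(long) * CHAR_BIT))

/* Generic mask from the cover letter: ~0UL when idx < sz, otherwise 0.
 * Assumes sz <= LONG_MAX and an arithmetic right shift of negative
 * longs (gcc and clang behave this way). */
static inline unsigned long mask_generic(unsigned long idx, unsigned long sz)
{
	/* In range: neither idx nor (sz - 1 - idx) has the top bit set, so
	 * the complement is negative and the shift smears the sign bit.
	 * Out of range: (sz - 1 - idx) wraps, the top bit is set, mask = 0. */
	return (unsigned long)(~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1));
}

#if defined(__x86_64__)
/* x86 helper from the cover letter: cmpq sets CF when idx < sz (unsigned
 * compare), then sbbq computes 0 - CF, giving ~0UL or 0 without a branch. */
static inline unsigned long mask_x86(unsigned long idx, unsigned long sz)
{
	unsigned long mask;
	__asm__ ("cmpq %1,%2; sbbq %0,%0;"
		 : "=r" (mask)
		 : "r" (sz), "r" (idx)
		 : "cc");
	return mask;
}
#endif

/* Hypothetical user-space analogue of array_ptr() (LP64 assumed): the
 * element address is ANDed with the mask, so an out-of-range index
 * produces NULL rather than an address derived from the index. */
static inline const int *array_ptr_demo(const int *base, unsigned long idx,
					unsigned long sz)
{
	uintptr_t addr = (uintptr_t)base + idx * sizeof(*base);
	return (const int *)(addr & mask_generic(idx, sz));
}

int main(void)
{
	static const int table[4] = { 10, 20, 30, 40 };	/* constructed data */
	/* Exit status 0 when index 4 (one past the end) is clamped to NULL. */
	return array_ptr_demo(table, 4, 4) != NULL;
}
```

The block checks the arithmetic only; it does not observe or measure speculative execution.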