From: Alex Shi
To: Marc Zyngier, Will Deacon, Ard Biesheuvel, Catalin Marinas, stable@vger.kernel.org, linux-arm-kernel@lists.infradead.org (moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH 13/52] arm64: uaccess: Prevent speculative use of the current addr_limit
Date: Mon, 26 Feb 2018 16:19:47 +0800
Message-Id: <1519633227-29832-14-git-send-email-alex.shi@linaro.org>
In-Reply-To: <1519633227-29832-1-git-send-email-alex.shi@linaro.org>
References: <1519633227-29832-1-git-send-email-alex.shi@linaro.org>

From: Will Deacon

commit c2f0ad4fc089 upstream.

A mispredicted conditional call to set_fs could result in the wrong addr_limit being forwarded under speculation to a subsequent access_ok check, potentially forming part of a spectre-v1 attack using uaccess routines.

This patch prevents this forwarding from taking place by putting heavy barriers in set_fs after writing the addr_limit.

Reviewed-by: Mark Rutland
Signed-off-by: Will Deacon
Signed-off-by: Catalin Marinas
Signed-off-by: Alex Shi

Conflicts:
	no set_thread_flag(TIF_FSCHECK) in arch/arm64/include/asm/uaccess.h
--- arch/arm64/include/asm/uaccess.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 3531fec..00025c5 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h 
@@ -71,6 +71,13 @@ static inline void set_fs(mm_segment_t fs) current_thread_info()->addr_limit = fs; /* + * Prevent a mispredicted conditional call to set_fs from forwarding + * the wrong address limit to access_ok under speculation. + */ + dsb(nsh); + isb(); + + /* * Enable/disable UAO so that copy_to_user() etc can access * kernel memory with the unprivileged instructions. */ -- 2.7.4
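
Review bot: In set_fs(), the new comment above dsb(nsh); isb(); says what the barriers prevent but not why this particular pair is needed or what each one contributes. The commit message calls them heavy barriers, and they now run unconditionally on every set_fs() call, so the comment should state that the dsb completes the addr_limit store and the isb then discards instructions already fetched past it. Spelling that out makes it less likely that a later cleanup drops or weakens one of the two, and documents that the placement directly after the addr_limit write and before the UAO toggle is intentional.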