linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Andrew Morton <akpm@linux-foundation.org>
To: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Cc: linux-kernel@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
	Dan Williams <dan.j.williams@intel.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Peter Zijlstra <peterz@infradead.org>
Subject: Re: [PATCH] kernel: sys: fix potential Spectre v1
Date: Tue, 15 May 2018 15:08:59 -0700	[thread overview]
Message-ID: <20180515150859.1bccbd8d4543848b30fea859@linux-foundation.org> (raw)
In-Reply-To: <20180515030038.GA11822@embeddedor.com>

On Mon, 14 May 2018 22:00:38 -0500 "Gustavo A. R. Silva" <gustavo@embeddedor.com> wrote:

> resource can be controlled by user-space, hence leading to a
> potential exploitation of the Spectre variant 1 vulnerability.
> 
> This issue was detected with the help of Smatch:
> 
> kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential
> spectre issue 'get_current()->signal->rlim' (local cap)
> kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue
> 'get_current()->signal->rlim' (local cap)
> 
> Fix this by sanitizing *resource* before using it to index
> current->signal->rlim
> 
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].

hm.  Not my area, but I'm always willing to learn ;)

> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -69,6 +69,9 @@
>  #include <asm/io.h>
>  #include <asm/unistd.h>
>  
> +/* Hardening for Spectre-v1 */
> +#include <linux/nospec.h>
> +
>  #include "uid16.h"
>  
>  #ifndef SET_UNALIGN_CTL
> @@ -1451,6 +1454,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
>  	if (resource >= RLIM_NLIMITS)
>  		return -EINVAL;
>  
> +	resource = array_index_nospec(resource, RLIM_NLIMITS);
>  	task_lock(current->group_leader);
>  	x = current->signal->rlim[resource];

Can the speculation proceed past the task_lock()?  Or is the policy to
ignore such happy happenstances even if they are available?

>  	task_unlock(current->group_leader);
> @@ -1470,6 +1474,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
>  	if (resource >= RLIM_NLIMITS)
>  		return -EINVAL;
>  
> +	resource = array_index_nospec(resource, RLIM_NLIMITS);
>  	task_lock(current->group_leader);
>  	r = current->signal->rlim[resource];
>  	task_unlock(current->group_leader);

  reply	other threads:[~2018-05-15 22:09 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-15  3:00 [PATCH] kernel: sys: fix potential Spectre v1 Gustavo A. R. Silva
2018-05-15 22:08 ` Andrew Morton [this message]
2018-05-15 22:29   ` Thomas Gleixner
2018-05-15 22:57     ` Dan Williams
2018-05-18 19:04       ` Gustavo A. R. Silva
2018-05-18 19:21         ` Gustavo A. R. Silva
2018-05-18 20:38           ` Dan Williams
2018-05-18 20:44             ` Gustavo A. R. Silva
2018-05-18 21:27               ` Gustavo A. R. Silva
2018-05-18 21:45                 ` Dan Williams
2018-05-18 22:01                   ` Gustavo A. R. Silva
2018-05-18 22:08                     ` Dan Williams
2018-05-18 22:11                       ` Gustavo A. R. Silva
2018-05-21  0:50               ` Gustavo A. R. Silva
2018-05-21  2:00                 ` Gustavo A. R. Silva
2018-05-22 20:50                   ` Dan Williams
2018-05-23  5:03                     ` Gustavo A. R. Silva
2018-05-23  5:15                       ` Dan Williams
2018-05-23  5:22                         ` Gustavo A. R. Silva
2018-05-23  9:08                       ` Peter Zijlstra
2018-05-23 13:55                         ` Dan Williams
2018-05-23 15:07                         ` Mark Rutland
2018-05-23 15:57                           ` Dan Williams
2018-05-23 16:27                           ` Peter Zijlstra
2018-05-23 16:31                           ` Mark Rutland
2018-05-25 18:11                             ` Gustavo A. R. Silva

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180515150859.1bccbd8d4543848b30fea859@linux-foundation.org \
    --to=akpm@linux-foundation.org \
    --cc=ast@kernel.org \
    --cc=dan.j.williams@intel.com \
    --cc=gustavo@embeddedor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).