From: Josh Poimboeuf <jpoimboe@redhat.com>
To: David Laight <David.Laight@ACULAB.COM>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
"x86@kernel.org" <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Will Deacon <will@kernel.org>,
Dan Williams <dan.j.williams@intel.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Waiman Long <longman@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Andy Lutomirski <luto@kernel.org>, Christoph Hellwig <hch@lst.de>,
Mark Rutland <mark.rutland@arm.com>,
Borislav Petkov <bp@alien8.de>
Subject: Re: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation
Date: Wed, 5 May 2021 08:19:43 -0500 [thread overview]
Message-ID: <20210505131943.ci2svd6fmb22y7ac@treble> (raw)
In-Reply-To: <2f75c496ac774444b75ff808854b8e5f@AcuMS.aculab.com>
On Wed, May 05, 2021 at 08:48:48AM +0000, David Laight wrote:
> From: Josh Poimboeuf
> > Sent: 05 May 2021 04:55
> >
> > The x86 uaccess code uses barrier_nospec() in various places to prevent
> > speculative dereferencing of user-controlled pointers (which might be
> > combined with further gadgets or CPU bugs to leak data).
> ...
> > Remove existing barrier_nospec() usage, and instead do user pointer
> > masking, throughout the x86 uaccess code. This is similar to what arm64
> > is already doing with uaccess_mask_ptr().
> ...
> > diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> > index fb75657b5e56..ebe9ab46b183 100644
> > --- a/arch/x86/include/asm/uaccess.h
> > +++ b/arch/x86/include/asm/uaccess.h
> > @@ -66,12 +66,35 @@ static inline bool pagefault_disabled(void);
> > * Return: true (nonzero) if the memory block may be valid, false (zero)
> > * if it is definitely invalid.
> > */
> > -#define access_ok(addr, size) \
> > +#define access_ok(addr, size) \
> > ({ \
> > WARN_ON_IN_IRQ(); \
> > likely(!__range_not_ok(addr, size, TASK_SIZE_MAX)); \
> > })
> >
> > +/*
> > + * Sanitize a user pointer such that it becomes NULL if it's not a valid user
> > + * pointer. This prevents speculatively dereferencing a user-controlled
> > + * pointer to kernel space if access_ok() speculatively returns true. This
> > + * should be done *after* access_ok(), to avoid affecting error handling
> > + * behavior.
> > + */
> > +#define mask_user_ptr(ptr) \
> > +({ \
> > + unsigned long _ptr = (__force unsigned long)ptr; \
> > + unsigned long mask; \
> > + \
> > + asm volatile("cmp %[max], %[_ptr]\n\t" \
> > + "sbb %[mask], %[mask]\n\t" \
> > + : [mask] "=r" (mask) \
> > + : [_ptr] "r" (_ptr), \
> > + [max] "r" (TASK_SIZE_MAX) \
> > + : "cc"); \
> > + \
> > + mask &= _ptr; \
> > + ((typeof(ptr)) mask); \
> > +})
> > +
>
> access_ok() and mask_user_ptr() are doing much the same check.
> Is there scope for making access_ok() return the masked pointer?
>
> So the canonical calling code would be:
> uptr = access_ok(uptr, size);
> if (!uptr)
> return -EFAULT;
>
> This would error requests for address 0 earlier - but I don't
> believe they are ever valid in Linux.
> (Some historic x86 a.out formats did load to address 0.)
>
> Clearly for a follow up patch.
Yeah. I mentioned a similar idea in the cover letter.
But I'm thinking we should still rename it to access_ok_mask(), or
otherwise change the API to avoid the masked value getting ignored.
But that'll be a much bigger patch.
--
Josh
next prev parent reply other threads:[~2021-05-05 13:20 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-05 3:54 [PATCH v4 0/4] x86/uaccess: Use pointer masking to limit uaccess speculation Josh Poimboeuf
2021-05-05 3:54 ` [PATCH v4 1/4] uaccess: Always inline strn*_user() helper functions Josh Poimboeuf
2021-05-05 3:54 ` [PATCH v4 2/4] uaccess: Fix __user annotations for copy_mc_to_user() Josh Poimboeuf
2021-05-05 3:54 ` [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation Josh Poimboeuf
2021-05-05 8:48 ` David Laight
2021-05-05 13:19 ` Josh Poimboeuf [this message]
2021-05-05 13:51 ` David Laight
2021-05-05 18:32 ` Linus Torvalds
2021-05-06 7:57 ` David Laight
2021-05-05 14:25 ` Mark Rutland
2021-05-05 14:48 ` Josh Poimboeuf
2021-05-05 14:49 ` David Laight
2021-05-05 15:45 ` Mark Rutland
2021-05-05 16:55 ` Andy Lutomirski
2021-05-06 8:36 ` David Laight
2021-05-06 12:05 ` Christoph Hellwig
2021-06-02 17:11 ` Sean Christopherson
2021-06-02 20:11 ` Josh Poimboeuf
2021-05-05 3:54 ` [PATCH v4 4/4] x86/nospec: Remove barrier_nospec() Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210505131943.ci2svd6fmb22y7ac@treble \
--to=jpoimboe@redhat.com \
--cc=David.Laight@ACULAB.COM \
--cc=aarcange@redhat.com \
--cc=andrew.cooper3@citrix.com \
--cc=bp@alien8.de \
--cc=dan.j.williams@intel.com \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=longman@redhat.com \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).