Date: Fri, 30 Aug 2019 10:40:28 +0100
From: Mark Rutland
To: Viresh Kumar
Cc: stable@vger.kernel.org, Julien Thierry, linux-arm-kernel@lists.infradead.org, Catalin Marinas, Marc Zyngier, Will Deacon, Russell King, Vincent Guittot, mark.brown@arm.com
Subject: Re: [PATCH ARM64 v4.4 V3 05/44] arm64: Use pointer masking to limit uaccess speculation
Message-ID: <20190830094028.GE46475@lakrids.cambridge.arm.com>
X-Mailing-List: stable@vger.kernel.org

On Thu, Aug 29, 2019 at 05:03:50PM +0530, Viresh Kumar wrote:
> From: Robin Murphy
>
> commit 4d8efc2d5ee4c9ccfeb29ee8afd47a8660d0c0ce upstream.
>
> Similarly to x86, mitigate speculation past an access_ok() check by
> masking the pointer against the address limit before use.
>
> Even if we don't expect speculative writes per se, it is plausible that
> a CPU may still speculate at least as far as fetching a cache line for
> writing, hence we also harden put_user() and clear_user() for peace of
> mind.
>
> Signed-off-by: Robin Murphy
> Signed-off-by: Will Deacon
> Signed-off-by: Catalin Marinas
> Signed-off-by: Viresh Kumar

Reviewed-by: Mark Rutland [v4.4 backport]

Mark.

> --- > arch/arm64/include/asm/uaccess.h | 26 +++++++++++++++++++++++--- > 1 file changed, 23 insertions(+), 3 deletions(-) > > diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h > index c625cc5531fc..75363d723262 100644 > --- a/arch/arm64/include/asm/uaccess.h > +++ b/arch/arm64/include/asm/uaccess.h 
> @@ -121,6 +121,26 @@ static inline unsigned long __range_ok(unsigned long addr, unsigned long size) > #define access_ok(type, addr, size) __range_ok((unsigned long)(addr), size) > #define user_addr_max get_fs > > +/* > + * Sanitise a uaccess pointer such that it becomes NULL if above the > + * current addr_limit. > + */ > +#define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) > +static inline void __user *__uaccess_mask_ptr(const void __user *ptr) > +{ > + void __user *safe_ptr; > + > + asm volatile( > + " bics xzr, %1, %2\n" > + " csel %0, %1, xzr, eq\n" > + : "=&r" (safe_ptr) > + : "r" (ptr), "r" (current_thread_info()->addr_limit) > + : "cc"); > + > + csdb(); > + return safe_ptr; > +} > + > /* > * The "__xxx" versions of the user access functions do not verify the address > * space - it must have been done previously with a separate "access_ok()" > @@ -193,7 +213,7 @@ do { \ > __typeof__(*(ptr)) __user *__p = (ptr); \ > might_fault(); \ > access_ok(VERIFY_READ, __p, sizeof(*__p)) ? \ > - __get_user((x), __p) : \ > + __p = uaccess_mask_ptr(__p), __get_user((x), __p) : \ > ((x) = 0, -EFAULT); \ > }) > > @@ -259,7 +279,7 @@ do { \ > __typeof__(*(ptr)) __user *__p = (ptr); \ > might_fault(); \ > access_ok(VERIFY_WRITE, __p, sizeof(*__p)) ? \ > - __put_user((x), __p) : \ > + __p = uaccess_mask_ptr(__p), __put_user((x), __p) : \ > -EFAULT; \ > }) > > @@ -297,7 +317,7 @@ static inline unsigned long __must_check copy_in_user(void __user *to, const voi > static inline unsigned long __must_check clear_user(void __user *to, unsigned long n) > { > if (access_ok(VERIFY_WRITE, to, n)) > - n = __clear_user(to, n); > + n = __clear_user(__uaccess_mask_ptr(to), n); > return n; > } > > -- > 2.21.0.rc0.269.g1a574e7a288b >
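
Review bot: The comment above uaccess_mask_ptr() in the first hunk (@@ -121,6 +121,26) says the pointer "becomes NULL if above the current addr_limit", but `bics xzr, %1, %2` tests ptr & ~addr_limit, which is the same as "above the limit" only when addr_limit is a contiguous mask of low bits. Suggest stating that assumption in the comment so a later change to the limit values does not silently weaken the mask. It would also help to say there that only the start address is sanitised: nothing in the helper looks at the access size, so the end of the range still rests entirely on the preceding access_ok().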
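
Review bot: In the get_user() and put_user() hunks (@@ -193,7 +213,7 and @@ -259,7 +279,7), the new middle operand `__p = uaccess_mask_ptr(__p), __get_user((x), __p)` sits unparenthesised between `?` and `:`. That is valid C, since a full comma expression is allowed there, but in a multi-line macro it is easy to misread as ending the conditional; wrapping the assignment and the call in one pair of parentheses would make the sequencing explicit. Separately, only the access_ok()-checked wrappers gain the mask. The context comment in the first hunk notes that the "__xxx" versions do not verify the address space, and they are untouched here, so callers that pair their own access_ok() with __get_user()/__put_user() keep an unmasked pointer after this patch. Worth a line in the commit message saying whether that is intended or handled elsewhere in the series.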
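
Review bot: The clear_user() hunk (@@ -297,7 +317,7) calls __uaccess_mask_ptr(to) directly, while get_user() and put_user() go through the uaccess_mask_ptr() macro. It makes no functional difference here because `to` is already a void __user *, but using the macro in all three places would keep a single entry point if the helper's signature ever changes. Also, the hunk header shows copy_in_user() defined immediately above in the same file and the diffstat accounts for no change to it; the commit message names only put_user() and clear_user(), so it should say explicitly whether the copy routines are left for another patch.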