Message ID | 20180710180607.56624-1-mark.rutland@arm.com |
---|---|
State | New |
Series | perf/core: fix possible spectre-v1 write |
Hi Mark,

I love your patch! Yet something to improve:

[auto build test ERROR on tip/perf/core]
[also build test ERROR on v4.18-rc4 next-20180710]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Mark-Rutland/perf-core-fix-possible-spectre-v1-write/20180711-023735
config: i386-randconfig-x009-201827 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386

All errors (new ones prefixed by >>):

   kernel/events/core.c: In function 'sw_perf_event_destroy':
>> kernel/events/core.c:8158:13: error: implicit declaration of function 'array_index_nospec'; did you mean 'array_index_mask_nospec'? [-Werror=implicit-function-declaration]
     event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX);
                ^~~~~~~~~~~~~~~~~~
                array_index_mask_nospec
   cc1: some warnings being treated as errors

vim +8158 kernel/events/core.c

  8154
  8155	static void sw_perf_event_destroy(struct perf_event *event)
  8156	{
  8157		u64 event_id = event->attr.config;
> 8158		event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX);
  8159
  8160		WARN_ON(event->parent);
  8161
  8162		static_key_slow_dec(&perf_swevent_enabled[event_id]);
  8163		swevent_hlist_put();
  8164	}
  8165

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
Hi Mark,

I love your patch! Yet something to improve:

[auto build test ERROR on tip/perf/core]
[also build test ERROR on v4.18-rc4 next-20180710]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Mark-Rutland/perf-core-fix-possible-spectre-v1-write/20180711-023735
config: i386-randconfig-s0-201827 (attached as .config)
compiler: gcc-6 (Debian 6.4.0-9) 6.4.0 20171026
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386

All errors (new ones prefixed by >>):

   kernel/events/core.c: In function 'sw_perf_event_destroy':
>> kernel/events/core.c:8158:13: error: implicit declaration of function 'array_index_nospec' [-Werror=implicit-function-declaration]
     event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX);
                ^~~~~~~~~~~~~~~~~~
   cc1: some warnings being treated as errors

vim +/array_index_nospec +8158 kernel/events/core.c

  8154
  8155	static void sw_perf_event_destroy(struct perf_event *event)
  8156	{
  8157		u64 event_id = event->attr.config;
> 8158		event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX);
  8159
  8160		WARN_ON(event->parent);
  8161
  8162		static_key_slow_dec(&perf_swevent_enabled[event_id]);
  8163		swevent_hlist_put();
  8164	}
  8165

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
On Tue, Jul 10, 2018 at 07:06:07PM +0100, Mark Rutland wrote: > It's possible for userspace to control event_id. Sanitize event_id when > using it as an array index, to inhibit the potential spectre-v1 write > gadget. > > This class of issue is also known as CVE-2018-3693, or "bounds check bypass > store". > > Found by smatch. > > Signed-off-by: Mark Rutland <mark.rutland@arm.com> > Cc: Peter Zijlstra <peterz@infradead.org> > Cc: Ingo Molnar <mingo@redhat.com> > --- > kernel/events/core.c | 2 ++ > 1 file changed, 2 insertions(+) > > For Arm CPUs, more details can be found in the Arm Cache Speculation > Side-channels whitepaper, available from the Arm security updates site [1]. > > Mark. > > [1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability > > diff --git a/kernel/events/core.c b/kernel/events/core.c > index 8f0434a9951a..eece719bd18e 100644 > --- a/kernel/events/core.c > +++ b/kernel/events/core.c > @@ -8155,6 +8155,7 @@ struct static_key perf_swevent_enabled[PERF_COUNT_SW_MAX]; > static void sw_perf_event_destroy(struct perf_event *event) > { > u64 event_id = event->attr.config; > + event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX); As the kbuild test robot has pointed out, I've failed to include <linux/nospec.h> for this to compile. I'll spin a v2 with that added, and the result tested. Thanks, Mark.
diff --git a/kernel/events/core.c b/kernel/events/core.c index 8f0434a9951a..eece719bd18e 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -8155,6 +8155,7 @@ struct static_key perf_swevent_enabled[PERF_COUNT_SW_MAX]; static void sw_perf_event_destroy(struct perf_event *event) { u64 event_id = event->attr.config; + event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX); WARN_ON(event->parent); @@ -8186,6 +8187,7 @@ static int perf_swevent_init(struct perf_event *event) if (event_id >= PERF_COUNT_SW_MAX) return -ENOENT; + event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX); if (!event->parent) { int err;
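Review bot: sw_perf_event_destroy() now calls array_index_nospec(), but the patch adds no #include <linux/nospec.h> (the diffstat is just the two call lines), which is the implicit-declaration error in the i386 randconfig reports in this thread; add the include to kernel/events/core.c. Also, event_id is declared u64 on the line above the new call and the failing configs are 32-bit, so check that the helper accepts an index wider than long, or narrow event_id before masking. The new assignment sits directly under the declaration; a blank line between them would separate declarations from statements.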
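Review bot: In the perf_swevent_init() hunk the clamp directly follows "if (event_id >= PERF_COUNT_SW_MAX) return -ENOENT;" with no comment, so it reads as a redundant second bounds check and is at risk of being removed in a later cleanup. Add a one-line comment above the array_index_nospec() call saying that it constrains the index under speculation after the architectural check has passed. This call depends on the same missing <linux/nospec.h> include as the first hunk.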
It's possible for userspace to control event_id. Sanitize event_id when
using it as an array index, to inhibit the potential spectre-v1 write
gadget.

This class of issue is also known as CVE-2018-3693, or "bounds check bypass
store".

Found by smatch.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@redhat.com>
---
 kernel/events/core.c | 2 ++
 1 file changed, 2 insertions(+)

For Arm CPUs, more details can be found in the Arm Cache Speculation
Side-channels whitepaper, available from the Arm security updates site [1].

Mark.

[1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

-- 
2.11.0
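The index sanitisation the commit message describes, as an added userspace model that is not code from the patch or from the kernel tree: a bounds check followed by a branchless mask, so the index used for the store is forced to 0 whenever it is out of range. The names `index_mask_nospec`, `index_nospec`, `sw_event_enable`, `sw_enabled` and `SW_MAX` are hypothetical stand-ins, and the mask assumes `size <= LONG_MAX` and a compiler with arithmetic right shift and GNU inline asm (gcc, clang).

```c
#include <limits.h>
#include <stdio.h>

#define SW_MAX 10UL            /* constructed stand-in for PERF_COUNT_SW_MAX */

static int sw_enabled[SW_MAX]; /* stand-in for perf_swevent_enabled[] */

/*
 * Branchless mask: all ones when index < size, zero otherwise.
 * When index >= size, either index itself or (size - 1 - index) has its
 * top bit set, so the OR is negative as a long; inverting it and shifting
 * the sign bit across the word yields 0. In range, the OR is non-negative
 * and the result is ~0UL.
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Make index opaque so the optimiser cannot turn the mask into a branch. */
    __asm__ volatile("" : "+r"(index));
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (sizeof(long) * CHAR_BIT - 1));
}

/* Returns index unchanged when in range, 0 otherwise, via a data dependency. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Same shape as the init path in the patch: architectural check, then clamp. */
static int sw_event_enable(unsigned long event_id)
{
    if (event_id >= SW_MAX)
        return -1;                              /* reject out-of-range ids */
    event_id = index_nospec(event_id, SW_MAX);  /* bound the index without a branch */
    sw_enabled[event_id]++;                     /* the store that must stay in bounds */
    return 0;
}

int main(void)
{
    printf("%lu %lu %lu\n", index_nospec(3, SW_MAX),
           index_nospec(SW_MAX, SW_MAX), index_nospec(ULONG_MAX, SW_MAX));
    printf("%d %d\n", sw_event_enable(3), sw_event_enable(42));
    return 0;
}
```

The mask is computed from the index itself, so the store address depends on data rather than on the outcome of the preceding branch.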