From patchwork Wed Nov 7 16:44:02 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Long
X-Patchwork-Id: 150439
From: David Long
To: stable@vger.kernel.org, Russell King - ARM Linux, Florian Fainelli, Tony Lindgren, Marc Zyngier, Mark Rutland
Cc: Greg KH, Mark Brown
Subject: [PATCH 4.9 V2 24/24] ARM: spectre-v1: mitigate user accesses
Date: Wed, 7 Nov 2018 11:44:02 -0500
Message-Id: <20181107164402.9380-25-dave.long@linaro.org>
In-Reply-To: <20181107164402.9380-1-dave.long@linaro.org>
References: <20181107164402.9380-1-dave.long@linaro.org>

From: Russell King

Commit a3c0f84765bb429ba0fd23de1c57b5e1591c9389 upstream.

Spectre variant 1 attacks are about this sequence of pseudo-code:

	index = load(user-manipulated pointer);
	access(base + index * stride);

In order for the cache side-channel to work, the access() must be made
to memory which userspace can detect whether cache lines have been
loaded. On 32-bit ARM, this must be either user accessible memory, or
a kernel mapping of that same user accessible memory.

The problem occurs when the load() speculatively loads privileged data,
and the subsequent access() is made to user accessible memory.

Any load() which makes use of a user-manipulated pointer is a potential
problem if the data it has loaded is used in a subsequent access. This
also applies for the access() if the data loaded by that access is used
by a subsequent access.

Harden the get_user() accessors against Spectre attacks by forcing out
of bounds addresses to a NULL pointer. This prevents get_user() being
used as the load() step above. As a side effect, put_user() will also
be affected even though it isn't implicated.

Also harden copy_from_user() by redoing the bounds check within the
arm_copy_from_user() code, and NULLing the pointer if out of bounds.

Acked-by: Mark Rutland
Signed-off-by: Russell King
Signed-off-by: David A. Long
--- arch/arm/include/asm/assembler.h | 4 ++++ arch/arm/lib/copy_from_user.S | 9 +++++++++ 2 files changed, 13 insertions(+) -- 2.17.1 diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h index 189f3b42baea..e616f61f859d 100644 --- a/arch/arm/include/asm/assembler.h +++ b/arch/arm/include/asm/assembler.h @@ -458,6 +458,10 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) adds \tmp, \addr, #\size - 1 sbcccs \tmp, \tmp, \limit bcs \bad +#ifdef CONFIG_CPU_SPECTRE + movcs \addr, #0 + csdb +#endif #endif .endm diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S index 7a4b06049001..a826df3d3814 100644 
--- a/arch/arm/lib/copy_from_user.S +++ b/arch/arm/lib/copy_from_user.S @@ -90,6 +90,15 @@ .text ENTRY(arm_copy_from_user) +#ifdef CONFIG_CPU_SPECTRE + get_thread_info r3 + ldr r3, [r3, #TI_ADDR_LIMIT] + adds ip, r1, r2 @ ip=addr+size + sub r3, r3, #1 @ addr_limit - 1 + cmpcc ip, r3 @ if (addr+size > addr_limit - 1) + movcs r1, #0 @ addr = NULL + csdb +#endif #include "copy_template.S"
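
Review bot: In the assembler.h hunk, `movcs \addr, #0` follows `bcs \bad` directly, so whenever the carry is set the branch is architecturally taken and the move can only take effect on a mispredicted fall-through; nothing in the added lines says so. A short comment on the `movcs`/`csdb` pair stating that it exists for the speculative path would keep a later reader from treating it as dead code and removing it.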
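
Review bot: In the arm_copy_from_user hunk, the comment on `cmpcc ip, r3` reads `if (addr+size > addr_limit - 1)`, but `movcs` fires on carry set, which after a compare means unsigned higher-or-same, so r1 is also NULLed when addr+size equals addr_limit - 1. Either change the comment to `>=` or confirm that this boundary is meant to be rejected; the assembler.h hunk tests addr + size - 1 through `sbcccs`, a different boundary form, and a line on why the two differ would help. The `adds` comment could also state that an overflow of addr+size sets the carry and skips the compare, since that is what covers the wrap-around case.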
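
The flag logic of the two added sequences, modelled in C as an added example (not part of the patch or the kernel tree) to show which addresses each one forces to NULL. The function names and the sample limit value are constructed for illustration; `csdb` has no C equivalent, so only the architectural result of each sequence is modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample limit for the demo; not a value taken from the patch. */
#define SAMPLE_ADDR_LIMIT 0xbf000000u

/* assembler.h hunk: adds tmp, addr, #size-1 / sbcccs tmp, tmp, limit /
 * bcs bad / movcs addr, #0.  Returns the value left in \addr. */
uint32_t model_macro_mask(uint32_t addr, uint32_t size, uint32_t limit)
{
    uint32_t tmp = addr + (size - 1);
    int carry = tmp < addr;         /* adds: C set on 32-bit wrap */
    if (!carry)                     /* sbcccs executes only with C clear: */
        carry = tmp > limit;        /* tmp - limit - 1, C set if no borrow */
    return carry ? 0 : addr;        /* movcs addr, #0 */
}

/* copy_from_user.S hunk: adds ip, r1, r2 / sub r3, r3, #1 /
 * cmpcc ip, r3 / movcs r1, #0.  Returns the value left in r1. */
uint32_t model_copy_mask(uint32_t addr, uint32_t size, uint32_t addr_limit)
{
    uint32_t ip = addr + size;
    int carry = ip < addr;          /* adds: C set on 32-bit wrap */
    uint32_t r3 = addr_limit - 1;   /* sub without 's': flags unchanged */
    if (!carry)                     /* cmpcc executes only with C clear: */
        carry = ip >= r3;           /* cmp sets C when ip >= r3 (unsigned) */
    return carry ? 0 : addr;        /* movcs r1, #0 */
}

int main(void)
{
    /* Constructed (addr, size) pairs: in range, boundary, above limit, wrap. */
    const uint32_t cases[][2] = {
        {0x00010000u, 0x100u}, {0xbeffff00u, 0xfeu}, {0xbeffff00u, 0xffu},
        {0xc0000000u, 4u},     {0xfffffff0u, 0x20u},
    };
    for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("addr=%08x size=%#x -> r1=%08x\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1],
               (unsigned)model_copy_mask(cases[i][0], cases[i][1],
                                         SAMPLE_ADDR_LIMIT));
    return 0;
}
```
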