[ARM64,v4.4,V3,06/44] arm64: entry: Ensure branch through syscall table is bounded under speculation

Message ID 093a9777605bdd2ab2c33948a4e7a3fbb275de4d.1567077734.git.viresh.kumar@linaro.org
State New
Headers show
Series
  • V4.4 backport of arm64 Spectre patches
Related show

Commit Message

Viresh Kumar Aug. 29, 2019, 11:33 a.m.
From: Will Deacon <will.deacon@arm.com>


commit 6314d90e64936c584f300a52ef173603fb2461b5 upstream.

In a similar manner to array_index_mask_nospec, this patch introduces an
assembly macro (mask_nospec64) which can be used to bound a value under
speculation. This macro is then used to ensure that the indirect branch
through the syscall table is bounded under speculation, with out-of-range
addresses speculating as calls to sys_io_setup (0).

Reviewed-by: Mark Rutland <mark.rutland@arm.com>

Signed-off-by: Will Deacon <will.deacon@arm.com>

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

[ v4.4: use existing scno & sc_nr definitions ]
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>

---
 arch/arm64/include/asm/assembler.h | 11 +++++++++++
 arch/arm64/kernel/entry.S          |  1 +
 2 files changed, 12 insertions(+)

-- 
2.21.0.rc0.269.g1a574e7a288b

Comments

Mark Rutland Aug. 30, 2019, 9:40 a.m. | #1
On Thu, Aug 29, 2019 at 05:03:51PM +0530, Viresh Kumar wrote:
> From: Will Deacon <will.deacon@arm.com>

> 

> commit 6314d90e64936c584f300a52ef173603fb2461b5 upstream.

> 

> In a similar manner to array_index_mask_nospec, this patch introduces an

> assembly macro (mask_nospec64) which can be used to bound a value under

> speculation. This macro is then used to ensure that the indirect branch

> through the syscall table is bounded under speculation, with out-of-range

> addresses speculating as calls to sys_io_setup (0).

> 

> Reviewed-by: Mark Rutland <mark.rutland@arm.com>

> Signed-off-by: Will Deacon <will.deacon@arm.com>

> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

> [ v4.4: use existing scno & sc_nr definitions ]

> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>


Reviewed-by: Mark Rutland <mark.rutland@arm.com> [v4.4 backport]


Mark.

> ---

>  arch/arm64/include/asm/assembler.h | 11 +++++++++++

>  arch/arm64/kernel/entry.S          |  1 +

>  2 files changed, 12 insertions(+)

> 

> diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h

> index 683c2875278f..2b30363a3a89 100644

> --- a/arch/arm64/include/asm/assembler.h

> +++ b/arch/arm64/include/asm/assembler.h

> @@ -102,6 +102,17 @@

>  	hint	#20

>  	.endm

>  

> +/*

> + * Sanitise a 64-bit bounded index wrt speculation, returning zero if out

> + * of bounds.

> + */

> +	.macro	mask_nospec64, idx, limit, tmp

> +	sub	\tmp, \idx, \limit

> +	bic	\tmp, \tmp, \idx

> +	and	\idx, \idx, \tmp, asr #63

> +	csdb

> +	.endm

> +

>  #define USER(l, x...)				\

>  9999:	x;					\

>  	.section __ex_table,"a";		\

> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S

> index 4c5013b09dcb..e6aec982dea9 100644

> --- a/arch/arm64/kernel/entry.S

> +++ b/arch/arm64/kernel/entry.S

> @@ -697,6 +697,7 @@ el0_svc_naked:					// compat entry point

>  	b.ne	__sys_trace

>  	cmp     scno, sc_nr                     // check upper syscall limit

>  	b.hs	ni_sys

> +	mask_nospec64 scno, sc_nr, x19	// enforce bounds for syscall number

>  	ldr	x16, [stbl, scno, lsl #3]	// address in the syscall table

>  	blr	x16				// call sys_* routine

>  	b	ret_fast_syscall

> -- 

> 2.21.0.rc0.269.g1a574e7a288b

>

Patch

diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h
index 683c2875278f..2b30363a3a89 100644
--- a/arch/arm64/include/asm/assembler.h
+++ b/arch/arm64/include/asm/assembler.h
@@ -102,6 +102,17 @@ 
 	hint	#20
 	.endm
 
+/*
+ * Sanitise a 64-bit bounded index wrt speculation, returning zero if out
+ * of bounds.
+ */
+	.macro	mask_nospec64, idx, limit, tmp
+	sub	\tmp, \idx, \limit
+	bic	\tmp, \tmp, \idx
+	and	\idx, \idx, \tmp, asr #63
+	csdb
+	.endm
+
 #define USER(l, x...)				\
 9999:	x;					\
 	.section __ex_table,"a";		\
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 4c5013b09dcb..e6aec982dea9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -697,6 +697,7 @@  el0_svc_naked:					// compat entry point
 	b.ne	__sys_trace
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
+	mask_nospec64 scno, sc_nr, x19	// enforce bounds for syscall number
 	ldr	x16, [stbl, scno, lsl #3]	// address in the syscall table
 	blr	x16				// call sys_* routine
 	b	ret_fast_syscall