From patchwork Thu Aug 1 08:16:11 2019
X-Patchwork-Submitter: Viresh Kumar
X-Patchwork-Id: 170334
From: Viresh Kumar
To: stable@vger.kernel.org
Cc: Viresh Kumar, Julien Thierry, linux-arm-kernel@lists.infradead.org, Catalin Marinas, Marc Zyngier, Mark Rutland, Will Deacon, Russell King, Vincent Guittot, mark.brown@arm.com, guohanjun@huawei.com
Subject: [PATCH ARM32 v4.4 V2 27/47] ARM: spectre-v1: mitigate user accesses
Date: Thu, 1 Aug 2019 13:46:11 +0530
Message-Id: <86231c8cbaacc44285a235db704e1029ae8ec64a.1564646727.git.viresh.kumar@linaro.org>
X-Mailer: git-send-email 2.21.0.rc0.269.g1a574e7a288b
X-Mailing-List: stable@vger.kernel.org

From: Russell King

Commit a3c0f84765bb429ba0fd23de1c57b5e1591c9389 upstream.

Spectre variant 1 attacks are about this sequence of pseudo-code:

	index = load(user-manipulated pointer);
	access(base + index * stride);

In order for the cache side-channel to work, the access() must be made
to memory which userspace can detect whether cache lines have been
loaded. On 32-bit ARM, this must be either user accessible memory, or
a kernel mapping of that same user accessible memory.

The problem occurs when the load() speculatively loads privileged data,
and the subsequent access() is made to user accessible memory.

Any load() which makes use of a user-manipulated pointer is a potential
problem if the data it has loaded is used in a subsequent access. This
also applies for the access() if the data loaded by that access is used
by a subsequent access.

Harden the get_user() accessors against Spectre attacks by forcing out
of bounds addresses to a NULL pointer. This prevents get_user() being
used as the load() step above. As a side effect, put_user() will also
be affected even though it isn't implicated.

Also harden copy_from_user() by redoing the bounds check within the
arm_copy_from_user() code, and NULLing the pointer if out of bounds.

Acked-by: Mark Rutland
Signed-off-by: Russell King
Signed-off-by: David A. Long
Signed-off-by: Viresh Kumar
---
 arch/arm/include/asm/assembler.h | 4 ++++
 arch/arm/lib/copy_from_user.S | 9 +++++++++
 2 files changed, 13 insertions(+)

-- 
2.21.0.rc0.269.g1a574e7a288b

diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h index 307901f88a1e..483481c6937e 100644 --- a/arch/arm/include/asm/assembler.h +++ b/arch/arm/include/asm/assembler.h @@ -454,6 +454,10 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) adds \tmp, \addr, #\size - 1 sbcccs \tmp, \tmp, \limit bcs \bad +#ifdef CONFIG_CPU_SPECTRE + movcs \addr, #0 + csdb +#endif #endif .endm 
diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S index 1512bebfbf1b..d36329cefedc 100644 --- a/arch/arm/lib/copy_from_user.S +++ b/arch/arm/lib/copy_from_user.S @@ -90,6 +90,15 @@ .text ENTRY(arm_copy_from_user) +#ifdef CONFIG_CPU_SPECTRE + get_thread_info r3 + ldr r3, [r3, #TI_ADDR_LIMIT] + adds ip, r1, r2 @ ip=addr+size + sub r3, r3, #1 @ addr_limit - 1 + cmpcc ip, r3 @ if (addr+size > addr_limit - 1) + movcs r1, #0 @ addr = NULL + csdb +#endif #include "copy_template.S"
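
Review bot: In the arch/arm/include/asm/assembler.h hunk, the added `movcs \addr, #0` sits directly after `bcs \bad`, so whenever carry is set the branch is taken and the move never executes architecturally; it only has an effect on a mispredicted fall-through path, and nothing in the macro says so. A short comment above the `#ifdef CONFIG_CPU_SPECTRE` block stating that the `movcs`/`csdb` pair exists to NULL the pointer under misprediction of the preceding `bcs` would keep a later cleanup from removing it as dead code.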
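
Review bot: In the arch/arm/lib/copy_from_user.S hunk, the comment on `cmpcc ip, r3` reads "addr+size > addr_limit - 1", but the `movcs` that follows tests carry, which after `cmp` means unsigned higher or same, so r1 is also zeroed when addr+size equals addr_limit - 1. The comment should say `>=`, or the bound should be adjusted if the equal case is meant to pass; unlike the `bcs \bad` check in the assembler.h hunk there is no error branch here, so in that case the code continues into copy_template.S with r1 set to 0. It would also help to note in a comment that `cmpcc` is skipped when the `adds` wraps, so in that case it is the carry from the addition that reaches `movcs`.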