From patchwork Fri Jul 12 05:27:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Viresh Kumar X-Patchwork-Id: 168864 Delivered-To: patch@linaro.org Received: by 2002:a92:4782:0:0:0:0:0 with SMTP id e2csp394434ilk; Thu, 11 Jul 2019 22:29:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqzo/IMVQIeBSK/BpEYbGF0zNvczHsNvZtAKlwBYv+YoAtZDjrU986DkTwO1ifct+XTkshem X-Received: by 2002:a63:4404:: with SMTP id r4mr8498985pga.245.1562909355128; Thu, 11 Jul 2019 22:29:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562909355; cv=none; d=google.com; s=arc-20160816; b=GGfx3qa5E1lGgxe2lCETf6pCuHOc1uUOqVMXb3KmAaCsZ3vEIeOd7wIiA96G1ieImf +/Kvb7lq6LSLSkCgJSR770rrKF2vh5WfSbOWZ8Ua40FUQ5J6qurx/EqqOn2H4cEdt6RL /i6LKgwQPCQg30A8p55TKGsVpPyDtav7UHTvpwtZaLyti7+g2W4px6x8STZlLJdUFRrd rbW6f03DcqHoA7pY13tkm+24u9XJOuJEuIcXi4AApH1gW+lNTZVJk6Mbp89vS62eoAQB QrVS4wrPgFBZtqSJK5Hafvv4H/yUP/umSKdMm2j0TmDZ0FMHyoKOXR6QufqgJpV3KSbe Z3Jg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=oplH30x1zLW/kw5XTQuFI7s72sVvdi1RahKBb4zAIVI=; b=oAZSjwfAcUU73UsoY+KyKPmlQLyYoitGBzP3baoXrPYnFff2+X56qt7dHt6J46hOAe yWrxS1EwQkp/OOmHOxgPTQEBnUFWF6oHOQR7eeJcDHtvFN9EwKN1GAc7PrImA+3jtIOd S+d5UBMaORpRPY4AGSeVIX/RytpA0yPDjgO+7D7TOgvs/uf2PgtqGcAswSW9l7J1JNcr 2j3gJuqi9swLwc95PqUiy3I8A5TnaX20ulRgAKBYYqMtkBUXEx2LqRRpaa5M23FzRjfy w4wwsLeCO4cid8/nNZ8UYpod6q8ufXT4+LBmtxp9X9Ez6+cDMiFLI35WIBAuo8HtothE r+0A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=eaes5zcg; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e36si5303191pgm.17.2019.07.11.22.29.14; Thu, 11 Jul 2019 22:29:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=eaes5zcg; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726031AbfGLF3O (ORCPT + 13 others); Fri, 12 Jul 2019 01:29:14 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:42695 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725791AbfGLF3O (ORCPT ); Fri, 12 Jul 2019 01:29:14 -0400 Received: by mail-pg1-f193.google.com with SMTP id t132so3992189pgb.9 for ; Thu, 11 Jul 2019 22:29:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=oplH30x1zLW/kw5XTQuFI7s72sVvdi1RahKBb4zAIVI=; b=eaes5zcgp44lXt6A5g4+fUxCC1ls9h/X8hAy28QuZtZMD6AhLT94Fh11hOM2uLjsaT obGqKrqcKmP6ZW+32H2nZ7w2JwPPtS4yBtSNQMCAAQD8Pu+SGM2kfXPurwyUrM25/bX6 LvSH7O2WsNuUTX6AmZ2BWi4PlLRGTfdvNTmGZIyL6k4ZgbDqhRRrqbYaWBXOv+Df2pTn LMbeKC/td9b+cPHPvrv173y8fJ6gCLUUKudhxCo09n1btwp/ZFR1i7tQLMGpyqqs/6S8 2akxlq9oUecJlXcLc/wWJtAjUbaPZQpg+3BrBAHeQR/PGKy380/KeFy2yB/E2mvylW1o VlGg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=oplH30x1zLW/kw5XTQuFI7s72sVvdi1RahKBb4zAIVI=; b=YzWHSpQ0ssHnQ4C+xS2hgXm5y2loO3L52nwCdxKUiytqrWFOl3IaTcAwX0iY9TcLqt DixvwT9Ns+Jwt6pPbXrTVUY6sf+FrQ1saWHfHCNbzy69U0WkkipTY9kC1P1u3twtqYsS eEvg22QhSSCMXmcX4QsI4W6Of/36conBWaMJ3LHw3vsx+nvjNcB7d4B3Ux8z1HBxP+27 tgCpaMG2JNCfxzJt66VH2OvZ1c332bXUhIaChu0KL8dLhRzfRQwq3NmFBeGceJyp225Q KAoaFvWF5QoZojvbINlkTCGnL/qEhJ4lmCIu/sudgoegfDTG4FjzwgMNqzDYr/9YTRaF l4sA== X-Gm-Message-State: APjAAAVkdL0Ca0HO2t+FnjOsWD/ahkK6RMTNQiWnxOJB6598ztjQGuUX Oh69d0YMyUvWXRe5D59VTdPNyix1bDA= X-Received: by 2002:a17:90a:d151:: with SMTP id t17mr9328073pjw.60.1562909353263; Thu, 11 Jul 2019 22:29:13 -0700 (PDT) Received: from localhost ([122.172.28.117]) by smtp.gmail.com with ESMTPSA id r9sm10746373pjq.3.2019.07.11.22.29.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Jul 2019 22:29:12 -0700 (PDT) From: Viresh Kumar To: stable@vger.kernel.org, Julien Thierry Cc: Viresh Kumar , linux-arm-kernel@lists.infradead.org, Catalin Marinas , Marc Zyngier , Mark Rutland , Will Deacon , Russell King , Vincent Guittot , mark.brown@arm.com Subject: [PATCH v4.4 V2 05/43] arm64: Use pointer masking to limit uaccess speculation Date: Fri, 12 Jul 2019 10:57:53 +0530 Message-Id: <99d86496bf2e822479ec7f26faa6a6d31d4e5524.1562908075.git.viresh.kumar@linaro.org> X-Mailer: git-send-email 2.21.0.rc0.269.g1a574e7a288b In-Reply-To: References: MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Robin Murphy commit 4d8efc2d5ee4c9ccfeb29ee8afd47a8660d0c0ce upstream. Similarly to x86, mitigate speculation past an access_ok() check by masking the pointer against the address limit before use. Even if we don't expect speculative writes per se, it is plausible that a CPU may still speculate at least as far as fetching a cache line for writing, hence we also harden put_user() and clear_user() for peace of mind. Signed-off-by: Robin Murphy Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Viresh Kumar --- arch/arm64/include/asm/uaccess.h | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) -- 2.21.0.rc0.269.g1a574e7a288b diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index c625cc5531fc..75363d723262 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -121,6 +121,26 @@ static inline unsigned long __range_ok(unsigned long addr, unsigned long size) #define access_ok(type, addr, size) __range_ok((unsigned long)(addr), size) #define user_addr_max get_fs +/* + * Sanitise a uaccess pointer such that it becomes NULL if above the + * current addr_limit. + */ +#define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) +static inline void __user *__uaccess_mask_ptr(const void __user *ptr) +{ + void __user *safe_ptr; + + asm volatile( + " bics xzr, %1, %2\n" + " csel %0, %1, xzr, eq\n" + : "=&r" (safe_ptr) + : "r" (ptr), "r" (current_thread_info()->addr_limit) + : "cc"); + + csdb(); + return safe_ptr; +} + /* * The "__xxx" versions of the user access functions do not verify the address * space - it must have been done previously with a separate "access_ok()" @@ -193,7 +213,7 @@ do { \ __typeof__(*(ptr)) __user *__p = (ptr); \ might_fault(); \ access_ok(VERIFY_READ, __p, sizeof(*__p)) ? \ - __get_user((x), __p) : \ + __p = uaccess_mask_ptr(__p), __get_user((x), __p) : \ ((x) = 0, -EFAULT); \ }) @@ -259,7 +279,7 @@ do { \ __typeof__(*(ptr)) __user *__p = (ptr); \ might_fault(); \ access_ok(VERIFY_WRITE, __p, sizeof(*__p)) ? \ - __put_user((x), __p) : \ + __p = uaccess_mask_ptr(__p), __put_user((x), __p) : \ -EFAULT; \ }) @@ -297,7 +317,7 @@ static inline unsigned long __must_check copy_in_user(void __user *to, const voi static inline unsigned long __must_check clear_user(void __user *to, unsigned long n) { if (access_ok(VERIFY_WRITE, to, n)) - n = __clear_user(to, n); + n = __clear_user(__uaccess_mask_ptr(to), n); return n; }