From patchwork Mon Feb 26 08:19:44 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alex Shi X-Patchwork-Id: 129566 Delivered-To: patch@linaro.org Received: by 10.46.66.2 with SMTP id p2csp3356190lja; Mon, 26 Feb 2018 00:22:31 -0800 (PST) X-Google-Smtp-Source: AH8x2248pImNHeZr5HhKkJJgfB+zItBfZ2br2xHcnuD9QyJp+yvWB4OaaYpmkdTLXgwvFPAZyoXS X-Received: by 10.99.120.197 with SMTP id t188mr7788786pgc.358.1519633351028; Mon, 26 Feb 2018 00:22:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519633351; cv=none; d=google.com; s=arc-20160816; b=GndVuyBDcbWhI5N+PU3UDLTRgeVHgdm6w2G3BKPI6vsBZ+FI6ufVP4crQpdF4GcNeG dmNAPcH6FQ/dA9fRnxdeEehL8Q0QiD1BLb42HyDIRtu8JX1SLzGjzDMlF6V9sufBe7K7 J+FGdeYhbziAUt8Af+/vdNN7YZfsCjge4CnDddRuQ7kYXWgjpQBnqQTSxO0nZxN3A0BP lwSlihzO0PCjA3nTQVYjWjj+4uC3xVbccotKG0M5G79A+gIO9CNY2vosAEdgF/sR67T7 AWMabqgocqKwEjXycx97mS9UqBMlTYdDaeCAqIrfOQFyuDSvjFdG5Sl3dG8NTcDgWZot yh2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=i4j5LLlcJTrNi6a03osuM7FMBFfhyS0MAdksfWz86sU=; b=SgdfdeO1R4gRRAdxmZe8goPlFe/t0y7SeefQ//TQw9CHXHUUeUv5poU1kCZouA2Tgs G0G4s8dTablusZHpdxxATC+LpP2+JPHRH5P9rVy7ahMv5BJnju1ptUbU5BustEtk1ITF qndow0SbnthMWBTrCD65mJCC6VB+3yatC8DMZayk7W+CnY1T/4RoPb/p1V0Ml8o4nKFq R5ynLMc4P+ZqmzD5wuFQmSySR0A177/kztdII6Lvl4YDmFbin5Hu8a/at+1VZbUa6k5K RokPX/3ruGUEWzxe2eLG1NcYgTWyjWv1nwcPqfoO4YG7cEAMyvF7LwqGf7c/9GxMpxuS x8qA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=JAXXbMCF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q3si5259730pgp.632.2018.02.26.00.22.30; Mon, 26 Feb 2018 00:22:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=JAXXbMCF; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752418AbeBZIW1 (ORCPT + 28 others); Mon, 26 Feb 2018 03:22:27 -0500 Received: from mail-pg0-f66.google.com ([74.125.83.66]:34067 "EHLO mail-pg0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752355AbeBZIWU (ORCPT ); Mon, 26 Feb 2018 03:22:20 -0500 Received: by mail-pg0-f66.google.com with SMTP id m19so5916951pgn.1 for ; Mon, 26 Feb 2018 00:22:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=i4j5LLlcJTrNi6a03osuM7FMBFfhyS0MAdksfWz86sU=; b=JAXXbMCFb1ywC7DpCbKF9Md+/6NZLBeBNU/5p9nQW44JJHgLVsijAuPprSsoWWT8r8 Iez3tDbLbtVRIlMjyyubTxKSFyo1KXxFHWg9bs9MiCS8MP60KANfh02NIvU40WIgXj3u u3o4rkybMjWSWGC0O3qTMC+AurxbDZkQL15Xs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=i4j5LLlcJTrNi6a03osuM7FMBFfhyS0MAdksfWz86sU=; b=EhrfEq6pWzIuiYOs6psakJT2vPhY6FtHP/9gZVCM0hGmD8+0ZfyBgJGEK3Nj5S/TP9 8aRl8k66HS0TBHy2iPgozlMNQjjjT/Nho2MFL4jbQqL0oJI0hwutIt3t4SulsgJ/EmDr P1YMrfiu12f2dlIn0N6VmW2I7LX0PThmrX8JXWSb06G2vBCIimlusaV48ag9upTT9Z0Q hAo9sEyWRGZYlgrXbWbLAeFfcnk01eqPJ4GzrqT/RCi6+UvsiiCtktR+o2jcvPHm1FiT RvVLcl45fnfQEeRYs64k1BbZBlcnI45omrhmSrlkL5qdI1DLd4lNmZR/xMPA/v+R71d8 u1uA== X-Gm-Message-State: APf1xPDsxeFFp+6ap3r7YaAC/vcJeq0u+KlON+ZkUh9FqbNrtgY1RHed I0kL/Y9acl3UbpCLEwIE617gOA== X-Received: by 10.101.99.205 with SMTP id n13mr7925896pgv.345.1519633339675; Mon, 26 Feb 2018 00:22:19 -0800 (PST) Received: from localhost.localdomain (176.122.172.82.16clouds.com. [176.122.172.82]) by smtp.gmail.com with ESMTPSA id o86sm1422706pfi.87.2018.02.26.00.22.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 26 Feb 2018 00:22:19 -0800 (PST) From: Alex Shi To: Marc Zyngier , Will Deacon , Ard Biesheuvel , Catalin Marinas , stable@vger.kernel.org, linux-arm-kernel@lists.infradead.org (moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)), linux-kernel@vger.kernel.org (open list) Cc: Robin Murphy Subject: [PATCH 10/52] arm64: Use pointer masking to limit uaccess speculation Date: Mon, 26 Feb 2018 16:19:44 +0800 Message-Id: <1519633227-29832-11-git-send-email-alex.shi@linaro.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1519633227-29832-1-git-send-email-alex.shi@linaro.org> References: <1519633227-29832-1-git-send-email-alex.shi@linaro.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Robin Murphy commit 4d8efc2d5ee4 upstream. Similarly to x86, mitigate speculation past an access_ok() check by masking the pointer against the address limit before use. Even if we don't expect speculative writes per se, it is plausible that a CPU may still speculate at least as far as fetching a cache line for writing, hence we also harden put_user() and clear_user() for peace of mind. Signed-off-by: Robin Murphy Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas --- arch/arm64/include/asm/uaccess.h | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) -- 2.7.4 diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 7b1eb49..3531fec 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -170,6 +170,26 @@ static inline void uaccess_enable_not_uao(void) } /* + * Sanitise a uaccess pointer such that it becomes NULL if above the + * current addr_limit. + */ +#define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) +static inline void __user *__uaccess_mask_ptr(const void __user *ptr) +{ + void __user *safe_ptr; + + asm volatile( + " bics xzr, %1, %2\n" + " csel %0, %1, xzr, eq\n" + : "=&r" (safe_ptr) + : "r" (ptr), "r" (current_thread_info()->addr_limit) + : "cc"); + + csdb(); + return safe_ptr; +} + +/* * The "__xxx" versions of the user access functions do not verify the address * space - it must have been done previously with a separate "access_ok()" * call. @@ -241,7 +261,7 @@ do { \ __typeof__(*(ptr)) __user *__p = (ptr); \ might_fault(); \ access_ok(VERIFY_READ, __p, sizeof(*__p)) ? \ - __get_user((x), __p) : \ + __p = uaccess_mask_ptr(__p), __get_user((x), __p) : \ ((x) = 0, -EFAULT); \ }) @@ -307,7 +327,7 @@ do { \ __typeof__(*(ptr)) __user *__p = (ptr); \ might_fault(); \ access_ok(VERIFY_WRITE, __p, sizeof(*__p)) ? \ - __put_user((x), __p) : \ + __p = uaccess_mask_ptr(__p), __put_user((x), __p) : \ -EFAULT; \ }) @@ -368,7 +388,7 @@ static inline unsigned long __must_check copy_in_user(void __user *to, const voi static inline unsigned long __must_check clear_user(void __user *to, unsigned long n) { if (access_ok(VERIFY_WRITE, to, n)) - n = __clear_user(to, n); + n = __clear_user(__uaccess_mask_ptr(to), n); return n; }