From patchwork Mon Oct 15 15:32:18 2018
X-Patchwork-Submitter: David Long
X-Patchwork-Id: 148874
From: David Long
To: Russell King - ARM Linux, Florian Fainelli, Tony Lindgren, Marc Zyngier, Mark Rutland
Cc: Greg KH, Mark Brown
Subject: [PATCH 4.14 24/24] ARM: spectre-v1: mitigate user accesses
Date: Mon, 15 Oct 2018 11:32:18 -0400
Message-Id: <1539617538-22328-25-git-send-email-dave.long@linaro.org>
In-Reply-To: <1539617538-22328-1-git-send-email-dave.long@linaro.org>
References: <1539617538-22328-1-git-send-email-dave.long@linaro.org>

From: Russell King

Commit a3c0f84765bb429ba0fd23de1c57b5e1591c9389 upstream.

Spectre variant 1 attacks are about this sequence of pseudo-code:

	index = load(user-manipulated pointer);
	access(base + index * stride);

In order for the cache side-channel to work, the access() must be made
to memory which userspace can detect whether cache lines have been
loaded. On 32-bit ARM, this must be either user accessible memory, or
a kernel mapping of that same user accessible memory.

The problem occurs when the load() speculatively loads privileged data,
and the subsequent access() is made to user accessible memory.

Any load() which makes use of a user-manipulated pointer is a potential
problem if the data it has loaded is used in a subsequent access. This
also applies for the access() if the data loaded by that access is used
by a subsequent access.

Harden the get_user() accessors against Spectre attacks by forcing out
of bounds addresses to a NULL pointer. This prevents get_user() being
used as the load() step above. As a side effect, put_user() will also
be affected even though it isn't implicated.

Also harden copy_from_user() by redoing the bounds check within the
arm_copy_from_user() code, and NULLing the pointer if out of bounds.

Acked-by: Mark Rutland
Signed-off-by: Russell King
Signed-off-by: David A. Long --- arch/arm/include/asm/assembler.h | 4 ++++ arch/arm/lib/copy_from_user.S | 9 +++++++++ 2 files changed, 13 insertions(+) -- 2.5.0 diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h index 0cd4dcc..b17ee03 100644 --- a/arch/arm/include/asm/assembler.h +++ b/arch/arm/include/asm/assembler.h @@ -460,6 +460,10 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) adds \tmp, \addr, #\size - 1 sbcccs \tmp, \tmp, \limit bcs \bad +#ifdef CONFIG_CPU_SPECTRE + movcs \addr, #0 + csdb +#endif #endif .endm diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S index 7a4b060..a826df3 100644 --- a/arch/arm/lib/copy_from_user.S +++ b/arch/arm/lib/copy_from_user.S @@ -90,6 +90,15 @@ .text ENTRY(arm_copy_from_user) +#ifdef CONFIG_CPU_SPECTRE + get_thread_info r3 + ldr r3, [r3, #TI_ADDR_LIMIT] + adds ip, r1, r2 @ ip=addr+size + sub r3, r3, #1 @ addr_limit - 1 + cmpcc ip, r3 @ if (addr+size > addr_limit - 1) + movcs r1, #0 @ addr = NULL + csdb +#endif #include "copy_template.S"
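Review bot: In the arch/arm/include/asm/assembler.h hunk, the added movcs \addr, #0 sits directly after bcs \bad, so architecturally it can never execute with the carry set and reads as dead code. A short comment saying that it only takes effect when bcs \bad is mispredicted, and that csdb keeps later instructions from speculatively using the un-nulled \addr, would stop someone from removing it in a cleanup. The commit message says put_user() is affected as a side effect; that is worth stating next to the macro too, since nothing in the hunk says which accessors pass through it.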
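Review bot: In the arch/arm/lib/copy_from_user.S hunk, the comment on cmpcc ip, r3 reads "if (addr+size > addr_limit - 1)", but movcs r1, #0 fires whenever the carry is set, which after a compare means ip >= r3, so the pointer is also nulled when addr+size equals addr_limit - 1. Either the comment should say >= or the comparison should be adjusted to the bound that is actually intended. The comment also omits the second path into movcs: a carry out of adds ip, r1, r2 (addr+size wrapping) skips cmpcc and nulls r1 as well, and that deserves a mention.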
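The bounds test applied in the arm_copy_from_user hunk, written as branch-free C to show the pointer being nulled through data flow rather than through a branch the CPU could mispredict. This is an added example, not code from the patch or the kernel; `mask_lt`, `mask_user_range` and the limit value are this example's own assumptions. The kernel does this in assembly with a conditional move followed by csdb, which portable C cannot express, and a compiler is free to lower this C differently.

```c
#include <stdint.h>
#include <stdio.h>

/* All-ones if a < b (unsigned), else zero. The borrow comes out of a
 * 64-bit subtraction, so the result is data flow, not a predicted branch. */
static uint32_t mask_lt(uint32_t a, uint32_t b)
{
    uint64_t diff = (uint64_t)a - (uint64_t)b;   /* top bit set when a < b */
    return (uint32_t)0 - (uint32_t)(diff >> 63);
}

/*
 * Hypothetical helper (name and signature are this example's own).
 * Returns addr unchanged when addr + size does not carry out of 32 bits
 * and addr + size < limit - 1; otherwise returns 0 (NULL), matching the
 * adds / cmpcc / movcs sequence in the copy_from_user.S hunk.
 */
static uint32_t mask_user_range(uint32_t addr, uint32_t size, uint32_t limit)
{
    uint64_t end = (uint64_t)addr + size;        /* bit 32 = carry from adds */
    uint32_t no_carry = mask_lt((uint32_t)(end >> 32), 1);
    uint32_t below = mask_lt((uint32_t)end, limit - 1);
    return addr & no_carry & below;
}

int main(void)
{
    const uint32_t limit = 0xbf000000u;          /* constructed addr_limit */
    const struct { uint32_t addr, size; } cases[] = {
        { 0x00010000u, 0x100u },   /* ordinary user buffer: kept */
        { 0xc0001000u, 0x100u },   /* above the limit: nulled */
        { 0xfffffff0u, 0x20u },    /* addr + size wraps: nulled */
        { 0xbefffffeu, 0x1u },     /* addr + size == limit - 1: nulled */
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("addr=%#010x size=%#x -> %#010x\n",
               (unsigned)cases[i].addr, (unsigned)cases[i].size,
               (unsigned)mask_user_range(cases[i].addr, cases[i].size, limit));
    return 0;
}
```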