From patchwork Wed Oct 31 13:57:13 2018
X-Patchwork-Submitter: David Long
X-Patchwork-Id: 149818
From: David Long
To: stable@vger.kernel.org, Russell King - ARM Linux, Florian Fainelli, Tony Lindgren, Marc Zyngier, Mark Rutland
Cc: Greg KH, Mark Brown
Subject: [PATCH 4.9 24/24] ARM: spectre-v1: mitigate user accesses
Date: Wed, 31 Oct 2018 09:57:13 -0400
Message-Id: <20181031135713.2873-25-dave.long@linaro.org>
In-Reply-To: <20181031135713.2873-1-dave.long@linaro.org>
References: <20181031135713.2873-1-dave.long@linaro.org>

From: Russell King

Commit a3c0f84765bb429ba0fd23de1c57b5e1591c9389 upstream.

Spectre variant 1 attacks are about this sequence of pseudo-code:

	index = load(user-manipulated pointer);
	access(base + index * stride);

In order for the cache side-channel to work, the access() must be made
to memory which userspace can detect whether cache lines have been
loaded. On 32-bit ARM, this must be either user accessible memory, or
a kernel mapping of that same user accessible memory.

The problem occurs when the load() speculatively loads privileged data,
and the subsequent access() is made to user accessible memory.

Any load() which makes use of a user-manipulated pointer is a potential
problem if the data it has loaded is used in a subsequent access. This
also applies for the access() if the data loaded by that access is used
by a subsequent access.

Harden the get_user() accessors against Spectre attacks by forcing out
of bounds addresses to a NULL pointer. This prevents get_user() being
used as the load() step above. As a side effect, put_user() will also
be affected even though it isn't implicated.

Also harden copy_from_user() by redoing the bounds check within the
arm_copy_from_user() code, and NULLing the pointer if out of bounds.

Acked-by: Mark Rutland
Signed-off-by: Russell King
Signed-off-by: David A. Long --- arch/arm/include/asm/assembler.h | 4 ++++ arch/arm/lib/copy_from_user.S | 9 +++++++++ 2 files changed, 13 insertions(+) -- 2.17.1 diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h index 189f3b42baea..e616f61f859d 100644 --- a/arch/arm/include/asm/assembler.h +++ b/arch/arm/include/asm/assembler.h @@ -458,6 +458,10 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) adds \tmp, \addr, #\size - 1 sbcccs \tmp, \tmp, \limit bcs \bad +#ifdef CONFIG_CPU_SPECTRE + movcs \addr, #0 + csdb +#endif #endif .endm diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S index 7a4b06049001..a826df3d3814 100644 --- a/arch/arm/lib/copy_from_user.S +++ b/arch/arm/lib/copy_from_user.S @@ -90,6 +90,15 @@ .text ENTRY(arm_copy_from_user) +#ifdef CONFIG_CPU_SPECTRE + get_thread_info r3 + ldr r3, [r3, #TI_ADDR_LIMIT] + adds ip, r1, r2 @ ip=addr+size + sub r3, r3, #1 @ addr_limit - 1 + cmpcc ip, r3 @ if (addr+size > addr_limit - 1) + movcs r1, #0 @ addr = NULL + csdb +#endif #include "copy_template.S"
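Review bot: the `movcs \addr, #0` / `csdb` pair added after `bcs \bad` in arch/arm/include/asm/assembler.h needs a comment explaining why it is there. Architecturally the branch is always taken when carry is set, so the `movcs` can only take effect on a mispredicted, speculative fall-through; without a note to that effect it reads as dead code and is an easy target for a later cleanup. A short comment above the `#ifdef CONFIG_CPU_SPECTRE` saying that the address is forced to NULL for the speculative path and that `csdb` is the barrier that makes the conditional move effective would be enough. It would also help to state in the macro's documentation that \addr may now be modified by the macro, since callers previously could treat it as input-only.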
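Review bot: the comment on `cmpcc ip, r3` in arch/arm/lib/copy_from_user.S does not match the condition that `movcs r1, #0` tests. The comment reads `addr+size > addr_limit - 1`, but carry-set after a `cmp` means unsigned greater-or-equal, so the pointer is NULLed when addr+size >= addr_limit - 1. This also differs in form from the check in the assembler.h hunk, which computes `\addr + #\size - 1` before comparing against the limit. Please either adjust the comparison so the boundary case matches the existing range check, or correct the comment and say in the commit message that the stricter bound is intended. It is also worth a one-line comment that the carry out of `adds ip, r1, r2` (address wrap-around) skips the `cmpcc` and reaches `movcs` with carry still set, since that is what makes the sequence safe for overflowing addr+size and is not obvious on first read.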