From patchwork Wed Oct 31 14:04:36 2018
X-Patchwork-Submitter: David Long
X-Patchwork-Id: 149837
From: David Long
To: stable@vger.kernel.org, Russell King - ARM Linux, Florian Fainelli, Tony Lindgren, Marc Zyngier, Mark Rutland
Cc: Greg KH, Mark Brown
Subject: [PATCH 4.4 18/18] ARM: spectre-v1: mitigate user accesses
Date: Wed, 31 Oct 2018 10:04:36 -0400
Message-Id: <20181031140436.2964-19-dave.long@linaro.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181031140436.2964-1-dave.long@linaro.org>
References: <20181031140436.2964-1-dave.long@linaro.org>

From: Russell King

Commit a3c0f84765bb429ba0fd23de1c57b5e1591c9389 upstream.

Spectre variant 1 attacks are about this sequence of pseudo-code:

	index = load(user-manipulated pointer);
	access(base + index * stride);

In order for the cache side-channel to work, the access() must be made
to memory which userspace can detect whether cache lines have been
loaded. On 32-bit ARM, this must be either user accessible memory, or
a kernel mapping of that same user accessible memory.

The problem occurs when the load() speculatively loads privileged data,
and the subsequent access() is made to user accessible memory.

Any load() which makes use of a user-manipulated pointer is a potential
problem if the data it has loaded is used in a subsequent access. This
also applies for the access() if the data loaded by that access is used
by a subsequent access.

Harden the get_user() accessors against Spectre attacks by forcing out
of bounds addresses to a NULL pointer. This prevents get_user() being
used as the load() step above. As a side effect, put_user() will also
be affected even though it isn't implicated.

Also harden copy_from_user() by redoing the bounds check within the
arm_copy_from_user() code, and NULLing the pointer if out of bounds.

Acked-by: Mark Rutland
Signed-off-by: Russell King
Signed-off-by: David A. Long --- arch/arm/include/asm/assembler.h | 4 ++++ arch/arm/lib/copy_from_user.S | 9 +++++++++ 2 files changed, 13 insertions(+) -- 2.17.1 diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h index 307901f88a1e..483481c6937e 100644 --- a/arch/arm/include/asm/assembler.h +++ b/arch/arm/include/asm/assembler.h @@ -454,6 +454,10 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) adds \tmp, \addr, #\size - 1 sbcccs \tmp, \tmp, \limit bcs \bad +#ifdef CONFIG_CPU_SPECTRE + movcs \addr, #0 + csdb +#endif #endif .endm diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S index 1512bebfbf1b..d36329cefedc 100644 --- a/arch/arm/lib/copy_from_user.S +++ b/arch/arm/lib/copy_from_user.S @@ -90,6 +90,15 @@ .text ENTRY(arm_copy_from_user) +#ifdef CONFIG_CPU_SPECTRE + get_thread_info r3 + ldr r3, [r3, #TI_ADDR_LIMIT] + adds ip, r1, r2 @ ip=addr+size + sub r3, r3, #1 @ addr_limit - 1 + cmpcc ip, r3 @ if (addr+size > addr_limit - 1) + movcs r1, #0 @ addr = NULL + csdb +#endif #include "copy_template.S"
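
Review bot: In the arch/arm/include/asm/assembler.h hunk, `movcs \addr, #0` sits directly after `bcs \bad` and uses the same condition, so in architectural execution it is never reached with carry set and reads like dead code. A short comment on those two added lines saying that the `movcs` only takes effect when the preceding branch is mispredicted, and that the `csdb` must stay paired with it, would keep a later cleanup from removing the sequence as redundant.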
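
Review bot: In the arch/arm/lib/copy_from_user.S hunk, the comment on `cmpcc ip, r3` says `addr+size > addr_limit - 1`, but `movcs` after a `cmp` fires on unsigned higher-or-same, so r1 is zeroed when addr+size >= addr_limit - 1. Either change the comment to `>=` or adjust the comparison so it matches the stated condition, and confirm that it rejects the same range as the `adds \tmp, \addr, #\size - 1` / `sbcccs \tmp, \tmp, \limit` check in the assembler.h hunk, which is written in a different form. A comment that a carry out of `adds ip, r1, r2` skips the `cmpcc` and falls straight into `movcs` would also help, since the wrap-around case is handled only implicitly.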