From patchwork Fri Jun 19 14:30:51 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 191207 Delivered-To: patch@linaro.org Received: by 2002:a92:cf06:0:0:0:0:0 with SMTP id c6csp593981ilo; Fri, 19 Jun 2020 07:46:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyx4awCIMrJ+Li4cVRmqJF7cAoxO5gdzBtdqUoptwNHMUQVzr41kXcijL0HOdf01ld10ZjA X-Received: by 2002:a17:906:8699:: with SMTP id g25mr4147166ejx.217.1592577965606; Fri, 19 Jun 2020 07:46:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592577965; cv=none; d=google.com; s=arc-20160816; b=JXIK/EogA8I6U0IG9QWRmXIYCZOjyySkQq8KB/Twq35L8O5/KTworSf407Y02K251V uCz01ahTcwrJo0d3bF62m+mid67gcI4gRgwVrbxnOm8OQHNSz09eILewTzRBgBTv3yBy 5WxaU9h8wPNxsDo2TRBURIq5fQqfntbQ31gLi7MfugAl7De8gMObCo57kCjl4Inh426H B0R6rj725ezQt2eM/p9nSSaLB2zpv2UZuXYj/S1CMfGh5CJekx0h51d6WG5sGkesAAQc /lHQvNhqTzERtc0kYpxpcSEQV5uiuduCGQCF67PCYqZahrved6QPjSv18bRMg56wGZZb JaSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=xRr1qqxMLApmF54lpVPL7kROHoUZQkiqbPhOesEs+UE=; b=y/rCGiiVnwSkv2mxxKyBEiLAnBCkua7fj6Gjtowww5riajLXy61COQRNH5bm1+PxFW dUX7EY35BLkT4DaqLOsTrHq9ujpJVMbBjHhX83FNTYm20Sek8/zoKBKX1R562Vs9ERsm ia+B5pRHZL/AzkQ5/k8bFdhopNSSfd7+Hw+LBCws/BysRRM50Lc7JkhhxYls9/lbfpWu 3+jk1GYHWmY0VqdLdFa8nOqGPw/I+tCk9jAPs+W0mOczS5uZE8CFb5dvkEeGR0aJPTLw 1yUtwgPePv4eHUW90m6Bc/IhBvTVEb3FWbPQHwowGI6WF/yl0SFpTVZP/I+FzSPSHvKp ereA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=lzp+XAKH; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jw12si3899729ejb.392.2020.06.19.07.46.05; Fri, 19 Jun 2020 07:46:05 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=lzp+XAKH; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388793AbgFSOqD (ORCPT + 15 others); Fri, 19 Jun 2020 10:46:03 -0400 Received: from mail.kernel.org ([198.145.29.99]:37722 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388787AbgFSOqC (ORCPT ); Fri, 19 Jun 2020 10:46:02 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 924F92083B; Fri, 19 Jun 2020 14:46:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1592577962; bh=97KhVImh3fMbPEhCdHz6ESrRxmRllU7uaOXxayOKOV8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lzp+XAKHH39Jp+HmviDVl8J2GtQEmQDk1bkQsmrcnkPc7hPTdP+VlZECbEaFF/49C lCPWtvMSiM27Ap+CRziGUJyFxBe9NmrwMFYyejw7tDj11lJtEbtc70yOv3ymMSsobr DXeaA5pw8Ralx3CWdkbnU6KTn48dPFF/TUYqVkOI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Julien Thierry , Will Deacon , Linus Torvalds , Miles Chen Subject: [PATCH 4.14 006/190] x86: uaccess: Inhibit speculation past access_ok() in user_access_begin() Date: Fri, 19 Jun 2020 16:30:51 +0200 Message-Id: <20200619141633.788051361@linuxfoundation.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200619141633.446429600@linuxfoundation.org> References: <20200619141633.446429600@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Will Deacon commit 6e693b3ffecb0b478c7050b44a4842854154f715 upstream. Commit 594cc251fdd0 ("make 'user_access_begin()' do 'access_ok()'") makes the access_ok() check part of the user_access_begin() preceding a series of 'unsafe' accesses. This has the desirable effect of ensuring that all 'unsafe' accesses have been range-checked, without having to pick through all of the callsites to verify whether the appropriate checking has been made. However, the consolidated range check does not inhibit speculation, so it is still up to the caller to ensure that they are not susceptible to any speculative side-channel attacks for user addresses that ultimately fail the access_ok() check. This is an oversight, so use __uaccess_begin_nospec() to ensure that speculation is inhibited until the access_ok() check has passed. Reported-by: Julien Thierry Signed-off-by: Will Deacon Signed-off-by: Linus Torvalds Cc: Miles Chen Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/uaccess.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -717,7 +717,7 @@ static __must_check inline bool user_acc { if (unlikely(!access_ok(type, ptr, len))) return 0; - __uaccess_begin(); + __uaccess_begin_nospec(); return 1; }