|
Message-ID: <151632011850.21271.10818623225693888975.stgit@dwillia2-desk3.amr.corp.intel.com> Date: Thu, 18 Jan 2018 16:01:58 -0800 From: Dan Williams <dan.j.williams@...el.com> To: linux-kernel@...r.kernel.org Cc: linux-arch@...r.kernel.org, Tom Lendacky <thomas.lendacky@....com>, Andi Kleen <ak@...ux.intel.com>, Kees Cook <keescook@...omium.org>, kernel-hardening@...ts.openwall.com, gregkh@...uxfoundation.org, x86@...nel.org, Ingo Molnar <mingo@...hat.com>, Al Viro <viro@...iv.linux.org.uk>, "H. Peter Anvin" <hpa@...or.com>, tglx@...utronix.de, torvalds@...ux-foundation.org, akpm@...ux-foundation.org, alan@...ux.intel.com Subject: [PATCH v4 04/10] x86: introduce __uaccess_begin_nospec and ifence For '__get_user' paths, do not allow the kernel to speculate on the value of a user controlled pointer. In addition to the 'stac' instruction for Supervisor Mode Access Protection, an 'ifence' causes the 'access_ok' result to resolve in the pipeline before the cpu might take any speculative action on the pointer value. Since __get_user is a major kernel interface that deals with user controlled pointers, the '__uaccess_begin_nospec' mechanism will prevent speculative execution past an 'access_ok' permission check. While speculative execution past 'access_ok' is not enough to lead to a kernel memory leak, it is a necessary precondition. To be clear, '__uaccess_begin_nospec' is addressing a class of potential problems near '__get_user' usages. Note, that while ifence is used to protect '__get_user', pointer masking will be used for 'get_user' since it incorporates a bounds check near the usage. There are no functional changes in this patch. Suggested-by: Linus Torvalds <torvalds@...ux-foundation.org> Suggested-by: Andi Kleen <ak@...ux.intel.com> Cc: Tom Lendacky <thomas.lendacky@....com> Cc: Al Viro <viro@...iv.linux.org.uk> Cc: Kees Cook <keescook@...omium.org> Cc: Thomas Gleixner <tglx@...utronix.de> Cc: "H. Peter Anvin" <hpa@...or.com> Cc: Ingo Molnar <mingo@...hat.com> Cc: x86@...nel.org Signed-off-by: Dan Williams <dan.j.williams@...el.com> --- arch/x86/include/asm/barrier.h | 4 ++++ arch/x86/include/asm/msr.h | 3 +-- arch/x86/include/asm/uaccess.h | 9 +++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h index 67f6d4707a2c..0f48c832d1fb 100644 --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -48,6 +48,10 @@ static inline unsigned long array_ptr_mask(unsigned long idx, unsigned long sz) return mask; } +/* prevent speculative execution past this barrier */ +#define ifence() alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, \ + "lfence", X86_FEATURE_LFENCE_RDTSC) + #ifdef CONFIG_X86_PPRO_FENCE #define dma_rmb() rmb() #else diff --git a/arch/x86/include/asm/msr.h b/arch/x86/include/asm/msr.h index 07962f5f6fba..e426d2a33ff3 100644 --- a/arch/x86/include/asm/msr.h +++ b/arch/x86/include/asm/msr.h @@ -214,8 +214,7 @@ static __always_inline unsigned long long rdtsc_ordered(void) * that some other imaginary CPU is updating continuously with a * time stamp. */ - alternative_2("", "mfence", X86_FEATURE_MFENCE_RDTSC, - "lfence", X86_FEATURE_LFENCE_RDTSC); + ifence(); return rdtsc(); } diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 574dff4d2913..626caf58183a 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -124,6 +124,11 @@ extern int __get_user_bad(void); #define __uaccess_begin() stac() #define __uaccess_end() clac() +#define __uaccess_begin_nospec() \ +({ \ + stac(); \ + ifence(); \ +}) /* * This is a type: either unsigned long, if the argument fits into @@ -487,6 +492,10 @@ struct __large_struct { unsigned long buf[100]; }; __uaccess_begin(); \ barrier(); +#define uaccess_try_nospec do { \ + current->thread.uaccess_err = 0; \ + __uaccess_begin_nospec(); \ + #define uaccess_catch(err) \ __uaccess_end(); \ (err) |= (current->thread.uaccess_err ? -EFAULT : 0); \
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.