This is a note to let you know that I've just added the patch titled x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: x86-introduce-__uaccess_begin_nospec-and-uaccess_try_nospec.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Thu Feb 8 03:32:24 CET 2018 From: Dan Williams <dan.j.williams@xxxxxxxxx> Date: Mon, 29 Jan 2018 17:02:39 -0800 Subject: x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec From: Dan Williams <dan.j.williams@xxxxxxxxx> (cherry picked from commit b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd) For __get_user() paths, do not allow the kernel to speculate on the value of a user controlled pointer. In addition to the 'stac' instruction for Supervisor Mode Access Protection (SMAP), a barrier_nospec() causes the access_ok() result to resolve in the pipeline before the CPU might take any speculative action on the pointer value. Given the cost of 'stac' the speculation barrier is placed after 'stac' to hopefully overlap the cost of disabling SMAP with the cost of flushing the instruction pipeline. Since __get_user is a major kernel interface that deals with user controlled pointers, the __uaccess_begin_nospec() mechanism will prevent speculative execution past an access_ok() permission check. While speculative execution past access_ok() is not enough to lead to a kernel memory leak, it is a necessary precondition. To be clear, __uaccess_begin_nospec() is addressing a class of potential problems near __get_user() usages. Note, that while the barrier_nospec() in __uaccess_begin_nospec() is used to protect __get_user(), pointer masking similar to array_index_nospec() will be used for get_user() since it incorporates a bounds check near the usage. uaccess_try_nospec provides the same mechanism for get_user_try. No functional changes. Suggested-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Suggested-by: Andi Kleen <ak@xxxxxxxxxxxxxxx> Suggested-by: Ingo Molnar <mingo@xxxxxxxxxx> Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx> Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> Cc: linux-arch@xxxxxxxxxxxxxxx Cc: Tom Lendacky <thomas.lendacky@xxxxxxx> Cc: Kees Cook <keescook@xxxxxxxxxxxx> Cc: kernel-hardening@xxxxxxxxxxxxxxxxxx Cc: gregkh@xxxxxxxxxxxxxxxxxxx Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Cc: alan@xxxxxxxxxxxxxxx Link: https://lkml.kernel.org/r/151727415922.33451.5796614273104346583.stgit@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: David Woodhouse <dwmw@xxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- arch/x86/include/asm/uaccess.h | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -123,6 +123,11 @@ extern int __get_user_bad(void); #define __uaccess_begin() stac() #define __uaccess_end() clac() +#define __uaccess_begin_nospec() \ +({ \ + stac(); \ + barrier_nospec(); \ +}) /* * This is a type: either unsigned long, if the argument fits into @@ -474,6 +479,10 @@ struct __large_struct { unsigned long bu __uaccess_begin(); \ barrier(); +#define uaccess_try_nospec do { \ + current->thread.uaccess_err = 0; \ + __uaccess_begin_nospec(); \ + #define uaccess_catch(err) \ __uaccess_end(); \ (err) |= (current->thread.uaccess_err ? -EFAULT : 0); \ Patches currently in stable-queue which might be from dan.j.williams@xxxxxxxxx are queue-4.9/kvm-vmx-allow-direct-access-to-msr_ia32_spec_ctrl.patch queue-4.9/kvm-x86-add-ibpb-support.patch queue-4.9/kvm-svm-allow-direct-access-to-msr_ia32_spec_ctrl.patch queue-4.9/x86-paravirt-remove-noreplace-paravirt-cmdline-option.patch queue-4.9/documentation-document-array_index_nospec.patch queue-4.9/x86-usercopy-replace-open-coded-stac-clac-with-__uaccess_-begin-end.patch queue-4.9/kvm-x86-make-indirect-calls-in-emulator-speculation-safe.patch queue-4.9/vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch queue-4.9/x86-uaccess-use-__uaccess_begin_nospec-and-uaccess_try_nospec.patch queue-4.9/x86-implement-array_index_mask_nospec.patch queue-4.9/array_index_nospec-sanitize-speculative-array-de-references.patch queue-4.9/kvm-vmx-make-indirect-call-speculation-safe.patch queue-4.9/x86-kvm-update-spectre-v1-mitigation.patch queue-4.9/x86-get_user-use-pointer-masking-to-limit-speculation.patch queue-4.9/x86-syscall-sanitize-syscall-table-de-references-under-speculation.patch queue-4.9/x86-spectre-report-get_user-mitigation-for-spectre_v1.patch queue-4.9/x86-introduce-barrier_nospec.patch queue-4.9/kvm-vmx-emulate-msr_ia32_arch_capabilities.patch queue-4.9/x86-introduce-__uaccess_begin_nospec-and-uaccess_try_nospec.patch queue-4.9/nl80211-sanitize-array-index-in-parse_txq_params.patch