This is a note to let you know that I've just added the patch titled x86/get_user: Use pointer masking to limit speculation to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: x86-get_user-use-pointer-masking-to-limit-speculation.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Fri Feb 23 17:23:58 CET 2018 From: Jack Wang <jinpu.wang@xxxxxxxxxxxxxxxx> Date: Fri, 23 Feb 2018 11:42:03 +0100 Subject: x86/get_user: Use pointer masking to limit speculation To: gregkh@xxxxxxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx Cc: Dan Williams <dan.j.williams@xxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, linux-arch@xxxxxxxxxxxxxxx, Kees Cook <keescook@xxxxxxxxxxxx>, kernel-hardening@xxxxxxxxxxxxxxxxxx, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, torvalds@xxxxxxxxxxxxxxxxxxxx, alan@xxxxxxxxxxxxxxx, David Woodhouse <dwmw@xxxxxxxxxxxx>, Jack Wang <jinpu.wang@xxxxxxxxxxxxxxxx> Message-ID: <1519382538-15143-15-git-send-email-jinpu.wangl@xxxxxxxxxxxxxxxx> From: Dan Williams <dan.j.williams@xxxxxxxxx> (cherry picked from commit c7f631cb07e7da06ac1d231ca178452339e32a94) Quoting Linus: I do think that it would be a good idea to very expressly document the fact that it's not that the user access itself is unsafe. I do agree that things like "get_user()" want to be protected, but not because of any direct bugs or problems with get_user() and friends, but simply because get_user() is an excellent source of a pointer that is obviously controlled from a potentially attacking user space. So it's a prime candidate for then finding _subsequent_ accesses that can then be used to perturb the cache. Unlike the __get_user() case get_user() includes the address limit check near the pointer de-reference. With that locality the speculation can be mitigated with pointer narrowing rather than a barrier, i.e. array_index_nospec(). Where the narrowing is performed by: cmp %limit, %ptr sbb %mask, %mask and %mask, %ptr With respect to speculation the value of %ptr is either less than %limit or NULL. Co-developed-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx> Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> Cc: linux-arch@xxxxxxxxxxxxxxx Cc: Kees Cook <keescook@xxxxxxxxxxxx> Cc: kernel-hardening@xxxxxxxxxxxxxxxxxx Cc: gregkh@xxxxxxxxxxxxxxxxxxx Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Cc: Andy Lutomirski <luto@xxxxxxxxxx> Cc: torvalds@xxxxxxxxxxxxxxxxxxxx Cc: alan@xxxxxxxxxxxxxxx Link: https://lkml.kernel.org/r/151727417469.33451.11804043010080838495.stgit@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: David Woodhouse <dwmw@xxxxxxxxxxxx> [jwang: port to 4.4] Signed-off-by: Jack Wang <jinpu.wang@xxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- arch/x86/lib/getuser.S | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/arch/x86/lib/getuser.S +++ b/arch/x86/lib/getuser.S @@ -38,6 +38,8 @@ ENTRY(__get_user_1) GET_THREAD_INFO(%_ASM_DX) cmp TI_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 1: movzbl (%_ASM_AX),%edx xor %eax,%eax @@ -51,6 +53,8 @@ ENTRY(__get_user_2) GET_THREAD_INFO(%_ASM_DX) cmp TI_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 2: movzwl -1(%_ASM_AX),%edx xor %eax,%eax @@ -64,6 +68,8 @@ ENTRY(__get_user_4) GET_THREAD_INFO(%_ASM_DX) cmp TI_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 3: movl -3(%_ASM_AX),%edx xor %eax,%eax @@ -78,6 +84,8 @@ ENTRY(__get_user_8) GET_THREAD_INFO(%_ASM_DX) cmp TI_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 4: movq -7(%_ASM_AX),%rdx xor %eax,%eax @@ -89,6 +97,8 @@ ENTRY(__get_user_8) GET_THREAD_INFO(%_ASM_DX) cmp TI_addr_limit(%_ASM_DX),%_ASM_AX jae bad_get_user_8 + sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ + and %_ASM_DX, %_ASM_AX ASM_STAC 4: movl -7(%_ASM_AX),%edx 5: movl -3(%_ASM_AX),%ecx Patches currently in stable-queue which might be from jinpu.wang@xxxxxxxxxxxxxxxx are queue-4.4/x86-paravirt-remove-noreplace-paravirt-cmdline-option.patch queue-4.4/documentation-document-array_index_nospec.patch queue-4.4/kvm-x86-make-indirect-calls-in-emulator-speculation-safe.patch queue-4.4/x86-nospec-fix-header-guards-names.patch queue-4.4/x86-retpoline-avoid-retpolines-for-built-in-__init-functions.patch queue-4.4/vfs-fdtable-prevent-bounds-check-bypass-via-speculative-execution.patch queue-4.4/kvm-nvmx-invvpid-handling-improvements.patch queue-4.4/x86-cpu-bugs-make-retpoline-module-warning-conditional.patch queue-4.4/x86-spectre-check-config_retpoline-in-command-line-parser.patch queue-4.4/x86-implement-array_index_mask_nospec.patch queue-4.4/array_index_nospec-sanitize-speculative-array-de-references.patch queue-4.4/kvm-vmx-make-indirect-call-speculation-safe.patch queue-4.4/x86-spectre-fix-spelling-mistake-vunerable-vulnerable.patch queue-4.4/kvm-nvmx-fix-kernel-panics-induced-by-illegal-invept-invvpid-types.patch queue-4.4/module-retpoline-warn-about-missing-retpoline-in-module.patch queue-4.4/x86-kvm-update-spectre-v1-mitigation.patch queue-4.4/x86-get_user-use-pointer-masking-to-limit-speculation.patch queue-4.4/x86-syscall-sanitize-syscall-table-de-references-under-speculation.patch queue-4.4/kvm-nvmx-vmx_complete_nested_posted_interrupt-can-t-fail.patch queue-4.4/x86-spectre-simplify-spectre_v2-command-line-parsing.patch queue-4.4/x86-speculation-fix-typo-ibrs_att-which-should-be-ibrs_all.patch queue-4.4/x86-spectre-report-get_user-mitigation-for-spectre_v1.patch queue-4.4/x86-introduce-barrier_nospec.patch queue-4.4/kvm-async_pf-fix-df-due-to-inject-page-not-present-and-page-ready-exceptions-simultaneously.patch queue-4.4/kvm-vmx-clean-up-declaration-of-vpid-ept-invalidation-types.patch queue-4.4/x86-bugs-drop-one-mitigation-from-dmesg.patch queue-4.4/x86-retpoline-remove-the-esp-rsp-thunk.patch queue-4.4/nl80211-sanitize-array-index-in-parse_txq_params.patch queue-4.4/kvm-nvmx-kmap-can-t-fail.patch