Re: [PATCH ARM64 v4.4 V3 06/44] arm64: entry: Ensure branch through syscall table is bounded under speculation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, Aug 29, 2019 at 05:03:51PM +0530, Viresh Kumar wrote:
> From: Will Deacon <will.deacon@xxxxxxx>
> 
> commit 6314d90e64936c584f300a52ef173603fb2461b5 upstream.
> 
> In a similar manner to array_index_mask_nospec, this patch introduces an
> assembly macro (mask_nospec64) which can be used to bound a value under
> speculation. This macro is then used to ensure that the indirect branch
> through the syscall table is bounded under speculation, with out-of-range
> addresses speculating as calls to sys_io_setup (0).
> 
> Reviewed-by: Mark Rutland <mark.rutland@xxxxxxx>
> Signed-off-by: Will Deacon <will.deacon@xxxxxxx>
> Signed-off-by: Catalin Marinas <catalin.marinas@xxxxxxx>
> [ v4.4: use existing scno & sc_nr definitions ]
> Signed-off-by: Viresh Kumar <viresh.kumar@xxxxxxxxxx>

Reviewed-by: Mark Rutland <mark.rutland@xxxxxxx> [v4.4 backport]

Mark.

> ---
>  arch/arm64/include/asm/assembler.h | 11 +++++++++++
>  arch/arm64/kernel/entry.S          |  1 +
>  2 files changed, 12 insertions(+)
> 
> diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h
> index 683c2875278f..2b30363a3a89 100644
> --- a/arch/arm64/include/asm/assembler.h
> +++ b/arch/arm64/include/asm/assembler.h
> @@ -102,6 +102,17 @@
>  	hint	#20
>  	.endm
>  
> +/*
> + * Sanitise a 64-bit bounded index wrt speculation, returning zero if out
> + * of bounds.
> + */
> +	.macro	mask_nospec64, idx, limit, tmp
> +	sub	\tmp, \idx, \limit
> +	bic	\tmp, \tmp, \idx
> +	and	\idx, \idx, \tmp, asr #63
> +	csdb
> +	.endm
> +
>  #define USER(l, x...)				\
>  9999:	x;					\
>  	.section __ex_table,"a";		\
> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> index 4c5013b09dcb..e6aec982dea9 100644
> --- a/arch/arm64/kernel/entry.S
> +++ b/arch/arm64/kernel/entry.S
> @@ -697,6 +697,7 @@ el0_svc_naked:					// compat entry point
>  	b.ne	__sys_trace
>  	cmp     scno, sc_nr                     // check upper syscall limit
>  	b.hs	ni_sys
> +	mask_nospec64 scno, sc_nr, x19	// enforce bounds for syscall number
>  	ldr	x16, [stbl, scno, lsl #3]	// address in the syscall table
>  	blr	x16				// call sys_* routine
>  	b	ret_fast_syscall
> -- 
> 2.21.0.rc0.269.g1a574e7a288b
>
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux