On Thu, Aug 29, 2019 at 05:03:52PM +0530, Viresh Kumar wrote:
> From: Will Deacon <will.deacon@xxxxxxx>
>
> commit c2f0ad4fc089cff81cef6a13d04b399980ecbfcc upstream.
>
> A mispredicted conditional call to set_fs could result in the wrong
> addr_limit being forwarded under speculation to a subsequent access_ok
> check, potentially forming part of a spectre-v1 attack using uaccess
> routines.
>
> This patch prevents this forwarding from taking place, but putting heavy
> barriers in set_fs after writing the addr_limit.
>
> Reviewed-by: Mark Rutland <mark.rutland@xxxxxxx>
> Signed-off-by: Will Deacon <will.deacon@xxxxxxx>
> Signed-off-by: Catalin Marinas <catalin.marinas@xxxxxxx>
> Signed-off-by: Viresh Kumar <viresh.kumar@xxxxxxxxxx>
Reviewed-by: Mark Rutland <mark.rutland@xxxxxxx> [v4.4 backport]
Mark.
> ---
> arch/arm64/include/asm/uaccess.h | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
> index 75363d723262..fc11c50af558 100644
> --- a/arch/arm64/include/asm/uaccess.h
> +++ b/arch/arm64/include/asm/uaccess.h
> @@ -62,6 +62,13 @@ extern int fixup_exception(struct pt_regs *regs);
> static inline void set_fs(mm_segment_t fs)
> {
> current_thread_info()->addr_limit = fs;
> +
> + /*
> + * Prevent a mispredicted conditional call to set_fs from forwarding
> + * the wrong address limit to access_ok under speculation.
> + */
> + dsb(nsh);
> + isb();
> }
>
> #define segment_eq(a, b) ((a) == (b))
> --
> 2.21.0.rc0.269.g1a574e7a288b
>
