git.openwrt.org Git - openwrt/staging/blogic.git/commit

author	Dan Williams <[email protected]>
	Tue, 30 Jan 2018 01:02:54 +0000 (17:02 -0800)
committer	Thomas Gleixner <[email protected]>
	Tue, 30 Jan 2018 20:54:31 +0000 (21:54 +0100)
commit	c7f631cb07e7da06ac1d231ca178452339e32a94
tree	216f74de319c368e9a32162c346c071eff3c38bb	tree \| snapshot
parent	304ec1b050310548db33063e567123fae8fd0301	commit \| diff

x86/get_user: Use pointer masking to limit speculation

Quoting Linus:

    I do think that it would be a good idea to very expressly document
    the fact that it's not that the user access itself is unsafe. I do
    agree that things like "get_user()" want to be protected, but not
    because of any direct bugs or problems with get_user() and friends,
    but simply because get_user() is an excellent source of a pointer
    that is obviously controlled from a potentially attacking user
    space. So it's a prime candidate for then finding _subsequent_
    accesses that can then be used to perturb the cache.

Unlike the __get_user() case get_user() includes the address limit check
near the pointer de-reference. With that locality the speculation can be
mitigated with pointer narrowing rather than a barrier, i.e.
array_index_nospec(). Where the narrowing is performed by:

cmp %limit, %ptr
sbb %mask, %mask
and %mask, %ptr

With respect to speculation the value of %ptr is either less than %limit
or NULL.

Co-developed-by: Linus Torvalds <[email protected]>
Signed-off-by: Dan Williams <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Cc: [email protected]
Cc: Kees Cook <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: Al Viro <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: [email protected]
Cc: [email protected]
Link: https://lkml.kernel.org/r/151727417469.33451.11804043010080838495.stgit@dwillia2-desk3.amr.corp.intel.com