From patchwork Thu Apr 20 20:10:04 2023
X-Patchwork-Submitter: Pavel Machek
X-Patchwork-Id: 13219143
Date: Thu, 20 Apr 2023 22:10:04 +0200
From: Pavel Machek
To: cip-dev@lists.cip-project.org
Subject: CVE-2023-0459: Spectre-v1 Usercopy Hardening was Re: [cip-dev] New CVE entries this week
X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/11264

Hi!

> CVE-2023-0459: Spectre-v1 Usercopy Hardening
>
> CVSS v3 score is not provided.
>
> Missing speculation barriers cause leaking of kernel memory.
> The 4.4 kernel _copy_from_user() implementation is different from
> 4.19 and later. So this patch cannot be applied.
> It seems as if the 4.4 kernel needs a barrier to prevent the
> speculation bug in other ways.

I have this, and it passes basic testing, but I have no good way to really test it or assess the performance impact.

Attempt to fix CVE-2023-0459. Inspiration from e0fbff18bbcee4f07d46bee172803fad63f6f4dd, but we simply add the check to access_ok, as it is used in about a gazillion places.

Best regards,
Pavel

diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 829fa6d3e5611..ce45b6dcb6293 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -101,6 +101,7 @@ static inline void set_fs(mm_segment_t fs) : "1" (__addr), "Ir" (size), \ "r" (current_thread_info()->addr_limit) \ : "cc"); \ + barrier_nospec(); \ flag; \ }) diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index ac6932bf1a016..ea1e4ef4a4d8e 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h 
@@ -95,8 +95,11 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un */ #define access_ok(type, addr, size) \ ({ \ + bool ret; \ WARN_ON_IN_IRQ(); \ - likely(!__range_not_ok(addr, size, user_addr_max())); \ + ret = likely(!__range_not_ok(addr, size, user_addr_max())); \ + barrier_nospec(); \ + ret; \ }) /* diff --git a/include/linux/nospec.h b/include/linux/nospec.h index 0c5ef54fd4162..207ef2a20e485 100644 --- a/include/linux/nospec.h +++ b/include/linux/nospec.h @@ -9,6 +9,10 @@ struct task_struct; +#ifndef barrier_nospec +# define barrier_nospec() do { } while (0) +#endif + /** * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise * @index: array element index
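Review bot: in the arm64 hunk, the barrier_nospec() added after the asm that computes `flag` only does something if arch/arm64 actually defines barrier_nospec; nothing in this series gives arm64 such a definition, so unless one already exists the call resolves to the `do { } while (0)` fallback introduced in include/linux/nospec.h and this hunk compiles to nothing while looking like a mitigation. Either give arm64 a real definition (mainline's arm64 Spectre-v1 handling is built on a csdb-based sequence) or say in the commit message that the arm64 part is a placeholder. The hunk also adds no `#include <linux/nospec.h>` to arch/arm64/include/asm/uaccess.h, so even the fallback is only visible here by include-order luck.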
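Review bot: in the x86 hunk, `barrier_nospec();` executes inside access_ok before `ret;` is yielded, i.e. before the caller's `if (access_ok(...))` branch, whereas the copy_from_user() fix this patch cites (and the quoted text says targets _copy_from_user()) places the barrier after the access_ok() check on the success path; Spectre-v1 is about speculation past a mispredicted branch, and a fence before the branch does not stop the caller's branch from being predicted, so please confirm this placement closes the window at all rather than just adding an lfence to every access_ok call, failing ones included. Separately, `ret = likely(!__range_not_ok(...));` moves the `likely()` onto the assignment, so the branch hint no longer reaches the caller's conditional; if this form is kept, end the macro with `likely(ret);` instead of `ret;`.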
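Review bot: in the include/linux/nospec.h hunk, the `#ifndef barrier_nospec` test is evaluated when nospec.h is parsed, but the header does not include asm/barrier.h first, so on an architecture that does define barrier_nospec the outcome depends on include order: if nospec.h is seen before asm/barrier.h, the no-op is defined first, any expansion in between silently uses it, and the later real definition triggers a macro redefinition. Add `#include <asm/barrier.h>` above the `#ifndef`, and reconsider whether a silent `do { } while (0)` fallback is wanted at all, since it turns "this arch has no speculation barrier" into a build that looks mitigated; a `#warning` or a per-arch opt-in would make the gap visible.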