e293be
From 0a2d7d9b1e63dd28baf6c8e1416b64a33f89c900 Mon Sep 17 00:00:00 2001
e293be
From: Linus Torvalds <torvalds@linux-foundation.org>
e293be
Date: Tue, 23 Feb 2016 14:58:52 -0800
e293be
Subject: x86: fix SMAP in 32-bit environments
e293be
e293be
commit de9e478b9d49f3a0214310d921450cf5bb4a21e6 upstream.
e293be
e293be
In commit 11f1a4b9755f ("x86: reorganize SMAP handling in user space
e293be
accesses") I changed how the stac/clac instructions were generated
e293be
around the user space accesses, which then made it possible to do
e293be
batched accesses efficiently for user string copies etc.
e293be
e293be
However, in doing so, I completely spaced out, and didn't even think
e293be
about the 32-bit case.  And nobody really even seemed to notice, because
e293be
SMAP doesn't even exist until modern Skylake processors, and you'd have
e293be
to be crazy to run 32-bit kernels on a modern CPU.
e293be
e293be
Which brings us to Andy Lutomirski.
e293be
e293be
He actually tested the 32-bit kernel on new hardware, and noticed that
e293be
it doesn't work.  My bad.  The trivial fix is to add the required
e293be
uaccess begin/end markers around the raw accesses in <asm/uaccess_32.h>.
e293be
e293be
I feel a bit bad about this patch, just because that header file really
e293be
should be cleaned up to avoid all the duplicated code in it, and this
e293be
commit just expands on the problem.  But this just fixes the bug without
e293be
any bigger cleanup surgery.
e293be
e293be
Reported-and-tested-by: Andy Lutomirski <luto@kernel.org>
e293be
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
e293be
[bwh: Backported to 3.16: There's no 'case 8' in __copy_to_user_inatomic()]
e293be
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
e293be
---
e293be
 arch/x86/include/asm/uaccess_32.h | 24 ++++++++++++++++++++++++
e293be
 1 file changed, 24 insertions(+)
e293be
e293be
diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
e293be
index 3c03a5de64d3..b25d109fb95a 100644
e293be
--- a/arch/x86/include/asm/uaccess_32.h
e293be
+++ b/arch/x86/include/asm/uaccess_32.h
e293be
@@ -48,16 +48,22 @@ __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
e293be
 
e293be
 		switch (n) {
e293be
 		case 1:
e293be
+			__uaccess_begin();
e293be
 			__put_user_size(*(u8 *)from, (u8 __user *)to,
e293be
 					1, ret, 1);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		case 2:
e293be
+			__uaccess_begin();
e293be
 			__put_user_size(*(u16 *)from, (u16 __user *)to,
e293be
 					2, ret, 2);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		case 4:
e293be
+			__uaccess_begin();
e293be
 			__put_user_size(*(u32 *)from, (u32 __user *)to,
e293be
 					4, ret, 4);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		}
e293be
 	}
e293be
@@ -98,13 +104,19 @@ __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
e293be
 
e293be
 		switch (n) {
e293be
 		case 1:
e293be
+			__uaccess_begin();
e293be
 			__get_user_size(*(u8 *)to, from, 1, ret, 1);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		case 2:
e293be
+			__uaccess_begin();
e293be
 			__get_user_size(*(u16 *)to, from, 2, ret, 2);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		case 4:
e293be
+			__uaccess_begin();
e293be
 			__get_user_size(*(u32 *)to, from, 4, ret, 4);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		}
e293be
 	}
e293be
@@ -142,13 +154,19 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
e293be
 
e293be
 		switch (n) {
e293be
 		case 1:
e293be
+			__uaccess_begin();
e293be
 			__get_user_size(*(u8 *)to, from, 1, ret, 1);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		case 2:
e293be
+			__uaccess_begin();
e293be
 			__get_user_size(*(u16 *)to, from, 2, ret, 2);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		case 4:
e293be
+			__uaccess_begin();
e293be
 			__get_user_size(*(u32 *)to, from, 4, ret, 4);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		}
e293be
 	}
e293be
@@ -164,13 +182,19 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to,
e293be
 
e293be
 		switch (n) {
e293be
 		case 1:
e293be
+			__uaccess_begin();
e293be
 			__get_user_size(*(u8 *)to, from, 1, ret, 1);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		case 2:
e293be
+			__uaccess_begin();
e293be
 			__get_user_size(*(u16 *)to, from, 2, ret, 2);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		case 4:
e293be
+			__uaccess_begin();
e293be
 			__get_user_size(*(u32 *)to, from, 4, ret, 4);
e293be
+			__uaccess_end();
e293be
 			return ret;
e293be
 		}
e293be
 	}
e293be
-- 
e293be
cgit 1.2-0.3.lf.el7
e293be
e293be
From 98ce99aa23b43c3dc736cd0354537fca029d69cb Mon Sep 17 00:00:00 2001
e293be
From: Dan Williams <dan.j.williams@intel.com>
e293be
Date: Mon, 29 Jan 2018 17:02:49 -0800
e293be
Subject: x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
e293be
e293be
commit 304ec1b050310548db33063e567123fae8fd0301 upstream.
e293be
e293be
Quoting Linus:
e293be
e293be
    I do think that it would be a good idea to very expressly document
e293be
    the fact that it's not that the user access itself is unsafe. I do
e293be
    agree that things like "get_user()" want to be protected, but not
e293be
    because of any direct bugs or problems with get_user() and friends,
e293be
    but simply because get_user() is an excellent source of a pointer
e293be
    that is obviously controlled from a potentially attacking user
e293be
    space. So it's a prime candidate for then finding _subsequent_
e293be
    accesses that can then be used to perturb the cache.
e293be
e293be
__uaccess_begin_nospec() covers __get_user() and copy_from_iter() where the
e293be
limit check is far away from the user pointer de-reference. In those cases
e293be
a barrier_nospec() prevents speculation with a potential pointer to
e293be
privileged memory. uaccess_try_nospec covers get_user_try.
e293be
e293be
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
e293be
Suggested-by: Andi Kleen <ak@linux.intel.com>
e293be
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
e293be
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
e293be
Cc: linux-arch@vger.kernel.org
e293be
Cc: Kees Cook <keescook@chromium.org>
e293be
Cc: kernel-hardening@lists.openwall.com
e293be
Cc: gregkh@linuxfoundation.org
e293be
Cc: Al Viro <viro@zeniv.linux.org.uk>
e293be
Cc: alan@linux.intel.com
e293be
Link: https://lkml.kernel.org/r/151727416953.33451.10508284228526170604.stgit@dwillia2-desk3.amr.corp.intel.com
e293be
[bwh: Backported to 3.16:
e293be
 - Convert several more functions to use __uaccess_begin_nospec(), that
e293be
   are just wrappers in mainline
e293be
 - There's no 'case 8' in __copy_to_user_inatomic()
e293be
 - Adjust context]
e293be
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
e293be
---
e293be
 arch/x86/include/asm/uaccess.h    |  6 +++---
e293be
 arch/x86/include/asm/uaccess_32.h | 24 ++++++++++++------------
e293be
 arch/x86/include/asm/uaccess_64.h | 20 ++++++++++----------
e293be
 arch/x86/lib/usercopy_32.c        | 10 +++++-----
e293be
 4 files changed, 30 insertions(+), 30 deletions(-)
e293be
e293be
diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
e293be
index b25d109fb95a..c803818cedfb 100644
e293be
--- a/arch/x86/include/asm/uaccess_32.h
e293be
+++ b/arch/x86/include/asm/uaccess_32.h
e293be
@@ -48,19 +48,19 @@ __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
e293be
 
e293be
 		switch (n) {
e293be
 		case 1:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__put_user_size(*(u8 *)from, (u8 __user *)to,
e293be
 					1, ret, 1);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
 		case 2:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__put_user_size(*(u16 *)from, (u16 __user *)to,
e293be
 					2, ret, 2);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
 		case 4:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__put_user_size(*(u32 *)from, (u32 __user *)to,
e293be
 					4, ret, 4);
e293be
 			__uaccess_end();
e293be
@@ -104,17 +104,17 @@ __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
e293be
 
e293be
 		switch (n) {
e293be
 		case 1:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__get_user_size(*(u8 *)to, from, 1, ret, 1);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
 		case 2:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__get_user_size(*(u16 *)to, from, 2, ret, 2);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
 		case 4:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__get_user_size(*(u32 *)to, from, 4, ret, 4);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
@@ -154,17 +154,17 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
e293be
 
e293be
 		switch (n) {
e293be
 		case 1:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__get_user_size(*(u8 *)to, from, 1, ret, 1);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
 		case 2:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__get_user_size(*(u16 *)to, from, 2, ret, 2);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
 		case 4:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__get_user_size(*(u32 *)to, from, 4, ret, 4);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
@@ -182,17 +182,17 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to,
e293be
 
e293be
 		switch (n) {
e293be
 		case 1:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__get_user_size(*(u8 *)to, from, 1, ret, 1);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
 		case 2:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__get_user_size(*(u16 *)to, from, 2, ret, 2);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
 		case 4:
e293be
-			__uaccess_begin();
e293be
+			__uaccess_begin_nospec();
e293be
 			__get_user_size(*(u32 *)to, from, 4, ret, 4);
e293be
 			__uaccess_end();
e293be
 			return ret;
e293be
diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
e293be
index 7f6e7dd46215..de848bc95a9f 100644
e293be
--- a/arch/x86/lib/usercopy_32.c
e293be
+++ b/arch/x86/lib/usercopy_32.c
e293be
@@ -570,7 +570,7 @@ do {									\
e293be
 unsigned long __copy_to_user_ll(void __user *to, const void *from,
e293be
 				unsigned long n)
e293be
 {
e293be
-	__uaccess_begin();
e293be
+	__uaccess_begin_nospec();
e293be
 	if (movsl_is_ok(to, from, n))
e293be
 		__copy_user(to, from, n);
e293be
 	else
e293be
-- 
e293be
cgit 1.2-0.3.lf.el7
e293be