Re: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation

From: Mark Rutland
Date: Wed May 05 2021 - 10:25:49 EST

Next message: Robert Foss: "Re: [PATCH] drm/bridge: fix LONTIUM_LT8912B dependencies"
Previous message: Florent Revest: "Re: [PATCH bpf-next v5 6/6] selftests/bpf: Add a series of tests for bpf_snprintf"
In reply to: David Laight: "RE: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation"
Next in thread: Josh Poimboeuf: "Re: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Josh, David,

On Tue, May 04, 2021 at 10:54:31PM -0500, Josh Poimboeuf wrote:
> The x86 uaccess code uses barrier_nospec() in various places to prevent
> speculative dereferencing of user-controlled pointers (which might be
> combined with further gadgets or CPU bugs to leak data).
>
> There are some issues with the current implementation:
>
> - The barrier_nospec() in copy_from_user() was inadvertently removed
> with: 4b842e4e25b1 ("x86: get rid of small constant size cases in
> raw_copy_{to,from}_user()")
>
> - copy_to_user() and friends should also have a speculation barrier,
> because a speculative write to a user-controlled address can still
> populate the cache line with the original data.
>
> - The LFENCE in barrier_nospec() is overkill, when more lightweight user
> pointer masking can be used instead.
>
> Remove existing barrier_nospec() usage, and instead do user pointer
> masking, throughout the x86 uaccess code. This is similar to what arm64
> is already doing with uaccess_mask_ptr().

> +/*
> + * Sanitize a user pointer such that it becomes NULL if it's not a valid user
> + * pointer. This prevents speculatively dereferencing a user-controlled
> + * pointer to kernel space if access_ok() speculatively returns true. This
> + * should be done *after* access_ok(), to avoid affecting error handling
> + * behavior.
> + */
> +#define mask_user_ptr(ptr) \
> +({ \
> + unsigned long _ptr = (__force unsigned long)ptr; \
> + unsigned long mask; \
> + \
> + asm volatile("cmp %[max], %[_ptr]\n\t" \
> + "sbb %[mask], %[mask]\n\t" \
> + : [mask] "=r" (mask) \
> + : [_ptr] "r" (_ptr), \
> + [max] "r" (TASK_SIZE_MAX) \
> + : "cc"); \
> + \
> + mask &= _ptr; \
> + ((typeof(ptr)) mask); \
> +})

On arm64 we needed to have a sequence here because the addr_limit used
to be variable, but now that we've removed set_fs() and split the
user/kernel access routines we could simplify that to an AND with an
immediate mask to force all pointers into the user half of the address
space. IIUC x86_64 could do the same, and I think that was roughly what
David was suggesting.

That does mean that you could still speculatively access user memory
erroneously other than to NULL, but that's also true for speculated
pointers below TASK_SIZE_MAX when using the more complex sequence.

Thanks,
Mark.

Next message: Robert Foss: "Re: [PATCH] drm/bridge: fix LONTIUM_LT8912B dependencies"
Previous message: Florent Revest: "Re: [PATCH bpf-next v5 6/6] selftests/bpf: Add a series of tests for bpf_snprintf"
In reply to: David Laight: "RE: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation"
Next in thread: Josh Poimboeuf: "Re: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]