Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 18 Jan 2018 16:01:36 -0800
From: Dan Williams <dan.j.williams@...el.com>
To: linux-kernel@...r.kernel.org
Cc: Mark Rutland <mark.rutland@....com>, kernel-hardening@...ts.openwall.com,
 Peter Zijlstra <peterz@...radead.org>,
 Catalin Marinas <catalin.marinas@....com>, Will Deacon <will.deacon@....com>,
 "H. Peter Anvin" <hpa@...or.com>, Elena Reshetova <elena.reshetova@...el.com>,
 linux-arch@...r.kernel.org, Andi Kleen <ak@...ux.intel.com>,
 Jonathan Corbet <corbet@....net>, x86@...nel.org,
 Russell King <linux@...linux.org.uk>, Ingo Molnar <mingo@...hat.com>,
 Andrew Honig <ahonig@...gle.com>, alan@...ux.intel.com,
 Tom Lendacky <thomas.lendacky@....com>, Kees Cook <keescook@...omium.org>,
 Al Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...nel.org>,
 tglx@...utronix.de, akpm@...ux-foundation.org,
 Jim Mattson <jmattson@...gle.com>, Christian Lamparter <chunkeey@...il.com>,
 gregkh@...uxfoundation.org, linux-wireless@...r.kernel.org,
 stable@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>,
 Johannes Berg <johannes@...solutions.net>, torvalds@...ux-foundation.org,
 "David S. Miller" <davem@...emloft.net>
Subject: [PATCH v4 00/10] prevent bounds-check bypass via speculative
 execution

Changes since v3 [1]
* Drop 'ifence_array_ptr' and associated compile-time + run-time
  switching and just use the masking approach all the time.

* Convert 'get_user' to use pointer sanitization via masking rather than
  lfence. '__get_user' and associated paths still rely on
  lfence. (Linus)

      "Basically, the rule is trivial: find all 'stac' users, and use
       address masking if those users already integrate the limit
       check, and lfence they don't."

* At syscall entry sanitize the syscall number under speculation
  to remove a user controlled pointer de-reference in kernel
  space.  (Linus)

* Fix a raw lfence in the kvm code (added for v4.15-rc8) to use
  'array_ptr'.

* Propose 'array_idx' as a way to sanitize user input that is
  later used as an array index, but where the validation is
  happening in a different code block than the array reference.
  (Christian).

* Fix grammar in speculation.txt (Kees)

---

Quoting Mark's original RFC:

"Recently, Google Project Zero discovered several classes of attack
against speculative execution. One of these, known as variant-1, allows
explicit bounds checks to be bypassed under speculation, providing an
arbitrary read gadget. Further details can be found on the GPZ blog [2]
and the Documentation patch in this series."

A precondition of using this attack on the kernel is to get a user
controlled pointer de-referenced (under speculation) in privileged code.
The primary source of user controlled pointers in the kernel is the
arguments passed to 'get_user' and '__get_user'. An example of other
user controlled pointers are user-controlled array / pointer offsets.

Better tooling is needed to find more arrays / pointers with user
controlled indices / offsets that can be converted to use 'array_ptr' or
'array_idx'. A few are included in this set, and these are not expected
to be complete. That said, the 'get_user' protections raise the bar on
finding a vulnerable gadget in the kernel.

These patches are also available via the 'nospec-v4' git branch here:

    git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux nospec-v4

Note that the BPF fix for Spectre variant1 is merged for 4.15-rc8.

[2]: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

---

Dan Williams (9):
      asm/nospec, array_ptr: sanitize speculative array de-references
      x86: implement array_ptr_mask()
      x86: introduce __uaccess_begin_nospec and ifence
      x86, __get_user: use __uaccess_begin_nospec
      x86, get_user: use pointer masking to limit speculation
      x86: narrow out of bounds syscalls to sys_read under speculation
      vfs, fdtable: prevent bounds-check bypass via speculative execution
      kvm, x86: fix spectre-v1 mitigation
      nl80211: sanitize array index in parse_txq_params

Mark Rutland (1):
      Documentation: document array_ptr


 Documentation/speculation.txt     |  143 +++++++++++++++++++++++++++++++++++++
 arch/x86/entry/entry_64.S         |    2 +
 arch/x86/include/asm/barrier.h    |   28 +++++++
 arch/x86/include/asm/msr.h        |    3 -
 arch/x86/include/asm/smap.h       |   24 ++++++
 arch/x86/include/asm/uaccess.h    |   15 +++-
 arch/x86/include/asm/uaccess_32.h |    6 +-
 arch/x86/include/asm/uaccess_64.h |   12 ++-
 arch/x86/kvm/vmx.c                |   19 ++---
 arch/x86/lib/getuser.S            |    5 +
 arch/x86/lib/usercopy_32.c        |    8 +-
 include/linux/fdtable.h           |    7 +-
 include/linux/nospec.h            |   65 +++++++++++++++++
 net/wireless/nl80211.c            |   10 ++-
 14 files changed, 312 insertions(+), 35 deletions(-)
 create mode 100644 Documentation/speculation.txt
 create mode 100644 include/linux/nospec.h

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.