Re: [PATCH ARM64 v4.4 V3 06/44] arm64: entry: Ensure branch through syscall table is bounded under speculation
From: Mark Rutland <mark.rutland@arm.com>
Date: 2019-08-30 09:40:42
Also in:
stable
On Thu, Aug 29, 2019 at 05:03:51PM +0530, Viresh Kumar wrote:
From: Will Deacon <redacted> commit 6314d90e64936c584f300a52ef173603fb2461b5 upstream. In a similar manner to array_index_mask_nospec, this patch introduces an assembly macro (mask_nospec64) which can be used to bound a value under speculation. This macro is then used to ensure that the indirect branch through the syscall table is bounded under speculation, with out-of-range addresses speculating as calls to sys_io_setup (0). Reviewed-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Will Deacon <redacted> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> [ v4.4: use existing scno & sc_nr definitions ] Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com> [v4.4 backport] Mark.
quoted hunk ↗ jump to hunk
--- arch/arm64/include/asm/assembler.h | 11 +++++++++++ arch/arm64/kernel/entry.S | 1 + 2 files changed, 12 insertions(+)diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h index 683c2875278f..2b30363a3a89 100644 --- a/arch/arm64/include/asm/assembler.h +++ b/arch/arm64/include/asm/assembler.h@@ -102,6 +102,17 @@ hint #20 .endm +/* + * Sanitise a 64-bit bounded index wrt speculation, returning zero if out + * of bounds. + */ + .macro mask_nospec64, idx, limit, tmp + sub \tmp, \idx, \limit + bic \tmp, \tmp, \idx + and \idx, \idx, \tmp, asr #63 + csdb + .endm + #define USER(l, x...) \ 9999: x; \ .section __ex_table,"a"; \diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 4c5013b09dcb..e6aec982dea9 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S@@ -697,6 +697,7 @@ el0_svc_naked: // compat entry point b.ne __sys_trace cmp scno, sc_nr // check upper syscall limit b.hs ni_sys + mask_nospec64 scno, sc_nr, x19 // enforce bounds for syscall number ldr x16, [stbl, scno, lsl #3] // address in the syscall table blr x16 // call sys_* routine b ret_fast_syscall-- 2.21.0.rc0.269.g1a574e7a288b
_______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel