LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Thomas Gleixner <tglx@linutronix.de>
To: Dianzhang Chen <dianzhangchen0@gmail.com>
Cc: mingo@redhat.com, bp@alien8.de, hpa@zytor.com, x86@kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86: fix possible spectre-v1 in do_get_thread_area()
Date: Sun, 23 Jun 2019 13:47:59 +0200 (CEST)	[thread overview]
Message-ID: <alpine.DEB.2.21.1906231343260.32342@nanos.tec.linutronix.de> (raw)
In-Reply-To: <1558698312-5716-1-git-send-email-dianzhangchen0@gmail.com>

On Fri, 24 May 2019, Dianzhang Chen wrote:

> The idx in do_get_thread_area() is controlled by userspace via syscall: ptrace(defined in kernel/ptrace.c), hence leading to a potential exploitation of the Spectre variant 1 vulnerability.
> The idx can be controlled from: ptrace -> arch_ptrace -> do_get_thread_area.
> 
> Fix this by sanitizing idx before using it to index p->thread.tls_array.
> 
> Signed-off-by: Dianzhang Chen <dianzhangchen0@gmail.com>
> ---
>  arch/x86/kernel/tls.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
> index a5b802a..e3dc05b 100644
> --- a/arch/x86/kernel/tls.c
> +++ b/arch/x86/kernel/tls.c
> @@ -5,6 +5,7 @@
>  #include <linux/user.h>
>  #include <linux/regset.h>
>  #include <linux/syscalls.h>
> +#include <linux/nospec.h>
>  
>  #include <linux/uaccess.h>
>  #include <asm/desc.h>
> @@ -220,15 +221,19 @@ int do_get_thread_area(struct task_struct *p, int idx,
>  		       struct user_desc __user *u_info)
>  {
>  	struct user_desc info;
> +	int index = idx - GDT_ENTRY_TLS_MIN;
>  
>  	if (idx == -1 && get_user(idx, &u_info->entry_number))
>  		return -EFAULT;

This is broken in case of idx == -1 because index is not reevaluated after
idx is copied from u_info. You have to calculate index _AFTER_ that.
  
> -	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
> +	if (index < 0 || index > GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN)
>  		return -EINVAL;
>  
> +	index = array_index_nospec(index,
> +				GDT_ENTRY_TLS_MAX - GDT_ENTRY_TLS_MIN + 1);

What about defining the array size and using it here and in the sanity
check above?

> +
>  	fill_user_desc(&info, idx,
> -		       &p->thread.tls_array[idx - GDT_ENTRY_TLS_MIN]);
> +		       &p->thread.tls_array[index]);

Please get rid of the line break. The line now fits into 80 char.

Thanks,

	tglx

      reply	other threads:[~2019-06-23 11:48 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-24 11:45 Dianzhang Chen
2019-06-23 11:47 ` Thomas Gleixner [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.2.21.1906231343260.32342@nanos.tec.linutronix.de \
    --to=tglx@linutronix.de \
    --cc=bp@alien8.de \
    --cc=dianzhangchen0@gmail.com \
    --cc=hpa@zytor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@redhat.com \
    --cc=x86@kernel.org \
    --subject='Re: [PATCH] x86: fix possible spectre-v1 in do_get_thread_area()' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).