Re: [PATCH v5 00/12] spectre variant1 mitigations for tip/x86/pti

From: Dan Williams
Date: Sat Jan 27 2018 - 14:26:48 EST


[ adding lkml ]

I had inadvertently dropped lkml when sending this to Thomas. Archive here:

https://marc.info/?l=linux-wireless&m=151704026325010&w=2
https://marc.info/?l=linux-arch&m=151704027225013&w=2
https://marc.info/?l=linux-arch&m=151704027225014&w=2
https://marc.info/?l=linux-arch&m=151704027625015&w=2
https://marc.info/?l=linux-arch&m=151704028225016&w=2
https://marc.info/?l=linux-arch&m=151704028725019&w=2
https://marc.info/?l=linux-arch&m=151704086725186&w=2
https://marc.info/?l=linux-arch&m=151704030025025&w=2
https://marc.info/?l=linux-arch&m=151704030525028&w=2
https://marc.info/?l=linux-arch&m=151704031125029&w=2
https://marc.info/?l=linux-arch&m=151704032225034&w=2
https://marc.info/?l=linux-arch&m=151704032625035&w=2
https://marc.info/?l=linux-arch&m=151704032725037&w=2


On Fri, Jan 26, 2018 at 11:55 PM, Dan Williams <dan.j.williams@xxxxxxxxx> wrote:
> Hi Thomas,
>
> Here's another spin of the spectre-v1 mitigations for 4.16.
>
> Changes since v4.1: [1]
> * Tweak the sanitization scheme yet again to make it even simpler. Now,
> instead of 'array_ptr' to get a sanitized pointer to an array element,
> just provide an array index sanitization helper 'array_idx' to be called
> after successfully validating the index is in bounds. I.e. in the
> exact same location one would otherwise put an lfence, place this
> sanitizer:
>
>     if (idx < sz) {
>         idx = array_idx(idx, sz);
>         val = array[idx];
>     }
>
> This lets the implementation include more sanity checking that the
> compiler can usually compile out. It otherwise appears to produce
> better assembly. This also cleans up the concern about comparing the
> value returned from array_ptr to create another speculation point.
> (Russell, Linus, Cyril)
>
> * Drop the syscall_64_fastpath. This is the straightforward patch from
> Linus that might also be in flight from Andy, but I went ahead and
> included it since I did not see it on LKML yet.
>
> * Kill the MASK_NOSPEC macro and just open code it. (Andy)
>
> * Add system-call-number sanitization to the slow path syscall table
> lookups.
>
> * Redo the array_ptr conversions with array_idx.
>
> * Update /sys/devices/system/cpu/vulnerabilities/spectre_v1 to indicate
> the new protections. It now reports "Vulnerable: Minimal user pointer
> sanitization". (Jiri)
>
> ---
>
> Dan Williams (11):
> array_idx: sanitize speculative array de-references
> x86: implement array_idx_mask
> x86: introduce __uaccess_begin_nospec and ifence
> x86, __get_user: use __uaccess_begin_nospec
> x86, get_user: use pointer masking to limit speculation
> x86: remove the syscall_64 fast-path
> x86: sanitize syscall table de-references under speculation
> vfs, fdtable: prevent bounds-check bypass via speculative execution
> kvm, x86: update spectre-v1 mitigation
> nl80211: sanitize array index in parse_txq_params
> x86/spectre: report get_user mitigation for spectre_v1
>
> Mark Rutland (1):
> Documentation: document array_idx
>
>
>  Documentation/speculation.txt     |   87 ++++++++++++++++++++++++++++
>  arch/x86/entry/common.c           |    3 +
>  arch/x86/entry/entry_64.S         |  116 -------------------------------------
>  arch/x86/entry/syscall_64.c       |    7 +-
>  arch/x86/include/asm/barrier.h    |   26 ++++++++
>  arch/x86/include/asm/msr.h        |    3 -
>  arch/x86/include/asm/uaccess.h    |   15 ++++-
>  arch/x86/include/asm/uaccess_32.h |    6 +-
>  arch/x86/include/asm/uaccess_64.h |   12 ++--
>  arch/x86/kernel/cpu/bugs.c        |    2 -
>  arch/x86/kvm/vmx.c                |   14 +++-
>  arch/x86/lib/getuser.S            |   10 +++
>  arch/x86/lib/usercopy_32.c        |    8 +--
>  include/linux/fdtable.h           |    5 +-
>  include/linux/nospec.h            |   64 ++++++++++++++++++++
>  net/wireless/nl80211.c            |    9 ++-
>  16 files changed, 239 insertions(+), 148 deletions(-)
>  create mode 100644 Documentation/speculation.txt
>  create mode 100644 include/linux/nospec.h
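A user-space model of the array_idx() scheme the cover letter sketches, added here as an illustration; it is not code from the patch series or from the kernel. The names array_idx and array_idx_mask follow the cover letter but are local definitions, the x86 mask uses the cmp/sbb idiom with a pure-arithmetic fallback on other architectures, and the lookup table is constructed sample data standing in for something like a syscall or fd table.

```c
/*
 * Added example, not code from the patch series: a user-space model of the
 * array_idx() sanitization pattern.  array_idx/array_idx_mask are local
 * definitions named after the cover letter, not the kernel's.  The table is
 * constructed sample data.
 */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/*
 * Branch-free mask: ~0UL when index < size, 0 otherwise.  Pure arithmetic,
 * so there is no branch for the CPU to mispredict.  Requires
 * 0 < size <= LONG_MAX, true for any real array length.
 */
static inline unsigned long array_idx_mask_generic(unsigned long index,
                                                   unsigned long size)
{
    /*
     * The top bit of (index | (size - 1 - index)) is set exactly when
     * index >= size: either index is huge, or size - 1 - index wrapped.
     * Invert it and arithmetic-shift that bit across the whole word.
     */
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (BITS_PER_LONG - 1));
}

#if defined(__x86_64__) || defined(__i386__)
/* cmp sets CF iff index < size (unsigned); sbb mask,mask yields 0 - CF. */
static inline unsigned long array_idx_mask(unsigned long index,
                                           unsigned long size)
{
    unsigned long mask;
    __asm__ volatile ("cmp %1,%2; sbb %0,%0;"
                      : "=r" (mask)
                      : "g" (size), "r" (index)
                      : "cc");
    return mask;
}
#else
static inline unsigned long array_idx_mask(unsigned long index,
                                           unsigned long size)
{
    return array_idx_mask_generic(index, size);
}
#endif

/*
 * Call only after the architectural bounds check has passed.  On the real
 * path the mask is all ones and idx is unchanged; on a mispredicted path
 * (idx >= size) the mask is zero and the load hits element 0 instead of
 * attacker-chosen memory.
 */
static inline unsigned long array_idx(unsigned long idx, unsigned long size)
{
    return idx & array_idx_mask(idx, size);
}

/* Constructed sample table. */
static const unsigned char table[8] = { 10, 11, 12, 13, 14, 15, 16, 17 };
#define TABLE_SZ (sizeof(table) / sizeof(table[0]))

/* Before: the check is a branch, so table[idx] can be loaded under
 * speculation for any idx while the branch is still being resolved. */
unsigned char lookup_unsanitized(unsigned long idx)
{
    if (idx < TABLE_SZ)
        return table[idx];
    return 0;
}

/* After: same check, then clamp idx where an lfence would otherwise go. */
unsigned char lookup_sanitized(unsigned long idx)
{
    if (idx < TABLE_SZ) {
        idx = array_idx(idx, TABLE_SZ);
        return table[idx];
    }
    return 0;
}

/* Cross-check arch and generic masks on edge cases; 1 if all agree. */
int masks_agree(void)
{
    const unsigned long probes[] = { 0, 1, 7, 8, 9, 255,
                                     (unsigned long)LONG_MAX,
                                     (unsigned long)LONG_MAX + 1UL,
                                     ULONG_MAX };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        unsigned long a = array_idx_mask(probes[i], TABLE_SZ);
        unsigned long b = array_idx_mask_generic(probes[i], TABLE_SZ);
        unsigned long expect = probes[i] < TABLE_SZ ? ULONG_MAX : 0;
        if (a != b || a != expect)
            return 0;
    }
    return 1;
}

int main(void)
{
    for (unsigned long i = 0; i < 10; i++)
        printf("idx %2lu: mask %016lx -> sanitized idx %lu\n",
               i, array_idx_mask(i, TABLE_SZ), array_idx(i, TABLE_SZ));
    return masks_agree() ? 0 : 1;
}
```

The mask cannot be observed doing its job from C, since the effect is on the speculative path; what can be checked is that it is all ones for every in-bounds index and zero for every out-of-bounds one, including indices with the top bit set, and that the asm and arithmetic forms agree. The asm form exists because a compiler that can prove idx < size on the true branch would happily fold the arithmetic version away, which is exactly why the kernel side places the mask in an asm barrier.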