Re: [PATCH] kernel: sys: fix potential Spectre v1

From: Andrew Morton
Date: Tue May 15 2018 - 18:09:07 EST


On Mon, 14 May 2018 22:00:38 -0500 "Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx> wrote:

> resource can be controlled by user-space, hence leading to a
> potential exploitation of the Spectre variant 1 vulnerability.
>
> This issue was detected with the help of Smatch:
>
> kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential
> spectre issue 'get_current()->signal->rlim' (local cap)
> kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue
> 'get_current()->signal->rlim' (local cap)
>
> Fix this by sanitizing *resource* before using it to index
> current->signal->rlim
>
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].

hm. Not my area, but I'm always willing to learn ;)

> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -69,6 +69,9 @@
> #include <asm/io.h>
> #include <asm/unistd.h>
>
> +/* Hardening for Spectre-v1 */
> +#include <linux/nospec.h>
> +
> #include "uid16.h"
>
> #ifndef SET_UNALIGN_CTL
> @@ -1451,6 +1454,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
> if (resource >= RLIM_NLIMITS)
> return -EINVAL;
>
> + resource = array_index_nospec(resource, RLIM_NLIMITS);
> task_lock(current->group_leader);
> x = current->signal->rlim[resource];

Can the speculation proceed past the task_lock()? Or is the policy to
ignore such happy happenstances even if they are available?

> task_unlock(current->group_leader);
> @@ -1470,6 +1474,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
> if (resource >= RLIM_NLIMITS)
> return -EINVAL;
>
> + resource = array_index_nospec(resource, RLIM_NLIMITS);
> task_lock(current->group_leader);
> r = current->signal->rlim[resource];
> task_unlock(current->group_leader);