Re: [PATCH] kernel: sys: fix potential Spectre v1
From: Thomas Gleixner
Date: Tue May 15 2018 - 18:29:41 EST
On Tue, 15 May 2018, Andrew Morton wrote:
> On Mon, 14 May 2018 22:00:38 -0500 "Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx> wrote:
>
> > resource can be controlled by user-space, hence leading to a
> > potential exploitation of the Spectre variant 1 vulnerability.
> >
> > This issue was detected with the help of Smatch:
> >
> > kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential
> > spectre issue 'get_current()->signal->rlim' (local cap)
> > kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue
> > 'get_current()->signal->rlim' (local cap)
> >
> > Fix this by sanitizing *resource* before using it to index
> > current->signal->rlim
> >
> > Notice that given that speculation windows are large, the policy is
> > to kill the speculation on the first load and not worry if it can be
> > completed with a dependent load/store [1].
>
> hm. Not my area, but I'm always willing to learn ;)
>
> > --- a/kernel/sys.c
> > +++ b/kernel/sys.c
> > @@ -69,6 +69,9 @@
> > #include <asm/io.h>
> > #include <asm/unistd.h>
> >
> > +/* Hardening for Spectre-v1 */
> > +#include <linux/nospec.h>
> > +
> > #include "uid16.h"
> >
> > #ifndef SET_UNALIGN_CTL
> > @@ -1451,6 +1454,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
> > if (resource >= RLIM_NLIMITS)
> > return -EINVAL;
> >
> > + resource = array_index_nospec(resource, RLIM_NLIMITS);
> > task_lock(current->group_leader);
> > x = current->signal->rlim[resource];
>
> Can the speculation proceed past the task_lock()? Or is the policy to
> ignore such happy happenstances even if they are available?
Locks are not in the way of speculation. Speculation has almost no limits
except serializing instructions. At least they respect the magic AND
limitation in array_index_nospec().
Thanks,
tglx