Re: [PATCH] x86: tls: fix possible spectre-v1 in do_get_thread_area()

From: Thomas Gleixner
Date: Sun Jun 23 2019 - 07:56:08 EST


On Tue, 11 Jun 2019, Dianzhang Chen wrote:

Subject prefix is 'x86/tls:' please.

> The idx in do_get_thread_area() is controlled by userspace

The idx? Please to not variable names in the change log. The variable name
is an implementation detail.

The index to access the threads tls array is controlled ....

Hmm?

> via syscall: ptrace(defined in kernel/ptrace.c), hence

sys_ptrace() again.

> leading to a potential exploitation of the Spectre variant 1 vulnerability.
> The idx can be controlled from:
> ptrace -> arch_ptrace -> do_get_thread_area.
>
> Fix this by sanitizing idx before using it to index p->thread.tls_array.
>
> Signed-off-by: Dianzhang Chen <dianzhangchen0@xxxxxxxxx>
> ---
> arch/x86/kernel/tls.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
> index a5b802a..4cd338c 100644
> --- a/arch/x86/kernel/tls.c
> +++ b/arch/x86/kernel/tls.c
> @@ -5,6 +5,7 @@
> #include <linux/user.h>
> #include <linux/regset.h>
> #include <linux/syscalls.h>
> +#include <linux/nospec.h>
>
> #include <linux/uaccess.h>
> #include <asm/desc.h>
> @@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx,
> struct user_desc __user *u_info)
> {
> struct user_desc info;
> + int index = idx - GDT_ENTRY_TLS_MIN;
>
> if (idx == -1 && get_user(idx, &u_info->entry_number))
> return -EFAULT;

Broken in the same way as the other one.

Thanks,

tglx