Re: [PATCH v3] x86/uaccess: Use pointer masking to limit uaccess speculation

From: Dan Williams
Date: Mon Sep 14 2020 - 14:49:20 EST


On Mon, Sep 14, 2020 at 10:56 AM Borislav Petkov <bp@xxxxxxxxx> wrote:
>
> On Thu, Sep 10, 2020 at 12:22:53PM -0500, Josh Poimboeuf wrote:
> > +/*
> > + * Sanitize a user pointer such that it becomes NULL if it's not a valid user
> > + * pointer. This prevents speculative dereferences of user-controlled pointers
> > + * to kernel space when access_ok() speculatively returns true. This should be
> > + * done *after* access_ok(), to avoid affecting error handling behavior.
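
Review bot: the last sentence of this comment gives the ordering rule ("*after* access_ok()") but justifies it only as avoiding "affecting error handling behavior", which leaves a caller guessing what breaks. Say what changes if the order is reversed, presumably that access_ok() would then be judging the NULL result rather than the pointer the caller passed in. Also state that the sanitized value, not the original pointer, is the one that must be used for the access that follows.
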
>
> Err, stupid question: can this macro then be folded into access_ok() so
> that you don't have to touch so many places and the check can happen
> automatically?

I think that ends up with more changes because it changes the flow of
access_ok() from returning a boolean to returning a modified user
address that can be used in the speculative path.
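
A user-space model of the ordering rule in the quoted comment and of the boolean check-then-sanitize flow discussed above, as an added example that is not part of the thread or the patch. Every `model_*` name, the limit value and the sample address are constructed assumptions, and the arithmetic mask only models the data flow (portable C does not guarantee the compiler emits no branch).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the end of the user address range (assumption). */
#define MODEL_USER_LIMIT 0x00007ffffffff000ULL
#define MODEL_EFAULT 14

/* Boolean range check: the "returns a boolean" shape discussed in the thread. */
static bool model_access_ok(uint64_t addr, uint64_t size)
{
    return size <= MODEL_USER_LIMIT && addr <= MODEL_USER_LIMIT - size;
}

/* Hypothetical sanitizer: addr if below the limit, else 0 (NULL).
 * Arithmetic instead of if/else; models the data flow only. */
static uint64_t model_sanitize(uint64_t addr)
{
    uint64_t mask = (uint64_t)0 - (uint64_t)(addr < MODEL_USER_LIMIT);
    return addr & mask;
}

/* Order from the quoted comment: check first, then mask what gets used. */
static int model_get_checked(uint64_t addr, uint64_t size, uint64_t *used)
{
    if (!model_access_ok(addr, size))
        return -MODEL_EFAULT;      /* error path sees the original pointer */
    *used = model_sanitize(addr);  /* only the masked value is used afterwards */
    return 0;
}

/* Reversed order: the bad pointer is already 0 when the check runs. */
static int model_get_masked_first(uint64_t addr, uint64_t size, uint64_t *used)
{
    *used = model_sanitize(addr);
    return model_access_ok(*used, size) ? 0 : -MODEL_EFAULT;
}

int main(void)
{
    uint64_t bad = 0xffff888000001000ULL, used = 0; /* constructed address */
    int a = model_get_checked(bad, 8, &used);
    int b = model_get_masked_first(bad, 8, &used);
    printf("check-then-mask: %d, mask-then-check: %d\n", a, b);
    return 0;
}
```

In this model the reversed order turns a rejected pointer into an accepted NULL, so the caller no longer gets the error from the range check.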