    ARM: spectre-v1: mitigate user accesses · a3c0f847
    Russell King authored
    Spectre variant 1 attacks are about this sequence of pseudo-code:
    
    	index = load(user-manipulated pointer);
    	access(base + index * stride);
    
    In order for the cache side-channel to work, the access() must be made
    to memory which userspace can detect whether cache lines have been
    loaded.  On 32-bit ARM, this must be either user accessible memory, or
    a kernel mapping of that same user accessible memory.
    
    The problem occurs when the load() speculatively loads privileged data,
    and the subsequent access() is made to user accessible memory.
    
    Any load() which makes use of a user-manipulated pointer is a potential
    problem if the data it has loaded is used in a subsequent access.  This
    also applies for the access() if the data loaded by that access is used
    by a subsequent access.
    
    Harden the get_user() accessors against Spectre attacks by forcing out
    of bounds addresses to a NULL pointer.  This prevents get_user() being
    used as the load() step above.  As a side effect, put_user() will also
    be affected even though it isn't implicated.
    
    Also harden copy_from_user() by redoing the bounds check within the
    arm_copy_from_user() code, and NULLing the pointer if out of bounds.
    Acked-by: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
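The hardening the commit message describes, as an added illustration in C that is not part of the commit or of the kernel: a constructed model of the 32-bit user/kernel address split (SIM_TASK_SIZE, sim_mem, mask_user_range, sim_get_user and sim_copy_from_user are all hypothetical names and values) showing how a branch-free range check that forces an out-of-bounds pointer to NULL keeps get_user()/copy_from_user() from serving as the load() step.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model, not the kernel's values: addresses below SIM_TASK_SIZE
 * are "user", everything at or above it is "kernel" (holds privileged data). */
#define SIM_TASK_SIZE 0x1000u
#define SIM_EFAULT    (-14)
static uint8_t sim_mem[0x2000];

/* Branch-free bounds check: return addr when [addr, addr+size) lies entirely in
 * user space, otherwise 0 (NULL). With no conditional branch there is nothing
 * for the CPU to mispredict past, so a speculative load ends up at NULL instead
 * of at privileged memory. The real kernel does this in assembly because a C
 * compiler is not obliged to keep the expression branch-free. */
static uintptr_t mask_user_range(uintptr_t addr, size_t size)
{
    uintptr_t limit = SIM_TASK_SIZE;
    /* ok is 1 when size fits below the limit and addr leaves room for it
     * (the subtraction form avoids addr + size wrapping around). */
    uintptr_t ok = (uintptr_t)(size != 0 && size <= limit && addr <= limit - size);
    uintptr_t mask = 0 - ok;            /* all ones when ok, all zeros otherwise */
    return addr & mask;
}

/* Hardened get_user(): a NULL-forced address faults instead of being loaded. */
static int sim_get_user(uint8_t *out, uintptr_t addr)
{
    addr = mask_user_range(addr, 1);
    if (addr == 0)                      /* NULL page is unmapped: fault */
        return SIM_EFAULT;
    *out = sim_mem[addr];
    return 0;
}

/* Hardened copy_from_user(): the size is part of the check, so a range that
 * starts in user space but runs into kernel space is rejected as a whole. */
static int sim_copy_from_user(uint8_t *dst, uintptr_t src, size_t n)
{
    src = mask_user_range(src, n);
    if (src == 0)
        return SIM_EFAULT;
    memcpy(dst, &sim_mem[src], n);
    return 0;
}

/* Constructed scenario: a user byte at 0x10 and a "secret" kernel byte at
 * 0x1800. Returns 0 when only the user byte is readable. */
static int run_demo(void)
{
    uint8_t b = 0, buf[0x20];
    sim_mem[0x10] = 0x5a;
    sim_mem[0x1800] = 0x77;
    if (sim_get_user(&b, 0x10) != 0 || b != 0x5a) return 1;
    if (sim_get_user(&b, 0x1800) != SIM_EFAULT) return 2;  /* kernel address */
    if (sim_copy_from_user(buf, 0x0ff0, 0x10) != 0) return 3; /* fits exactly */
    if (sim_copy_from_user(buf, 0x0ff0, 0x11) != SIM_EFAULT) return 4; /* crosses */
    return 0;
}
```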
copy_from_user.S 2.25 KB