[SRU,Trusty,PULL] Prevent speculation on user controlled pointer (LP: #1775137)

Message ID 01c904cae0a339aeb07d383f9f46526f5467b096.1530196995.git.juergh@canonical.com
State New

Pull-request

git://git.launchpad.net/~juergh/+git/trusty-linux lp1775137

Message

Juerg Haefliger June 28, 2018, 2:47 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1775137

== SRU Justification ==
Upstream's Spectre v1 mitigation prevents speculation on a user controlled
pointer. This part of the Spectre v1 patchset was never backported to 4.4 (for
unknown reasons) so Xenial/Trusty/Precise are lacking it as well. All the other
stable upstream kernels include it, so add it to our older kernels.

== Fix ==
Backport the following patches:
x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec

== Regression Potential ==
Low. Patches have been in upstream (and other distro kernels) for quite a while
now and the changes only introduce a barrier on copy_from_user operations.

== Test Case ==
TBD.

Compile-tested all supported architectures.

Signed-off-by: Juerg Haefliger <juergh@canonical.com>
---

The following changes since commit 182dabb3ee807633a0a11e8bbac93a64d111fdd3:

  UBUNTU: SAUCE: filter: Use barrier_nospec() instead of osb() (2018-06-28 16:08:50 +0200)

are available in the Git repository at:

  git://git.launchpad.net/~juergh/+git/trusty-linux lp1775137

for you to fetch changes up to 01c904cae0a339aeb07d383f9f46526f5467b096:

  x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec (2018-06-28 16:41:27 +0200)

----------------------------------------------------------------
Dan Williams (3):
      x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
      x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
      x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec

Linus Torvalds (2):
      x86: reorganize SMAP handling in user space accesses
      x86: fix SMAP in 32-bit environments

 arch/x86/include/asm/uaccess.h    | 47 +++++++++++++++-----
 arch/x86/include/asm/uaccess_32.h | 24 ++++++++++
 arch/x86/include/asm/uaccess_64.h | 94 +++++++++++++++++++++++++++------------
 arch/x86/lib/usercopy_32.c        | 20 ++++-----
 4 files changed, 136 insertions(+), 49 deletions(-)
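
A simplified user-space model of the ordering this series enforces, added here as an illustration and not taken from the pull request or the kernel tree: the range check on a caller-supplied offset is followed by a speculation barrier before any load through it. The arena, USER_LIMIT and the *_model function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define ARENA_SIZE 128u
#define USER_LIMIT 64u  /* constructed: offsets below this model user space */

/* Constructed memory: [0,64) stands for user space, [64,128) for kernel. */
static unsigned char arena[ARENA_SIZE];

/* Model of barrier_nospec(): on x86, LFENCE keeps later loads from issuing
 * until earlier instructions, including the range check, have completed. */
static inline void barrier_nospec_model(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory"); /* compiler barrier only */
#endif
}

/* Model of access_ok(): overflow-safe range check against the user limit. */
static int access_ok_model(size_t off, size_t len)
{
    return len <= USER_LIMIT && off <= USER_LIMIT - len;
}

/* Model of a nospec user copy: check, barrier, then touch the memory. */
static int copy_from_user_model(void *dst, size_t off, size_t len)
{
    if (!access_ok_model(off, len))
        return -EFAULT;
    barrier_nospec_model(); /* the step the backported patches add */
    memcpy(dst, arena + off, len);
    return 0;
}

int main(void)
{
    unsigned char buf[8];

    memset(arena, 'u', USER_LIMIT);
    memset(arena + USER_LIMIT, 'k', ARENA_SIZE - USER_LIMIT);
    /* In-range copy succeeds; a copy crossing the limit is rejected. */
    return copy_from_user_model(buf, 0, sizeof(buf)) == 0 &&
           copy_from_user_model(buf, 60, sizeof(buf)) == -EFAULT ? 0 : 1;
}
```

Without the barrier, the architectural result is identical; the barrier only matters for what the CPU may load speculatively while the range check is still unresolved.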

Comments

Juerg Haefliger July 23, 2018, 2:06 p.m. UTC | #1
ping.

Stefan Bader July 25, 2018, 2:04 p.m. UTC | #2
Acked-by: Stefan Bader <stefan.bader@canonical.com>

Apart from not being able to always fully understand what is done, things looked
to be according to what was said in the commit messages. Maybe the only thing I
was idly wondering was why half of it is backported from upstream and other
things taken from 3.16.y.

Of course this depends on the other pull request which I would hope gets re-sent
after cleaning up.

-Stefan

Juerg Haefliger July 25, 2018, 3:10 p.m. UTC | #3
On 07/25/2018 04:04 PM, Stefan Bader wrote:
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
> 
> Apart from not being able to always fully understand what is done, things looked
> to be according to what was said in the commit messages. Maybe the only thing I
> was idly wondering was why half of it is backported from upstream and other
> things taken from 3.16.y.

I was cherry-picking from upstream if possible and only reverted to
stable patches if necessary. I'll fix it up and resend a new PR (should
be no code changes).

...Juerg


> Of course this depends on the other pull request which I would hope gets re-sent
> after cleaning up.
> 
> -Stefan
>