releases/3.16.60/kernel-sys.c-fix-potential-spectre-v1-issue.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
 Date: Fri, 25 May 2018 14:47:57 -0700
 Subject: kernel/sys.c: fix potential Spectre v1 issue

 commit 23d6aef74da86a33fa6bb75f79565e0a16ee97c2 upstream.

 `resource' can be controlled by user-space, hence leading to a potential
 exploitation of the Spectre variant 1 vulnerability.

 This issue was detected with the help of Smatch:

   kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap)
   kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap)

 Fix this by sanitizing *resource* before using it to index
 current->signal->rlim

 Notice that given that speculation windows are large, the policy is to
 kill the speculation on the first load and not worry if it can be
 completed with a dependent load/store [1].

 [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

 Link: http://lkml.kernel.org/r/20180515030038.GA11822@embeddedor.com
 Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
 Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
 Cc: Alexei Starovoitov <ast@kernel.org>
 Cc: Dan Williams <dan.j.williams@intel.com>
 Cc: Thomas Gleixner <tglx@linutronix.de>
 Cc: Peter Zijlstra <peterz@infradead.org>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 [bwh: Backported to 3.16:
  - Drop changes to compat implementation, which is a wrapper for the
    regular implementation here
  - Adjust context]
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
 --- a/kernel/sys.c
 +++ b/kernel/sys.c
 @@ -63,6 +63,9 @@
  #include <asm/io.h>
  #include <asm/unistd.h>

 +/* Hardening for Spectre-v1 */
 +#include <linux/nospec.h>
 +
  #ifndef SET_UNALIGN_CTL
  # define SET_UNALIGN_CTL(a,b)	(-EINVAL)
  #endif
 @@ -1294,6 +1297,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned
  	if (resource >= RLIM_NLIMITS)
  		return -EINVAL;

 +	resource = array_index_nospec(resource, RLIM_NLIMITS);
  	task_lock(current->group_leader);
  	x = current->signal->rlim[resource];
  	task_unlock(current->group_leader);
	From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
	Date: Fri, 25 May 2018 14:47:57 -0700
	Subject: kernel/sys.c: fix potential Spectre v1 issue

	commit 23d6aef74da86a33fa6bb75f79565e0a16ee97c2 upstream.

	`resource' can be controlled by user-space, hence leading to a potential
	exploitation of the Spectre variant 1 vulnerability.

	This issue was detected with the help of Smatch:

	kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap)
	kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap)

	Fix this by sanitizing resource before using it to index
	current->signal->rlim

	Notice that given that speculation windows are large, the policy is to
	kill the speculation on the first load and not worry if it can be
	completed with a dependent load/store [1].

	[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

	Link: http://lkml.kernel.org/r/20180515030038.GA11822@embeddedor.com
	Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
	Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
	Cc: Alexei Starovoitov <ast@kernel.org>
	Cc: Dan Williams <dan.j.williams@intel.com>
	Cc: Thomas Gleixner <tglx@linutronix.de>
	Cc: Peter Zijlstra <peterz@infradead.org>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	[bwh: Backported to 3.16:
	- Drop changes to compat implementation, which is a wrapper for the
	regular implementation here
	- Adjust context]
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	--- a/kernel/sys.c
	+++ b/kernel/sys.c
	@@ -63,6 +63,9 @@
	#include <asm/io.h>
	#include <asm/unistd.h>

	+/* Hardening for Spectre-v1 */
	+#include <linux/nospec.h>
	+
	#ifndef SET_UNALIGN_CTL
	# define SET_UNALIGN_CTL(a,b) (-EINVAL)
	#endif
	@@ -1294,6 +1297,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned
	if (resource >= RLIM_NLIMITS)
	return -EINVAL;

	+ resource = array_index_nospec(resource, RLIM_NLIMITS);
	task_lock(current->group_leader);
	x = current->signal->rlim[resource];
	task_unlock(current->group_leader);