[V2] powerpc/ptrace: Mitigate potential Spectre v1

Michael Ellerman patch-notifications at ellerman.id.au
Sat Feb 9 00:02:40 AEDT 2019


On Wed, 2019-01-30 at 12:46:00 UTC, Breno Leitao wrote:
> 'regno' is directly controlled by user space, hence leading to a potential
> exploitation of the Spectre variant 1 vulnerability.
> 
> On PTRACE_SETREGS and PTRACE_GETREGS requests, user space passes the
> register number that would be read or written. This register number is
> called 'regno' which is part of the 'addr' syscall parameter.
> 
> This 'regno' value is checked against the maximum pt_regs structure size,
> and then used to dereference it, which matches the initial part of a
> Spectre v1 (and Spectre v1.1) attack. The dereferenced value, then,
> is returned to userspace in the GETREGS case.
> 
> This patch sanitizes 'regno' before using it to dereference pt_reg.
> 
> Notice that given that speculation windows are large, the policy is
> to kill the speculation on the first load and not worry if it can be
> completed with a dependent load/store [1].
> 
> [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
> 
> Signed-off-by: Breno Leitao <leitao at debian.org>
> Acked-by: Gustavo A. R. Silva <gustavo at embeddedor.com>

Applied to powerpc next, thanks.

https://git.kernel.org/powerpc/c/ebb0e13ead2ddc186a80b1b0235deeef

cheers


More information about the Linuxppc-dev mailing list