[PATCH] x86/uaccess: Avoid barrier_nospec() in copy_from_user()
Kirill A. Shutemov
kirill at shutemov.name
Thu Oct 17 09:13:39 AEDT 2024
On Wed, Oct 16, 2024 at 11:02:56PM +0100, Andrew Cooper wrote:
> On 16/10/2024 5:10 pm, Linus Torvalds wrote:
> > --- a/arch/x86/lib/getuser.S
> > +++ b/arch/x86/lib/getuser.S
> > @@ -37,11 +37,14 @@
> >
> > #define ASM_BARRIER_NOSPEC ALTERNATIVE "", "lfence", X86_FEATURE_LFENCE_RDTSC
> >
> > +#define X86_CANONICAL_MASK ALTERNATIVE \
> > + "movq $0x80007fffffffffff,%rdx", \
> > + "movq $0x80ffffffffffffff,%rdx", X86_FEATURE_LA57
> > +
> > .macro check_range size:req
> > .if IS_ENABLED(CONFIG_X86_64)
> > - mov %rax, %rdx
> > - sar $63, %rdx
> > - or %rdx, %rax
> > + X86_CANONICAL_MASK /* mask into %rdx */
> > + and %rdx,%rax
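Review bot: the `X86_CANONICAL_MASK` / `and %rdx,%rax` pair in check_range is not a semantic match for the `mov %rax,%rdx` / `sar $63,%rdx` / `or %rdx,%rax` sequence it removes. The old code sign-extends bit 63 and ORs it back in, so any pointer with the top bit set becomes all-ones and the access fails; the new `and` only clears the non-canonical bits, so a user pointer with a stray high bit (bit 60, say) is silently rewritten into a canonical user address and the access succeeds. The mask constants also keep bit 63, so a kernel-half pointer survives with just its upper bits cleared, which stops being a rejection once LAM_SUP ignores those bits. Suggest keeping a transform that forces a fault for out-of-range input, either the sign-extend-and-or sequence being removed or an explicit comparison that rejects any `%rax` that differs from its masked value, rather than a bare mask.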
>
> That doesn't have the same semantics, does it?
>
> Consider userspace passing an otherwise-good pointer with bit 60 set.
> Previously that would have resulted in a failure, whereas now it will
> succeed.
It is worse than that. If we get LAM_SUP enabled (there's a KASAN patchset
in the works) this check will allow arbitrary kernel addresses.
--
Kiryl Shutsemau / Kirill A. Shutemov