[PATCH v2 0/6] x86/uaccess: Avoid barrier_nospec()
Josh Poimboeuf
jpoimboe at kernel.org
Fri Oct 18 09:42:46 AEDT 2024
On Thu, Oct 17, 2024 at 11:31:30PM +0100, Andrew Cooper wrote:
> Even if you can get Intel and AMD to agree that STAC/CLAC are really
> LFENCEs (and I think you'll struggle), they'd only confer the safety you
> want between a real conditional that excludes the non-canonical range,
> and the pointer dereference.
>
> Any path that genuinely dereferences a non-canonical pointer is not safe,
> whatever serialisation you put in the way. The attacker wins the moment
> the load uop executes.
>
> The final hunk of patch 1 is safe (iff STAC is given extra guarantees)
> because it is between the conditional and the dereference. Patch 4 is not
> safe (if the comment is correct) because it removes the conditional.

So the naming is confusing:
- put_user() implementation is __put_user_*()
- __put_user() implementation is __put_user_nocheck_*()

Patch 4 only affects __put_user(), for which the user is expected to
call access_ok() beforehand.

The current implementations of get_user(), put_user() and
masked_user_access_begin() avoid the conditional. Those are the ones it
sounds like you're worried about?

None of my patches remove conditional checks.

--
Josh
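To make the distinction discussed above concrete (a user-pointer range check that branches, and therefore needs serialisation between the branch and the dereference, versus one that avoids the conditional by masking), here is an added user-space illustration in C. It is not kernel code from the patch series or from Linux; USER_PTR_MAX and GUARD_ADDR are constructed values for the example, and the mask trick assumes an arithmetic right shift of a negative long, as gcc and clang provide.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed limits for this illustration, not the kernel's real values:
 * the end of the simulated user range, and a guard address just above it
 * that is assumed to be always unmapped. */
#define USER_PTR_MAX  0x00007ffffffff000ULL
#define GUARD_ADDR    USER_PTR_MAX

/* Conditional form: architecturally correct, but the branch can be
 * mispredicted, so the dereference that follows may be executed
 * speculatively with an out-of-range address unless a speculation
 * barrier sits between the check and the load. */
static bool user_range_ok_branch(uint64_t addr, uint64_t size)
{
    if (size > USER_PTR_MAX)
        return false;
    return addr <= USER_PTR_MAX - size;
}

/* Branch-free predicate: ~0 when index < size, 0 otherwise. The
 * high bit of (size - 1 - index) is set exactly when index >= size;
 * the arithmetic shift smears it into a full mask. */
static inline uint64_t nospec_mask(uint64_t index, uint64_t size)
{
    return ~(uint64_t)((int64_t)(index | (size - 1 - index)) >> 63);
}

/* Branch-free form: any address that is not a valid user address is
 * replaced by GUARD_ADDR. There is no conditional to mispredict, so
 * even a speculatively executed load only ever touches the guard page,
 * and no barrier is required. */
static uint64_t mask_user_address_sim(uint64_t addr)
{
    uint64_t m = nospec_mask(addr, USER_PTR_MAX);
    return (addr & m) | (GUARD_ADDR & ~m);
}

int main(void)
{
    const uint64_t probes[] = { 0x1000, USER_PTR_MAX - 1, USER_PTR_MAX,
                                0x8000000000000000ULL,   /* non-canonical */
                                0xffff888000000000ULL }; /* kernel range */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%#018llx  branch_ok=%d  masked=%#018llx\n",
               (unsigned long long)probes[i],
               user_range_ok_branch(probes[i], 16),
               (unsigned long long)mask_user_address_sim(probes[i]));
    return 0;
}
```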