From: Will Deacon Date: Mon, 5 Feb 2018 15:34:21 +0000 (+0000) Subject: arm64: uaccess: Prevent speculative use of the current addr_limit X-Git-Tag: C0P2-H0.0--20200415~114 X-Git-Url: https://git.somdevices.com/?a=commitdiff_plain;h=f46d204859360f3a94a68574f7ae7ea753959493;p=linux.git arm64: uaccess: Prevent speculative use of the current addr_limit commit c2f0ad4fc089 upstream. A mispredicted conditional call to set_fs could result in the wrong addr_limit being forwarded under speculation to a subsequent access_ok check, potentially forming part of a spectre-v1 attack using uaccess routines. This patch prevents this forwarding from taking place, but putting heavy barriers in set_fs after writing the addr_limit. Reviewed-by: Mark Rutland Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Alex Shi Conflicts: no set_thread_flag(TIF_FSCHECK) in arch/arm64/include/asm/uaccess.h --- diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 3531fec798f7..00025c5da432 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -70,6 +70,13 @@ static inline void set_fs(mm_segment_t fs) { current_thread_info()->addr_limit = fs; + /* + * Prevent a mispredicted conditional call to set_fs from forwarding + * the wrong address limit to access_ok under speculation. + */ + dsb(nsh); + isb(); + /* * Enable/disable UAO so that copy_to_user() etc can access * kernel memory with the unprivileged instructions.