Matthias Brugger |
8753b0 |
From: Will Deacon <will.deacon@arm.com>
Date: Mon, 5 Feb 2018 15:34:20 +0000
Subject: arm64: entry: Ensure branch through syscall table is bounded under
 speculation
Git-commit: 6314d90e64936c584f300a52ef173603fb2461b5
Patch-mainline: v4.16-rc1
References: bsc#1068032

In a similar manner to array_index_mask_nospec, this patch introduces an
assembly macro (mask_nospec64) which can be used to bound a value under
speculation. This macro is then used to ensure that the indirect branch
through the syscall table is bounded under speculation, with out-of-range
addresses speculating as calls to sys_io_setup (0).

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[mb: use scno and sc_nr instead of xscno and xsc_nr]
Signed-off-by: Matthias Brugger <mbrugger@suse.com>
---
 arch/arm64/include/asm/assembler.h | 11 +++++++++++
 arch/arm64/kernel/entry.S          |  1 +
 2 files changed, 12 insertions(+)

--- a/arch/arm64/include/asm/assembler.h
+++ b/arch/arm64/include/asm/assembler.h
@@ -115,6 +115,17 @@
.endm
/*
+ * Sanitise a 64-bit bounded index wrt speculation, returning zero if out
+ * of bounds.
+ */
+ .macro mask_nospec64, idx, limit, tmp
+ sub \tmp, \idx, \limit
+ bic \tmp, \tmp, \idx
+ and \idx, \idx, \tmp, asr #63
+ csdb
+ .endm
+
+/*
* NOP sequence
*/
.macro nops, num
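Review bot: The comment above mask_nospec64 does not state the macro's preconditions, and since it lives in the shared assembler.h they should be written down. The `sub`/`bic`/`and ..., asr #63` sequence derives its mask from the sign bit of \idx - \limit, so it is only correct when \limit is no larger than 2^63: with a bigger limit, a small in-range \idx yields a difference with the top bit clear and is forced to zero. An \idx with bit 63 set is handled (the `bic` clears the sign bit, so it masks to zero). The comment should also say that \tmp is clobbered and that the condition flags are left untouched (`sub`, not `subs`), so callers know what they can rely on after the macro.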
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -901,6 +901,7 @@ el0_svc_naked: // compat entry point
b.ne __sys_trace
cmp scno, sc_nr // check upper syscall limit
b.hs ni_sys
+ mask_nospec64 scno, sc_nr, x19 // enforce bounds for syscall number
ldr x16, [stbl, scno, lsl #3] // address in the syscall table
blr x16 // call sys_* routine
b ret_fast_syscall
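Review bot: The added `mask_nospec64 scno, sc_nr, x19` line overwrites x19 unconditionally, and nothing in the visible context of el0_svc_naked shows that x19 is dead between the `cmp` and the `blr x16`. Please confirm that no live value is held in x19 on this path (it is shared with the compat entry point, per the hunk header), or mention the clobber in the trailing comment. Because the macro operates on 64-bit values, the rename noted in the commit message also relies on scno and sc_nr being X-register aliases in this tree; the existing `ldr x16, [stbl, scno, lsl #3]` is consistent with that, but it is worth stating in the [mb] note.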