Re: [PATCH v2 07/19] x86: introduce __uaccess_begin_nospec and ASM_IFENCE
- Date: Fri, 12 Jan 2018 12:58:15 -0600
- From: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
- Subject: Re: [PATCH v2 07/19] x86: introduce __uaccess_begin_nospec and ASM_IFENCE
On Fri, Jan 12, 2018 at 10:21:43AM -0800, Dan Williams wrote:
> > That just sounds wrong. What if the speculation starts *after* the
> > access_ok() check? Then the barrier has no purpose.
> > Most access_ok/get_user/copy_from_user calls are like this:
> > if (copy_from_user(...uptr..)) /* or access_ok() or get_user() */
> > return -EFAULT;
> > So in other words, the usercopy function is called *before* the branch.
> > But to halt speculation, the lfence needs to come *after* the branch.
> > So putting lfences *before* the branch doesn't solve anything.
> > So what am I missing?
> We're trying to prevent a pointer under user control from being
> de-referenced inside the kernel, before we know it has been limited to
> something safe. In the following sequence the branch we are worried
> about speculating is the privilege check:
> if (access_ok(uptr)) /* <--- Privelege Check */
> if (copy_from_user_(uptr))
> The cpu can speculatively skip that access_ok() check and cause a read
> of kernel memory.
Converting your example code to assembly:
call access_ok # no speculation which started before this point is allowed to continue past this point
test %rax, %rax
(do nefarious things with the user pointer)
mov -EINVAL, %rax
So the CPU is still free to speculately execute the dereference_uptr
block because the lfence was before the 'jne error_path' branch.