lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 23 Jun 2019 13:55:58 +0200 (CEST) From: Thomas Gleixner <tglx@...utronix.de> To: Dianzhang Chen <dianzhangchen0@...il.com> cc: mingo@...hat.com, bp@...en8.de, hpa@...or.com, x86@...nel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] x86: tls: fix possible spectre-v1 in do_get_thread_area() On Tue, 11 Jun 2019, Dianzhang Chen wrote: Subject prefix is 'x86/tls:' please. > The idx in do_get_thread_area() is controlled by userspace The idx? Please to not variable names in the change log. The variable name is an implementation detail. The index to access the threads tls array is controlled .... Hmm? > via syscall: ptrace(defined in kernel/ptrace.c), hence sys_ptrace() again. > leading to a potential exploitation of the Spectre variant 1 vulnerability. > The idx can be controlled from: > ptrace -> arch_ptrace -> do_get_thread_area. > > Fix this by sanitizing idx before using it to index p->thread.tls_array. > > Signed-off-by: Dianzhang Chen <dianzhangchen0@...il.com> > --- > arch/x86/kernel/tls.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c > index a5b802a..4cd338c 100644 > --- a/arch/x86/kernel/tls.c > +++ b/arch/x86/kernel/tls.c > @@ -5,6 +5,7 @@ > #include <linux/user.h> > #include <linux/regset.h> > #include <linux/syscalls.h> > +#include <linux/nospec.h> > > #include <linux/uaccess.h> > #include <asm/desc.h> > @@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx, > struct user_desc __user *u_info) > { > struct user_desc info; > + int index = idx - GDT_ENTRY_TLS_MIN; > > if (idx == -1 && get_user(idx, &u_info->entry_number)) > return -EFAULT; Broken in the same way as the other one. Thanks, tglx
Powered by blists - more mailing lists