[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.21.1906231353120.32342@nanos.tec.linutronix.de>
Date: Sun, 23 Jun 2019 13:55:58 +0200 (CEST)
From: Thomas Gleixner <tglx@...utronix.de>
To: Dianzhang Chen <dianzhangchen0@...il.com>
cc: mingo@...hat.com, bp@...en8.de, hpa@...or.com, x86@...nel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86: tls: fix possible spectre-v1 in
do_get_thread_area()
On Tue, 11 Jun 2019, Dianzhang Chen wrote:
Subject prefix is 'x86/tls:' please.
> The idx in do_get_thread_area() is controlled by userspace
The idx? Please to not variable names in the change log. The variable name
is an implementation detail.
The index to access the threads tls array is controlled ....
Hmm?
> via syscall: ptrace(defined in kernel/ptrace.c), hence
sys_ptrace() again.
> leading to a potential exploitation of the Spectre variant 1 vulnerability.
> The idx can be controlled from:
> ptrace -> arch_ptrace -> do_get_thread_area.
>
> Fix this by sanitizing idx before using it to index p->thread.tls_array.
>
> Signed-off-by: Dianzhang Chen <dianzhangchen0@...il.com>
> ---
> arch/x86/kernel/tls.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
> index a5b802a..4cd338c 100644
> --- a/arch/x86/kernel/tls.c
> +++ b/arch/x86/kernel/tls.c
> @@ -5,6 +5,7 @@
> #include <linux/user.h>
> #include <linux/regset.h>
> #include <linux/syscalls.h>
> +#include <linux/nospec.h>
>
> #include <linux/uaccess.h>
> #include <asm/desc.h>
> @@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx,
> struct user_desc __user *u_info)
> {
> struct user_desc info;
> + int index = idx - GDT_ENTRY_TLS_MIN;
>
> if (idx == -1 && get_user(idx, &u_info->entry_number))
> return -EFAULT;
Broken in the same way as the other one.
Thanks,
tglx
Powered by blists - more mailing lists