Message-ID: <alpine.DEB.2.21.1906231353120.32342@nanos.tec.linutronix.de>
Date:   Sun, 23 Jun 2019 13:55:58 +0200 (CEST)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Dianzhang Chen <dianzhangchen0@...il.com>
cc:     mingo@...hat.com, bp@...en8.de, hpa@...or.com, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86: tls: fix possible spectre-v1 in do_get_thread_area()

On Tue, 11 Jun 2019, Dianzhang Chen wrote:

Subject prefix is 'x86/tls:' please.

> The idx in do_get_thread_area() is controlled by userspace

The idx? Please do not use variable names in the change log. The variable name
is an implementation detail.

  The index to access the thread's tls array is controlled ....

Hmm?

> via syscall: ptrace(defined in kernel/ptrace.c), hence

sys_ptrace() again.

> leading to a potential exploitation of the Spectre variant 1 vulnerability.
> The idx can be controlled from:
> 	ptrace -> arch_ptrace -> do_get_thread_area.
> 
> Fix this by sanitizing idx before using it to index p->thread.tls_array.
> 
> Signed-off-by: Dianzhang Chen <dianzhangchen0@...il.com>
> ---
>  arch/x86/kernel/tls.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
> index a5b802a..4cd338c 100644
> --- a/arch/x86/kernel/tls.c
> +++ b/arch/x86/kernel/tls.c
> @@ -5,6 +5,7 @@
>  #include <linux/user.h>
>  #include <linux/regset.h>
>  #include <linux/syscalls.h>
> +#include <linux/nospec.h>
>  
>  #include <linux/uaccess.h>
>  #include <asm/desc.h>
> @@ -220,6 +221,7 @@ int do_get_thread_area(struct task_struct *p, int idx,
>  		       struct user_desc __user *u_info)
>  {
>  	struct user_desc info;
> +	int index = idx - GDT_ENTRY_TLS_MIN;
>  
>  	if (idx == -1 && get_user(idx, &u_info->entry_number))
>  		return -EFAULT;
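Review bot: `index` is derived at its declaration (`int index = idx - GDT_ENTRY_TLS_MIN;`) before the line `if (idx == -1 && get_user(idx, &u_info->entry_number))` can replace `idx` with the value read from user space, so on the `idx == -1` path the sanitised index is computed from -1 rather than from the user-supplied entry number that the array access will actually use, and the nospec clamp described in the change log does not cover the user-controlled input. Compute `index` (and apply the clamp) only after `idx` has its final value, immediately before the `tls_array` access it is meant to guard.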

Broken in the same way as the other one.

Thanks,

	tglx
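Added example, not kernel code and not the submitter's patch: a user-space model of the ordering problem tglx flags, with the patch's ordering beside a corrected one. The GDT constants, the `tls_base` table and `index_nospec()` (a stand-in for the kernel's `array_index_nospec()`) are assumptions of this model.

```c
#include <stddef.h>
#include <errno.h>

/* Values mirror the x86 GDT layout; assumed here for the model. */
#define GDT_ENTRY_TLS_MIN     12
#define GDT_ENTRY_TLS_ENTRIES 3
#define GDT_ENTRY_TLS_MAX     (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)

/* Constructed stand-in for p->thread.tls_array: one base address per slot. */
static const long tls_base[GDT_ENTRY_TLS_ENTRIES] = { 0x1000, 0x2000, 0x3000 };

/* Model of array_index_nospec(): clamp to [0, size) with a mask rather than
 * a branch, so a mispredicted bounds check cannot steer a speculative load. */
static size_t index_nospec(size_t index, size_t size)
{
	size_t mask = (size_t)0 - (size_t)(index < size); /* all ones iff in range */
	return index & mask;
}

/* Ordering from the quoted patch: index is derived from idx before the
 * get_user() path (modelled by user_entry) may replace idx. */
static long get_thread_area_stale(int idx, unsigned int user_entry)
{
	int index = idx - GDT_ENTRY_TLS_MIN;   /* computed from the stale idx */

	if (idx == -1)
		idx = (int)user_entry;             /* get_user(idx, &u_info->entry_number) */
	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
		return -EINVAL;
	/* On the idx == -1 path index is -13: cast to size_t it is out of range,
	 * the mask clears it to 0 and the wrong slot is returned silently. */
	return tls_base[index_nospec((size_t)index, GDT_ENTRY_TLS_ENTRIES)];
}

/* Corrected ordering: derive and clamp the index only once idx is final. */
static long get_thread_area_fixed(int idx, unsigned int user_entry)
{
	size_t index;

	if (idx == -1)
		idx = (int)user_entry;
	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
		return -EINVAL;
	index = index_nospec((size_t)(idx - GDT_ENTRY_TLS_MIN), GDT_ENTRY_TLS_ENTRIES);
	return tls_base[index];
}
```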
