Date:   Tue, 24 Nov 2020 07:06:26 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     yangerkun <yangerkun@...wei.com>
Cc:     linux-kernel@...r.kernel.org, dja@...ens.net, npiggin@...il.com,
        stable-commits@...r.kernel.org
Subject: Re: Patch "powerpc/64s: flush L1D after user accesses" has been added to the 4.4-stable tree

On Tue, Nov 24, 2020 at 11:18:05AM +0800, yangerkun wrote:
> 
> 
> On 2020/11/20 15:30, gregkh@...uxfoundation.org wrote:
> > 
> > This is a note to let you know that I've just added the patch titled
> > 
> >      powerpc/64s: flush L1D after user accesses
> > 
> > to the 4.4-stable tree which can be found at:
> >      http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > 
> > The filename of the patch is:
> >       powerpc-64s-flush-l1d-after-user-accesses.patch
> > and it can be found in the queue-4.4 subdirectory.
> > 
> > If you, or anyone else, feels it should not be added to the stable tree,
> > please let <stable@...r.kernel.org> know about it.
> > 
> > 
> > From foo@baz Fri Nov 20 08:28:41 AM CET 2020
> > From: Daniel Axtens <dja@...ens.net>
> > Date: Fri, 20 Nov 2020 11:07:04 +1100
> > Subject: powerpc/64s: flush L1D after user accesses
> > To: stable@...r.kernel.org
> > Cc: dja@...ens.net
> > Message-ID: <20201120000704.374811-9-dja@...ens.net>
> > 
> > From: Nicholas Piggin <npiggin@...il.com>
> > 
> > commit 9a32a7e78bd0cd9a9b6332cbdc345ee5ffd0c5de upstream.
> > 
> > IBM Power9 processors can speculatively operate on data in the L1 cache before
> > it has been completely validated, via a way-prediction mechanism. It is not possible
> > for an attacker to determine the contents of impermissible memory using this method,
> > since these systems implement a combination of hardware and software security measures
> > to prevent scenarios where protected data could be leaked.
> > 
> > However these measures don't address the scenario where an attacker induces
> > the operating system to speculatively execute instructions using data that the
> > attacker controls. This can be used for example to speculatively bypass "kernel
> > user access prevention" techniques, as discovered by Anthony Steinhauser of
> > Google's Safeside Project. This is not an attack by itself, but there is a possibility
> > it could be used in conjunction with side-channels or other weaknesses in the
> > privileged code to construct an attack.
> > 
> > This issue can be mitigated by flushing the L1 cache between privilege boundaries
> > of concern. This patch flushes the L1 cache after user accesses.
> > 
> > This is part of the fix for CVE-2020-4788.
> > 
> > Signed-off-by: Nicholas Piggin <npiggin@...il.com>
> > Signed-off-by: Daniel Axtens <dja@...ens.net>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > ---
> >   Documentation/kernel-parameters.txt            |    4 +
> >   arch/powerpc/include/asm/book3s/64/kup-radix.h |   23 ++++++
> >   arch/powerpc/include/asm/feature-fixups.h      |    9 ++
> >   arch/powerpc/include/asm/kup.h                 |    4 +
> >   arch/powerpc/include/asm/security_features.h   |    3
> >   arch/powerpc/include/asm/setup.h               |    1
> >   arch/powerpc/kernel/exceptions-64s.S           |   86 +++++++------------------
> >   arch/powerpc/kernel/ppc_ksyms.c                |    7 ++
> >   arch/powerpc/kernel/setup_64.c                 |   80 +++++++++++++++++++++++
> >   arch/powerpc/kernel/vmlinux.lds.S              |    7 ++
> >   arch/powerpc/lib/feature-fixups.c              |   50 ++++++++++++++
> >   arch/powerpc/platforms/powernv/setup.c         |    7 +-
> >   arch/powerpc/platforms/pseries/setup.c         |    4 +
> >   13 files changed, 224 insertions(+), 61 deletions(-)
> >   create mode 100644 arch/powerpc/include/asm/book3s/64/kup-radix.h
> > 
> > --- a/Documentation/kernel-parameters.txt
> > +++ b/Documentation/kernel-parameters.txt
> > @@ -2197,6 +2197,7 @@ bytes respectively. Such letter suffixes
> >   					       mds=off [X86]
> >   					       tsx_async_abort=off [X86]
> >   					       no_entry_flush [PPC]
> > +					       no_uaccess_flush [PPC]
> >   			auto (default)
> >   				Mitigate all CPU vulnerabilities, but leave SMT
> > @@ -2521,6 +2522,9 @@ bytes respectively. Such letter suffixes
> >   	nospec_store_bypass_disable
> >   			[HW] Disable all mitigations for the Speculative Store Bypass vulnerability
> > +	no_uaccess_flush
> > +			[PPC] Don't flush the L1-D cache after accessing user data.
> > +
> >   	noxsave		[BUGS=X86] Disables x86 extended register state save
> >   			and restore using xsave. The kernel will fallback to
> >   			enabling legacy floating-point and sse state.
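Review bot: the new no_uaccess_flush entry says what the option does but not what it costs. The commit message ties this flush to CVE-2020-4788, so the description should state that the option disables part of that mitigation, in the same way the neighbouring nospec_store_bypass_disable entry names the vulnerability it stops mitigating; something like `[PPC] Don't flush the L1-D cache after accessing user data. This disables part of the mitigation for CVE-2020-4788.` would let an administrator judge the trade-off from the documentation alone.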
> > --- /dev/null
> > +++ b/arch/powerpc/include/asm/book3s/64/kup-radix.h
> > @@ -0,0 +1,23 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +#ifndef _ASM_POWERPC_BOOK3S_64_KUP_RADIX_H
> > +#define _ASM_POWERPC_BOOK3S_64_KUP_RADIX_H
> > +#include <linux/jump_label.h>
> > +
> > +DECLARE_STATIC_KEY_FALSE(uaccess_flush_key);
> > +
> > +/* Prototype for function defined in exceptions-64s.S */
> > +void do_uaccess_flush(void);
> > +
> > +static __always_inline void allow_user_access(void __user *to, const void __user *from,
> > +					      unsigned long size)
> > +{
> > +}
> > +
> > +static inline void prevent_user_access(void __user *to, const void __user *from,
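Review bot: this header defines allow_user_access() and prevent_user_access() as static inlines, but the build output quoted below shows kup.h:12 and kup.h:14 already defining the same two functions unconditionally, so including kup-radix.h from kup.h produces a redefinition error in ppc_ksyms.c. The 4-line kup.h hunk listed in the diffstat has to make the two sets of definitions mutually exclusive, for example by wrapping the existing stubs in an `#else` branch of the `#ifdef` that includes kup-radix.h, so that exactly one definition is visible in any given configuration. The hunk is also cut off at this point, so the body of prevent_user_access(), which is where the commit message says the flush is issued, cannot be checked on this page.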
> 
> Hi,
> 
> This will redefine prevent_user_access and lead to compile error...
> 
> 
> In file included from arch/powerpc/kernel/ppc_ksyms.c:10:0:
> ./arch/powerpc/include/asm/book3s/64/kup-radix.h:11:29: error: redefinition
> of 'allow_user_access'
>  static __always_inline void allow_user_access(void __user *to, const void
> __user *from,
>                              ^~~~~~~~~~~~~~~~~
> In file included from ./arch/powerpc/include/asm/uaccess.h:12:0,
>                  from arch/powerpc/kernel/ppc_ksyms.c:8:
> ./arch/powerpc/include/asm/kup.h:12:20: note: previous definition of
> 'allow_user_access' was here
>  static inline void allow_user_access(void __user *to, const void __user
> *from,
>                     ^~~~~~~~~~~~~~~~~
> In file included from arch/powerpc/kernel/ppc_ksyms.c:10:0:
> ./arch/powerpc/include/asm/book3s/64/kup-radix.h:16:20: error: redefinition
> of 'prevent_user_access'
>  static inline void prevent_user_access(void __user *to, const void __user
> *from,
>                     ^~~~~~~~~~~~~~~~~~~
> In file included from ./arch/powerpc/include/asm/uaccess.h:12:0,
>                  from arch/powerpc/kernel/ppc_ksyms.c:8:
> ./arch/powerpc/include/asm/kup.h:14:20: note: previous definition of
> 'prevent_user_access' was here
>  static inline void prevent_user_access(void __user *to, const void __user
> *from,
>                     ^~~~~~~~~~~~~~~~~~~
> make[1]: *** [scripts/Makefile.build:277: arch/powerpc/kernel/ppc_ksyms.o]
> Error 1
> make[1]: *** Waiting for unfinished jobs....

Should be fixed in the -rc releases I just made yesterday, right?

thanks,

greg k-h
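The commit message above describes the mechanism only in prose: a boot-time option (no_uaccess_flush, or mitigations=off) that leaves a static key disabled, and a prevent_user_access() hook that flushes the L1-D cache when the key is enabled. The following is an added, user-space model of that design, not code from the patch or from the kernel: the names uaccess_flush_key, do_uaccess_flush, allow_user_access and prevent_user_access come from the quoted header, but their bodies are assumptions, since the hunk on the page is cut off before the real implementation. The static key is modelled as a plain global, the cache flush as a counter, and the hardware feature detection the real patch also adds (security_features.h in the diffstat) is left out.

```c
/* Added example: a user-space model of "flush L1-D after user accesses",
 * written to illustrate the design the commit message describes. Not the
 * kernel's code; all function bodies are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Models DECLARE_STATIC_KEY_FALSE(uaccess_flush_key): off unless enabled at boot. */
static bool uaccess_flush_key = false;

/* Models the assembly routine do_uaccess_flush(): counts flushes instead of
 * touching hardware, so the effect of the key can be observed. */
static unsigned long uaccess_flushes;
static void do_uaccess_flush(void)
{
    uaccess_flushes++;
}

/* Models the kernel-parameter handling documented in the first hunk:
 * "no_uaccess_flush" or "mitigations=off" leaves the key disabled,
 * otherwise the flush is enabled (assumed behaviour for the model). */
static void setup_uaccess_flush(const char *cmdline)
{
    bool disabled = strstr(cmdline, "no_uaccess_flush") != NULL ||
                    strstr(cmdline, "mitigations=off") != NULL;
    uaccess_flush_key = !disabled;
}

/* Opening the user-access window: nothing to do in this model. */
static inline void allow_user_access(void *to, const void *from, size_t size)
{
    (void)to; (void)from; (void)size;
}

/* Closing the window: this is where the patch flushes the L1-D cache, so
 * data the user controlled cannot be speculatively consumed afterwards. */
static inline void prevent_user_access(void *to, const void *from, size_t size)
{
    (void)to; (void)from; (void)size;
    if (uaccess_flush_key)          /* static_branch_unlikely() in the kernel */
        do_uaccess_flush();
}

/* A copy_from_user()-style access bracketed by the allow/prevent pair. */
static size_t model_copy_from_user(void *to, const void *from, size_t n)
{
    allow_user_access(to, from, n);
    memcpy(to, from, n);
    prevent_user_access(to, from, n);
    return 0;                        /* bytes not copied */
}

/* Run `accesses` user copies under the given command line and return how
 * many L1-D flushes the model issued. */
unsigned long flushes_for_cmdline(const char *cmdline, int accesses)
{
    char user_buf[16] = "constructed";  /* stands in for user memory */
    char kernel_buf[16];

    uaccess_flushes = 0;
    setup_uaccess_flush(cmdline);
    for (int i = 0; i < accesses; i++)
        model_copy_from_user(kernel_buf, user_buf, sizeof(user_buf));
    return uaccess_flushes;
}

int main(void)
{
    printf("default:          %lu flushes\n",
           flushes_for_cmdline("root=/dev/sda1", 3));
    printf("no_uaccess_flush: %lu flushes\n",
           flushes_for_cmdline("root=/dev/sda1 no_uaccess_flush", 3));
    printf("mitigations=off:  %lu flushes\n",
           flushes_for_cmdline("mitigations=off", 3));
    return 0;
}
```

The point of modelling it this way is that the flush sits on the kernel side of every return from a user access, not on the entry path (that is the separate no_entry_flush option listed in the same hunk), and that the only thing the command-line option changes is the key: the flush routine itself and the call site never vary between configurations, which keeps the "mitigation on" and "mitigation off" builds identical apart from one branch.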
