Message-ID: <20250925025744.6807-1-xieyuanbin1@huawei.com>
Date: Thu, 25 Sep 2025 10:57:43 +0800
From: Xie Yuanbin <xieyuanbin1@...wei.com>
To: <rmk+kernel@...linux.org.uk>, <linux@...linux.org.uk>, <rppt@...nel.org>,
	<vbabka@...e.cz>, <pfalcato@...e.de>, <brauner@...nel.org>,
	<lorenzo.stoakes@...cle.com>, <kuninori.morimoto.gx@...esas.com>,
	<tony@...mide.com>, <arnd@...db.de>, <bigeasy@...utronix.de>,
	<akpm@...ux-foundation.org>, <punitagrawal@...il.com>, <rjw@...ysocki.net>,
	<marc.zyngier@....com>
CC: <will@...nel.org>, <linux-arm-kernel@...ts.infradead.org>,
	<linux-kernel@...r.kernel.org>, <liaohua4@...wei.com>,
	<lilinjie8@...wei.com>, <xieyuanbin1@...wei.com>
Subject: [PATCH v2 1/2] ARM: spectre-v2: Fix potential missing mitigations

For the latest kernel, with arm's multi_v7_defconfig and
CONFIG_PREEMPT=y, CONFIG_DEBUG_PREEMPT=y, CONFIG_ARM_LPAE=y set,
if a user program tries to access any valid kernel address, for example:
```c
#include <signal.h>
#include <stdint.h>

/* SIGSEGV handler: spin forever so the faulting access is not retried. */
static void han(int x)
{
	while (1);
}

int main(void)
{
	signal(SIGSEGV, han);
	/* 0xc0331fd4 is just a kernel address in kernel .text section */
	__asm__ volatile (""::"r"(*(int *)(uintptr_t)0xc0331fd4):"memory");
	while (1);
	return 0;
}
```
the following WARN will be triggered:

[    1.089103] BUG: using smp_processor_id() in preemptible [00000000] code: init/1
[    1.093367] caller is __do_user_fault+0x20/0x6c
[    1.094355] CPU: 0 UID: 0 PID: 1 Comm: init Not tainted 6.14.3 #7
[    1.094585] Hardware name: Generic DT based system
[    1.094706] Call trace:
[    1.095211]  unwind_backtrace from show_stack+0x10/0x14
[    1.095329]  show_stack from dump_stack_lvl+0x50/0x5c
[    1.095352]  dump_stack_lvl from check_preemption_disabled+0x104/0x108
[    1.095448]  check_preemption_disabled from __do_user_fault+0x20/0x6c
[    1.095459]  __do_user_fault from do_page_fault+0x334/0x3dc
[    1.095505]  do_page_fault from do_DataAbort+0x30/0xa8
[    1.095528]  do_DataAbort from __dabt_usr+0x54/0x60
[    1.095570] Exception stack(0xf0825fb0 to 0xf0825ff8)

This WARN indicates that the current CPU is not stable, which means that
current can be migrated to other CPUs.
Therefore, in some scenarios, mitigation measures may be missed, such as:
1. Thread A attacks on cpu0 and triggers do_page_fault
2. Thread A migrates to cpu1 before bp_hardening
3. Thread A does bp_hardening on cpu1
4. Thread A migrates to cpu0
5. Thread A ret_to_user on cpu0

Assuming that none of the context_switch() calls mentioned above
trigger switch_mm(), none of them trigger the mitigation either.
Thread A has successfully bypassed the mitigation on cpu0.

Over the past six years, there have been continuous reports of this bug:
2025.4.24 https://lore.kernel.org/all/20250424100437.27477-1-xieyuanbin1@huawei.com/
2022.6.22 https://lore.kernel.org/all/795c9463-452e-bf64-1cc0-c318ccecb1da@I-love.SAKURA.ne.jp/
2021.3.25 https://lore.kernel.org/all/20210325095049.6948-1-liu.xiang@zlingsmart.com/
2021.3.12 https://lore.kernel.org/all/20210312041246.15113-1-qiang.zhang@windriver.com/
2021.3.11 https://lore.kernel.org/all/0000000000007604cb05bd3e6968@google.com/
2019.5.27 https://lore.kernel.org/all/1558949979-129251-1-git-send-email-gaoyongliang@huawei.com/
2019.3.19 https://lore.kernel.org/all/20190319203239.gl46fxnfz6gzeeic@linutronix.de/

To fix it, we must check whether mitigations are needed before enabling
interrupts (with PREEMPT) or before calling mm_read_lock() (without PREEMPT).

Fixes: f5fe12b1eaee ("ARM: spectre-v2: harden user aborts in kernel space")

Signed-off-by: Xie Yuanbin <xieyuanbin1@...wei.com>
---
 arch/arm/mm/fault.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 2bc828a1940c..e4dc7c2cfe75 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -265,20 +265,27 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
 	struct mm_struct *mm = current->mm;
 	struct vm_area_struct *vma;
 	int sig, code;
 	vm_fault_t fault;
 	unsigned int flags = FAULT_FLAG_DEFAULT;
 	vm_flags_t vm_flags = VM_ACCESS_FLAGS;
 
 	if (kprobe_page_fault(regs, fsr))
 		return 0;
 
+#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR
+	if (unlikely(addr > TASK_SIZE) && user_mode(regs)) {
+		fault = 0;
+		code = SEGV_MAPERR;
+		goto bad_area;
+	}
+#endif
 
 	/* Enable interrupts if they were enabled in the parent context. */
 	if (interrupts_enabled(regs))
 		local_irq_enable();
 
 	/*
 	 * If we're in an interrupt or have no user
 	 * context, we must not take the fault..
 	 */
 	if (faulthandler_disabled() || !mm)
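Review bot: The new early-exit block at the top of the hunk has no comment explaining why it must stay ahead of `local_irq_enable()`, and that ordering is the entire fix: `harden_branch_predictor()` (reached through `goto bad_area` and `__do_user_fault()`) has to run on the CPU that took the fault, before preemption becomes possible, so a later reorder of this block past the IRQ enable would silently reintroduce the race described in the commit message. Suggest a comment such as `/* Must precede local_irq_enable(): the branch-predictor hardening in __do_user_fault() has to run on the faulting CPU. */`. Two smaller points: `if (IS_ENABLED(CONFIG_HARDEN_BRANCH_PREDICTOR) && unlikely(addr > TASK_SIZE) && user_mode(regs))` avoids the `#ifdef` block and keeps the code compiled in both configurations; and this path now delivers the SIGSEGV with interrupts still disabled where they were enabled in the parent context, which deserves a sentence in the commit message, or an explicit `local_irq_enable()` once the hardening has run if the extra interrupts-off window is not intended.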
-- 
2.48.1
