| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251218191332.35849-1-lukas.gerlach@cispa.de> Date: Thu, 18 Dec 2025 20:13:30 +0100 From: Lukas Gerlach <lukas.gerlach@...pa.de> To: <linux-riscv@...ts.infradead.org> CC: <palmer@...belt.com>, <pjw@...nel.org>, <aou@...s.berkeley.edu>, <alex@...ti.fr>, <linux-kernel@...r.kernel.org>, <daniel.weber@...pa.de>, <michael.schwarz@...pa.de>, <marton.bognar@...euven.be>, <jo.vanbulck@...euven.be>, Lukas Gerlach <lukas.gerlach@...pa.de> Subject: [PATCH 0/2] riscv: Add Spectre v1 mitigations This series adds Spectre v1 to RISC-V in line with x86 and arm64. Modern RISC-V CPUs with deep pipelines (e.g., XuanTie C910, SiFive P550) are susceptible to Spectre v1 attacks where an attacker can speculatively bypass bounds checks and leak kernel memory via cache side channels. The first patch adds pointer masking to uaccess routines. Similar to arm64's uaccess_mask_ptr(), this clears the top bit of user pointers before access, ensuring that even under speculation, a user-controlled pointer cannot reach kernel memory. The second patch sanitizes the syscall number using array_index_nospec() before indexing into the syscall table, preventing out-of-bounds speculative reads similar to what x86 does. Lukas Gerlach (2): riscv: Use pointer masking to limit uaccess speculation riscv: Sanitize syscall table indexing under speculation arch/riscv/include/asm/uaccess.h | 41 +++++++++++++++++++++++++------- arch/riscv/kernel/traps.c | 4 +++- 2 files changed, 35 insertions(+), 10 deletions(-) -- 2.51.0
Powered by blists - more mailing lists