Commit b46395f4 authored by Will Deacon, committed by Greg Kroah-Hartman

x86: uaccess: Inhibit speculation past access_ok() in user_access_begin()

commit 6e693b3f upstream.

Commit 594cc251 ("make 'user_access_begin()' do 'access_ok()'")
makes the access_ok() check part of the user_access_begin() preceding a
series of 'unsafe' accesses.  This has the desirable effect of ensuring
that all 'unsafe' accesses have been range-checked, without having to
pick through all of the callsites to verify whether the appropriate
checking has been made.

However, the consolidated range check does not inhibit speculation, so
it is still up to the caller to ensure that they are not susceptible to
any speculative side-channel attacks for user addresses that ultimately
fail the access_ok() check.

This is an oversight, so use __uaccess_begin_nospec() to ensure that
speculation is inhibited until the access_ok() check has passed.

Reported-by: Julien Thierry <julien.thierry@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Miles Chen <miles.chen@mediatek.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e8236726
...@@ -717,7 +717,7 @@ static __must_check inline bool user_access_begin(int type, ...@@ -717,7 +717,7 @@ static __must_check inline bool user_access_begin(int type,
{ {
if (unlikely(!access_ok(type, ptr, len))) if (unlikely(!access_ok(type, ptr, len)))
return 0; return 0;
__uaccess_begin(); __uaccess_begin_nospec();
return 1; return 1;
} }
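Review bot: the switch to `__uaccess_begin_nospec()` after the `access_ok()` branch carries no comment saying why the speculation-inhibiting variant is required at this spot, so a later cleanup could swap it back to `__uaccess_begin()` without noticing what is lost. A one-line comment above the call would help, noting that it keeps the following 'unsafe' accesses from being speculated with a user pointer that failed the range check. As a minor style point on the context lines, the function is declared `bool` but returns 0 and 1; `false`/`true` would match the type, though that is outside the scope of this fix.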