arm64: Use pointer masking to limit uaccess speculation

Commit 4d8efc2d5ee4 upstream.

Similarly to x86, mitigate speculation past an access_ok() check by
masking the pointer against the address limit before use.

Even if we don't expect speculative writes per se, it is plausible that
a CPU may still speculate at least as far as fetching a cache line for
writing, hence we also harden put_user() and clear_user() for peace of
mind.

Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2e985d2647a07bad21892811e8eb85f5231a1d4a)

CVE-2017-5753
CVE-2017-5715
CVE-2017-5754

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index 87a6a52cee65b057a28aca06cfb7236b4dc627fe..6d0c7179a9908bf50fc4b13a47e8fee975ba60f5 100644 (file)
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -215,6 +215,26 @@ static inline void uaccess_enable_not_uao(void)
        __uaccess_enable(ARM64_ALT_PAN_NOT_UAO);
 }
 
+/*
+ * Sanitise a uaccess pointer such that it becomes NULL if above the
+ * current addr_limit.
+ */
+#define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr)
+static inline void __user *__uaccess_mask_ptr(const void __user *ptr)
+{
+       void __user *safe_ptr;
+
+       asm volatile(
+       "       bics    xzr, %1, %2\n"
+       "       csel    %0, %1, xzr, eq\n"
+       : "=&r" (safe_ptr)
+       : "r" (ptr), "r" (current_thread_info()->addr_limit)
+       : "cc");
+
+       csdb();
+       return safe_ptr;
+}
+
 /*
  * The "__xxx" versions of the user access functions do not verify the address
  * space - it must have been done previously with a separate "access_ok()"
@@ -285,7 +305,7 @@ do {                                                                        \
        __typeof__(*(ptr)) __user *__p = (ptr);                         \
        might_fault();                                                  \
        access_ok(VERIFY_READ, __p, sizeof(*__p)) ?                     \
-               __get_user((x), __p) :                                  \
+               __p = uaccess_mask_ptr(__p), __get_user((x), __p) :     \
                ((x) = 0, -EFAULT);                                     \
 })
 
@@ -349,7 +369,7 @@ do {                                                                        \
        __typeof__(*(ptr)) __user *__p = (ptr);                         \
        might_fault();                                                  \
        access_ok(VERIFY_WRITE, __p, sizeof(*__p)) ?                    \
-               __put_user((x), __p) :                                  \
+               __p = uaccess_mask_ptr(__p), __put_user((x), __p) :     \
                -EFAULT;                                                \
 })
 
@@ -365,7 +385,7 @@ extern unsigned long __must_check __clear_user(void __user *addr, unsigned long
 static inline unsigned long __must_check clear_user(void __user *to, unsigned long n)
 {
        if (access_ok(VERIFY_WRITE, to, n))
-               n = __clear_user(to, n);
+               n = __clear_user(__uaccess_mask_ptr(to), n);
        return n;
 }