On Mon, 14 May 2018 22:00:38 -0500 "Gustavo A. R. Silva" <gust...@embeddedor.com> wrote:
> resource can be controlled by user-space, hence leading to a > potential exploitation of the Spectre variant 1 vulnerability. > > This issue was detected with the help of Smatch: > > kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential > spectre issue 'get_current()->signal->rlim' (local cap) > kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue > 'get_current()->signal->rlim' (local cap) > > Fix this by sanitizing *resource* before using it to index > current->signal->rlim > > Notice that given that speculation windows are large, the policy is > to kill the speculation on the first load and not worry if it can be > completed with a dependent load/store [1]. hm. Not my area, but I'm always willing to learn ;) > --- a/kernel/sys.c > +++ b/kernel/sys.c > @@ -69,6 +69,9 @@ > #include <asm/io.h> > #include <asm/unistd.h> > > +/* Hardening for Spectre-v1 */ > +#include <linux/nospec.h> > + > #include "uid16.h" > > #ifndef SET_UNALIGN_CTL > @@ -1451,6 +1454,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource, > if (resource >= RLIM_NLIMITS) > return -EINVAL; > > + resource = array_index_nospec(resource, RLIM_NLIMITS); > task_lock(current->group_leader); > x = current->signal->rlim[resource]; Can the speculation proceed past the task_lock()? Or is the policy to ignore such happy happenstances even if they are available? > task_unlock(current->group_leader); > @@ -1470,6 +1474,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, unsigned int, > resource, > if (resource >= RLIM_NLIMITS) > return -EINVAL; > > + resource = array_index_nospec(resource, RLIM_NLIMITS); > task_lock(current->group_leader); > r = current->signal->rlim[resource]; > task_unlock(current->group_leader);
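Review bot: the `/* Hardening for Spectre-v1 */` comment above `#include <linux/nospec.h>` in the first hunk adds little, since the header name already says what it is for; dropping the comment keeps that include block uniform with the surrounding `asm/io.h` and `asm/unistd.h` lines, which carry no such annotation.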
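Review bot: in the `__do_sys_old_getrlimit()` hunk, placing `resource = array_index_nospec(resource, RLIM_NLIMITS);` directly after the `if (resource >= RLIM_NLIMITS) return -EINVAL;` check is the right spot, because that early return is the branch a mispredicted path would run past before `current->signal->rlim[resource]` is loaded. The question raised in the reply about `task_lock(current->group_leader)` would be pre-empted by a sentence in the changelog: the policy the changelog already cites from [1] is to clamp the index at the bounds check and not reason about what sits between the check and the dependent load, so the intervening lock is intentionally not being relied upon as a speculation barrier; saying that explicitly next to the hunk saves every reviewer re-deriving it.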
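Review bot: the `COMPAT_SYSCALL_DEFINE2(old_getrlimit, ...)` hunk repeats the bounds check plus `array_index_nospec()` sequence of the native hunk verbatim. That is correct and necessary, since the compat path indexes `current->signal->rlim[resource]` with the same user-controlled value, but the two copies will only stay in sync by hand; factoring the check-and-clamp of `resource` into a small shared helper used by both entry points would keep the sanitization from being lost in one of them the next time either function is touched.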