Add user pointer masking to copy_to_user() to mitigate Spectre v1. A write in a mispredicted access_ok() branch to a user-controlled kernel address can populate the rest of the affected cache line with kernel data.
Signed-off-by: Josh Poimboeuf <[email protected]> --- arch/x86/include/asm/uaccess_64.h | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h index 61693028ea2b..0587830a47e1 100644 --- a/arch/x86/include/asm/uaccess_64.h +++ b/arch/x86/include/asm/uaccess_64.h @@ -140,6 +140,7 @@ raw_copy_from_user(void *dst, const void __user *src, unsigned long size) static __always_inline __must_check unsigned long raw_copy_to_user(void __user *dst, const void *src, unsigned long size) { + dst = mask_user_address(dst); return copy_user_generic((__force void *)dst, src, size); } -- 2.47.0
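Review bot: The added line `dst = mask_user_address(dst);` in raw_copy_to_user() carries no comment, so the reason a store path needs Spectre v1 masking is only recorded in the changelog. A short comment above the assignment would keep the line from being removed later as redundant with access_ok(). It could say that the mask covers a mispredicted access_ok() branch, where a speculative write to a user-controlled kernel address can pull kernel data into the rest of the cache line. The changelog also says copy_to_user(), but the change is made in raw_copy_to_user() in uaccess_64.h, so it applies to every caller of the raw helper on 64-bit. It would help to state that scope in the changelog and confirm that all of those callers are meant to be masked. The hunk header shows raw_copy_from_user() just above in the same file; the visible lines do not show whether that path is masked, so a sentence in the changelog saying where it is handled would make the coverage clear.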
