From f6bc0b8981465d78f4190e62b0ecac44c8cb226c Mon Sep 17 00:00:00 2001 From: Will Deacon Date: Thu, 14 Feb 2019 16:21:38 +0800 Subject: [PATCH] x86: uaccess: Inhibit speculation past access_ok() in user_access_begin() mainline inclusion from mainline-5.0-rc1 commit 6e693b3ffecb0b478c7050b44a4842854154f715 category: bugfix bugzilla: 9284 CVE: NA ------------------------------------------------- Commit 594cc251fdd0 ("make 'user_access_begin()' do 'access_ok()'") makes the access_ok() check part of the user_access_begin() preceding a series of 'unsafe' accesses. This has the desirable effect of ensuring that all 'unsafe' accesses have been range-checked, without having to pick through all of the callsites to verify whether the appropriate checking has been made. However, the consolidated range check does not inhibit speculation, so it is still up to the caller to ensure that they are not susceptible to any speculative side-channel attacks for user addresses that ultimately fail the access_ok() check. This is an oversight, so use __uaccess_begin_nospec() to ensure that speculation is inhibited until the access_ok() check has passed. Reported-by: Julien Thierry Signed-off-by: Will Deacon Signed-off-by: Linus Torvalds Signed-off-by: Yang Yingliang Reviewed-by: Hanjun Guo Signed-off-by: Yang Yingliang --- arch/x86/include/asm/uaccess.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 8c264c8cdc67..089aa7ca0dfd 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -709,7 +709,7 @@ static __must_check inline bool user_access_begin(const void __user *ptr, size_t { if (unlikely(!access_ok(ptr,len))) return 0; - __uaccess_begin(); + __uaccess_begin_nospec(); return 1; } #define user_access_begin(a,b) user_access_begin(a,b) -- GitLab
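Review bot: The replaced line in user_access_begin() carries no comment explaining why the `_nospec` variant is required, and since it differs from `__uaccess_begin()` by a suffix only, a later cleanup could revert it without noticing. A short comment above `__uaccess_begin_nospec();` would help, stating that speculation must be inhibited until the access_ok() check has resolved, as the commit message describes. Two minor points are also visible here: the function is declared `bool` but the context lines use `return 0;` and `return 1;` where `false` and `true` would read better (better left to a separate patch so this backport stays identical to the mainline commit), and the trailer block lists "Signed-off-by: Yang Yingliang" twice, so one of the two can be dropped.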