304ec1b050
Quoting Linus: I do think that it would be a good idea to very expressly document the fact that it's not that the user access itself is unsafe. I do agree that things like "get_user()" want to be protected, but not because of any direct bugs or problems with get_user() and friends, but simply because get_user() is an excellent source of a pointer that is obviously controlled from a potentially attacking user space. So it's a prime candidate for then finding _subsequent_ accesses that can then be used to perturb the cache. __uaccess_begin_nospec() covers __get_user() and copy_from_iter() where the limit check is far away from the user pointer de-reference. In those cases a barrier_nospec() prevents speculation with a potential pointer to privileged memory. uaccess_try_nospec covers get_user_try. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Suggested-by: Andi Kleen <ak@linux.intel.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: linux-arch@vger.kernel.org Cc: Kees Cook <keescook@chromium.org> Cc: kernel-hardening@lists.openwall.com Cc: gregkh@linuxfoundation.org Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: alan@linux.intel.com Link: https://lkml.kernel.org/r/151727416953.33451.10508284228526170604.stgit@dwillia2-desk3.amr.corp.intel.com
64 lines
1.5 KiB
C
64 lines
1.5 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _ASM_X86_UACCESS_32_H
|
|
#define _ASM_X86_UACCESS_32_H
|
|
|
|
/*
|
|
* User space memory access functions
|
|
*/
|
|
#include <linux/string.h>
|
|
#include <asm/asm.h>
|
|
#include <asm/page.h>
|
|
|
|
unsigned long __must_check __copy_user_ll
|
|
(void *to, const void *from, unsigned long n);
|
|
unsigned long __must_check __copy_from_user_ll_nocache_nozero
|
|
(void *to, const void __user *from, unsigned long n);
|
|
|
|
static __always_inline unsigned long __must_check
|
|
raw_copy_to_user(void __user *to, const void *from, unsigned long n)
|
|
{
|
|
return __copy_user_ll((__force void *)to, from, n);
|
|
}
|
|
|
|
static __always_inline unsigned long
|
|
raw_copy_from_user(void *to, const void __user *from, unsigned long n)
|
|
{
|
|
if (__builtin_constant_p(n)) {
|
|
unsigned long ret;
|
|
|
|
switch (n) {
|
|
case 1:
|
|
ret = 0;
|
|
__uaccess_begin_nospec();
|
|
__get_user_asm_nozero(*(u8 *)to, from, ret,
|
|
"b", "b", "=q", 1);
|
|
__uaccess_end();
|
|
return ret;
|
|
case 2:
|
|
ret = 0;
|
|
__uaccess_begin_nospec();
|
|
__get_user_asm_nozero(*(u16 *)to, from, ret,
|
|
"w", "w", "=r", 2);
|
|
__uaccess_end();
|
|
return ret;
|
|
case 4:
|
|
ret = 0;
|
|
__uaccess_begin_nospec();
|
|
__get_user_asm_nozero(*(u32 *)to, from, ret,
|
|
"l", "k", "=r", 4);
|
|
__uaccess_end();
|
|
return ret;
|
|
}
|
|
}
|
|
return __copy_user_ll(to, (__force const void *)from, n);
|
|
}
|
|
|
|
static __always_inline unsigned long
|
|
__copy_from_user_inatomic_nocache(void *to, const void __user *from,
|
|
unsigned long n)
|
|
{
|
|
return __copy_from_user_ll_nocache_nozero(to, from, n);
|
|
}
|
|
|
|
#endif /* _ASM_X86_UACCESS_32_H */
|