From e28b415565b89deb57e628a8bce78c64d52e8b2d Mon Sep 17 00:00:00 2001
From: Will Deacon <will.deacon@arm.com>
Date: Sat, 19 Jan 2019 21:56:05 +0000
Subject: [PATCH] x86: uaccess: Inhibit speculation past access_ok() in
 user_access_begin()

commit 6e693b3ffecb0b478c7050b44a4842854154f715 upstream.

Commit 594cc251fdd0 ("make 'user_access_begin()' do 'access_ok()'")
makes the access_ok() check part of the user_access_begin() preceding a
series of 'unsafe' accesses.  This has the desirable effect of ensuring
that all 'unsafe' accesses have been range-checked, without having to
pick through all of the callsites to verify whether the appropriate
checking has been made.

However, the consolidated range check does not inhibit speculation, so
it is still up to the caller to ensure that they are not susceptible to
any speculative side-channel attacks for user addresses that ultimately
fail the access_ok() check.

This is an oversight, so use __uaccess_begin_nospec() to ensure that
speculation is inhibited until the access_ok() check has passed.

Reported-by: Julien Thierry <julien.thierry@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
---
 arch/x86/include/asm/uaccess.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index a53b670bac1a..47f7c66ba499 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -720,7 +720,7 @@ static __must_check inline bool user_access_begin(const void __user *ptr, size_t
 	 */
 	if (unlikely(!access_ok(VERIFY_WRITE,ptr,len)))
 		return 0;
-	__uaccess_begin();
+	__uaccess_begin_nospec();
 	return 1;
 }
 #define user_access_begin(a,b)	user_access_begin(a,b)
-- 
GitLab