x86/uaccess: Avoid barrier_nospec()

[PATCH v2 6/6] x86/uaccess: Add user pointer masking to clear_user()

Posted by Josh Poimboeuf 1 month, 1 week ago

Add user pointer masking to clear_user() to mitigate Spectre v1.

A write in a mispredicted access_ok() branch to a user-controlled kernel
address can populate the rest of the affected cache line with kernel
data.

Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
---
 arch/x86/include/asm/uaccess_64.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
index 0587830a47e1..8027db7f68c2 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -199,7 +199,7 @@ static __always_inline __must_check unsigned long __clear_user(void __user *addr
 static __always_inline unsigned long clear_user(void __user *to, unsigned long n)
 {
 	if (__access_ok(to, n))
-		return __clear_user(to, n);
+		return __clear_user(mask_user_address(to), n);
 	return n;
 }
 #endif /* _ASM_X86_UACCESS_64_H */
-- 
2.47.0

[PATCH v2 1/6] x86/uaccess: Avoid barrier_nospec() in copy_from_user()
[PATCH v2 2/6] x86/uaccess: Avoid barrier_nospec() in __get_user()
[PATCH v2 3/6] x86/uaccess: Rearrange putuser.S
[PATCH v2 4/6] x86/uaccess: Add user pointer masking to __put_user()
[PATCH v2 5/6] x86/uaccess: Add user pointer masking to copy_to_user()
[PATCH v2 6/6] x86/uaccess: Add user pointer masking to clear_user()