Add user pointer masking to clear_user() to mitigate Spectre v1. A write in a mispredicted access_ok() branch to a user-controlled kernel address can populate the rest of the affected cache line with kernel data.
Signed-off-by: Josh Poimboeuf <[email protected]> --- arch/x86/include/asm/uaccess_64.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h index 0587830a47e1..8027db7f68c2 100644 --- a/arch/x86/include/asm/uaccess_64.h +++ b/arch/x86/include/asm/uaccess_64.h @@ -199,7 +199,7 @@ static __always_inline __must_check unsigned long __clear_user(void __user *addr static __always_inline unsigned long clear_user(void __user *to, unsigned long n) { if (__access_ok(to, n)) - return __clear_user(to, n); + return __clear_user(mask_user_address(to), n); return n; } #endif /* _ASM_X86_UACCESS_64_H */ -- 2.47.0
