[MODERATED] Re: [patch 07/11] [PATCH v2 07/10] Linux Patch #7

[Jiri Kosina <jkosina@suse.com>]

On Mon, 23 Apr 2018, speck for Linus Torvalds wrote:

> Yeah, I'm not in the least interested in theory. 
> 
> Are there actual real attacks where it makes sense?
> 
> In particular since we actually have the RSB stuffing workarounds too, not 
> just bare retpoline. Which leaves the "call stacks deeper than 16" case as 
> the only actual possible case even in theory, and then you have to be able 
> to attack it too.

BTW in addition to that, there is this gcc patch (I don't think any distro 
is shipping it yet in any way though):

	https://github.com/clearlinux-pkgs/gcc/blob/master/zero-regs.patch

that should make any such theoretical attack even harder (it zeroes all 
clobbered GPRs before ret, which is cheap, and dramatically reduces the 
potential of introducing "bad" dependencies).

> Anyway, I was wondering if there was any reason why we'd care for the 
> store buffer bypass problem? The whole "run with store buffers in user 
> space, disable them in kernel space" model seems insane.

This is all just about defining the security domain boundaries. If we 
hypothetically disable MD on kernel entry, then it's impossible for ring3 
store to badly influence ring0 load.
But absolutely yeah, there are many other scenarios that need protecting 
as well (userspace-userspace, guest-host, etc), which'd stay unprotected 
with that model.

-- 
Jiri Kosina
SUSE Labs