Date: Wed, 20 Feb 2019 20:26:25 +0100 (CET)
From: Jiri Kosina
Subject: [MODERATED] Re: [patch V2 04/10] MDS basics+ 4
In-Reply-To: <20190220151400.306266355@linutronix.de>
References: <20190220150753.665964899@linutronix.de> <20190220151400.306266355@linutronix.de>
To: speck@linutronix.de

On Wed, 20 Feb 2019, speck for Thomas Gleixner wrote:

> + Neither can NMIs be reliably controlled by a non priviledged attacker
> + and their exposure to sensitive data is very limited. NMIs originate
> + from:

[ ... snip ... ]

> + None of those are controllable by unpriviledged attackers to form a
> + reliable exploit surface.

One thing where I am not completely sure about this at the moment is the
NMI that's used to trigger backtrace on all CPUs.

In a hypothetical case where we have a situation where an unprivileged
user can (due to some other issue) controllably trigger either of:

- hung task situation
- rcu stall
- hardlockup

then MDS turns this into revealing contents of kernel stacks (as the
stacktrace unwinder will walk the whole thing between the stack top and
%rsp) of all CPUs.

--
Jiri Kosina
SUSE Labs
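
Review bot: The closing sentence of the quoted text, "None of those are controllable by unpriviledged attackers to form a reliable exploit surface", is stated without qualification, while Jiri Kosina's reply raises the NMI used to trigger a backtrace on all CPUs after a hung task, RCU stall or hardlockup. If that NMI is not among the sources in the snipped list, add it and say why the unwinder's walk of the kernel stacks is considered acceptable exposure, or reword the sentence to name the assumption it rests on, namely that no other issue lets an unprivileged user provoke those conditions. Separately, "priviledged" and "unpriviledged" should be spelled "privileged" and "unprivileged", and "non priviledged" in the first quoted line would be more consistent as "unprivileged".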