From: Andrew Cooper <andrew.cooper3@citrix.com>
To: speck@linutronix.de
Subject: [MODERATED] Re: LVI
Date: Wed, 20 Nov 2019 14:11:41 +0000 [thread overview]
Message-ID: <c4faf59e-3982-59a0-64c2-9f93f08c69a8@citrix.com> (raw)
In-Reply-To: <20191119210318.2itaoogwxu2oezok@treble>
[-- Attachment #1: Type: text/plain, Size: 2106 bytes --]
On 19/11/2019 21:03, speck for Josh Poimboeuf wrote:
> On Tue, Nov 19, 2019 at 03:00:07PM -0600, speck for Josh Poimboeuf wrote:
>> On Tue, Nov 19, 2019 at 06:39:34PM +0000, speck for Andrew Cooper wrote:
>>> On 19/11/2019 18:27, speck for Josh Poimboeuf wrote:
>>>>>> To protect the kernel, we'd presumably need to look for places where
>>>>>> users can trigger a faulting/assisting load. For example,
>>>>>> copy_from_user().
>>>>>>
>>>>>> copy_from_user() has an LFENCE between the access_ok() check and the
>>>>>> actual copy to protect against Spectre v1. What if we move that LFENCE
>>>>>> to *after* the copy? I think that would protect against both Spectre v1
>>>>>> and LVI.
>>>>>>
>>>>>> Thoughts?
>>>>> The lfence before protects from speculating into copy_from_user() with a
>>>>> bad pointer. This protection is still necessary.
>>>> What's the harm of speculating the copy with a bad pointer if we can
>>>> confirm there are no gadgets between the copy and the LFENCE?
>>> Because the other hyperthread can read the data directly out of the
>>> cache using L1TF/MDS/other as applicable.
>>>
>>> True - this is applicable to any speculative OoB read on the first
>>> thread so isn't unique to copy_from_user(), but copy_from_user() is very
>>> easy for an attacker to control.
>> Ok, I guess had just assumed we didn't care about SMT at this point, we
>> should at least try to do a best effort there.
>>
>> Does this match your thinking?
>>
>> if (SMT && (BUG_L1TF || BUG_MDS || BUG_TAA))
>> lfence();
>>
>> ... do the copy ...
>>
>> if (BUG_LVI)
>> lfence();
> Or, taking SMAP and Spectre v1 into account...
>
> if (!SMAP && SMT && (BUG_L1TF || BUG_MDS || BUG_TAA))
> lfence();
>
> ... do the copy ...
>
> if (!SMAP && (BUG_SPECTRE_V1 || BUG_LVI))
> lfence();
I'd be hesitant to depend on SMAP like this, until we get some concrete
statements on the behaviour we may rely upon from both Intel and AMD.
Their implementations are not necessarily equivalent when it comes to
hidden side effects on speculation.
~Andrew
next prev parent reply other threads:[~2019-11-20 14:11 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-19 17:40 [MODERATED] LVI Josh Poimboeuf
2019-11-19 17:51 ` [MODERATED] LVI Andrew Cooper
2019-11-19 18:27 ` Josh Poimboeuf
2019-11-19 19:26 ` Andrew Cooper
2019-11-20 9:52 ` Paolo Bonzini
2019-11-19 18:12 ` Greg KH
2019-11-19 18:21 ` Josh Poimboeuf
2019-11-19 18:46 ` Greg KH
2019-11-19 18:21 ` Paolo Bonzini
2019-11-19 18:22 ` Andrew Cooper
2019-11-19 18:27 ` Josh Poimboeuf
2019-11-19 18:36 ` Luck, Tony
2019-11-20 17:02 ` Greg KH
2019-11-19 18:39 ` Andrew Cooper
2019-11-19 21:00 ` Josh Poimboeuf
2019-11-19 21:03 ` Josh Poimboeuf
2019-11-20 14:11 ` Andrew Cooper [this message]
2019-11-20 8:04 ` Peter Zijlstra
2019-11-20 9:49 ` Andrew Cooper
2019-11-20 17:13 ` Josh Poimboeuf
2019-11-20 17:25 ` Greg KH
2019-11-20 17:29 ` Tyler Hicks
2019-11-20 17:30 ` Andrew Cooper
2019-11-20 17:46 ` Greg KH
2019-11-20 19:09 ` Peter Zijlstra
2019-11-20 19:19 ` Greg KH
2019-11-21 0:50 ` LVI Thomas Gleixner
2019-11-21 13:45 ` [MODERATED] LVI Greg KH
2019-11-26 0:54 ` Andi Kleen
2019-11-26 10:37 ` Greg KH
2019-11-26 18:23 ` Andi Kleen
2019-11-27 7:38 ` Greg KH
2019-11-26 10:55 ` Paolo Bonzini
2019-11-26 18:28 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c4faf59e-3982-59a0-64c2-9f93f08c69a8@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=speck@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).