On 19/11/2019 18:27, speck for Josh Poimboeuf wrote:
>>> To protect the kernel, we'd presumably need to look for places where
>>> users can trigger a faulting/assisting load. For example,
>>> copy_from_user().
>>>
>>> copy_from_user() has an LFENCE between the access_ok() check and the
>>> actual copy to protect against Spectre v1. What if we move that LFENCE
>>> to *after* the copy? I think that would protect against both Spectre v1
>>> and LVI.
>>>
>>> Thoughts?
>> The lfence before protects from speculating into copy_from_user() with a
>> bad pointer.  This protection is still necessary.
> What's the harm of speculating the copy with a bad pointer if we can
> confirm there are no gadgets between the copy and the LFENCE?

Because the other hyperthread can read the data directly out of the cache
using L1TF/MDS/other as applicable.

True - this is applicable to any speculative OoB read on the first thread
so isn't unique to copy_from_user(), but copy_from_user() is very easy for
an attacker to control.

~Andrew
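As an added illustration of the two orderings being debated (this is not code from the thread or from the kernel), the following user-space model puts an access_ok()-style range check, a fence, and the copy side by side in both orders. The names user_window, user_range_ok, speculation_barrier, copy_from_user_fenced and copy_from_user_fence_after are assumptions made for this model; the "user address space" is a constructed 256-byte window rather than a real TASK_SIZE boundary. On x86 the barrier is the same lfence instruction the thread discusses; on other architectures a plain compiler barrier stands in as a placeholder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "user address space": the only window the kernel model
 * may read from. A real access_ok() checks against the user/kernel
 * address split; this array stands in for that range. */
static unsigned char user_window[256];
#define USER_BASE  ((uintptr_t)user_window)
#define USER_LIMIT (USER_BASE + sizeof(user_window))

/* Speculation barrier: lfence on x86 (what the thread refers to);
 * placeholder compiler barrier elsewhere, since this model is about
 * ordering, not about a specific ISA. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");   /* placeholder, not a real fence */
#endif
}

/* Model of access_ok(): [ptr, ptr + len) must lie entirely inside the
 * user window, with the length/wrap cases rejected explicitly. */
static int user_range_ok(const void *ptr, size_t len)
{
    uintptr_t start = (uintptr_t)ptr;
    if (len > USER_LIMIT - USER_BASE)
        return 0;                         /* longer than the whole window */
    if (start < USER_BASE || start > USER_LIMIT - len)
        return 0;                         /* starts before, or runs past, the window */
    return 1;
}

/* Ordering the thread says copy_from_user() uses today: check, fence, copy.
 * The copy cannot begin, even speculatively, until the check has retired.
 * Returns the number of bytes NOT copied, mirroring copy_from_user(). */
static size_t copy_from_user_fenced(void *dst, const void *uptr, size_t len)
{
    if (!user_range_ok(uptr, len))
        return len;
    speculation_barrier();
    memcpy(dst, uptr, len);
    return 0;
}

/* The proposed variant: fence moved after the copy. Architecturally it
 * returns the same results, but the copy may now execute speculatively
 * with a pointer that the check is going to reject, which is the
 * objection raised in the reply above. */
static size_t copy_from_user_fence_after(void *dst, const void *uptr, size_t len)
{
    if (!user_range_ok(uptr, len))
        return len;
    memcpy(dst, uptr, len);
    speculation_barrier();
    return 0;
}

/* Runs both variants on an in-window and an out-of-window pointer and
 * returns 1 if they behave identically at the architectural level. */
static int demo(void)
{
    unsigned char dst[8] = {0};
    memset(user_window, 0x41, sizeof user_window);   /* constructed user data */

    size_t left_a = copy_from_user_fenced(dst, user_window, sizeof dst);
    size_t left_b = copy_from_user_fence_after(dst, user_window, sizeof dst);

    /* Pointer whose range runs past the window: both variants refuse. */
    size_t bad_a = copy_from_user_fenced(dst, user_window + 250, sizeof dst);
    size_t bad_b = copy_from_user_fence_after(dst, user_window + 250, sizeof dst);

    return left_a == 0 && left_b == 0 && dst[0] == 0x41 && dst[7] == 0x41
        && bad_a == sizeof dst && bad_b == sizeof dst;
}

int main(void)
{
    printf("both orderings architecturally equivalent: %s\n",
           demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The point the model makes is that no functional test distinguishes the two orderings: the difference lies entirely in what the CPU may do between the range check and its retirement, and in the fenced-first version that window contains no memory access at all.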