From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Date: Wed, 19 Dec 2018 08:11:04 +0100
From: Greg KH <gregkh@linuxfoundation.org>
To: Omer Tripp <trippo@google.com>
Cc: ghackmann@android.com, viro@zeniv.linux.org.uk,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        Greg Hackmann <ghackmann@google.com>, stable@vger.kernel.org
Subject: Re: [PATCH] fs: fix possible Spectre V1 indexing in __close_fd()
Message-ID: <20181219071104.GA25037@kroah.com>
References: <20180924181500.125257-1-ghackmann@google.com>
 <20180924183911.GB9122@kroah.com>
 <20181015133708.GB10221@kroah.com>
 <CALTzUognuG-N4M5w9xugxF7KZjUxF_9O32fKoUt2v7st70ppmw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CALTzUognuG-N4M5w9xugxF7KZjUxF_9O32fKoUt2v7st70ppmw@mail.gmail.com>
Sender: stable-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

On Mon, Oct 15, 2018 at 06:54:31AM -0700, Omer Tripp wrote:
> Hi Greg and all,
> 
> Here is my analysis of the complete gadget, and looking forward to your
> corrections/feedback if there are any inaccuracies:
> 
> 
>    1.
> 
>    __close_fd() is reachable via the close() syscall with a user-controlled
>    fd.
>    2.
> 
>    If said bounds check is mispredicted, then a user-controlled address
>    fdt->fd[fd] is obtained then dereferenced, and the value of a
>    user-controlled address is loaded into the local variable file.
>    3.
> 
>    file is then passed as an argument to filp_close, where the cache
> lines secret
>    + offsetof(f_op) and secret + offsetof(f_mode) are hot and vulnerable to
>    a timing channel attack.
> 
> 
> The mitigation proposed by Greg Hackmann blocks this gadget.

What ever happened to this patch?  Did it get reposted?  If not, can
someone please do so with this text in the changelog?

thanks,

greg k-h