linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: David Miller <davem@davemloft.net>,
	ast@kernel.org, daniel@iogearbox.net, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: core: Fix Spectre v1 vulnerability
Date: Sat, 22 Dec 2018 23:03:31 -0600	[thread overview]
Message-ID: <e8343bfd-7846-a23b-b6c0-4b82218efdc0@embeddedor.com> (raw)
In-Reply-To: <20181223041253.bxqru567rs32mecg@ast-mbp.dhcp.thefacebook.com>

Alexei,

On 12/22/18 10:12 PM, Alexei Starovoitov wrote:
> On Sat, Dec 22, 2018 at 09:37:02PM -0600, Gustavo A. R. Silva wrote:
>>
>> Can't we have the case in which the code can be "trained" to read
>> perfectly valid values for prog->len for quite a while, making the
>> microcode come into place and speculate about:
>>
>> 1013         if (flen == 0 || flen > BPF_MAXINSNS)
>> 1014                 return false;
>>
>> and then make flen to be greater than BPF_MAXINSNS?
> 
> Yes. The user space can train line 1013 to mispredict by passing
> smaller flen N times and then passing large flen.
> Why do you think it's exploitable?
> 
> Without the patch in the mispredicted path the cpu will do
> if (0 < flen) condition and since flen is hot in the cache
> it will happily execute the filter[0] load...
> and about 12-20 u-ops later (depending on u-arch of cpu) when
> branch predictor realizes that it's a miss, the cpu will ignore
> the values computed in the shadow cpu registers used by speculative execution
> and go back to the 'return false' execution path.
> The side effect of bringing filter[0] value in L1 cache is still there.
> The cpu is incapable to undo that cache load. That's what spectre1 is about.
> Do you see how filter[0] value in cpu L1 cache is exploitable?
> 

In this regard, the policy has been to kill the speculation on that
first load (as I mentioned in my last email. It is also mentioned in
the commit log for every patch).

> I took another look at the following patches:
> "net: core: Fix Spectre v1 vulnerability"
> "nfc: af_nfc: Fix Spectre v1 vulnerability"
> "can: af_can: Fix Spectre v1 vulnerability"
> and I have to say that none of them are necessary.
> I'm not sure whether there were other patches that pretend to fix spectre1.
> 

It's not about pretending to fix it. It's about trying to prevent the
conditions that can actually trigger the exploitation of a potential
vulnerability.  The code is not always the same, it changes, it evolves,
and we are currently trying to catch that first load (that's what smatch
does in all these cases) that could eventually lead to an actual vuln.

Thanks
--
Gustavo

  reply	other threads:[~2018-12-23  5:04 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-21 20:49 [PATCH] net: core: Fix Spectre v1 vulnerability Gustavo A. R. Silva
2018-12-22 23:07 ` David Miller
2018-12-22 23:59   ` Alexei Starovoitov
2018-12-23  2:40     ` David Miller
2018-12-23  2:53       ` Gustavo A. R. Silva
2018-12-23  3:00         ` Alexei Starovoitov
2018-12-23  3:37           ` Gustavo A. R. Silva
2018-12-23  3:50             ` Gustavo A. R. Silva
2018-12-23  4:12             ` Alexei Starovoitov
2018-12-23  5:03               ` Gustavo A. R. Silva [this message]
2018-12-23  6:00                 ` Alexei Starovoitov
2018-12-23 23:58                   ` David Miller
2018-12-24  0:01                     ` Gustavo A. R. Silva

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e8343bfd-7846-a23b-b6c0-4b82218efdc0@embeddedor.com \
    --to=gustavo@embeddedor.com \
    --cc=alexei.starovoitov@gmail.com \
    --cc=ast@kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).