From: Greg KH <gregkh@linuxfoundation.org>
To: speck@linutronix.de
Subject: [MODERATED] Re: LVI
Date: Tue, 19 Nov 2019 19:12:57 +0100
Message-ID: <20191119181257.GA2283647@kroah.com>
In-Reply-To: <20191119174008.7dbymix2eo4mrv57@treble>
On Tue, Nov 19, 2019 at 11:40:08AM -0600, speck for Josh Poimboeuf wrote:
> Hi,
>
> What kernel changes (if any) are needed for LVI? I haven't seen any
> discussion here.
>
> The last I heard, the official CRD was Dec 10, but was likely to move to
> March.
>
> For the uninitiated, LVI is a reverse MDS/L1TF:
>
> 1) Victim puts secret data in CPU buffer or L1. Alternatively,
> attacker puts address of secret data in CPU buffer or L1.
>
> 2) Attacker gets victim to fault or assist on a load. (Note that an
> assist gives a much bigger speculation window - it can be triggered
> if a page Accessed bit needs updating)
>
> 3) While waiting for the fault/assist to complete, victim speculatively
> reads CPU buffer or L1 to get data (or address) from step 1.
>
> 4) Victim gadgets expose the data via the usual L1 side channel.
>
>
> To protect the kernel, we'd presumably need to look for places where
> users can trigger a faulting/assisting load. For example,
> copy_from_user().
>
> copy_from_user() has an LFENCE between the access_ok() check and the
> actual copy to protect against Spectre v1. What if we move that LFENCE
> to *after* the copy? I think that would protect against both Spectre v1
> and LVI.
>
> Thoughts?
>
> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> index 61d93f062a36..457207aece71 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -119,9 +119,9 @@ extern int __get_user_bad(void);
>
> #define __uaccess_begin() stac()
> #define __uaccess_end() clac()
> -#define __uaccess_begin_nospec() \
> +#define __uaccess_end_nospec() \
> ({ \
> - stac(); \
> + clac(); \
> barrier_nospec(); \
> })
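Review bot: this hunk replaces the only definition of `__uaccess_begin_nospec()` with a new `__uaccess_end_nospec()` instead of adding the end macro alongside it, so every existing caller of `__uaccess_begin_nospec()` would fail to build unless the rest of the series updates them, and the `stac()` that opens the user-access window in the nospec begin path is dropped rather than moved. If the intent is to relocate the `barrier_nospec()` to after the copy, keep a begin macro that still does `stac()` (plain `__uaccess_begin()` if the fence is no longer needed there) and pair it with the new `__uaccess_end_nospec()` doing `clac(); barrier_nospec();`, and show the converted call sites (e.g. in copy_from_user()) in the same patch so the before/after fence placement is reviewable. A short comment on `__uaccess_end_nospec()` stating that the fence after `clac()` is meant to cover both Spectre v1 and the faulting/assisting-load case would also help, since the hunk alone does not say why the barrier moved.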
Um, don't we _really_ want stac() here? That's the only thing that is
saving our butts in a number of places. Why get rid of it? Otherwise
it should be easy to cause a speculative load by userspace for any
address they feel like.
Or am I mistaken about what you are trying to solve here?
thanks,
greg k-h