From: Michael Ellerman <mpe@ellerman.id.au>
To: Breno Leitao <leitao@debian.org>,
Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Nathan Lynch <nathanl@linux.ibm.com>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>
Subject: Re: [PATCH] powerpc/kernel: Fix potential spectre v1 in syscall
Date: Tue, 12 Mar 2024 22:07:54 +1100 [thread overview]
Message-ID: <874jdb4sj9.fsf@mail.lhotse> (raw)
In-Reply-To: <ZfAa59Z8njiGUnRW@gmail.com>
Breno Leitao <leitao@debian.org> writes:
> On Tue, Mar 12, 2024 at 08:17:42AM +0000, Christophe Leroy wrote:
>> +Nathan as this is RTAS related.
>>
>> Le 21/08/2018 à 20:42, Breno Leitao a écrit :
>> > The rtas syscall reads a value from a user-provided structure and uses it
>> > to index an array, being a possible area for a potential spectre v1 attack.
>> > This is the code that exposes this problem.
>> >
>> > args.rets = &args.args[nargs];
>> >
>> > The nargs is an user provided value, and the below code is an example where
>> > the 'nargs' value would be set to XX.
>> >
>> > struct rtas_args ra;
>> > ra.nargs = htobe32(XX);
>> > syscall(__NR_rtas, &ra);
>>
>>
>> This patch has been hanging around in patchwork since 2018 and doesn't
>> apply anymore. Is it still relevant ? If so, can you rebase et resubmit ?
>
> This seems to be important, since nargs is a user-provided value. I can
> submit it if the maintainers are willing to accept. I do not want to
> spend my time if no one is willing to review it.
My memory is that I didn't think it was actually a problem, because all
we do is memset args.rets to zero. I thought I'd talked to you on Slack
about it, but maybe I didn't.
Anyway we should probably just fix it to be safe and keep the static
checkers happy.
I'll rebase it and apply it, I'm sure you've got better things to do :)
cheers
next prev parent reply other threads:[~2024-03-12 11:08 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-21 18:42 [PATCH] powerpc/kernel: Fix potential spectre v1 in syscall Breno Leitao
2024-03-12 8:17 ` Christophe Leroy
2024-03-12 9:05 ` Breno Leitao
2024-03-12 11:07 ` Michael Ellerman [this message]
2024-03-12 13:10 ` Breno Leitao
2024-03-18 15:25 ` Nathan Lynch
2024-05-21 1:23 ` Michael Ellerman
2024-05-31 0:35 ` Nathan Lynch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874jdb4sj9.fsf@mail.lhotse \
--to=mpe@ellerman.id.au \
--cc=christophe.leroy@csgroup.eu \
--cc=leitao@debian.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nathanl@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.