From: Ingo Molnar <mingo@kernel.org>
To: "Van De Ven, Arjan" <arjan.van.de.ven@intel.com>
Cc: "Williams, Dan J" <dan.j.williams@intel.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
linux-arch <linux-arch@vger.kernel.org>,
Cyril Novikov <cnovikov@lynx.com>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Peter Zijlstra <peterz@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
X86 ML <x86@kernel.org>, Will Deacon <will.deacon@arm.com>,
Russell King <linux@armlinux.org.uk>,
Ingo Molnar <mingo@redhat.com>,
Greg KH <gregkh@linuxfoundation.org>,
"H. Peter Anvin" <hpa@zytor.com>, Alan Cox <alan@linux.intel.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>
Subject: Re: [PATCH v5 02/12] array_idx: sanitize speculative array de-references
Date: Wed, 31 Jan 2018 09:03:10 +0100 [thread overview]
Message-ID: <20180131080310.ebqtxe5p7j54wglj@gmail.com> (raw)
In-Reply-To: <0575AF4FD06DD142AD198903C74E1CC87A6048F5@ORSMSX103.amr.corp.intel.com>
* Van De Ven, Arjan <arjan.van.de.ven@intel.com> wrote:
> > > IOW, is there some work on tooling/analysis/similar? Not asking for
> > > near-term, but more of a "big picture" question..
>
> short term there was some extremely rudimentary static analysis done. clearly
> that has extreme limitations both in insane rate of false positives, and missing
> cases.
What was the output roughly, how many suspect places that need array_idx_nospec()
handling: a few, a few dozen, a few hundred or a few thousand?
I'm guessing 'static tool emitted hundreds of sites with many false positives
included, but the real sites are probably a few dozen' - but that's really just a
very, very wild guess.
Our whole mindset and approach with these generic APIs obviously very much depends
on the order of magnitude:
- For array users up to a few dozen per 20 MLOC code base accumulated over 20
years, and with no more than ~1 new site per kernel release we can probably
do what we do for buffer overflows: static analyze and fix via
array_idx_nospec().
- If it's more than a few dozen then intuitively I'd also be very much in favor of
compiler help: for example trickle down __user annotations that Sparse uses some
more and let the compiler sanitize indices or warn about them - without hurting
performance of in-kernel array handling.
- If it's "hundreds" then probably both the correctness and the maintenance
aspects won't scale well to a 20+ MLOC kernel code base - in that case we _have_
to catch the out of range values at a much earlier stage, at the system call and
other system ABI level, and probably need to do it via a self-maintaining
approach such as annotations/types that also warns about 'unsanitized' uses. But
filtering earlier has its own problems as well: mostly the layering violations
(high level interfaces often don't know the safe array index range) can create
worse bugs and more fragility than what is being fixed ...
- If it's "thousands" then it _clearly_ won't scale and we probably need compiler
help: i.e. a compiler that tracks ranges and automatically sanitizes indices.
This will have some performance effect, but should result in almost immediate
correctness.
Also, IMHO any tooling should very much be open source: this isn't the kind of bug
that can be identified via code review, so there's no fall-back detection method
like we have for buffer overflows.
Anyway, the approach taken very much depends on the order of magnitude of such
affected array users we are targeting ...
Thanks,
Ingo
next prev parent reply other threads:[~2018-01-31 8:03 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-27 7:55 [PATCH v5 00/12] spectre variant1 mitigations for tip/x86/pti Dan Williams
2018-01-27 7:55 ` Dan Williams
2018-01-27 7:55 ` [PATCH v5 01/12] Documentation: document array_idx Dan Williams
2018-01-27 7:55 ` [PATCH v5 02/12] array_idx: sanitize speculative array de-references Dan Williams
2018-01-27 7:55 ` Dan Williams
2018-01-28 8:55 ` Ingo Molnar
2018-01-28 11:36 ` Thomas Gleixner
2018-01-28 11:36 ` Thomas Gleixner
2018-01-28 16:28 ` Dan Williams
2018-01-28 18:33 ` Ingo Molnar
2018-01-29 16:45 ` Dan Williams
2018-01-29 16:45 ` Dan Williams
2018-01-28 18:36 ` Thomas Gleixner
2018-01-28 18:36 ` Thomas Gleixner
2018-01-30 6:29 ` Dan Williams
2018-01-30 6:29 ` Dan Williams
2018-01-30 19:38 ` Linus Torvalds
2018-01-30 20:13 ` Dan Williams
2018-01-30 20:27 ` Van De Ven, Arjan
2018-01-31 8:03 ` Ingo Molnar [this message]
2018-01-31 14:13 ` Van De Ven, Arjan
2018-01-31 14:21 ` Greg KH
2018-01-27 7:55 ` [PATCH v5 03/12] x86: implement array_idx_mask Dan Williams
2018-01-28 9:02 ` Ingo Molnar
2018-01-27 7:55 ` [PATCH v5 04/12] x86: introduce __uaccess_begin_nospec and ifence Dan Williams
2018-01-28 9:06 ` Ingo Molnar
2018-01-28 9:14 ` Ingo Molnar
2018-01-29 20:41 ` Dan Williams
2018-01-29 20:41 ` Dan Williams
2018-01-30 6:56 ` Ingo Molnar
2018-01-27 7:55 ` [PATCH v5 05/12] x86, __get_user: use __uaccess_begin_nospec Dan Williams
2018-01-28 9:19 ` Ingo Molnar
2018-01-28 9:19 ` Ingo Molnar
2018-01-27 7:55 ` [PATCH v5 06/12] x86, get_user: use pointer masking to limit speculation Dan Williams
2018-01-27 7:55 ` Dan Williams
2018-01-28 9:25 ` Ingo Molnar
2018-01-28 9:25 ` Ingo Molnar
2018-01-27 7:55 ` [PATCH v5 07/12] x86: remove the syscall_64 fast-path Dan Williams
2018-01-28 9:29 ` Ingo Molnar
2018-01-28 9:29 ` Ingo Molnar
2018-01-28 15:22 ` Andy Lutomirski
2018-01-28 15:22 ` Andy Lutomirski
2018-01-27 7:55 ` [PATCH v5 08/12] x86: sanitize sycall table de-references under speculation Dan Williams
2018-01-28 9:36 ` Ingo Molnar
2018-01-27 7:56 ` [PATCH v5 09/12] vfs, fdtable: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-27 7:56 ` [PATCH v5 10/12] kvm, x86: update spectre-v1 mitigation Dan Williams
[not found] ` <151703971300.26578.1185595719337719486.stgit-p8uTFz9XbKj2zm6wflaqv1nYeNYlB/vhral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2018-01-27 7:56 ` [PATCH v5 11/12] nl80211: sanitize array index in parse_txq_params Dan Williams
2018-01-27 7:56 ` Dan Williams
2018-01-27 7:56 ` [PATCH v5 12/12] x86/spectre: report get_user mitigation for spectre_v1 Dan Williams
2018-01-28 9:50 ` Ingo Molnar
2018-01-29 22:05 ` Dan Williams
2018-01-31 8:07 ` Ingo Molnar
2018-02-01 20:23 ` Dan Williams
2018-02-01 20:23 ` Dan Williams
2018-01-27 18:52 ` [PATCH v5 00/12] spectre variant1 mitigations for tip/x86/pti Linus Torvalds
2018-01-27 18:52 ` Linus Torvalds
2018-01-27 19:26 ` Dan Williams
2018-01-27 19:26 ` Dan Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180131080310.ebqtxe5p7j54wglj@gmail.com \
--to=mingo@kernel.org \
--cc=a.p.zijlstra@chello.nl \
--cc=alan@linux.intel.com \
--cc=arjan.van.de.ven@intel.com \
--cc=catalin.marinas@arm.com \
--cc=cnovikov@lynx.com \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).