From: Josh Poimboeuf <jpoimboe@kernel.org>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>,
Peter Zijlstra <peterz@infradead.org>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Waiman Long <longman@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Ingo Molnar <mingo@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Michael Ellerman <mpe@ellerman.id.au>,
linuxppc-dev@lists.ozlabs.org,
Mark Rutland <mark.rutland@arm.com>,
"Kirill A . Shutemov" <kirill@shutemov.name>
Subject: Re: [PATCH v2 0/6] x86/uaccess: Avoid barrier_nospec()
Date: Thu, 17 Oct 2024 15:42:46 -0700 [thread overview]
Message-ID: <20241017224246.5pcgeeiforndgiha@treble> (raw)
In-Reply-To: <8baa42b8-2529-44d8-99e5-341132c09264@citrix.com>
On Thu, Oct 17, 2024 at 11:31:30PM +0100, Andrew Cooper wrote:
> Even if you can get Intel and AMD to agree that STAC/CLAC are really
> LFENCEs (and I think you'll struggle), they'd only confer the safety you
> want between a real conditional that excludes the non-canonical range,
> and the pointer deference.
>
> Any path that genuinely deferences a non-canonical pointer is not safe,
> whatever serialisation you put in the way. The attacker wins the moment
> the load uop executes.
>
> The final hunk of patch 1 is safe (iff STAC is given extra guarantees)
> because it is between the conditional and the deference. Patch 4 is not
> safe (if the comment is correct) because it removes the conditional.
So the naming is confusing:
- put_user() implementation is __put_user_*()
- __put_user() implementation is __put_user_nocheck_*()
Patch 4 only affects __put_user(), for which the user is expected to
call access_ok() beforehand.
The current implementations of get_user(), put_user() and
masked_user_access_begin() avoid the conditional. Those are the ones it
sounds like you're worried about?
None of my patches remove conditional checks.
--
Josh
prev parent reply other threads:[~2024-10-17 22:42 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-17 21:55 [PATCH v2 0/6] x86/uaccess: Avoid barrier_nospec() Josh Poimboeuf
2024-10-17 21:55 ` [PATCH v2 1/6] x86/uaccess: Avoid barrier_nospec() in copy_from_user() Josh Poimboeuf
2024-10-17 21:55 ` [PATCH v2 2/6] x86/uaccess: Avoid barrier_nospec() in __get_user() Josh Poimboeuf
2024-10-17 21:55 ` [PATCH v2 3/6] x86/uaccess: Rearrange putuser.S Josh Poimboeuf
2024-10-18 8:51 ` Kirill A . Shutemov
2024-10-18 15:55 ` Josh Poimboeuf
2024-10-17 21:55 ` [PATCH v2 4/6] x86/uaccess: Add user pointer masking to __put_user() Josh Poimboeuf
2024-10-17 21:55 ` [PATCH v2 5/6] x86/uaccess: Add user pointer masking to copy_to_user() Josh Poimboeuf
2024-10-17 21:55 ` [PATCH v2 6/6] x86/uaccess: Add user pointer masking to clear_user() Josh Poimboeuf
2024-10-17 22:31 ` [PATCH v2 0/6] x86/uaccess: Avoid barrier_nospec() Andrew Cooper
2024-10-17 22:42 ` Josh Poimboeuf [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241017224246.5pcgeeiforndgiha@treble \
--to=jpoimboe@kernel.org \
--cc=andrew.cooper3@citrix.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=kirill@shutemov.name \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=longman@redhat.com \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).