From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
To: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Josh Poimboeuf <jpoimboe@kernel.org>,
Andrew Cooper <andrew.cooper3@citrix.com>,
x86@kernel.org, Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>,
Peter Zijlstra <peterz@infradead.org>,
Waiman Long <longman@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Ingo Molnar <mingo@redhat.com>,
Michael Ellerman <mpe@ellerman.id.au>,
linuxppc-dev@lists.ozlabs.org,
Mark Rutland <mark.rutland@arm.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>
Subject: Re: [PATCH] x86/uaccess: Avoid barrier_nospec() in copy_from_user()
Date: Tue, 22 Oct 2024 01:16:58 -0700 [thread overview]
Message-ID: <20241022081658.pmf3j5dcxohsvr5e@desk> (raw)
In-Reply-To: <4fvuiq7h3zay3ios6kpyqye4x2igixew4k44k5nkq2ywbu5lig@ybpx5fowgy7x>
On Mon, Oct 21, 2024 at 01:48:15PM +0300, Kirill A. Shutemov wrote:
> On Sun, Oct 20, 2024 at 03:59:25PM -0700, Linus Torvalds wrote:
> > On Sun, 20 Oct 2024 at 15:44, Josh Poimboeuf <jpoimboe@kernel.org> wrote:
> > >
> > > Anyway, I'd really like to make forward progress on getting rid of the
> > > LFENCEs in copy_from_user() and __get_user(), so until if/when we hear
> > > back from both vendors, how about we avoid noncanonical exceptions
> > > altogether (along with the edge cases mentioned above) and do something
> > > like the below?
> >
> > That doesn't work for LAM at _all_.
> >
> > So at a minimum, you need to then say "for LAM enabled CPU's we do the
> > 'shift sign bit' trick".
> >
> > Hopefully any LAM-capable CPU doesn't have this issue?
>
> LAM brings own speculation issues[1] that is going to be addressed by
> LASS[2]. There was a patch[3] to disable LAM until LASS is landed, but it
> never got applied for some reason.
AIU, issue with LAM is it allows speculative translation of non-canonical
user address. It does not allow data fetches from those addresses. SLAM
attack uses LAM to form a TLB-based disclosure gadget. In essence, SLAM
needs to chain another speculative vulnerability to form a successful
attack. If the data accessed by a chained speculative vulnerability is
interpreted as a pointer, LAM may allow the translation of non-canonical
user address. This is specially true for ascii characters that have MSB
masked off.
I don't really know how this could be a problem for something like
copy_from_user() that ensures the canonicality of bit 63.
AFAIK, Sierra Forest, Lunar Lake and Arrow Lake support LAM. To be on safe
side, it is better to keep LAM disabled until LASS arrives.
next prev parent reply other threads:[~2024-10-22 12:14 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-12 4:09 [PATCH] x86/uaccess: Avoid barrier_nospec() in copy_from_user() Josh Poimboeuf
2024-10-12 8:48 ` Andrew Cooper
2024-10-12 14:09 ` Josh Poimboeuf
2024-10-12 14:21 ` Borislav Petkov
2024-10-12 15:58 ` Linus Torvalds
2024-10-12 14:26 ` Andrew Cooper
2024-10-12 15:44 ` Linus Torvalds
2024-10-12 17:23 ` Andrew Cooper
2024-10-12 17:44 ` Linus Torvalds
2024-10-13 0:53 ` Linus Torvalds
2024-10-13 1:21 ` Linus Torvalds
2024-10-14 3:54 ` Josh Poimboeuf
2024-10-14 6:50 ` Linus Torvalds
2024-10-14 9:59 ` David Laight
2024-10-14 11:20 ` Linus Torvalds
2024-10-14 14:40 ` David Laight
2024-10-14 11:12 ` Andrew Cooper
2024-10-14 12:30 ` Kirill A. Shutemov
2024-10-14 15:39 ` Andrew Cooper
2024-10-15 10:00 ` Borislav Petkov
2024-10-20 22:44 ` Josh Poimboeuf
2024-10-20 22:59 ` Linus Torvalds
2024-10-20 23:11 ` Josh Poimboeuf
2024-10-20 23:14 ` Josh Poimboeuf
2024-10-20 23:35 ` Linus Torvalds
2024-10-23 9:44 ` Borislav Petkov
2024-10-23 19:17 ` Linus Torvalds
2024-10-23 20:07 ` Linus Torvalds
2024-10-23 23:32 ` Linus Torvalds
2024-10-24 2:00 ` Linus Torvalds
2024-10-24 9:21 ` David Laight
2024-10-24 16:53 ` Linus Torvalds
2024-10-25 8:56 ` David Laight
2024-10-25 16:35 ` Linus Torvalds
2024-10-21 10:48 ` Kirill A. Shutemov
2024-10-22 2:36 ` Linus Torvalds
2024-10-22 10:33 ` Kirill A. Shutemov
2024-10-22 8:16 ` Pawan Gupta [this message]
2024-10-22 10:44 ` Kirill A. Shutemov
2024-10-14 16:55 ` Linus Torvalds
2024-10-16 16:10 ` Linus Torvalds
2024-10-16 22:02 ` Andrew Cooper
2024-10-16 22:13 ` Kirill A. Shutemov
2024-10-16 22:34 ` Linus Torvalds
2024-10-28 11:29 ` Kirill A. Shutemov
2024-10-28 18:44 ` Linus Torvalds
2024-10-28 20:31 ` Kirill A. Shutemov
2024-10-28 20:49 ` Linus Torvalds
2024-10-16 22:32 ` Linus Torvalds
2024-10-17 11:00 ` Borislav Petkov
2024-10-14 11:56 ` Kirill A. Shutemov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241022081658.pmf3j5dcxohsvr5e@desk \
--to=pawan.kumar.gupta@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=andrew.cooper3@citrix.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=jpoimboe@kernel.org \
--cc=kirill@shutemov.name \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=longman@redhat.com \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).