From: Michael Ellerman <mpe@ellerman.id.au>
To: Breno Leitao <leitao@debian.org>,
Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Nathan Lynch <nathanl@linux.ibm.com>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>
Subject: Re: [PATCH] powerpc/kernel: Fix potential spectre v1 in syscall
Date: Tue, 12 Mar 2024 22:07:54 +1100 [thread overview]
Message-ID: <874jdb4sj9.fsf@mail.lhotse> (raw)
In-Reply-To: <ZfAa59Z8njiGUnRW@gmail.com>
Breno Leitao <leitao@debian.org> writes:
> On Tue, Mar 12, 2024 at 08:17:42AM +0000, Christophe Leroy wrote:
>> +Nathan as this is RTAS related.
>>
>> Le 21/08/2018 à 20:42, Breno Leitao a écrit :
>> > The rtas syscall reads a value from a user-provided structure and uses it
>> > to index an array, being a possible area for a potential spectre v1 attack.
>> > This is the code that exposes this problem.
>> >
>> > args.rets = &args.args[nargs];
>> >
>> > The nargs is an user provided value, and the below code is an example where
>> > the 'nargs' value would be set to XX.
>> >
>> > struct rtas_args ra;
>> > ra.nargs = htobe32(XX);
>> > syscall(__NR_rtas, &ra);
>>
>>
>> This patch has been hanging around in patchwork since 2018 and doesn't
>> apply anymore. Is it still relevant ? If so, can you rebase et resubmit ?
>
> This seems to be important, since nargs is a user-provided value. I can
> submit it if the maintainers are willing to accept. I do not want to
> spend my time if no one is willing to review it.
My memory is that I didn't think it was actually a problem, because all
we do is memset args.rets to zero. I thought I'd talked to you on Slack
about it, but maybe I didn't.
Anyway we should probably just fix it to be safe and keep the static
checkers happy.
I'll rebase it and apply it, I'm sure you've got better things to do :)
cheers
next prev parent reply other threads:[~2024-03-12 11:08 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-21 18:42 [PATCH] powerpc/kernel: Fix potential spectre v1 in syscall Breno Leitao
2024-03-12 8:17 ` Christophe Leroy
2024-03-12 9:05 ` Breno Leitao
2024-03-12 11:07 ` Michael Ellerman [this message]
2024-03-12 13:10 ` Breno Leitao
2024-03-18 15:25 ` Nathan Lynch
2024-05-21 1:23 ` Michael Ellerman
2024-05-31 0:35 ` Nathan Lynch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874jdb4sj9.fsf@mail.lhotse \
--to=mpe@ellerman.id.au \
--cc=christophe.leroy@csgroup.eu \
--cc=leitao@debian.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nathanl@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).