From: Laurent Pinchart
To: Peter Zijlstra
Cc: Dan Williams, "Eric W. Biederman", Linux Kernel Mailing List,
    Mark Rutland, Alan Cox, Srinivas Pandruvada, Will Deacon,
    Solomon Peachy, "H. Peter Anvin", Christian Lamparter,
    Elena Reshetova, linux-arch@vger.kernel.org, Andi Kleen,
    "James E.J. Bottomley", linux-scsi, Jonathan Corbet, X86 ML,
    Ingo Molnar, Alexey Kuznetsov, Zhang Rui,
    "Linux-media@vger.kernel.org", Arnd Bergmann, Jan Kara,
    Eduardo Valentin, Al Viro, qla2xxx-upstream@qlogic.com,
    Thomas Gleixner, Mauro Carvalho Chehab, Arjan van de Ven,
    Kalle Valo, Alan Cox, "Martin K. Petersen", Hideaki YOSHIFUJI,
    Greg KH, linux-wireless@vger.kernel.org, Netdev, Linus Torvalds,
    "David S. Miller"
Subject: Re: [PATCH 00/18] prevent bounds-check bypass via speculative execution
Date: Mon, 08 Jan 2018 13:14:47 +0200
Message-ID: <3415073.MEFzjWuAPN@avalon>
Organization: Ideas on Board Oy
In-Reply-To: <20180108100836.GF3040@hirez.programming.kicks-ass.net>
References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com>
    <20180108100836.GF3040@hirez.programming.kicks-ass.net>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Peter,

On Monday, 8 January 2018 12:08:36 EET Peter Zijlstra wrote:
> On Fri, Jan 05, 2018 at 10:30:16PM -0800, Dan Williams wrote:
> > On Fri, Jan 5, 2018 at 6:22 PM, Eric W. Biederman wrote:
> >> In at least one place (mpls) you are patching a fast path. Compile out
> >> or don't load mpls by all means. But it is not acceptable to change the
> >> fast path without even considering performance.
> >
> > Performance matters greatly, but I need help to identify a workload
> > that is representative for this fast path to see what, if any, impact
> > is incurred. Even better is a review that says "nope, 'index' is not
> > subject to arbitrary userspace control at this point, drop the patch."
>
> I think we're focussing a little too much on pure userspace. That is, we
> should be saying under the attacker's control. Inbound network packets
> could equally be under the attacker's control.

I was thinking about that as well. It would then require a way to observe
cache hits from the network. While not easy I'm pretty sure it could be
doable, opening the door to remote attacks. With my paranoid security hat on
(paranoid just means cautious when dealing with security issues, doesn't it?)
I'm more concerned about that than by some of the local attack vectors.

> Sure, userspace is the most direct and highest bandwidth one, but I
> think we should treat all (kernel) external values with the same
> paranoia.

-- 
Regards,

Laurent Pinchart