From: ebiederm@xmission.com (Eric W. Biederman)
To: Dan Williams <dan.j.williams@intel.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-arch@vger.kernel.org, Peter Zijlstra <peterz@infradead.org>,
Netdev <netdev@vger.kernel.org>,
Greg KH <gregkh@linuxfoundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>,
Elena Reshetova <elena.reshetova@intel.com>,
Alan Cox <alan@linux.intel.com>
Subject: Re: [PATCH 16/18] net: mpls: prevent bounds-check bypass via speculative execution
Date: Tue, 09 Jan 2018 18:54:26 -0600 [thread overview]
Message-ID: <87bmi2edod.fsf@xmission.com> (raw)
In-Reply-To: <CAPcyv4jQ=2s25keWbk-6bHK=xqeKbvbd0wX5319Csgg+iM+b2w@mail.gmail.com> (Dan Williams's message of "Tue, 9 Jan 2018 10:01:47 -0800")
Dan Williams <dan.j.williams@intel.com> writes:
> On Tue, Jan 9, 2018 at 8:17 AM, Eric W. Biederman <ebiederm@xmission.com> wrote:
>> Dan Williams <dan.j.williams@intel.com> writes:
> [..]
>> The user controlled value condition of your patchset implies that you
>> assume indirect branch predictor poisoning is handled in other ways.
>>
>> Which means that we can assume speculation will take some variation of
>> the static call chain.
>>
>> Further you are worrying about array accesses. Which means you
>> are worried about attacks that are the equivalent of meltdown that
>> can give you reading of all memory available to the kernel.
>>
>>
>> The mpls code in question reads a pointer from memory.
>>
>>
>> The only thing the code does with that pointer is verify it is not NULL
>> and dereference it.
>>
>> That does not make it possible to extricate the pointer bits via a cache
>> side-channel as a pointer is 64bits wide.
>>
>> There might maybe be a timing attack where it is timed how long the
>> packet takes to deliver. If you can find the base address of the array,
>> at best such a timeing attack will tell you is if some arbitrary cache
>> line is already cached in the kernel. Which is not the class of attack
>> your patchset is worried about. Further there are more direct ways
>> to probe the cache from a local process.
>>
>> So I submit to you that the mpls code is not vulnerable to the class of
>> attack you are addressing.
>>
>> Further I would argue that anything that reads a pointer from memory is
>> a very strong clue that it falls outside the class of code that you are
>> addressing.
>>
>> Show me where I am wrong and I will consider patches.
>
> No, the concern is a second dependent read (or write) within the
> speculation window after this first bounds-checked dependent read.
> I.e. this mpls code path appears to have the setup condition:
>
> if (x < max)
> val = array1[x];
>
> ...but it's not clear that there is an exploit condition later on in
> the instruction stream:
>
> array2[val] = y;
> /* or */
> y = array2[val];
>
> My personal paranoia says submit the patch and not worry about finding
> that later exploit condition, if DaveM wants to drop the patch that's
> his prerogative. In general, with the performance conscious version of
> nospec_array_ptr() being the default, why worry about what is / is not
> in the speculation window?
Sigh.
I am not worrying about what is in the speculation window. My
assumption is that the speculation window could be infinite, as we don't
know the limitations of all possible processors.
I am saying there is not a way to get the data out of the speculation
window.
I was saying that when you have:
if (x < max)
val = array1[x];
When val is a pointer not an integer.
Then
array2[val] = y;
/* or */
y = array2[va];
Won't happen.
val->field;
Will happen.
Which looks similar. However the address space of pointers is too
large. Making it impossible for an attack to know where to look in the
cache to see if "val->field" happened. At least on the assumption that
val is an arbitrary value.
Further mpls_forward is small enough the entire scope of "rt" the value
read possibly past the bound check is auditable without too much
trouble. I have looked and I don't see anything that could possibly
allow the value of "rt" to be exfitrated. The problem continuing to be
that it is a pointer and the only operation on the pointer besides
derferencing it is testing if it is NULL.
Other types of timing attacks are very hard if not impossible because
any packet presenting with a value outside the bounds check will be
dropped. So it will hard if not impossible to find something to time to
see how long it took to drop the packet.
So no this code path does not present with the classic signature of
variant 1: bounds check bypass CVE-2017-5753
Show me where I am wrong and I will gladly take patches. As it is the
mpls fast path does not appear vulnerable to the issue you are
addressing. So the best thing we can do for performance is nothing at
all.
All I am after is a plausible scenario. I just want to see it spelled
out which combinations of things could possibly be a problem.
Eric
next prev parent reply other threads:[~2018-01-10 0:54 UTC|newest]
Thread overview: 157+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-06 1:09 [PATCH 00/18] prevent bounds-check bypass via speculative execution Dan Williams
2018-01-06 1:09 ` [PATCH 01/18] asm-generic/barrier: add generic nospec helpers Dan Williams
2018-01-06 2:55 ` Linus Torvalds
2018-01-06 5:23 ` Dan Williams
2018-01-06 17:08 ` Mark Rutland
2018-01-06 1:10 ` [PATCH 02/18] Documentation: document " Dan Williams
2018-01-08 16:29 ` Jonathan Corbet
2018-01-08 17:09 ` Mark Rutland
2018-01-08 21:19 ` Jonathan Corbet
2018-01-06 1:10 ` [PATCH 03/18] arm64: implement nospec_ptr() Dan Williams
2018-01-06 1:10 ` [PATCH 04/18] arm: " Dan Williams
2018-01-10 2:04 ` Laura Abbott
2018-01-10 7:40 ` Hanjun Guo
2018-01-10 17:24 ` Laura Abbott
2018-01-06 1:10 ` [PATCH 05/18] x86: implement nospec_barrier() Dan Williams
2018-01-06 1:10 ` [PATCH 06/18] x86, barrier: stop speculation for failed access_ok Dan Williams
2018-01-06 2:52 ` Linus Torvalds
2018-01-06 3:09 ` Linus Torvalds
2018-01-06 23:31 ` Dan Williams
2018-01-07 1:20 ` Linus Torvalds
2018-01-08 21:09 ` Dan Williams
2018-01-08 23:44 ` Linus Torvalds
2018-01-08 23:53 ` Dan Williams
2018-01-06 5:47 ` Dan Williams
2018-01-06 12:32 ` Alan Cox
2018-01-06 17:56 ` Linus Torvalds
2018-01-06 18:13 ` Alexei Starovoitov
2018-01-06 18:29 ` Dan Williams
2018-01-06 18:39 ` Alexei Starovoitov
2018-01-06 18:54 ` Dan Williams
2018-01-06 19:25 ` Alexei Starovoitov
2018-01-06 19:36 ` Dan Williams
2018-01-06 19:41 ` Thomas Gleixner
2018-01-08 10:02 ` Andrea Arcangeli
2018-01-06 18:38 ` Alan Cox
2018-01-06 18:51 ` Alexei Starovoitov
2018-01-06 19:55 ` Alan Cox
2018-01-06 20:09 ` Alexei Starovoitov
2018-01-06 20:22 ` Alan Cox
2018-01-06 21:17 ` Alexei Starovoitov
2018-01-06 21:21 ` Thomas Gleixner
2018-01-06 23:05 ` Alan Cox
2018-01-07 3:38 ` Alexei Starovoitov
2018-01-07 6:33 ` Willy Tarreau
2018-01-07 19:47 ` Linus Torvalds
2018-01-07 20:12 ` Willy Tarreau
2018-01-07 20:17 ` Linus Torvalds
2018-01-07 20:56 ` Thomas Gleixner
2018-01-08 2:23 ` David Miller
2018-01-08 7:38 ` Greg KH
2018-01-07 22:15 ` Willy Tarreau
2018-01-07 20:15 ` Dan Williams
2018-01-08 2:24 ` Alexei Starovoitov
2018-01-08 9:51 ` Peter Zijlstra
2018-01-08 18:21 ` Ingo Molnar
2018-01-08 12:00 ` David Laight
2018-01-08 12:12 ` Alan Cox
2018-01-08 12:33 ` David Laight
2018-01-07 10:08 ` Thomas Gleixner
2018-01-08 2:09 ` Alexei Starovoitov
2018-01-07 13:59 ` Alan Cox
2018-01-08 2:57 ` Alexei Starovoitov
2018-01-08 9:57 ` Peter Zijlstra
2018-01-06 20:42 ` Willy Tarreau
2018-01-07 1:36 ` David Miller
2018-01-07 17:19 ` James Bottomley
2018-01-07 18:31 ` Thomas Gleixner
2018-01-08 2:04 ` David Miller
2018-01-07 19:24 ` Alan Cox
2018-01-09 21:41 ` Josh Poimboeuf
2018-01-09 21:47 ` Dan Williams
2018-01-09 21:49 ` Josh Poimboeuf
2018-01-09 21:59 ` Dan Williams
2018-01-09 22:23 ` Josh Poimboeuf
2018-01-09 22:35 ` Dan Williams
2018-01-06 1:10 ` [PATCH 07/18] [media] uvcvideo: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-06 9:09 ` Greg KH
2018-01-06 9:40 ` Greg KH
2018-01-06 17:41 ` Dan Williams
2018-01-07 9:09 ` Greg KH
2018-01-07 19:37 ` Dan Williams
2018-01-09 8:40 ` Laurent Pinchart
2018-01-09 10:04 ` Greg KH
2018-01-09 14:26 ` Laurent Pinchart
2018-01-09 14:47 ` Greg KH
2018-01-08 11:23 ` Laurent Pinchart
2018-01-09 2:11 ` Dan Williams
2018-01-06 1:10 ` [PATCH 08/18] carl9170: " Dan Williams
2018-01-06 10:01 ` Sergei Shtylyov
2018-01-06 14:23 ` Christian Lamparter
2018-01-06 15:06 ` Alan Cox
2018-01-06 16:38 ` Christian Lamparter
2018-01-06 16:34 ` Dan Williams
2018-01-06 1:10 ` [PATCH 09/18] p54: " Dan Williams
2018-01-06 10:01 ` Sergei Shtylyov
2018-01-06 1:10 ` [PATCH 10/18] qla2xxx: " Dan Williams
2018-01-06 9:03 ` Greg KH
2018-01-06 9:42 ` Greg KH
2018-01-11 22:15 ` Dan Williams
2018-01-12 7:27 ` Greg KH
2018-01-12 15:25 ` James Bottomley
2018-01-06 1:10 ` [PATCH 11/18] cw1200: " Dan Williams
2018-01-06 1:10 ` [PATCH 12/18] Thermal/int340x: " Dan Williams
2018-01-06 1:53 ` Srinivas Pandruvada
2018-01-06 1:57 ` Dan Williams
2018-01-06 17:24 ` Srinivas Pandruvada
2018-01-06 10:03 ` Sergei Shtylyov
2018-01-06 1:11 ` [PATCH 13/18] ipv6: " Dan Williams
2018-01-06 10:04 ` Sergei Shtylyov
2018-01-06 14:48 ` Stephen Hemminger
2018-01-06 18:05 ` Dan Williams
2018-01-06 1:11 ` [PATCH 14/18] ipv4: " Dan Williams
2018-01-06 9:00 ` Greg KH
2018-01-06 9:01 ` Greg KH
2018-01-06 12:23 ` Alan Cox
2018-01-06 15:14 ` Greg KH
2018-01-06 16:29 ` Dan Williams
2018-01-06 18:10 ` Dan Williams
2018-01-06 10:04 ` Sergei Shtylyov
2018-01-06 1:11 ` [PATCH 15/18] vfs, fdtable: " Dan Williams
2018-01-06 10:05 ` Sergei Shtylyov
2018-01-06 1:11 ` [PATCH 16/18] net: mpls: " Dan Williams
2018-01-06 10:06 ` Sergei Shtylyov
2018-01-09 3:11 ` Eric W. Biederman
2018-01-09 3:42 ` Dan Williams
2018-01-09 4:13 ` Linus Torvalds
2018-01-09 4:21 ` Linus Torvalds
2018-01-10 0:48 ` Dan Williams
2018-01-10 1:33 ` Dan Williams
2018-01-10 1:57 ` Alexei Starovoitov
2018-01-10 2:22 ` Dan Williams
2018-01-10 3:07 ` Alexei Starovoitov
2018-01-10 3:27 ` Linus Torvalds
2018-01-09 16:17 ` Eric W. Biederman
2018-01-09 18:01 ` Dan Williams
2018-01-10 0:54 ` Eric W. Biederman [this message]
2018-01-10 1:31 ` Dan Williams
2018-01-06 1:11 ` [PATCH 17/18] udf: " Dan Williams
2018-01-08 10:20 ` Jan Kara
2018-01-06 1:11 ` [PATCH 18/18] userns: " Dan Williams
2018-01-06 2:22 ` [PATCH 00/18] " Eric W. Biederman
[not found] ` <87y3lbpvzp.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2018-01-06 6:30 ` Dan Williams
2018-01-08 10:08 ` Peter Zijlstra
2018-01-08 11:43 ` Alan Cox
2018-01-08 11:55 ` Peter Zijlstra
2018-01-08 18:33 ` Ingo Molnar
2018-01-08 16:20 ` Bart Van Assche
2018-01-06 18:56 ` Florian Fainelli
2018-01-06 18:59 ` Arjan van de Ven
2018-01-06 19:37 ` Dan Williams
2018-01-06 20:07 ` Dan Williams
2018-01-09 19:34 ` Jiri Kosina
2018-01-09 19:44 ` Dan Williams
2018-01-09 20:55 ` Josh Poimboeuf
2018-01-11 9:54 ` Jiri Kosina
2018-01-11 15:58 ` Dan Williams
2018-01-11 16:34 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bmi2edod.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=alan@linux.intel.com \
--cc=dan.j.williams@intel.com \
--cc=davem@davemloft.net \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).