From: David Laight <David.Laight@ACULAB.COM>
To: 'Pawan Gupta' <pawan.kumar.gupta@linux.intel.com>,
Borislav Petkov <bp@alien8.de>
Cc: Jonathan Corbet <corbet@lwn.net>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
"x86@kernel.org" <x86@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
"tony.luck@intel.com" <tony.luck@intel.com>,
"antonio.gomez.iglesias@linux.intel.com"
<antonio.gomez.iglesias@linux.intel.com>,
Daniel Sneddon <daniel.sneddon@linux.intel.com>,
"andrew.cooper3@citrix.com" <andrew.cooper3@citrix.com>,
Josh Poimboeuf <jpoimboe@kernel.org>
Subject: RE: [RESEND RFC PATCH] x86/bugs: Add "unknown" reporting for MMIO Stale Data
Date: Fri, 29 Jul 2022 10:40:20 +0000
Message-ID: <e7ba00885fca4ec9849d8525cbc46f7b@AcuMS.aculab.com>
In-Reply-To: <20220729022851.mdj3wuevkztspodh@desk>
From: Pawan Gupta
> Sent: 29 July 2022 03:29
>
> On Thu, Jul 28, 2022 at 02:00:13PM +0200, Borislav Petkov wrote:
> > On Thu, Jul 14, 2022 at 06:30:18PM -0700, Pawan Gupta wrote:
> > > Older CPUs beyond its Servicing period are not listed in the affected
> > > processor list for MMIO Stale Data vulnerabilities. These CPUs currently
> > > report "Not affected" in sysfs, which may not be correct.
I looked this up...

The mitigations seem to rely on unprivileged code not being able
to do MMIO accesses.
That isn't true; device drivers can mmap PCIe addresses directly
into user program address space.
While unlikely, there is no reason this can't be supported for
non-root processes.

So if the underlying hardware doesn't correctly validate the
byte enables then stale data can be read.

It has to be said that I can't actually imagine getting anything
useful unless you have co-operating processes using it as a
security bypass side channel.

David
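As an added example, not part of the thread or of the kernel patch under discussion: a Python audit that lists non-root processes holding device MMIO mappings in their address space, the case the message above raises. The path patterns (sysfs PCI `resourceN` files as they appear in `/proc/<pid>/maps`, and `/dev/uioN`) and the sample data are assumptions constructed here.

```python
import os
import re

# Assumed indicators of MMIO in user space: sysfs PCI BAR files and UIO nodes.
MMIO_PATH = re.compile(r"^(/sys/devices/.*/resource\d+(_wc)?|/dev/uio\d+)$")

def mmio_mappings(maps_text):
    """Return (start, end, perms, path) per MMIO-backed line of /proc/<pid>/maps."""
    found = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue                      # anonymous mapping: no backing path
        path = fields[5].strip()
        if MMIO_PATH.match(path):
            start, end = (int(x, 16) for x in fields[0].split("-"))
            found.append((start, end, fields[1], path))
    return found

def real_uid(status_text):
    """Real UID from the Uid: line of /proc/<pid>/status."""
    return int(re.search(r"^Uid:\s+(\d+)", status_text, re.M).group(1))

def audit(procs):
    """procs yields (pid, status_text, maps_text); keep non-root MMIO holders."""
    rows = ((pid, real_uid(st), mmio_mappings(mp)) for pid, st, mp in procs)
    return [{"pid": p, "uid": u, "mappings": h} for p, u, h in rows if u != 0 and h]

def live_procs(root="/proc"):
    """Yield (pid, status, maps) for every process the caller may inspect."""
    for name in filter(str.isdigit, os.listdir(root)):
        try:
            with open(f"{root}/{name}/status") as s, open(f"{root}/{name}/maps") as m:
                yield int(name), s.read(), m.read()
        except OSError:
            continue                      # exited, or maps unreadable without privilege

# Constructed sample input, not taken from a real system.
SAMPLE = [
    (4242, "Name:\tdaq\nUid:\t1000\t1000\t1000\t1000\n",
     "7f00a0000000-7f00a0020000 rw-s 00000000 00:16 31337 "
     "/sys/devices/pci0000:00/0000:00:1c.0/0000:03:00.0/resource0\n"
     "7f00a1000000-7f00a1021000 rw-p 00000000 00:00 0 \n"),
    (1, "Name:\tinit\nUid:\t0\t0\t0\t0\n",
     "7f00b0000000-7f00b0001000 rw-s 00000000 00:06 99 /dev/uio0\n"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))                  # use audit(live_procs()) on a real host
```

Run as root with `audit(live_procs())` to cover other users' processes, since `/proc/<pid>/maps` is otherwise readable only for the caller's own.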