Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751563AbeAEKdv (ORCPT + 1 other); Fri, 5 Jan 2018 05:33:51 -0500 Received: from mail-qk0-f196.google.com ([209.85.220.196]:35328 "EHLO mail-qk0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751330AbeAEKdr (ORCPT ); Fri, 5 Jan 2018 05:33:47 -0500 X-Google-Smtp-Source: ACJfBosebIKRkVydJQNToGuCZOywUQF7b/5CPVjOI3jnhbQr1MCqs7zURbf63jY4JGytRJICNlYvR5wg35t3gqjyeyg= MIME-Version: 1.0 From: Alexey Dobriyan Date: Fri, 5 Jan 2018 12:33:45 +0200 Message-ID: Subject: Re: [RFC PATCH] asm/generic: introduce if_nospec and nospec_barrier To: viro@zeniv.linux.org.uk Cc: linux-kernel@vger.kernel.org, dave.hansen@intel.com, dan.j.williams@intel.com, ebiederm@xmission.com, gnomes@lxorguk.ukuu.org.uk, jikos@kernel.org, torvalds@linux-foundation.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: Al Viro wrote: > > > No, the concern is that an fd value >= fdt->max_fds may cause the cpu > > > to read arbitrary memory addresses relative to files->fdt and > > > userspace can observe that it got loaded. > > > > Yes. And all that might reveal is the value of files->fdt. Who cares? > > Sorry, s/files->fdt/files->fdt->fd/. Still the same question - what information > would that extract and how would attacker use that? Al, paper exploit requires second data dependent load but they only do it for easy demonstration. struct file *file = (fd < fdt->max_fds) ? fdt->fd[fd] : NULL; if (file && (file->f_mode & mask)) ... Speculative "struct file *" can be anything. If ->f_mode access happens cacheline will be primed. If pointer is userspace address nothing will happen because of SMAP. Now you know that some data past fdtable looks like canonical kernel address.