Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934192AbeALP0c (ORCPT + 1 other); Fri, 12 Jan 2018 10:26:32 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:54990 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S933997AbeALP03 (ORCPT ); Fri, 12 Jan 2018 10:26:29 -0500 Subject: Re: [PATCH 10/18] qla2xxx: prevent bounds-check bypass via speculative execution From: James Bottomley To: Greg KH , Dan Williams Cc: Linux Kernel Mailing List , linux-arch@vger.kernel.org, "Martin K. Petersen" , linux-scsi , Peter Zijlstra , Netdev , qla2xxx-upstream@qlogic.com, Thomas Gleixner , Linus Torvalds , Elena Reshetova , Alan Cox Date: Fri, 12 Jan 2018 07:25:11 -0800 In-Reply-To: <20180112072758.GD25517@kroah.com> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520104838.32271.7038801336240727574.stgit@dwillia2-desk3.amr.corp.intel.com> <20180106090322.GF4380@kroah.com> <20180112072758.GD25517@kroah.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 18011215-0012-0000-0000-000015972D35 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00008365; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000245; SDB=6.00973978; UDB=6.00493556; IPR=6.00753924; BA=6.00005775; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00019003; XFM=3.00000015; UTC=2018-01-12 15:25:19 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18011215-0013-0000-0000-000051085D8C Message-Id: <1515770711.3922.5.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-01-12_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1801120211 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Fri, 2018-01-12 at 08:27 +0100, Greg KH wrote: > On Thu, Jan 11, 2018 at 02:15:12PM -0800, Dan Williams wrote: > > > > On Sat, Jan 6, 2018 at 1:03 AM, Greg KH > > wrote: > > > > > > On Fri, Jan 05, 2018 at 05:10:48PM -0800, Dan Williams wrote: > > > > > > > > Static analysis reports that 'handle' may be a user controlled > > > > value that is used as a data dependency to read 'sp' from the > > > > 'req->outstanding_cmds' array.  In order to avoid potential > > > > leaks of kernel memory values, block speculative execution of > > > > the instruction stream that could issue reads based on an > > > > invalid value of 'sp'. In this case 'sp' is directly > > > > dereferenced later in the function. > > > > > > I'm pretty sure that 'handle' comes from the hardware, not from > > > userspace, from what I can tell here.  If we want to start > > > auditing __iomem data sources, great!  But that's a bigger task, > > > and one I don't think we are ready to tackle... > > > > I think it falls in the hygiene bucket of shutting off an array > > index from a source that could be under attacker control. Should we > > leave this one un-patched while we decide if we generally have a > > problem with trusting completion 'tags' from hardware? My vote is > > patch it for now. > > Hah, if you are worried about "tags" from hardware, we have a lot > more auditing to do, right?  We'd also have a lot more to do: the assumption would have to be malicious hardware and most hardware has access to fairly vital stuff directly.  I really don't think we have to worry about side channel attacks from hardware until the direct attack vector is closed. James