Received: by 10.223.176.46 with SMTP id f43csp457578wra; Fri, 26 Jan 2018 01:29:58 -0800 (PST) X-Google-Smtp-Source: AH8x226Eq6W1fteJ3iy2wvgUSBDb/2r8DnlvAiA8ETHGoCRfY2vEQ3g4Xb5qIg9pU+8fWFXSNCFi X-Received: by 10.99.165.28 with SMTP id n28mr15632959pgf.103.1516958997987; Fri, 26 Jan 2018 01:29:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516958997; cv=none; d=google.com; s=arc-20160816; b=M+SuGyB04yOV+lbxUyZJM7rbFY7S/y7Qtfx13LnW2giEBeskHdtTndbnrBAL08+IcS W0lTHQMdO15l9HMDKRRF4mNKaT78mFq7seLQEdLoqQTEYepteV0/GBP7LcrBJTKXLZcp NQBprhZR5ag5o22/Glg3v0Mct2hemWM3ghjhby810Ahyrp78wb+hkcJWGy3GWib5dGT5 S5jaUsBdXoTcr0cHFZlxsEpiwLta4V3WeaiGkz7janXnEIrhvtvcuew4ooMvO4wRrBbK pIZt+GXalRgy13Gg76rZtUP3YRZcxcgjfZQVHob7SDN3gmQBZ5ARWdLV9sFUvxUmIp/K WAGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=PGRe1ItFIPoita3qqhxWK0ULR7f/1b/Nf4ZhQe5yNsM=; b=Ap1b1/9CrTYPpKr8iBZbPHDem3MagC/uJA41A6khHFUDvrPWTUz1A4GTSZQJjvqlwD 4hTVsCwfd89DqHPkOlgwXgfSn8nBiuh41kFyF6OLYQiEVtIFqSZnY94dkDrooR4p2I00 rOEhBv9HLxo7h41Al2BBnFvU6mVekLH5YK9nih92E4b7acvicl+Dz3dCAaXIiSWU53fU 9j+tLZOHh/Sczcch0wBekk/46FZyVmlL187yU6Q3mFiK2aTkNG2+nHbDz+hheJ2+xCTA RnEEUFrOd3b1Xyz4WlDs2WzpZsJ/4HRF4S1nEnnNVI+shBCj32oHv1dG81y6aesQ6JIO cxaQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=podlesie.net Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u19si5167319pfl.141.2018.01.26.01.29.43; Fri, 26 Jan 2018 01:29:57 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=podlesie.net Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752850AbeAZJ2o (ORCPT + 99 others); Fri, 26 Jan 2018 04:28:44 -0500 Received: from shrek-s3.podlesie.net ([85.14.110.209]:45619 "EHLO shrek.podlesie.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752652AbeAZJ2j (ORCPT ); Fri, 26 Jan 2018 04:28:39 -0500 Received: by shrek.podlesie.net (Postfix, from userid 603) id 97220DAB; Fri, 26 Jan 2018 10:28:36 +0100 (CET) Date: Fri, 26 Jan 2018 10:28:36 +0100 From: Krzysztof Mazur To: Nadav Amit Cc: Joerg Roedel , Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" , the arch/x86 maintainers , LKML , "open list:MEMORY MANAGEMENT" , Linus Torvalds , Andy Lutomirski , Dave Hansen , Josh Poimboeuf , Juergen Gross , Peter Zijlstra , Borislav Petkov , Jiri Kosina , Boris Ostrovsky , Brian Gerst , David Laight , Denys Vlasenko , Eduardo Valentin , Greg KH , Will Deacon , aliguori@amazon.com, daniel.gruss@iaik.tugraz.at, hughd@google.com, keescook@google.com, Andrea Arcangeli Subject: Re: [RFC PATCH 00/16] PTI support for x86-32 Message-ID: <20180126092836.GA11003@shrek.podlesie.net> References: <1516120619-1159-1-git-send-email-joro@8bytes.org> <20180124185800.GA11515@shrek.podlesie.net> <67E8EB67-EB60-441E-BDFB-521F3D431400@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <67E8EB67-EB60-441E-BDFB-521F3D431400@gmail.com> User-Agent: Mutt/1.6.2 (2016-07-01) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 25, 2018 at 02:09:40PM -0800, Nadav Amit wrote: > The PoC apparently does not work with 3GB of memory or more on 32-bit. Does > you setup has more? Can you try the attack while setting max_addr=1G ? No, I tested on: Pentium M (Dothan): 1.5 GB RAM, PAE for NX, 2GB/2GB split CONFIG_NOHIGHMEM=y CONFIG_VMSPLIT_2G=y CONFIG_PAGE_OFFSET=0x80000000 CONFIG_X86_PAE=y and Xeon (Pentium 4): 2 GB RAM, no PAE, 1.75GB/2.25GB split CONFIG_NOHIGHMEM=y CONFIG_VMSPLIT_2G_OPT=y CONFIG_PAGE_OFFSET=0x78000000 Now I'm testing with standard settings on Pentium M: 1.5 GB RAM, no PAE, 3GB/1GB split, ~890 MB RAM available CONFIG_NOHIGHMEM=y CONFIG_PAGE_OFFSET=0xc0000000 CONFIG_X86_PAE=n and it still does not work. reliability from https://github.com/IAIK/meltdown reports 0.38% (1/256 = 0.39%, "true" random), and other libkdump tools does not work. https://github.com/paboldin/meltdown-exploit (on linux_proc_banner symbol) reports: cached = 46, uncached = 515, threshold 153 read c0897020 = ff (score=0/1000) read c0897021 = ff (score=0/1000) read c0897022 = ff (score=0/1000) read c0897023 = ff (score=0/1000) read c0897024 = ff (score=0/1000) NOT VULNERABLE and my exploit with: for (i = 0; i < 256; i++) { unsigned char *px = p + (i << 12); t = rdtsc(); readb(px); t = rdtsc() - t; if (t < 100) printf("%02x %lld\n", i, t); } loop returns only "00 45". When I change the exploit code (now based on paboldin code to be sure) to: movzx (%[addr]), %%eax movl $0xaa, %%eax shl $12, %%eax movzx (%[target], %%eax), %%eax I always get "0xaa 51", so the CPU is speculatively executing the second load with (0xaa << 12) in eax, and without the movl instruction, eax seems to be always 0. I even tried to remove the shift: movzx (%[addr]), %%eax movzx (%[target], %%eax), %%eax and I've been reading known value (from /dev/mem, for instance 0x20), I've modified target array offset, and the CPU is still touching "wrong" cacheline, eax == 0 instead of 0x20. I've also tested movl instead of movzx (with and 0xff). On Core 2 Quad in 64-bit mode everything works as expected, vulnerable to Meltdown (I did not test it in 32-bit mode). I don't have any Core "1" to test. On that Pentium M syscall slowdown caused by PTI is huge, 7.5 times slower (7 times compared to patched kernel with disabled PTI), on Skylake with PCID the same trivial benchmark is "only" 3.5 times slower (and 5.2 times slower without PCID). Krzysiek