Received: by 10.223.176.5 with SMTP id f5csp387579wra; Tue, 30 Jan 2018 13:10:49 -0800 (PST) X-Google-Smtp-Source: AH8x227ymHDTJ+4y2x+A1fiofvtIXfrpfbe4XDsNBmHPiaX8/Mf50bZLhleHO3saC0KmjHjbv8vs X-Received: by 10.98.204.144 with SMTP id j16mr31895859pfk.101.1517346649814; Tue, 30 Jan 2018 13:10:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517346649; cv=none; d=google.com; s=arc-20160816; b=QUGthhCI5NjlQpt06HGmI14HUIOcUVhBETDIYYodiCKM33GRkkqTyFl21/MwyBVca8 ymhwvuhd4ck1ZAtGbQcfkWQbLtmKzXRacoSNwG0MZ9mhqfpkkd9IIqBPOSCvqLmExv+m afqvtPJ+rAwk5+vhquKnDpQeCsUJF/0hOxCPIC9+c9vD5uoD1yV0PRL75UzBACmSRC// pq2kKQOsLRngFlaQegT9wkkuqY4QmHAHF5+BETrXeEf62stuziuFVTRI7yVOvCIP5S+J 0bhg/i1eKbOcWhvPn4FpT2Oa1RTh/vUbR2OLL8n7AJC372KmstVCiz3j+5fbrnEh4sWE +Yww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=1IBO06+duIUdburC8ZkIlsbfZcbmhCbPhTz0Dxr7hTA=; b=v236LFm4CuAvSUSR3mxs9SucUNfVHwMba7GwkdA38HMwuM9SgrbRGfaeww41pBwjuD XwyINhPIMrnaVktUuVsh4xSwUw5SL7P2LrTdOpe7xhvVzrq8N0IGOhI5mS8GJn0YuGVU AylFG3jTvqKDdQVIZhkvcJ3Nvt3Uad8O15evrye7dJ4CgFHKAf/Ehqk0BHK0GvaDflBj rZbCMvkfX6IxRYM+QU47kejegnrUgOpv/TimsPBeaDyBWRzPCSFnHwAOqJA7cs3yb4od tJClqf6s+c1ZBGE0xjoOWW6VaR3DL/YFCmHO6tlQmIMPhz7dkmOwREzvTBLth66O0p4d ur7g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b4si9754080pgq.646.2018.01.30.13.10.34; Tue, 30 Jan 2018 13:10:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753355AbeA3Uiq (ORCPT + 99 others); Tue, 30 Jan 2018 15:38:46 -0500 Received: from mail.skyhub.de ([5.9.137.197]:46830 "EHLO mail.skyhub.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751970AbeA3Uio (ORCPT ); Tue, 30 Jan 2018 15:38:44 -0500 X-Virus-Scanned: Nedap ESD1 at mail.skyhub.de Received: from mail.skyhub.de ([127.0.0.1]) by localhost (blast.alien8.de [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id vh5Aiq0FahYB; Tue, 30 Jan 2018 21:38:42 +0100 (CET) Received: from pd.tnic (p200300EC2BCF0F005D4DFBFD0E3B986B.dip0.t-ipconnect.de [IPv6:2003:ec:2bcf:f00:5d4d:fbfd:e3b:986b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.skyhub.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id A04BA1EC00A7; Tue, 30 Jan 2018 21:38:42 +0100 (CET) Date: Tue, 30 Jan 2018 21:38:36 +0100 From: Borislav Petkov To: David Woodhouse Cc: arjan@linux.intel.com, tglx@linutronix.de, karahmed@amazon.de, x86@kernel.org, linux-kernel@vger.kernel.org, tim.c.chen@linux.intel.com, peterz@infradead.org, pbonzini@redhat.com, ak@linux.intel.com, torvalds@linux-foundation.org, gregkh@linux-foundation.org, mingo@kernel.org, luto@kernel.org, linux@dominikbrodowski.net Subject: Re: [PATCH] x86/speculation: Use Indirect Branch Prediction Barrier in context switch Message-ID: <20180130203836.bsgme6kf6hstgbrx@pd.tnic> References: <1517263487-3708-1-git-send-email-dwmw@amazon.co.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <1517263487-3708-1-git-send-email-dwmw@amazon.co.uk> User-Agent: NeoMutt/20170609 (1.8.3) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jan 29, 2018 at 10:04:47PM +0000, David Woodhouse wrote: > + if (tsk && tsk->mm && > + tsk->mm->context.ctx_id != last_ctx_id && > + get_dumpable(tsk->mm) != SUID_DUMP_USER) > + indirect_branch_prediction_barrier(); Ok, so while staring at this, someone just came up with the following sequence: 1. Malicious process runs with UID=A, does BTB poisoning 2. Sensitive process (e.g. gpg) starts also with UID=A, no IBPB flush occurs since task is initially dumpable 3. gpg now does prctl(PR_SET_DUMPABLE, ...) to clear the dumpable flag 4. gpg now does sensitive stuff that it thinks is protected 5. gpg does indirect branches that shouldn't be influenced by the malicious process Now, if you switch between steps 3. and 4., you're good because gpg became non-dumpable. But if you *don't* switch, the bad BTB entries are still there. So, *actually*, we need to flush IBPB in set_dumpable() too, when we clear SUID_DUMP_USER. Or, are we missing something obvious here and that is not needed because of reasons I haven't thought about? I know, gpg doesn't do prctl() but disables core dumping with setrlimit() but there might be other processes who do that... Thx. -- Regards/Gruss, Boris. Good mailing practices for 400: avoid top-posting and trim the reply.