From: Arnd Bergmann
Date: Fri, 9 Feb 2018 13:57:44 +0100
Subject: Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
To: Andrew Cooper
Cc: Boris Ostrovsky, Juergen Gross, xen-devel, David Laight, Dan Carpenter, Linux Kernel Mailing List, Kees Cook, Dan Williams, David Woodhouse
In-Reply-To: <67d8f0f1-0846-876d-d36a-c8a9f9366243@citrix.com>
References: <20180205150340.328921-1-arnd@arndb.de> <67d8f0f1-0846-876d-d36a-c8a9f9366243@citrix.com>
List-ID: linux-kernel@vger.kernel.org

On Mon, Feb 5, 2018 at 4:14 PM, Andrew Cooper wrote:
> On 05/02/18 15:03, Arnd Bergmann wrote:
>
> Snipping deleted code to make things clearer:
>
>> + if (cmd > ARRAY_SIZE(physdevop_len))
>> + return -ENOSYS;
>>
>> + len = physdevop_len[cmd];
>> + memcpy(&op.u, arg, len);
>
> You'll want an array_nospec() or whatever its called these days. This
> code is SP1-leaky.

Maybe the best solution would be to remove the file completely. From
looking at the Xen git history, we only need this to run on Xen 3.0.2 or
earlier, those early Xen releases (according to Wikipedia) never even
supported running modern kernel versions anyway, so the code appears to
be completely pointless here.
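Review bot: the bounds check `if (cmd > ARRAY_SIZE(physdevop_len))` is off by one; `cmd == ARRAY_SIZE(physdevop_len)` passes it and `len = physdevop_len[cmd];` then reads one element past the end of the table, feeding an out-of-range length into the `memcpy`, so the comparison should be `>=`. Separately, as Andrew points out, the index is used directly after the check, so even with `>=` a mispredicted branch can still load `physdevop_len[cmd]` speculatively with an out-of-range `cmd`; passing `cmd` through `array_index_nospec()` between the check and the lookup closes that.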
However, aside from this driver, I wonder if we should be worried about
Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case
statement into an array lookup behind our back, e.g. in an ioctl handler.
Has anybody got this on their radar?

Arnd
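Added example, not code from the patch or from the kernel tree: a bounds-checked table lookup of the shape in the quoted hunk, written with the `>=` comparison and with the index masked the way the kernel's array_index_nospec() construction does it, so the check holds both architecturally and under speculation. The table `cmd_len` and its contents are constructed for illustration.

```c
/* Added example: bounds-checked table lookup hardened against an
 * out-of-bounds read and against Spectre-v1 style speculative indexing.
 * cmd_len[] is a constructed stand-in, not the real physdevop_len[]. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (CHAR_BIT * sizeof(unsigned long))
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

static const size_t cmd_len[] = { 8, 16, 24, 4, 32, 12 }; /* constructed */

/* All-ones when index < size, all-zeros otherwise, with no branch:
 * in range, neither index nor (size-1-index) has the top bit set, so
 * ~(index | ...) is negative and the arithmetic shift yields -1;
 * out of range, (size-1-index) wraps and has the top bit set, giving 0. */
static unsigned long array_index_mask_nospec(unsigned long index,
					     unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index to 0 when out of range, so a mispredicted bounds check
 * cannot drive a speculative load with an attacker-chosen offset. */
static unsigned long array_index_nospec(unsigned long index,
					unsigned long size)
{
	return index & array_index_mask_nospec(index, size);
}

/* Operand length for cmd, or -ENOSYS when cmd is not a known command. */
long lookup_cmd_len(unsigned long cmd)
{
	/* ">=": cmd == ARRAY_SIZE(cmd_len) is already past the last entry. */
	if (cmd >= ARRAY_SIZE(cmd_len))
		return -ENOSYS;
	cmd = array_index_nospec(cmd, ARRAY_SIZE(cmd_len));
	return (long)cmd_len[cmd];
}

int main(void)
{
	unsigned long probes[] = { 0, 5, 6, ULONG_MAX };
	for (size_t i = 0; i < ARRAY_SIZE(probes); i++)
		printf("cmd %lu -> %ld\n", probes[i], lookup_cmd_len(probes[i]));
	return 0;
}
```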