From: Arnd Bergmann
Date: Fri, 9 Feb 2018 15:21:55 +0100
Subject: Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
To: David Laight
Cc: Andrew Cooper, Boris Ostrovsky, Juergen Gross, xen-devel, Dan Carpenter, Linux Kernel Mailing List, Kees Cook, Dan Williams, David Woodhouse
In-Reply-To: <42258ad55dac4191813d258e43a44e0e@AcuMS.aculab.com>
References: <20180205150340.328921-1-arnd@arndb.de> <67d8f0f1-0846-876d-d36a-c8a9f9366243@citrix.com> <42258ad55dac4191813d258e43a44e0e@AcuMS.aculab.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 9, 2018 at 3:13 PM, David Laight wrote:
> From: Arnd Bergmann
>> Sent: 09 February 2018 12:58
> ...
>> However, aside from this driver, I wonder if we should be worried about
>> Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case
>> statement into an array lookup behind our back, e.g. in an ioctl handler.
>> Has anybody got this on their radar?
>
> The canonical code for a switch statement is to jump indirect on an array
> of code pointers.
> ioctl handlers probably use a series of compares because the values are
> sparse.

The majority of ioctl handlers are sparse enough that a table lookup
wouldn't work, but there are still subsystems that never fully adopted
the _IOC() macros, e.g. tty or socket ioctls are just consecutive
numbers.

> Also remember that gcc-8 will convert dense switch statements that just
> load a value into a data array lookup.

Right, that's the case I'm interested in here. I don't know how many
of those exist in the kernel, as this would again be a small subset of
the switch()/case statements that use consecutive numbers.

> I guess both those jump tables are potential attack vectors.
> Not quite sure how they might be used to leak info though.

When I tested the xen fallback code with gcc-7.3, I noticed a retpoline
getting generated for the pointer array, so that should be safe.

       Arnd
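The pattern the thread worries about, as an added example that is not code from the thread, from the Xen driver, or from the kernel: a dense switch() on consecutive command numbers of the kind a compiler may lower to a data-table lookup, the hand-written table lookup that lowering amounts to, and the same lookup with the index clamped by a branch-free mask in the style of the kernel's array_index_nospec(). The command numbers, the size table and the helper names (cmd_size_switch, cmd_size_table_lookup, cmd_size_nospec, index_mask_nospec) are constructed for illustration; index_mask_nospec is a user-space stand-in for the kernel macro, not the kernel's own code.

```c
/* Added example: user-space illustration of a Spectre-v1-prone dense
 * switch() and a masked lookup. Not kernel code; names are constructed. */
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: per-command payload sizes for consecutive command
 * numbers 0..7, as a tty- or socket-style ioctl handler might return. */
static const size_t cmd_size_table[] = { 4, 8, 16, 32, 64, 128, 256, 512 };
#define CMD_COUNT (sizeof(cmd_size_table) / sizeof(cmd_size_table[0]))

/* Dense switch that only loads a value per case. A compiler is free to
 * lower this to a bounds check followed by a table load indexed by cmd;
 * the bounds check can be bypassed speculatively (Spectre variant 1). */
size_t cmd_size_switch(unsigned int cmd)
{
    switch (cmd) {
    case 0: return 4;
    case 1: return 8;
    case 2: return 16;
    case 3: return 32;
    case 4: return 64;
    case 5: return 128;
    case 6: return 256;
    case 7: return 512;
    default: return 0;
    }
}

/* What that lowering looks like when written by hand: the branch on
 * cmd >= CMD_COUNT is a predicted branch, so under misspeculation the
 * load below can be performed with an attacker-chosen out-of-range cmd. */
size_t cmd_size_table_lookup(unsigned int cmd)
{
    if (cmd >= CMD_COUNT)
        return 0;
    return cmd_size_table[cmd];
}

/* Hypothetical stand-in for the kernel's array_index_mask_nospec():
 * returns all-ones when index < size and zero otherwise, computed with
 * arithmetic only, so the mask is valid even when the preceding branch
 * was mispredicted. Assumes index and size are both below 2^(bits-1). */
static inline unsigned long index_mask_nospec(unsigned long index,
                                              unsigned long size)
{
    /* size - 1 - index wraps (top bit set) exactly when index >= size. */
    unsigned long in_range = ~(index | (size - 1UL - index))
                             >> (sizeof(unsigned long) * 8 - 1);
    return 0UL - in_range;            /* 1 -> ~0UL, 0 -> 0 */
}

/* Masked lookup: an out-of-range index is forced to 0 before the load,
 * so even a speculatively executed load stays inside the table. */
size_t cmd_size_nospec(unsigned int cmd)
{
    unsigned long idx = cmd;

    if (idx >= CMD_COUNT)
        return 0;
    /* Keep the compiler from dropping the mask as "provably redundant";
     * this mirrors the purpose of the kernel's OPTIMIZER_HIDE_VAR(). */
    __asm__ __volatile__("" : "+r"(idx));
    idx &= index_mask_nospec(idx, CMD_COUNT);
    return cmd_size_table[idx];
}

int main(void)
{
    unsigned int probes[] = { 0, 3, 7, 8, 0xffffffffu };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("cmd %u: switch=%zu table=%zu nospec=%zu\n", probes[i],
               cmd_size_switch(probes[i]),
               cmd_size_table_lookup(probes[i]),
               cmd_size_nospec(probes[i]));
    return 0;
}
```

All three functions return the same values architecturally; the difference is only what the CPU may load while speculating past the bounds check. Compiling cmd_size_switch with -O2 and inspecting the output is the quickest way to see whether a given compiler turned the switch into a table load, which is the case the thread says gcc-8 introduces.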