Received: by 10.223.176.5 with SMTP id f5csp861900wra;
        Fri, 9 Feb 2018 08:23:09 -0800 (PST)
X-Google-Smtp-Source: AH8x2247NLaZkMbQIK0QCmMQDT43kXgcIBRcVUEMkLlj3oNkB972vnZxdy5xFNaZUQwFealCBqX3
X-Received: by 2002:a17:902:5a3:: with SMTP id f32-v6mr3122657plf.48.1518193389606;
        Fri, 09 Feb 2018 08:23:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518193389; cv=none;
        d=google.com; s=arc-20160816;
        b=aTHJJX/mPFpEayKF3xMU3xL//4zGia8ieqvIfg3SV/V7JWH4vKf6F6+LJnTY34esYu
         DjULaLKu26PGTPVBY1Yll1C7hcVngrlLMn0pVBL0poPjTfw5z9BqhnbXtNrPityUak8d
         WliqMTTr2qgKeuPt+QWWdQ1RtblmRLC46sAo4lSLDBm46lmAj8xU3K0ccFHhZBXh/n7K
         Yyty1Mk1WZ6z0kL69XVesFX6aOv/Ei8RlIpxAfTV22D4WeEIDVe9CVqVBGP/rXDMQ9DM
         64D38Jm5uzdkLAPZEJZikQcDcAAK1QLqNhF1by3MfhcpxHOuhPewMSSO14vXjad27MmX
         FqlA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=GZdNwaZWc3yRNbRqWCJPBUyKPwOqYjSHkjhLr7PwSG0=;
        b=ssYmy273KjRfTKK2EIPDMXw/ps4/RLKaB5eslWs9fPxt32wdAIQADRDM4kUQNWIhNr
         vF+xt3FUIBWc6Oxo0nwhH1QL4z+TgQg8LfZRxSJTi/TTBfBo9bIfAyhCbDTMsj294ErG
         wFRVD/m0uYDtNLKIlb6IjtM15/7+4SQGgpxsjI2ufHwesRUusB2bZ7eM03jkzHQcARvH
         R1dDjush2tad/s/J3jK9K1i85/d40ktTs7QRYHeHfitJFEmJeKy7GhAR3D/S6TV+GbY4
         IM5nGnRAQfsm+fV7xM9C8tsd3Pq7sgypKdFCcO1HYV4Xj7umUkaniCJve2YrbYDygXkm
         L/Gg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=YV5Gkgw3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 23si1890231pfr.333.2018.02.09.08.22.55;
        Fri, 09 Feb 2018 08:23:09 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=YV5Gkgw3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752086AbeBIQUp (ORCPT <rfc822;huangleihappily@gmail.com>
        + 99 others); Fri, 9 Feb 2018 11:20:45 -0500
Received: from mail-ot0-f196.google.com ([74.125.82.196]:39592 "EHLO
        mail-ot0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751145AbeBIQUo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 9 Feb 2018 11:20:44 -0500
Received: by mail-ot0-f196.google.com with SMTP id f18so8208135otf.6
        for <linux-kernel@vger.kernel.org>; Fri, 09 Feb 2018 08:20:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=intel-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=GZdNwaZWc3yRNbRqWCJPBUyKPwOqYjSHkjhLr7PwSG0=;
        b=YV5Gkgw3QW5SQMQUGBQ1EKfX9ABAeg3Wu0wpBGtc1eZNIqWafsOISPjqD2HHty/d9H
         lnjIcXTju3C6CiZensRacV8IknI50z6mE2TieNFaQp88khiRv2KTpfiKyzZX6mduWPGg
         ThsyC2oK8Q6fOKNZEDf/ZUwzkStXwneuzbxR3BzR3IjoxAw2CcSt/ELeIOMTQbIOnZMs
         36YJcm92CZDedzds+XinEm2QWItlzIBIDrGpzNIf5IQxA2KGtf33QuGDjAKlJyCIX8RB
         vqfwgFElrgTzvyFuzHJavJQDPWAZYB3tIPy6JEMWc3EWXJFmuFvMG92Gqsl0OY7WqVJd
         kooQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=GZdNwaZWc3yRNbRqWCJPBUyKPwOqYjSHkjhLr7PwSG0=;
        b=maM+Fg4SHPMJkwLmC5HEbXgcGL6HqyEQWg9jalZjDco7tPp0fPIu5+lJVd3L09YXu1
         xtVhRUSQun3fdY9yKzRGmnyLEqANvMF/D/aZTMkWRF+ehnz/SnJr+Mqiwl672DhIN101
         DmWr/OwrHkRBK++3Ns+u2sopRQX1ofO/wne+Ery/YDSZ+qdFgsa+6460aqJ2HYtpUfbg
         l/1AqoKPxYgpli9NvAqCdn7E9y0NWhcxFw8tiwiN3XgZI3LUF22LrL8efeXP966DHWG2
         n/K3I9Z6jzabgI95Ors/O0u6sTGvDJqjDg4mFtSQ91ThlEXyfXzn4v78/eYGqQri5lf6
         XHhQ==
X-Gm-Message-State: APf1xPBVQxMwaENarTS936+9n4MytNPjJtJ+HkdI1zCS/U0/tyQFDM/c
        +nCykN38K0nqSFzqY4qxd7Lr9FZjTGqCZwhccYNnJA==
X-Received: by 10.157.35.114 with SMTP id k47mr2775863otd.338.1518193243845;
 Fri, 09 Feb 2018 08:20:43 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.62.91 with HTTP; Fri, 9 Feb 2018 08:20:43 -0800 (PST)
In-Reply-To: <CAK8P3a0EVW-shM0JNz0fsMWx19Z+BT3kvB6McwotSLGtThhAdA@mail.gmail.com>
References: <20180205150340.328921-1-arnd@arndb.de> <67d8f0f1-0846-876d-d36a-c8a9f9366243@citrix.com>
 <CAK8P3a36O-NbrKkt-DEEZE2A2JQ5Gu9GZ98j0BjoFET4kgTaWw@mail.gmail.com>
 <42258ad55dac4191813d258e43a44e0e@AcuMS.aculab.com> <CAK8P3a0EVW-shM0JNz0fsMWx19Z+BT3kvB6McwotSLGtThhAdA@mail.gmail.com>
From:   Dan Williams <dan.j.williams@intel.com>
Date:   Fri, 9 Feb 2018 08:20:43 -0800
Message-ID: <CAPcyv4jE0LghCXEMbAyLwXV3xK_K63V_yi_y+YA5LSQHDuHzLQ@mail.gmail.com>
Subject: Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
To:     Arnd Bergmann <arnd@arndb.de>
Cc:     David Laight <David.Laight@aculab.com>,
        Andrew Cooper <andrew.cooper3@citrix.com>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>,
        Juergen Gross <jgross@suse.com>,
        xen-devel <xen-devel@lists.xenproject.org>,
        Dan Carpenter <dan.carpenter@oracle.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        David Woodhouse <dwmw@amazon.co.uk>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 9, 2018 at 6:21 AM, Arnd Bergmann <arnd@arndb.de> wrote:
> On Fri, Feb 9, 2018 at 3:13 PM, David Laight <David.Laight@aculab.com> wrote:
>> From: Arnd Bergmann
>>> Sent: 09 February 2018 12:58
>> ...
>>> However, aside from this driver, I wonder if we should be worried about
>>> Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case
>>> statement into an array lookup behind our back, e.g. in an ioctl handler.
>>> Has anybody got this on their radar?
>>
>> The canonical code for a switch statement is to jump indirect on an array
>> of code pointers.
>> ioctl handlers probably use a series of compares because the values are
>> sparse.
>
> The majority of ioctl handlers is sparse enough that a table lookup wouldn't
> work, but there are still subsystems that never fully adopted the _IOC()
> macros, e.g. tty or socket ioctls are just consecutive numbers.
>
>> Also remember that gcc-8 will convert dense switch statements that just
>> load a value into a data array lookup.
>
> Right, that's the case I'm interested in here. I don't know how many of
> those exist in the kernel, as this would again be a small subset of the
> switch()/case statements that use consecutive numbers.
>
>> I guess both those jump tables are potential attack vectors.
>> Not quite sure how they might be used to leak info though.
>
> When I tested the xen fallback code with gcc-7.3, I noticed a retpoline
> getting generated for pointer array, so that should be safe.

The retpoline would protect the indirect call itself, but not the
lookup into the array. So this needs the same protection as the
syscall table where we sanitize the lookup index in addition to the
retpoline on the actual call.