From: Andy Lutomirski
Date: Fri, 16 Feb 2018 03:05:45 +0000
Subject: Re: [PATCH RFC v2 0/6] x86: Disabling PTI in compatibility mode
To: Nadav Amit
Cc: Andrew Cooper, Dave Hansen, Ingo Molnar, Thomas Gleixner, Andy Lutomirski, Peter Zijlstra, Willy Tarreau, X86 ML, LKML
List-ID: linux-kernel@vger.kernel.org

On Fri, Feb 16, 2018 at 12:51 AM, Nadav Amit wrote:
> Andrew Cooper wrote:
>
>> On 16/02/2018 00:25, Nadav Amit wrote:
>>> Dave Hansen wrote:
>>>
>>>> On 02/15/2018 08:35 AM, Nadav Amit wrote:
>>>>> I removed the PTI disabling while SMEP is unsupported, although I
>>>>> must admit I did not fully understand why it is required.
>>>> Do you mean you don't fully understand how PTI gives SMEP-like behavior
>>>> on non-SMEP hardware?
>>> No. I understand how it provides SMEP-like behavior, and I understand the value
>>> of SMEP by itself.
>>>
>>> However, I do not understand why SMEP-like protection is required to protect
>>> processes that run in compatibility mode from Meltdown/Spectre attacks. As
>>> far as I understand, the process should not be able to manipulate the kernel
>>> to execute code in the low 4GB.
>>
>> Being 32-bit is itself sufficient protection against Meltdown (as long as
>> there is nothing interesting of the kernel's mapped below the 4G boundary).
>>
>> However, a 32-bit compatibility process can try to attack with Spectre/SP2 to
>> redirect speculation back into userspace, at which point (if successful)
>> the pipeline will be speculating in 64-bit mode, and Meltdown is back on
>> the table. SMEP will block this attack vector, irrespective of other
>> SP2 defences the kernel may employ, but a fully SP2-defended kernel
>> doesn't require SMEP to be safe in this case.
>
> Based on Jann Horn's description of the branch predictor, it basically only
> holds the lowest 31 bits of the target address. There might be a subtle
> problem if the prediction wraps around, but excluding this case, I do not see
> how Spectre v2 can be used to jump into running user code.
>

If you can make the *kernel* speculate into user code, you can create
whatever gadget you want. A 32-bit task can poison the branch predictor
and use this to attack a non-retpolined kernel.