Received: by 10.192.165.148 with SMTP id m20csp4461859imm; Tue, 24 Apr 2018 03:13:19 -0700 (PDT) X-Google-Smtp-Source: AIpwx48M0RwIDXHVk27kq8+1pkZ1L27dsim05GZGNWoZsYRviXCfotEeWqHqcCIyCqvXoQ4NfZnN X-Received: by 2002:a17:902:6887:: with SMTP id i7-v6mr24210365plk.269.1524564799098; Tue, 24 Apr 2018 03:13:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524564799; cv=none; d=google.com; s=arc-20160816; b=N1TKBV9asT0Yw+kD1Vvhutrd0zKpW4YDidiUvc9e8BP+/pm0RskRuBNxsyPPjB4wgl tPS4CGreEit/14j0PQXInJun39WBTRlgZ51Zqz4ByL7RhbEWd0YlNJACu+/Im+hvvjRn PUu3Zim6FYj9TwyiKVyiUYuBcPYEIK5vnxDpZ/iTDgomtoSnkpW3qOqelCggml/qX5xT 5qOCvIkiuiknj7EDorCM1bXyJDK+BdJLUxm8+kZQUaPMu2sN/JLLLZQTTjQCSOfsR/Zb 0OQUDVNyBggy4E18Drs4Uk1w0kk/o/rEDxN7x6wXpGV8w1PANRnT360I09y/3j3K3Y/D p9Mg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature:arc-authentication-results; bh=DL0vFAnUiQDIIOTrgRvzvKARD14KJ7FDOukgpWZkH9E=; b=OpachYpBdRVfCd5d7LD1LqbwymuZBjQGVVqLu1FQXRgbDYqnBA1w/kMvoJHmXAniGh ka97ANajcsNwn1NTF0ttvALMzdofANI2jKX0VFJTX0Pe9KlswXwN/H2JRX2/fhr0aHt1 goFiK9ASDxdS6bkagDI09kPBL9K41sG0pHyAl8tQj6MGs64afYjloUQGpufqFuVqE7z1 JRb5U3bi3ksSDJu9O3zL7C+Lp6LCXgLApJ/dHBkSQOAnH35sGfkcoT8rzx4K4YINQW2R 7BDo6upk1N2hIFkprRkItbO4jN9XfgZXpVG6CDYe0iklj3RQzUSBFrF11oXu1Im7tNNK L9UQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=rnbxp8S2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d65si5437796pfd.182.2018.04.24.03.13.01; Tue, 24 Apr 2018 03:13:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=rnbxp8S2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932516AbeDXKL1 (ORCPT + 99 others); Tue, 24 Apr 2018 06:11:27 -0400 Received: from bombadil.infradead.org ([198.137.202.133]:49770 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932342AbeDXKLW (ORCPT ); Tue, 24 Apr 2018 06:11:22 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=Content-Transfer-Encoding: Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Subject:Cc:To: From:Date:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=DL0vFAnUiQDIIOTrgRvzvKARD14KJ7FDOukgpWZkH9E=; b=rnbxp8S2n8D6WE3BjtSiaz88R KBcAUWh27QY+bLHrX7uT+kXfzQLDPxVnzFc5nLrV56V2b/lshnOujv5bw6LoGayln84bKN9z8v3+d Sidr8slhieBKjhp/NU3bv8ISdD6ggjjPfmt8UCN3b1+qPawb/KW2DG6VBR9X6LSu29oa15KNaud7/ ABj770wQTBIpi9vg6enIxp2ZRvjmCHwMtEBz/AqyPneGBPrmdjKwyHeCeefuT0aPVBL1U7bXAqIPH ufRBHT+Uyfq5q+4ounr0y5npXSGqFPFEjQfZ0e+k5liYa2Dx9QWk+J8EG5hBgfFd3AaWOhHOT3hW0 FtpvxHC8g==; Received: from [177.157.96.200] (helo=vento.lan) by bombadil.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux)) id 1fAuuq-0005Lc-LD; Tue, 24 Apr 2018 10:11:17 +0000 Date: Tue, 24 Apr 2018 07:11:12 -0300 From: Mauro Carvalho Chehab To: Dan Carpenter Cc: "Gustavo A. R. Silva" , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Peter Zijlstra Subject: Re: [PATCH 01/11] media: tm6000: fix potential Spectre variant 1 Message-ID: <20180424071112.628f3e7f@vento.lan> In-Reply-To: <20180424093500.xvpcm3ibcu7adke2@mwanda> References: <3d4973141e218fb516422d3d831742d55aaa5c04.1524499368.git.gustavo@embeddedor.com> <20180423152455.363d285c@vento.lan> <20180424093500.xvpcm3ibcu7adke2@mwanda> X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.32; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Dan, Em Tue, 24 Apr 2018 12:35:00 +0300 Dan Carpenter escreveu: > Hi Mauro, > > I saw your comment on LWN. You argue on LWN that since the format array > is static the CPU won't speculatively read past the L1 cache? The intent of that comment is to be provocative, in the sense that people would argue against and point flaws (if any) on my rationale. As I explained when reviewing this patch, I don't care much if an automatic tool is saying that there's a vulnerability at the code, as it could be a false positive. So, what I want at the patch description is a threat analysis explaining how an algorithm is exploited. With regards to Spectre, I never tried to write an exploit myself, nor had to study it in detail in order to mitigate it. So, what I know about it is what I read on a few places. From the places where I read, the boundaries for an array exploit are limited to L1 cache, but, as I said before, I can be wrong on that. It will be great to hear to Peter's comment on that, as he knows a lot more than me about it. > > I don't know if that's true. It should be easy enough to filter out > the reads into static arrays. Peter do you know the answer here? > > regards, > dan carpenter > > On Mon, Apr 23, 2018 at 03:24:55PM -0300, Mauro Carvalho Chehab wrote: > > Em Mon, 23 Apr 2018 12:38:03 -0500 > > "Gustavo A. R. Silva" escreveu: > > > > > f->index can be controlled by user-space, hence leading to a > > > potential exploitation of the Spectre variant 1 vulnerability. > > > > > > Smatch warning: > > > drivers/media/usb/tm6000/tm6000-video.c:879 vidioc_enum_fmt_vid_cap() warn: potential spectre issue 'format' > > > > > > Fix this by sanitizing f->index before using it to index > > > array _format_ > > > > > > Notice that given that speculation windows are large, the policy is > > > to kill the speculation on the first load and not worry if it can be > > > completed with a dependent load/store [1]. > > > > > > [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 > > > > > > Cc: stable@vger.kernel.org > > > Reported-by: Dan Carpenter > > > Signed-off-by: Gustavo A. R. Silva > > > --- > > > drivers/media/usb/tm6000/tm6000-video.c | 2 ++ > > > 1 file changed, 2 insertions(+) > > > > > > diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c > > > index b2399d4..d701027 100644 > > > --- a/drivers/media/usb/tm6000/tm6000-video.c > > > +++ b/drivers/media/usb/tm6000/tm6000-video.c > > > @@ -26,6 +26,7 @@ > > > #include > > > #include > > > #include > > > +#include > > > > > > #include "tm6000-regs.h" > > > #include "tm6000.h" > > > @@ -875,6 +876,7 @@ static int vidioc_enum_fmt_vid_cap(struct file *file, void *priv, > > > if (f->index >= ARRAY_SIZE(format)) > > > return -EINVAL; > > > > > > + f->index = array_index_nospec(f->index, ARRAY_SIZE(format)); > > > > Please enlighten me: how do you think this could be exploited? > > > > When an application calls VIDIOC_ENUM_FMT from a /dev/video0 device, > > it will just enumerate a hardware functionality, with is constant > > for a given hardware piece. > > > > The way it works is that userspace do something like: > > > > int ret = 0; > > > > for (i = 0; ret == 0; i++) { > > ret = ioctl(VIDIOC_ENUM_FMT, ...); > > } > > > > in order to read an entire const table. > > > > Usually, it doesn't require any special privilege to call this ioctl, > > but, even if someone changes its permission to 0x400, a simple lsusb > > output is enough to know what hardware model is there. A lsmod > > or cat /proc/modules) also tells that the tm6000 module was loaded, > > with is a very good hint that the tm6000 is there or was there in the > > past. > > > > In the specific case of tm6000, all hardware supports exactly the > > same formats, as this is usually defined per-driver. So, a quick look > > at the driver is enough to know exactly what the ioctl would answer. > > Also, the net is full of other resources that would allow anyone > > to get the supported formats for a piece of hardware. > > > > Even assuming that the OS doesn't have lsusb, that /proc is not > > mounted, that /dev/video0 require special permissions, that the > > potential attacker doesn't have physical access to the equipment (in > > order to see if an USB board is plugged), etc... What possible harm > > he could do by identifying a hardware feature? > > > > Similar notes for the other patches to drivers/media in this > > series: let's not just start adding bloatware where not needed. > > > > Please notice that I'm fine if you want to submit potential > > Spectre variant 1 fixups, but if you're willing to do so, > > please provide an explanation about the potential threat scenarios > > that you're identifying at the code. > > > > Dan, > > > > It probably makes sense to have somewhere at smatch a place where > > we could explicitly mark the false-positives, in order to avoid > > use to receive patches that would just add an extra delay where > > it is not needed. > > > > Regards, > > Mauro Thanks, Mauro