Received: by 10.192.165.148 with SMTP id m20csp4540110imm;
        Tue, 24 Apr 2018 04:38:01 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/pfs85JBBAdnK/EdEcmwRF2Kn1mhFQkzBkm9j7LQGMvooJP7UMVabp5ZK2S/IQsXakA+Ra
X-Received: by 10.98.157.90 with SMTP id i87mr18943843pfd.190.1524569880974;
        Tue, 24 Apr 2018 04:38:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524569880; cv=none;
        d=google.com; s=arc-20160816;
        b=maVbk3ki1erdAaXlc59hm23MSKHjuka0kkwVuvs6tVeANyh02mwqm1AyGqCK6YXRCn
         hM2Kc/8KBs0/1Niq11r6HMndhgZM89dD4IkEm1mokLhz2mx5KFYZve44fe+Hf5hfHBho
         r/AoYmrW2TLimjMPuP52qjg/u3mNeWx21cnSNcwJ5H5KwI7Bb2kC+HZyR7dbD5HEIg2Q
         mAwfXlO70Q8Hj/Bx30gfLhJFHPEFVoFL2XJa03pi8Z4bBu9Xe5ew2SZpcUfOggLBBVR4
         VaVCS0pmvsTOVMsqiyL0gs0Mlp8Q1eByiln9vrfeVagEaDaYOu3VEi5D5jjEb0drR0Kf
         4W5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=RrPQkKwNgMm3OtEPJ/ex7g5EhaCI/UnvBCj7emZpodA=;
        b=OsyPtfGy+FTKcKT0wLfedQVwQnVE88Rpu8oPgwOXRU+u11BrBIStoVb3/NhgX1Aj9u
         mxVKKcRNKrUt6NoztiUKZ7/cFzTIbLkbwuPDkSwYCKZvXnoJskEAmFZia//WSNZDoaga
         Dhnbpev/AZacoyTiouCwDo1NVJigCS/bhdT8n8Zn9BnygeF2PPFVkbfnUFnG8x4MuPB/
         GhhMsWVyg8KAQUtAxzUMZcju+mHahTjS1sinDmqNMIvzaCm2PUjEbXEQzzsbib+lGbCi
         Ie2S3kUos10NrhaFNFYFTiRd5cN8tWUEakqBIlY1QxkjS5CfFYakw3Scjt4j+yCxLDYE
         Sktg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=rYAyAVY4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s1-v6si13221906plr.458.2018.04.24.04.37.46;
        Tue, 24 Apr 2018 04:38:00 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=rYAyAVY4;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932681AbeDXKgZ (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Tue, 24 Apr 2018 06:36:25 -0400
Received: from merlin.infradead.org ([205.233.59.134]:36806 "EHLO
        merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932545AbeDXKgU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 24 Apr 2018 06:36:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=merlin.20170209; h=In-Reply-To:Content-Type:MIME-Version:
        References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
        Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=RrPQkKwNgMm3OtEPJ/ex7g5EhaCI/UnvBCj7emZpodA=; b=rYAyAVY4dx+GsjElf8InsJmIM
        5RgxP0xFYRaNDaS5A6o5NNVOH7/fW8LSaLjBkGOBVtAu6x0JP0P6KC5zNaI89iyu4mDxjq0s2yTcP
        sRRPsy8JA1Xlm9uwVGos6/Y3hFZVZXrbQnRRps2VKcqJ2eDW+sin7Z7DcW8lkYNFttY3Qb7/0D6Kb
        PHWKVsmfwoeij831WODBBIRAyVeqV6gETpSY66b4SAfYJ21fl5AqWMB5J8VhKw9EhKvzbwNKfwUwl
        7THp2ENJucTrLak0kpLq6g3ZDaYBE8xcBNNBhkfcpVzYpH8mNnTZ+Eiu+49JsioeQ5VFRiIF1DGhy
        yKJY7k3dQ==;
Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=hirez.programming.kicks-ass.net)
        by merlin.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux))
        id 1fAvIy-00073l-OK; Tue, 24 Apr 2018 10:36:13 +0000
Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000)
        id 016E5203BFAF0; Tue, 24 Apr 2018 12:36:09 +0200 (CEST)
Date:   Tue, 24 Apr 2018 12:36:09 +0200
From:   Peter Zijlstra <peterz@infradead.org>
To:     Dan Carpenter <dan.carpenter@oracle.com>
Cc:     Mauro Carvalho Chehab <mchehab@kernel.org>,
        "Gustavo A. R. Silva" <gustavo@embeddedor.com>,
        linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 01/11] media: tm6000: fix potential Spectre variant 1
Message-ID: <20180424103609.GD4064@hirez.programming.kicks-ass.net>
References: <cover.1524499368.git.gustavo@embeddedor.com>
 <3d4973141e218fb516422d3d831742d55aaa5c04.1524499368.git.gustavo@embeddedor.com>
 <20180423152455.363d285c@vento.lan>
 <20180424093500.xvpcm3ibcu7adke2@mwanda>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180424093500.xvpcm3ibcu7adke2@mwanda>
User-Agent: Mutt/1.9.3 (2018-01-21)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 24, 2018 at 12:35:00PM +0300, Dan Carpenter wrote:
> On Mon, Apr 23, 2018 at 03:24:55PM -0300, Mauro Carvalho Chehab wrote:
> > Em Mon, 23 Apr 2018 12:38:03 -0500
> > "Gustavo A. R. Silva" <gustavo@embeddedor.com> escreveu:

> > > @@ -875,6 +876,7 @@ static int vidioc_enum_fmt_vid_cap(struct file *file, void  *priv,
> > >  	if (f->index >= ARRAY_SIZE(format))
> > >  		return -EINVAL;
> > >  
> > > +	f->index = array_index_nospec(f->index, ARRAY_SIZE(format));
> >
> > Please enlighten me: how do you think this could be exploited?

TL;DR: read the papers [1] & [2]

I suspect you didn't get the gist of Spectre V1 [1], let me explain:

Suppose userspace provides f->index > ARRAY_SIZE(format), and we predict
the branch to -EINVAL to not be taken.

Then the CPU _WILL_ load (out of bounds) format[f->index] into
f->pixelformat and continue onwards to use this bogus value, all the way
until it figures out the branch was mis-predicted.

Once it figures out the mispredict, it will throw away the state and
start over at the condition site. So far, so basic.

The thing is, is will not (and cannot) throw away all state. Suppose our
speculation continues into v4l_fill_fmtdesc() and that switch there is
compiled as another array lookup, it will then feed our f->pixelformat
(which contains random kernel memory) into that array to find the
requested descr pointer.

Now, imagine userspace having flushed cache on the descr pointer array,
having trained the branch predictor to mis-predict the branch (see
branchscope paper [2]) and doing that out-of-bounds ioctl().

It can then speculative do the out-of-bounds array access, followed by
the desc array load, then figure out it was wrong and redo.

Then usespace probes which part of the descr[] array is now in cache and
from that it can infer the initial out-of-bound value.

So while format[] is static and bound, it can read random kernel memory
up to format+4g, including your crypto keys.

As far as V1 goes, this is actually a fairly solid exploit candidate. No
false positive about it.

Now kernel policy is to kill any and all speculation on user controlled
array indexing such that we don't have to go look for subsequent side
channels (the above cache side channel is the one described in the
Spectre paper and by far the easiest, but there are other possible side
channels) and we simply don't want to worry about it.

So even from that pov, the proposed patch is good.


[1] https://spectreattack.com/spectre.pdf
[2] www.cs.ucr.edu/~nael/pubs/asplos18.pdf