Received: by 10.192.165.148 with SMTP id m20csp4937053imm; Tue, 24 Apr 2018 10:50:12 -0700 (PDT) X-Google-Smtp-Source: AIpwx48ToXO7IJ5qQ1ztAiWEzAiIaP6qQsGxTM9DiU+/as5wbdjHe6auNZfhyeLvTIfwSIbsaG2A X-Received: by 10.99.165.79 with SMTP id r15mr21658301pgu.236.1524592212857; Tue, 24 Apr 2018 10:50:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524592212; cv=none; d=google.com; s=arc-20160816; b=yRF9rPhrr53lIUZ9Sk9AFsdCTWf9uF21XAXGA/XV43QlfmuU85bSLjaU8UtJpk0ACF 1UmOCkK5UzVNHpazXUn+yJhrb/YhPMGrX1zYbr1CwzHVchNDw8pxHIoqfw9RX3TgiLZl NPoKT2xjLxRkvI++tLM6Vdp16fQHWwRu6I/WtUaXPWvm8LkWFntZZwhTWPq3/hDyPEmx pJqfaC7zt5Iq7yp4D0NE2yGXJvIoM/tpTnnWTFJ08J1oVVESS2zssivU6Uz96ALfF685 aI+Vsf47/3rnMsDoDOmh4gYH0DLUK3Usv9rW0BasCSh2UGwJNUQY2lhGZGdHsJC1T5kD WhYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature:arc-authentication-results; bh=ke02t1HdCBjBheZ3FQAZsKfG6CulGmtnr06DX+yzkzo=; b=Tw9CcxRFfKwrIuJ/t6ZDmqd2TTGXbQov9QVi54M+XZM09t2G8P8wHRfcEng7igkCGw CAZxE3UN1R2ZggG+exfGw88wUAW0amwTAnB0aYN4kMPQwP3ly5SxP4Sb3GLOgvaxWv9F JKINsK/VIicb/ap2IEPcDillXxr9B4ZCssmavFJnuJ/WHWOLIJ53zjmW2n6r2XGfY7Qk FM61HUQniGLoui0Vyv6EhMXwXJRoZhVPIHuXgdEraTr2RO+1WFLYSc3kTRyOIa/bCy1d xP93tBYE4pt+qwlgOellQ3C0SBb0NAeBQkqhvmCoRnNf/sERDchf9xamdaMr9XbSKcyy 2KXQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=MVK27tCh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j7-v6si14639869plk.506.2018.04.24.10.49.58; Tue, 24 Apr 2018 10:50:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=bombadil.20170209 header.b=MVK27tCh; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753303AbeDXRsR (ORCPT + 99 others); Tue, 24 Apr 2018 13:48:17 -0400 Received: from bombadil.infradead.org ([198.137.202.133]:37312 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752105AbeDXRsJ (ORCPT ); Tue, 24 Apr 2018 13:48:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=Content-Transfer-Encoding: Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Subject:Cc:To: From:Date:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=ke02t1HdCBjBheZ3FQAZsKfG6CulGmtnr06DX+yzkzo=; b=MVK27tChsLa1CUiEKyOBYlsLl S1j1k6WshWGZ5rRwcH9WFMj0nRzIbY4xO7FZGYIjHJFpGg8eTe+EVBr+k2BsbcdEDY2f/byNfxgYK Jx5mkGpzNFE1gLz3rTCspglkucmZd88pVVr//Vi/5r6qF7K9qjOAf5NLc+jFFyyoMdojriI0HAHGZ 1CUKIp34SosoLY2exV/LeFsRnQmcnHk9TU/VLNOnuhFMXqgbPGca2wKsQ7Wpz1H3kOFp9Tl/qXhqa G/mXB5e1pjXm1KjFxMzxTrhS8Y7K/HNELUnjezCJ1s33JjqByk27J5FoiM0r2Ub/ZbMT4KA791Pme 8XudKcd0w==; Received: from [177.157.96.200] (helo=vento.lan) by bombadil.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux)) id 1fB22q-00080m-V7; Tue, 24 Apr 2018 17:48:01 +0000 Date: Tue, 24 Apr 2018 14:47:55 -0300 From: Mauro Carvalho Chehab To: Peter Zijlstra Cc: Dan Carpenter , "Gustavo A. R. Silva" , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 01/11] media: tm6000: fix potential Spectre variant 1 Message-ID: <20180424144755.1c2e2478@vento.lan> In-Reply-To: <20180424103609.GD4064@hirez.programming.kicks-ass.net> References: <3d4973141e218fb516422d3d831742d55aaa5c04.1524499368.git.gustavo@embeddedor.com> <20180423152455.363d285c@vento.lan> <20180424093500.xvpcm3ibcu7adke2@mwanda> <20180424103609.GD4064@hirez.programming.kicks-ass.net> X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.32; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Em Tue, 24 Apr 2018 12:36:09 +0200 Peter Zijlstra escreveu: > On Tue, Apr 24, 2018 at 12:35:00PM +0300, Dan Carpenter wrote: > > On Mon, Apr 23, 2018 at 03:24:55PM -0300, Mauro Carvalho Chehab wrote: > > > Em Mon, 23 Apr 2018 12:38:03 -0500 > > > "Gustavo A. R. Silva" escreveu: > > > > > @@ -875,6 +876,7 @@ static int vidioc_enum_fmt_vid_cap(struct file *file, void *priv, > > > > if (f->index >= ARRAY_SIZE(format)) > > > > return -EINVAL; > > > > > > > > + f->index = array_index_nospec(f->index, ARRAY_SIZE(format)); > > > > > > Please enlighten me: how do you think this could be exploited? > > TL;DR: read the papers [1] & [2] > > I suspect you didn't get the gist of Spectre V1 [1], let me explain: > > Suppose userspace provides f->index > ARRAY_SIZE(format), and we predict > the branch to -EINVAL to not be taken. > > Then the CPU _WILL_ load (out of bounds) format[f->index] into > f->pixelformat and continue onwards to use this bogus value, all the way > until it figures out the branch was mis-predicted. > > Once it figures out the mispredict, it will throw away the state and > start over at the condition site. So far, so basic. > > The thing is, is will not (and cannot) throw away all state. Suppose our > speculation continues into v4l_fill_fmtdesc() and that switch there is > compiled as another array lookup, it will then feed our f->pixelformat > (which contains random kernel memory) into that array to find the > requested descr pointer. > > Now, imagine userspace having flushed cache on the descr pointer array, > having trained the branch predictor to mis-predict the branch (see > branchscope paper [2]) and doing that out-of-bounds ioctl(). > > It can then speculative do the out-of-bounds array access, followed by > the desc array load, then figure out it was wrong and redo. > > Then usespace probes which part of the descr[] array is now in cache and > from that it can infer the initial out-of-bound value. > > So while format[] is static and bound, it can read random kernel memory > up to format+4g, including your crypto keys. > > As far as V1 goes, this is actually a fairly solid exploit candidate. No > false positive about it. > > Now kernel policy is to kill any and all speculation on user controlled > array indexing such that we don't have to go look for subsequent side > channels (the above cache side channel is the one described in the > Spectre paper and by far the easiest, but there are other possible side > channels) and we simply don't want to worry about it. > > So even from that pov, the proposed patch is good. > > > [1] https://spectreattack.com/spectre.pdf > [2] www.cs.ucr.edu/~nael/pubs/asplos18.pdf > On Tue, Apr 24, 2018 at 12:36:09PM +0200, Peter Zijlstra wrote: > > > > Then usespace probes which part of the descr[] array is now in cache and > > from that it can infer the initial out-of-bound value. > > Just had a better look at v4l_fill_fmtdesc() and actually read the > comment. The code cannot be compiled as a array because it is big and > sparse. But the log(n) condition tree is a prime candidate for the > branchscope side-channel, which would be able to reconstruct a > significant number of bits of the original value. A denser tree gives > more bits etc. Peter, Thanks for a comprehensive explanation about that. It now makes more sense to me. Yeah, better to apply a fix to avoid the issue with VIDIOC_ENUM_FMT. Btw, on almost all media drivers, the implementation for enumerating the supported formats are the same (and we have a few other VIDOC_ENUM_foo ioctls that usually do similar stuff): the V4L2 core calls a driver, with looks into an array, returning the results to the core. So, a fix like that should likely go to almost all media drivers (there are a lot of them!), and, for every new one, to take care to avoid introducing it again during patch review process. So, I'm wondering if are there any way to mitigate it inside the core itself, instead of doing it on every driver, e. g. changing v4l_enum_fmt() implementation at v4l2-ioctl. Ok, a "poor man" approach would be to pass the array directly to the core and let the implementation there to implement the array fetch logic, calling array_index_nospec() there, but I wonder if are there any other way that won't require too much code churn. Thanks, Mauro