Date: Sun, 23 Dec 2018 15:11:51 -0800
From: Alexei Starovoitov
To: Tim Chen
Cc: Thomas Gleixner, Jiri Kosina, Linus Torvalds, Tom Lendacky, Ingo Molnar, Peter Zijlstra, Josh Poimboeuf, Andrea Arcangeli, David Woodhouse, Andi Kleen, Dave Hansen, Asit Mallick, Arjan van de Ven, Jon Masters, Waiman Long, Greg KH, Borislav Petkov, linux-kernel@vger.kernel.org, x86@kernel.org, stable@vger.kernel.org, daniel@iogearbox.net
Subject: Re: [PATCH] x86/speculation: Add document to describe Spectre and its mitigations
Message-ID: <20181223231149.5yuenb53pavlvr3m@ast-mbp.dhcp.thefacebook.com>
References: <64efec3fda40c0758601bf9b1480a35d76d3c487.1545413988.git.tim.c.chen@linux.intel.com>
In-Reply-To: <64efec3fda40c0758601bf9b1480a35d76d3c487.1545413988.git.tim.c.chen@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Dec 21, 2018 at 09:44:44AM -0800, Tim Chen wrote:
> +
> +4. Kernel sandbox attacking kernel
> +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> +
> +The kernel has support for running user-supplied programs within the
> +kernel. Specific rules (such as bounds checking) are enforced on these
> +programs by the kernel to ensure that they do not violate access controls.
> +
> +eBPF is a kernel sub-system that uses user-supplied program
> +to execute JITed untrusted byte code inside the kernel. eBPF is used
> +for manipulating and examining network packets, examining system call
> +parameters for sand boxes and other uses.
> +
> +A malicious local process could upload and trigger an malicious
> +eBPF script to the kernel, with the script attacking the kernel
> +using variant 1 or 2 and reading memory.

Above is not correct. The exploit for var2 does not load bpf progs into the kernel. Instead the bpf interpreter is speculatively executing a bpf prog that was never loaded. Hence CONFIG_BPF_JIT_ALWAYS_ON=y is necessary to make var2 harder to exploit. Same goes for other in-kernel interpreters and state machines.

> +
> +Necessary Prerequisites:
> +1. Malicious local process
> +2. eBPF JIT enabled for unprivileged users, attacking kernel with secrets
> +on the same machine.

This is not quite correct either. Var 1 could have been exploited with and without JIT. Also the above sounds like var1 is still exploitable through bpf, which is not the case.
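Review bot: the "Necessary Prerequisites" item "eBPF JIT enabled for unprivileged users" contradicts the reply above it: for variant 2 the concern is the in-kernel interpreter rather than any loaded or JITed program, so the JIT (forced on by CONFIG_BPF_JIT_ALWAYS_ON=y) is part of the mitigation, not a precondition; suggest reworking that item and the "uses user-supplied program to execute JITed untrusted byte code" sentence so the two agree. Also fix the grammar in the hunk: "uses user-supplied program" should read "uses user-supplied programs", "an malicious eBPF script" should read "a malicious eBPF program", and "sand boxes" should be "sandboxes".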
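As an added defender's check (not part of this thread or of the kernel patch), a Python script that applies the point made in the reply to a kernel build: it parses a kernel .config plus the net.core.bpf_jit_enable sysctl and reports whether the eBPF interpreter is still compiled in, since only CONFIG_BPF_JIT_ALWAYS_ON=y removes it. The sample configs are constructed, and reading /proc/config.gz assumes a kernel built with CONFIG_IKCONFIG_PROC=y.

```python
import gzip
import re

def parse_kconfig(text):
    """Parse kernel .config text into {option: value}; '# X is not set' -> 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def assess_bpf_interpreter(config_text, bpf_jit_enable):
    """Return (interpreter_present, notes) for one kernel build plus its runtime sysctl.
    The thread's point for variant 2 is that the in-kernel eBPF interpreter is
    what gets executed speculatively, whether or not a program was ever loaded,
    so turning the JIT on at runtime does not remove that code: only building
    with CONFIG_BPF_JIT_ALWAYS_ON=y compiles the interpreter out.
    bpf_jit_enable is net.core.bpf_jit_enable (0 = interpret, 1/2 = JIT).
    """
    opts = parse_kconfig(config_text)
    if opts.get("CONFIG_BPF_JIT_ALWAYS_ON") == "y":
        return False, ["ok: CONFIG_BPF_JIT_ALWAYS_ON=y, interpreter compiled out"]
    notes = ["interpreter is compiled in; rebuild with CONFIG_BPF_JIT_ALWAYS_ON=y"]
    if opts.get("CONFIG_BPF_JIT") != "y":
        notes.append("CONFIG_BPF_JIT=n: all BPF programs run interpreted")
    elif int(bpf_jit_enable) == 0:
        notes.append("JIT built but net.core.bpf_jit_enable=0: programs still run interpreted")
    else:
        notes.append("JIT active at runtime, but interpreter code remains reachable")
    return True, notes

# Constructed sample configs for illustration (not taken from any real machine).
SAMPLE_HARDENED = "CONFIG_BPF_JIT=y\nCONFIG_BPF_JIT_ALWAYS_ON=y\n"
SAMPLE_RUNTIME_JIT = "CONFIG_BPF_JIT=y\n# CONFIG_BPF_JIT_ALWAYS_ON is not set\n"

if __name__ == "__main__":
    # Inspect the running kernel; /proc/config.gz requires CONFIG_IKCONFIG_PROC=y.
    with gzip.open("/proc/config.gz", "rt") as f:
        cfg = f.read()
    with open("/proc/sys/net/core/bpf_jit_enable") as f:
        jit = f.read().strip()
    present, notes = assess_bpf_interpreter(cfg, jit)
    print("interpreter present:", present)
    for note in notes:
        print(" -", note)
```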