Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp375620ybi; Wed, 29 May 2019 23:25:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqw+Kny81TyTjZ/nHNGTq4nwyqA2on99iWa1J0wvZvpWvv07+cfNQIkC7tPyTckni1ELlfq7 X-Received: by 2002:a17:902:163:: with SMTP id 90mr2274182plb.212.1559197543147; Wed, 29 May 2019 23:25:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559197543; cv=none; d=google.com; s=arc-20160816; b=mLeli/YIm3jbAi5uf7CKIoyi8a6Pz6rYhyAsDOkNTalZ/NFjM9b4yJhr24f0t7oHju wg3n22juqejIrFskSv494xBG8Zth2A3/+FIOQBjIWzR5JP5kMXYKgz0HeRz0HUcOXoNW /9KWKMoaza+1YabY/9+n/6cT3man55KyeeOzQNoJpqhOPRgWcz51PKBJFEvUKHWhjmAv qAJEmu5CcJAavDyJHvFoXyb6Ep3hbEdq9zNjBN2nWCGHnEaYLlXDm7bVPvwPgc1hY8W6 PMl/ygw3wJMI6v+KyIHWnOABqHq7TAAvS0+JBr4WUO3gK+vZhkgv6WvjjMtOvUP63naH Njow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=lFbxJVmwwDktBP7Omlp2VSDl1R2lSTomTFt7z7dkoXE=; b=YXjPqEmPegRvfkBjNre4H6O6q6OWiXiOhQuJoFQHLi5/1oWEaC6nt2jS4pjZknMkLM lHUoM9AEbSobeJuxYUSR/iWLxb6Sez4Xpgk+AwB1jnM7A8tOjBjjNnJmRrCztCau4z9a xqS5yWH+dwbIB2QvTcxSjdLCjzLHv4Fvw6PR3n3n5Mp4xv7X8wnvfUF6t4ibeJ5lqASQ bZJHbKRROAI2A77QZbxr1IYBjpJMAnCI3qbx9vGu+I55UIt5z1DoDi9opfAGhb1alQOY 0FEhgW69OptSz7LcDXA4/z3ioErjYaQ7D5wkQMupiptEkP1hYUX0scAObCK8z9C5Mlqn 3nQQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h6si2021828pjk.65.2019.05.29.23.25.26; Wed, 29 May 2019 23:25:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727331AbfE3GYV (ORCPT + 99 others); Thu, 30 May 2019 02:24:21 -0400 Received: from mx2.suse.de ([195.135.220.15]:47722 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725961AbfE3GYV (ORCPT ); Thu, 30 May 2019 02:24:21 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 38A4AACA8; Thu, 30 May 2019 06:24:20 +0000 (UTC) Date: Thu, 30 May 2019 08:24:18 +0200 From: Michal Hocko To: Dianzhang Chen Cc: cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, akpm@linux-foundation.org, linux-mm@kvack.org, LKML Subject: Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab() Message-ID: <20190530062418.GB6703@dhcp22.suse.cz> References: <1559133448-31779-1-git-send-email-dianzhangchen0@gmail.com> <20190529162532.GG18589@dhcp22.suse.cz> <20190529174931.GH18589@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [Please do not top-post] On Thu 30-05-19 13:20:01, Dianzhang Chen wrote: > It is possible that a CPU mis-predicts the conditional branch, and > speculatively loads size_index[size_index_elem(size)], even if size >192. > Although this value will subsequently be discarded, > but it can not drop all the effects of speculative execution, > such as the presence or absence of data in caches. Such effects may > form side-channels which can be > observed to extract secret information. I understand the general mechanism of spectre v1. What I was asking for is an example of where userspace directly controls the allocation size as this is usually bounded to an in kernel object size. I can see how and N * sizeof(object) where N is controlled by the userspace could be the target. But calling that out explicitly would be appreciated. > As for "why this particular path a needs special treatment while other > size branches are ok", > i think the other size branches need to treatment as well at first place, > but in code `index = fls(size - 1)` the function `fls` will make the > index at specific range, > so it can not use `kmalloc_caches[kmalloc_type(flags)][index]` to load > arbitury data. > But, still it may load some date that it shouldn't, if necessary, i > think can add array_index_nospec as well. Please mention that in the changelog as well. > On Thu, May 30, 2019 at 1:49 AM Michal Hocko wrote: > > > > On Thu 30-05-19 00:39:53, Dianzhang Chen wrote: > > > It's come from `192+1`. > > > > > > > > > The more code fragment is: > > > > > > > > > if (size <= 192) { > > > > > > if (!size) > > > > > > return ZERO_SIZE_PTR; > > > > > > size = array_index_nospec(size, 193); > > > > > > index = size_index[size_index_elem(size)]; > > > > > > } > > > > OK I see, I could have looked into the code, my bad. But I am still not > > sure what is the potential exploit scenario and why this particular path > > a needs special treatment while other size branches are ok. Could you be > > more specific please? > > -- > > Michal Hocko > > SUSE Labs -- Michal Hocko SUSE Labs