Received: by 2002:a05:7412:37c9:b0:e2:908c:2ebd with SMTP id jz9csp532499rdb;
        Tue, 19 Sep 2023 02:58:44 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFe5QH0N3yGPr9KaI9Rq3JqdtBu/AhYrtzf2IJmSX3F0711WpoX6CjWruDCHvOkcf46iL51
X-Received: by 2002:a17:90b:3b4b:b0:26d:355a:47e3 with SMTP id ot11-20020a17090b3b4b00b0026d355a47e3mr9651318pjb.38.1695117524400;
        Tue, 19 Sep 2023 02:58:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695117524; cv=none;
        d=google.com; s=arc-20160816;
        b=bVU0bMmS5TLfYZ1UVpvB4FOaT6reZxQ6hHCGxrX8fT335u4peDqydXFkQ/xJLOC6T1
         YzXFfXAG1N/GVCQiq3qfiZFBs3C1Osa/3ML2aEuL22ZeRMTchMjS+xwaKL6+nLTxWP0v
         cGB46B/Q1v32M/pBlNtL6RRdFKSFWYDKSb5JcFqstrc5Cu4ApISpsojiHG6piEVFWnwj
         PCqDwZ20evJtCinUyXdVTrJOeiAVxbnmNCS0Pq57NJDw6NI9Bc7QvTac+p8Ud1nPys0T
         2Y17DwF3PPF8M+ENCWkLz5Pdg3WJapRIZOY9vYcwbkePZBlm4UA+/TCKuFvXGgb/qi7/
         /AOQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=8M0oH3rEpj2jIH57zHE90N6wAzwLmk1hC60jq7/TfHg=;
        fh=EjX1nraRIg7WGwxfST+ksPiC+DNiLyiA2eewp6K6rfI=;
        b=FrYPaw7Kb7q0ztz8/ICvp4m3H3mlLe5g+cdN8k+fQaEwcXQYG5YW29akPyp0BUiTJb
         YRGLZREhL4jz6ZIR6RbWb7sMWih5/Nr8CmLQkIzHYb3yy0/za4a6kFYtV//TMRjvRH5l
         2Q7aaRE7Xi1iQRpiogoshMetIE0phHgKPXusa7JE71rb+eXJseWlFNslVQLWzDP2Yykf
         Pi3xfby3K8ffLIdGH/dtu23YROV97l61MfFOhs5iQ0qYYE0MAWYwQhfiZSFiGd2MIr7p
         eWu7xiHKnZBZIQR9vfQ+2ujtVGAs7QrM8zaYkplr5TP3oIpdbPPgFF6X5xJcui26uS+6
         QM3A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=UnvUmYW9;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from pete.vger.email (pete.vger.email. [23.128.96.36])
        by mx.google.com with ESMTPS id gf21-20020a17090ac7d500b00262ef440ed4si3927185pjb.27.2023.09.19.02.58.24
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 19 Sep 2023 02:58:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=UnvUmYW9;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by pete.vger.email (Postfix) with ESMTP id 69C6C80765FC;
	Tue, 19 Sep 2023 01:57:50 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230494AbjISI5m (ORCPT <rfc822;bh1scw@gmail.com> + 99 others);
        Tue, 19 Sep 2023 04:57:42 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46146 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229690AbjISI5k (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 19 Sep 2023 04:57:40 -0400
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DDCEA11A;
        Tue, 19 Sep 2023 01:57:34 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id ffacd0b85a97d-31f71b25a99so5336250f8f.2;
        Tue, 19 Sep 2023 01:57:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1695113853; x=1695718653; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=8M0oH3rEpj2jIH57zHE90N6wAzwLmk1hC60jq7/TfHg=;
        b=UnvUmYW9t+62tSO9cDZLDbwBNl0sLb/ElHQhYNWBNFnkmSHpH53HhSMbHKM3wmxnm9
         nQfAJfz1JE3yqc0ZC+DfxsHNi11Id0LWKjoyDpfJK8BT/4Ov/NUe9w3hQMGvyy6PUNkh
         0TyNsm8KFzQHF6S0mZm5eVUzIaBVCKlc6DKscas3MhaIU+BKfxkMzgpbH0HD8fxYPztc
         iBViLpo0W5lPQPI+6IARjdadXo5g0ISfHHXz6r2SoLIyTDLNDb1OP4gZetL2FqIsBEUV
         Kxi5hRNJ6VzKgc6f2Huf9gGYpirxqhetqjV0L8hFsLblSSV5mWYMkC2+q5hJxQerkt6g
         gk4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1695113853; x=1695718653;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=8M0oH3rEpj2jIH57zHE90N6wAzwLmk1hC60jq7/TfHg=;
        b=ROdYee6uVmJmbTBv2Gmu8xwDG22BVw5e8BOAqONeD0/IivdiVyTXPeqk9G+UyK8WbS
         kvPxjw1Y03mvwlvEKVchaz5hLyI/9PAJPwKnG9e8XexJVGHINkeLkqpYqU31YEzW1su6
         wlV0B5c2Bjp4/DXhCwXW6EP0d/Exu3ziywoCV9AGdtVjyMO0Y0dW/iBGp53lMpRkujQ6
         x3NnxOqePh+cDNw4aYl+JntOQVeinV/Hgy1DNYWMnLtEYZdQ5mER8qg4Ure/ZeRZ7zeA
         EEQMbw+p64Z4BhcUvCOVXFxHDt0y/yzVs1yvvjFPG7dI7UW2G5uke+DMcuZEmGrFFK0j
         WN0A==
X-Gm-Message-State: AOJu0YwAb4Hk7Cd7HxTaJfKxHCakwrCtzebV4b6g9GbNgAhU5BTJZLKO
        hSwnRxhHX3ZjgrFBC9naTbvhn+cmmX06fRzCHDI=
X-Received: by 2002:adf:ce87:0:b0:317:57f0:fae with SMTP id
 r7-20020adfce87000000b0031757f00faemr9012499wrn.63.1695113853086; Tue, 19 Sep
 2023 01:57:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAADnVQJ4Fg-VQ-tVCEqsKLuozT7y_o8pZ1oM3eBW7u-Z0jOk4A@mail.gmail.com>
 <20230918112549.105846-1-gerhorst@amazon.de>
In-Reply-To: <20230918112549.105846-1-gerhorst@amazon.de>
From:   Alexei Starovoitov <alexei.starovoitov@gmail.com>
Date:   Tue, 19 Sep 2023 01:57:21 -0700
Message-ID: <CAADnVQJZRqNZ_rKw2tUrmDpwhW7JGUge1+9x1_qtROf=OyMpHw@mail.gmail.com>
Subject: Re: [PATCH 2/3] Revert "bpf: Fix issue in verifying allow_ptr_leaks"
To:     Luis Gerhorst <gerhorst@amazon.de>
Cc:     Andrii Nakryiko <andrii@kernel.org>,
        Alexei Starovoitov <ast@kernel.org>, bpf <bpf@vger.kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Luis Gerhorst <gerhorst@cs.fau.de>,
        Hagar Gamal Halim Hemdan <hagarhem@amazon.de>,
        Hao Luo <haoluo@google.com>,
        Ilya Leoshkevich <iii@linux.ibm.com>,
        John Fastabend <john.fastabend@gmail.com>,
        Jiri Olsa <jolsa@kernel.org>, KP Singh <kpsingh@kernel.org>,
        Yafang Shao <laoar.shao@gmail.com>,
        LKML <linux-kernel@vger.kernel.org>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@vger.kernel.org>,
        Martin KaFai Lau <martin.lau@linux.dev>,
        Mykola Lysenko <mykolal@fb.com>,
        Puranjay Mohan <puranjay12@gmail.com>,
        Stanislav Fomichev <sdf@google.com>,
        Shuah Khan <shuah@kernel.org>, Song Liu <song@kernel.org>,
        Yonghong Song <yonghong.song@linux.dev>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Tue, 19 Sep 2023 01:57:50 -0700 (PDT)

On Mon, Sep 18, 2023 at 4:26=E2=80=AFAM Luis Gerhorst <gerhorst@amazon.de> =
wrote:
>
> It is true that this is not easily possible using the method most exploit=
s use,
> at least to my knowledge (i.e., accessing the same address from another c=
ore).
> However, it is still possible to evict the cacheline with skb->data/data_=
end
> from the cache in between the loads by iterating over a large map using
> bpf_loop(). Then the load of skb->data_end would be slow while skb->data =
is
> readily available in a callee-saved register.

...

> call %[bpf_loop]; \
> gadget_%=3D: \
> r2 =3D *(u32 *)(r7 + 80);   \
> if r2 <=3D r9 goto exit_%=3D; \

r9 is supposed to be available in the callee-saved register? :)
I think you're missing that it is _callee_ saved.
If that bpf_loop indeed managed to flush L1 cache the
refill of r9 in the epilogue would be a cache miss.
And r7 will be a cache miss as well.
So there is no chance cpu will execute 'if r2 <=3D r9' speculatively.

I have to agree that the above approach sounds plausible in theory
and I've never seen anyone propose to mispredict a branch
this way. Which also means that no known speculation attack
was crafted. I suspect that's a strong sign that
the above approach is indeed a theory and it doesn't work in practice.
Likely because the whole cache is flushed the subsequent misses
will spoil all speculation. For spec v1 to work you need
only one slow load in one side of that branch.
The other load and the speculative code after should not miss.
When it does the spec code won't be able to leave the breadcrumbs
of the leaked bit in the cache.
'Leak full byte' is also 'wishful thinking' imo.
I haven't seen any attack that leaks byte at-a-time.

So I will insist on seeing a full working exploit before doing
anything else here. It's good to discuss this cpu speculation
concerns, but we have to stay practical.
Even removing bpf from the picture there is so much code
in the network core that checks packet boundaries.
One can find plenty of cases of 'read past skb->end'
under speculation and I'm arguing none of them are exploitable.