Return-path: Received: from mail-oi0-f67.google.com ([209.85.218.67]:45168 "EHLO mail-oi0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752213AbeAFThE (ORCPT ); Sat, 6 Jan 2018 14:37:04 -0500 Received: by mail-oi0-f67.google.com with SMTP id x20so5122225oix.12 for ; Sat, 06 Jan 2018 11:37:04 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> From: Dan Williams Date: Sat, 6 Jan 2018 11:37:03 -0800 Message-ID: (sfid-20180106_203728_709564_1753E00D) Subject: Re: [PATCH 00/18] prevent bounds-check bypass via speculative execution To: Linux Kernel Mailing List Cc: Mark Rutland , Peter Zijlstra , Alan Cox , Srinivas Pandruvada , Will Deacon , Solomon Peachy , "H. Peter Anvin" , Christian Lamparter , Elena Reshetova , linux-arch@vger.kernel.org, Andi Kleen , "James E.J. Bottomley" , linux-scsi , Jonathan Corbet , X86 ML , Ingo Molnar , Alexey Kuznetsov , Zhang Rui , "Linux-media@vger.kernel.org" , Arnd Bergmann , Jan Kara , Eduardo Valentin , Al Viro , qla2xxx-upstream@qlogic.com, Thomas Gleixner , Mauro Carvalho Chehab , Arjan van de Ven , Kalle Valo , Alan Cox , "Martin K. Petersen" , Hideaki YOSHIFUJI , Greg KH , linux-wireless@vger.kernel.org, "Eric W. Biederman" , Netdev , Linus Torvalds , "David S. Miller" , Laurent Pinchart Content-Type: text/plain; charset="UTF-8" Sender: linux-wireless-owner@vger.kernel.org List-ID: On Fri, Jan 5, 2018 at 5:09 PM, Dan Williams wrote: > Quoting Mark's original RFC: > > "Recently, Google Project Zero discovered several classes of attack > against speculative execution. One of these, known as variant-1, allows > explicit bounds checks to be bypassed under speculation, providing an > arbitrary read gadget. Further details can be found on the GPZ blog [1] > and the Documentation patch in this series." > > This series incorporates Mark Rutland's latest api and adds the x86 > specific implementation of nospec_barrier. The > nospec_{array_ptr,ptr,barrier} helpers are then combined with a kernel > wide analysis performed by Elena Reshetova to address static analysis > reports where speculative execution on a userspace controlled value > could bypass a bounds check. The patches address a precondition for the > attack discussed in the Spectre paper [2]. > > A consideration worth noting for reviewing these patches is to weigh the > dramatic cost of being wrong about whether a given report is exploitable > vs the overhead nospec_{array_ptr,ptr} may introduce. In other words, > lets make the bar for applying these patches be "can you prove that the > bounds check bypass is *not* exploitable". Consider that the Spectre > paper reports one example of a speculation window being ~180 cycles. > > Note that there is also a proposal from Linus, array_access [3], that > attempts to quash speculative execution past a bounds check without > introducing an lfence instruction. That may be a future optimization > possibility that is compatible with this api, but it would appear to > need guarantees from the compiler that it is not clear the kernel can > rely on at this point. It is also not clear that it would be a > significant performance win vs lfence. > > These patches also will also be available via the 'nospec' git branch > here: > > git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux nospec It appears that git.kernel.org has not mirrored out the new branch. In the meantime here's an alternative location: https://github.com/djbw/linux.git nospec If there are updates to these patches they will appear in nospec-v2, nospec-v3, etc... branches.