Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp8734037rwi;
        Tue, 25 Oct 2022 10:07:39 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM4ofP2w7g84pPdwCMqj8b0ze7a8tRb+04Rm3VKhZk6nA3jiN1+pLMCiLUBSH7FKCbDU6EjI
X-Received: by 2002:aa7:c054:0:b0:453:98c6:f6c4 with SMTP id k20-20020aa7c054000000b0045398c6f6c4mr36496168edo.2.1666717658969;
        Tue, 25 Oct 2022 10:07:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666717658; cv=none;
        d=google.com; s=arc-20160816;
        b=W3NdYhFsLdbIuzfBsoVOhfpZ6x0nPY5fzkdJjIbTtP6qsdaWSaqn5pAC6Zmqia3TA2
         hJ85uRQf1FIwbWP3pgvmn8Gf0XFjUEsusbCdYPYyFt5wOLTFcgygLXlQcNsqoE5MppaH
         w3Ehpm0yOLCEim55ZaMk2oswTXCbmkv1z00DEcE+UqtnJlpCjvd07P8wzOC6OuVxYg5/
         HQuj0r26RcntHbBYocWERpaTAPStB+ECKgPgFqOIfarnRDA5XrlAkwFt+pDiym7H/tPh
         y2LG/vAptEHxQ/cN25nCmWc7vtNtiz44CirPYSBpfK0Ul/HeZtAqUzkLDHFMVC86h4sd
         JmUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=PTYesaVYLFPDVd8R/uTnASR0v0PE9kXHB002/A6jq1A=;
        b=RCv8zGOx0YXiHyQ+SRHi4NHj7R3j0GOB53OFa+/56JdKgrbC2YB0ymEJS1l5lRnm5p
         0IFDeMJADCgQc7IaODUC87bcT/zvrnDUAh8nlxkiGdzx1rKGyRwO5vijuqQEN3MHQ1LR
         fPTA3K9WXr2eiEwr7xELNtX+0Fdp6XzCxGaxmGwvkg4PV4Rx1DTVqlAWBFInfs3UyG7v
         1yeP5pTApFAxRA62vnPWI5ulIBb0DcHhRcvDB+j400Ot+QdwMdJTDYBWrHAa2iu6yBhW
         venFoETvOoO+bFEaQoM7+wiwKs7RhtbkzeJsKPWaoWR3PhuVEm5SYXoxH32ksrU2Bc5U
         fqSg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=MYK6PFQL;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id gw2-20020a170906f14200b0078d426c2844si2989912ejb.213.2022.10.25.10.06.53;
        Tue, 25 Oct 2022 10:07:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel.com header.s=Intel header.b=MYK6PFQL;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232038AbiJYQ4Y (ORCPT <rfc822;mudongliangabcd@gmail.com>
        + 65 others); Tue, 25 Oct 2022 12:56:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46320 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232243AbiJYQz6 (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Tue, 25 Oct 2022 12:55:58 -0400
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 261ECDDA36;
        Tue, 25 Oct 2022 09:55:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1666716957; x=1698252957;
  h=date:from:to:cc:subject:message-id:references:
   mime-version:in-reply-to;
  bh=njjboqv4Bsu1ZVUFPFBzTeovN/+xYByVQGTT3Ez9mqw=;
  b=MYK6PFQLigSfzfRwipCeDiLAM9UvirtynRiVlhRXkCPl9gYtddRGEk8F
   Gn+udxTwQZyl5i0mzMi5JVwUkCdj0FsdEnfTHayLPLFX7qrsC9eGQKHin
   Um+DWaOv8ksr/+yifJZE61QGG6ur8OVKnHT3QgHBjw2al1i+yeVmBwXYV
   LdGqdVd8Ach9Ztd/4PuXCb49nn0UMByK0xIVq5+/qkesq+EWXj9JyN3KT
   6p6tK9ZPAKOYz253c3MNSAmvkGHuXJ/jXsyKQlzp/4DpqassITl1QezAe
   CCuffwMQMFV/B2FFr3eqhgImBQqlWPFetnf72CK6C7mIxRxSTUAAlfcRM
   Q==;
X-IronPort-AV: E=McAfee;i="6500,9779,10511"; a="394045966"
X-IronPort-AV: E=Sophos;i="5.95,212,1661842800"; 
   d="scan'208";a="394045966"
Received: from orsmga002.jf.intel.com ([10.7.209.21])
  by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Oct 2022 09:55:56 -0700
X-IronPort-AV: E=McAfee;i="6500,9779,10511"; a="631699786"
X-IronPort-AV: E=Sophos;i="5.95,212,1661842800"; 
   d="scan'208";a="631699786"
Received: from swatthag-mobl1.amr.corp.intel.com (HELO desk) ([10.209.27.104])
  by orsmga002-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Oct 2022 09:55:55 -0700
Date:   Tue, 25 Oct 2022 09:55:54 -0700
From:   Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
To:     Greg KH <gregkh@linuxfoundation.org>
Cc:     scott.d.constable@intel.com, daniel.sneddon@linux.intel.com,
        Jakub Kicinski <kuba@kernel.org>, dave.hansen@intel.com,
        Johannes Berg <johannes@sipsolutions.net>,
        Paolo Abeni <pabeni@redhat.com>,
        antonio.gomez.iglesias@linux.intel.com,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
        x86@kernel.org, netdev@vger.kernel.org
Subject: Re: [RFC PATCH 2/2] minstrel_ht: Mitigate BTI gadget
 minstrel_ht_get_expected_throughput()
Message-ID: <20221025165554.7zfykwejjyv2olcc@desk>
References: <cover.1666651511.git.pawan.kumar.gupta@linux.intel.com>
 <ceb2bcdc79f1494151e85734fa7bdc639df275bb.1666651511.git.pawan.kumar.gupta@linux.intel.com>
 <Y1eSGK5vylNmBbVp@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <Y1eSGK5vylNmBbVp@kroah.com>
X-Spam-Status: No, score=-4.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
        SPF_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

On Tue, Oct 25, 2022 at 09:36:56AM +0200, Greg KH wrote:
>On Mon, Oct 24, 2022 at 03:57:47PM -0700, Pawan Gupta wrote:
>> Static analysis indicate that indirect target
>> minstrel_ht_get_expected_throughput() could be used as a disclosure
>> gadget for Intra-mode Branch Target Injection (IMBTI) and Branch History
>> Injection (BHI).
>
>You define these new TLAs here, but the code comment below does not,
>making this code now impossible to understand :(

I will expand the TLAs in the comment.

>> ASM generated by compilers indicate a construct of a typical disclosure
>> gadget, where an adversary-controlled register contents can be used to
>> transiently access an arbitrary memory location.
>
>If you have an "adveraray-controlled register contents", why would you
>waste that on a mere speculation attack and not do something better,
>like get root instead?

In the non-transient path those registers can contain system call
arguments that are checked for illegal accesses, thus are harmless. But
when executing transiently those registers could be interpreted as
(completely unrelated) arguments of a disclosure gadget.

>> Although there are no known ways to exploit this, but to be on safer
>> side mitigate it by adding a speculation barrier.
>>
>> Reported-by: Scott D. Constable <scott.d.constable@intel.com>
>> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
>> ---
>>  net/mac80211/rc80211_minstrel_ht.c | 9 +++++++++
>>  1 file changed, 9 insertions(+)
>>
>> diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
>> index 3d91b98db099..7cf90666a865 100644
>> --- a/net/mac80211/rc80211_minstrel_ht.c
>> +++ b/net/mac80211/rc80211_minstrel_ht.c
>> @@ -11,6 +11,7 @@
>>  #include <linux/moduleparam.h>
>>  #include <linux/ieee80211.h>
>>  #include <linux/minmax.h>
>> +#include <linux/nospec.h>
>>  #include <net/mac80211.h>
>>  #include "rate.h"
>>  #include "sta_info.h"
>> @@ -1999,6 +2000,14 @@ static u32 minstrel_ht_get_expected_throughput(void *priv_sta)
>>  	struct minstrel_ht_sta *mi = priv_sta;
>>  	int i, j, prob, tp_avg;
>>
>> +	/*
>> +	 * Protect against IMBTI/BHI.
>
>This makes no sense here, right?

I will expand those and add some more explanation.

>And you are NOT following the proper networking comment style, didn't
>checkpatch complain about this?

checkpatch did complain, but I noticed that this file is following
regular commenting style everywhere. I can changed that to networking
style but it will differ from the rest of the file.

>> +	 *
>> +	 * Transiently executing this function with an adversary controlled
>> +	 * argument may disclose secrets. Speculation barrier prevents that.
>> +	 */
>> +	barrier_nospec();
>
>So how much did you just slow down the normal use of the system?

I don't have data for this. As I understand this function is not called
frequently, so perf impact is not expected to be significant.

>> +
>>  	i = MI_RATE_GROUP(mi->max_tp_rate[0]);
>>  	j = MI_RATE_IDX(mi->max_tp_rate[0]);
>
>These are all internal structures, can't you just bounds-prevent the
>speculation instead of the hard barrier?

The valid bound in this case is large enough (bits 15:6 IIRC) to still
pose a risk. As this function is not called frequently adding a
speculation barrier looks to be the best choice.