Re: [PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()
From: Dianzhang Chen
Date: Tue May 28 2019 - 22:43:29 EST
Hi,
Although when detect it is misprediction and drop the execution, but
it can not drop all the effects of speculative execution, like the
cache state. During the speculative execution, the:
rlim = tsk->signal->rlim + resource; // use resource as index
...
*old_rlim = *rlim;
may read some secret data into cache.
and then the attacker can use side-channel attack to find out what the
secret data is.
Virtually any observable effect of speculatively executed code can be
leveraged to create the covert channel that leaks sensitive
information[1].
A general form of spectre v1 would be[1]:
if (x < array1_size) {
y = array1[x];
// do something using y that is
// observable when speculatively
// executed
}
[1] https://spectreattack.com/spectre.pdf
Cyrill Gorcunov <gorcunov@xxxxxxxxx> ä2019å5æ28æåä äå3:10åéï
>
> On Tue, May 28, 2019 at 10:37:10AM +0800, Dianzhang Chen wrote:
> > Hi,
> > Because when i reply your emailïi always get 'Message rejected' from
> > gmail(get this rejection from all the recipients). I still don't know
> > how to deal with it, so i reply your email here:
>
> Hi! This is weird. Next time simply reply to LKML (I CC'ed it back).
>
> > Because of speculative execution, the attacker can bypass the bound
> > check `if (resource >= RLIM_NLIMITS)`.
>
> And then misprediction get detected and execution is dropped. So I
> still don't see a problem here, since we don't leak info even in
> such case.
>
> That said I don't mind for this patch but rather in a sake of
> code clarity, not because of spectre issue since it has
> nothing to do here.
>
> > as for array_index_nospec(index, size), it will clamp the index within
> > the range of [0, size), and attacker can't exploit speculative
> > execution to make the index out of range [0, size).
> >
> >
> > For more detail, please check the link below:
> >
> > https://github.com/torvalds/linux/commit/f3804203306e098dae9ca51540fcd5eb700d7f40