Re: [PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()

From: Cyrill Gorcunov
Date: Wed May 29 2019 - 08:22:04 EST

Next message: Christoph Hellwig: "Re: [PATCH 1/2] dma-mapping: truncate dma masks to what dma_addr_t can hold"
Previous message: Guenter Roeck: "Re: [PATCH] adm1275: support PMBUS_VIRT_*_SAMPLES"
In reply to: Dianzhang Chen: "Re: [PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()"
Next in thread: Dianzhang Chen: "Re: [PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, May 29, 2019 at 10:39:52AM +0800, Dianzhang Chen wrote:
> Hi,
>
> Although when detect it is misprediction and drop the execution, but
> it can not drop all the effects of speculative execution, like the
> cache state. During the speculative execution, the:
>
>
> rlim = tsk->signal->rlim + resource; // use resource as index
>
> ...
>
> *old_rlim = *rlim;
>
>
> may read some secret data into cache.
>
> and then the attacker can use side-channel attack to find out what the
> secret data is.

This code works after check_prlimit_permission call, which means you already
should have a permission granted. And you implies that misprediction gonna
be that deep which involves a number of calls/read/writes/jumps/locks-rb-wb-flushes
and a bunch or other instructions, moreover all conditions are "mispredicted".
This is very bold and actually unproved claim!

Note that I pointed the patch is fine in cleanup context but seriously I
don't see how this all can be exploitable in sense of spectre.

Next message: Christoph Hellwig: "Re: [PATCH 1/2] dma-mapping: truncate dma masks to what dma_addr_t can hold"
Previous message: Guenter Roeck: "Re: [PATCH] adm1275: support PMBUS_VIRT_*_SAMPLES"
In reply to: Dianzhang Chen: "Re: [PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()"
Next in thread: Dianzhang Chen: "Re: [PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]