Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()

From: Dianzhang Chen
Date: Thu May 30 2019 - 03:05:14 EST

Next message: Nick Hu: "[PATCH v3] riscv: Fix udelay in RV32."
Previous message: Michal Hocko: "Re: [RFC 6/7] mm: extend process_madvise syscall to support vector arrary"
In reply to: Michal Hocko: "Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()"
Next in thread: Matthew Wilcox: "Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, May 30, 2019 at 2:24 PM Michal Hocko <mhocko@xxxxxxxxxx> wrote:
> I understand the general mechanism of spectre v1. What I was asking for
> is an example of where userspace directly controls the allocation size
> as this is usually bounded to an in kernel object size. I can see how
> and N * sizeof(object) where N is controlled by the userspace could be
> the target. But calling that out explicitly would be appreciated.

In the syscall call poll, the user can control the `nfds`,
when call the function `do_sys_poll` it can pass the nfds to function
`do_sys_poll`, and pass to variable `len`,
although there exit compare instruction llike `len = min_t(unsigned
int, nfds, N_STACK_PPS)`, `len = min(todo, POLLFD_PER_PAGE);`,
but it can also bypass by speculation, as the speculation windows are large,
and in the next `size = sizeof(struct poll_list) + sizeof(struct pollfd) * len`,
which can indirect control the size.

> Please mention that in the changelog as well.
ok, thanks for suggestion.

Next message: Nick Hu: "[PATCH v3] riscv: Fix udelay in RV32."
Previous message: Michal Hocko: "Re: [RFC 6/7] mm: extend process_madvise syscall to support vector arrary"
In reply to: Michal Hocko: "Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()"
Next in thread: Matthew Wilcox: "Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]