Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

[PATCH v4 00/10] prevent bounds-check bypass via speculative execution · Dan Williams <hidden> · 2018-01-19
[PATCH v4 01/10] Documentation: document array_ptr · Dan Williams <hidden> · 2018-01-19
[PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references · Dan Williams <hidden> · 2018-01-19
Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references · Jann Horn <jannh@google.com> · 2018-01-19
Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references · Linus Torvalds <torvalds@linux-foundation.org> · 2018-01-19
Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references · Dan Williams <hidden> · 2018-01-19
Re: [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references · Cyril Novikov <hidden> · 2018-01-25
Re: [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references · Dan Williams <hidden> · 2018-01-25
[PATCH v4 03/10] x86: implement array_ptr_mask() · Dan Williams <hidden> · 2018-01-19
[PATCH v4 04/10] x86: introduce __uaccess_begin_nospec and ifence · Dan Williams <hidden> · 2018-01-19
[PATCH v4 05/10] x86, __get_user: use __uaccess_begin_nospec · Dan Williams <hidden> · 2018-01-19
[PATCH v4 06/10] x86, get_user: use pointer masking to limit speculation · Dan Williams <hidden> · 2018-01-19
[PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Dan Williams <hidden> · 2018-01-19
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Jiri Slaby <hidden> · 2018-01-24
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Luis Henriques <hidden> · 2018-02-06
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Dan Williams <hidden> · 2018-02-06
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Linus Torvalds <torvalds@linux-foundation.org> · 2018-02-06
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Dan Williams <hidden> · 2018-02-06
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Linus Torvalds <torvalds@linux-foundation.org> · 2018-02-06
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Linus Torvalds <torvalds@linux-foundation.org> · 2018-02-06
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Andy Lutomirski <luto@kernel.org> · 2018-02-06
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Linus Torvalds <torvalds@linux-foundation.org> · 2018-02-06
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Dan Williams <hidden> · 2018-02-06
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Linus Torvalds <torvalds@linux-foundation.org> · 2018-02-06
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Dan Williams <hidden> · 2018-02-07
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Linus Torvalds <torvalds@linux-foundation.org> · 2018-02-07
Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation · Luis Henriques <hidden> · 2018-02-06
[PATCH v4 08/10] vfs, fdtable: prevent bounds-check bypass via speculative execution · Dan Williams <hidden> · 2018-01-19
[PATCH v4 10/10] nl80211: sanitize array index in parse_txq_params · Dan Williams <hidden> · 2018-01-19
Re: [PATCH v4 10/10] nl80211: sanitize array index in parse_txq_params · Johannes Berg <johannes@sipsolutions.net> · 2018-01-21
[PATCH v4 09/10] kvm, x86: fix spectre-v1 mitigation · Dan Williams <hidden> · 2018-01-19
Re: [PATCH v4 09/10] kvm, x86: fix spectre-v1 mitigation · Paolo Bonzini <pbonzini@redhat.com> · 2018-01-19
Re: [PATCH v4 00/10] prevent bounds-check bypass via speculative execution · Dan Williams <hidden> · 2018-01-20
Re: [PATCH v4 00/10] prevent bounds-check bypass via speculative execution · Alexei Starovoitov <hidden> · 2018-01-20
Re: [PATCH v4 00/10] prevent bounds-check bypass via speculative execution · Alexei Starovoitov <hidden> · 2018-01-20

From: Luis Henriques <hidden>
Date: 2018-02-06 22:51:32
Also in: lkml

On Tue, Feb 06, 2018 at 11:48:45AM -0800, Dan Williams wrote:

On Tue, Feb 6, 2018 at 11:29 AM, Luis Henriques [off-list ref] wrote:

quoted

On Thu, Jan 18, 2018 at 04:02:21PM -0800, Dan Williams wrote:

quoted

The syscall table base is a user controlled function pointer in kernel
space. Like, 'get_user, use 'MASK_NOSPEC' to prevent any out of bounds
speculation. While retpoline prevents speculating into the user
controlled target it does not stop the pointer de-reference, the concern
is leaking memory relative to the syscall table base.

This patch seems to cause a regression.  An easy way to reproduce what
I'm seeing is to run the samples/statx/test-statx.  Here's what I see
when I have this patchset applied:

# ./test-statx /tmp
statx(/tmp) = -1
/tmp: Bad file descriptor

Reverting this single patch seems to fix it.

Just to clarify, when you say "this patch" you mean:

     2fbd7af5af86 x86/syscall: Sanitize syscall table de-references
under speculation

...not this early MASK_NOSPEC version of the patch, right?

*sigh*

Looks like I spent some good amount of time hunting a non-issue just
because I have enough old branches hanging around to confusing me :-(

Sorry for the noise.

Cheers,

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help