| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 26 Jan 2018 02:55:07 +0000
From: "Van De Ven, Arjan" <arjan.van.de.ven@...el.com>
To: Liran Alon <liran.alon@...cle.com>,
"Hansen, Dave" <dave.hansen@...el.com>
CC: "labbott@...hat.com" <labbott@...hat.com>,
"luto@...nel.org" <luto@...nel.org>,
"Janakarajan.Natarajan@....com" <Janakarajan.Natarajan@....com>,
"torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
"bp@...e.de" <bp@...e.de>,
"Mallick, Asit K" <asit.k.mallick@...el.com>,
"rkrcmar@...hat.com" <rkrcmar@...hat.com>,
"karahmed@...zon.de" <karahmed@...zon.de>,
"hpa@...or.com" <hpa@...or.com>,
"mingo@...hat.com" <mingo@...hat.com>,
"Nakajima, Jun" <jun.nakajima@...el.com>,
"x86@...nel.org" <x86@...nel.org>,
"Raj, Ashok" <ashok.raj@...el.com>,
"tim.c.chen@...ux.intel.com" <tim.c.chen@...ux.intel.com>,
"pbonzini@...hat.com" <pbonzini@...hat.com>,
"ak@...ux.intel.com" <ak@...ux.intel.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"dwmw2@...radead.org" <dwmw2@...radead.org>,
"peterz@...radead.org" <peterz@...radead.org>,
"tglx@...utronix.de" <tglx@...utronix.de>,
"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"mhiramat@...nel.org" <mhiramat@...nel.org>,
"arjan@...ux.intel.com" <arjan@...ux.intel.com>,
"thomas.lendacky@....com" <thomas.lendacky@....com>,
"Williams, Dan J" <dan.j.williams@...el.com>,
"joro@...tes.org" <joro@...tes.org>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"aarcange@...hat.com" <aarcange@...hat.com>
Subject: RE: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict
Indirect Branch Speculation
> -----Original Message-----
> From: Liran Alon [mailto:liran.alon@...cle.com]
> Sent: Thursday, January 25, 2018 6:50 PM
> To: Hansen, Dave <dave.hansen@...el.com>
> Cc: labbott@...hat.com; luto@...nel.org; Janakarajan.Natarajan@....com;
> torvalds@...ux-foundation.org; bp@...e.de; Mallick, Asit K
> <asit.k.mallick@...el.com>; rkrcmar@...hat.com; karahmed@...zon.de;
> hpa@...or.com; mingo@...hat.com; Nakajima, Jun
> <jun.nakajima@...el.com>; x86@...nel.org; Raj, Ashok <ashok.raj@...el.com>;
> Van De Ven, Arjan <arjan.van.de.ven@...el.com>; tim.c.chen@...ux.intel.com;
> pbonzini@...hat.com; ak@...ux.intel.com; linux-kernel@...r.kernel.org;
> dwmw2@...radead.org; peterz@...radead.org; tglx@...utronix.de;
> gregkh@...uxfoundation.org; mhiramat@...nel.org; arjan@...ux.intel.com;
> thomas.lendacky@....com; Williams, Dan J <dan.j.williams@...el.com>;
> joro@...tes.org; kvm@...r.kernel.org; aarcange@...hat.com
> Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect
> Branch Speculation
>
>
> Google P0 blog-post
> (https://googleprojectzero.blogspot.co.il/2018/01/reading-privileged-memory-
> with-side.html) claims that BTB & BHB only use <31 low bits of the address of
> the source instruction to lookup into the BTB. In addition, it claims that the
> higher bits of the predicated destination change together with the higher bits of
> the source instruction.
>
> Therefore, it should be possible to leak the low bits of high predicition-mode
> code BTB/BHB entries from low prediction-mode code. Because the predicted
> destination address will reside in user-space.
>
> What am I missing?
I thought this email thread was about the RSB...
Powered by blists - more mailing lists