| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+55aFz3Z6jYnG9mCG2UMDqvg5bv7k7gKO3pZc36BrNSwfmUnQ@mail.gmail.com>
Date: Thu, 4 Jan 2018 10:33:04 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Pavel Machek <pavel@....cz>
Cc: Andi Kleen <andi@...stfloor.org>, tglx@...uxtronix.de,
Greg Kroah-Hartman <gregkh@...ux-foundation.org>,
David Woodhouse <dwmw@...zon.co.uk>,
Tim Chen <tim.c.chen@...ux.intel.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Dave Hansen <dave.hansen@...el.com>
Subject: Re: Avoid speculative indirect calls in kernel
On Thu, Jan 4, 2018 at 3:26 AM, Pavel Machek <pavel@....cz> wrote:
> On Wed 2018-01-03 15:51:35, Linus Torvalds wrote:
>>
>> A *competent* CPU engineer would fix this by making sure speculation
>> doesn't happen across protection domains. Maybe even a L1 I$ that is
>> keyed by CPL.
>
> Would that be enough?
No, you'd need to add the CPL to the branch target buffer itself, not the I$ L1.
And as somebody pointed out, that only helps the user space messing
with the kernel. It doesn't help the "one user context fools another
user context to mispredict". (Where the user contexts might be a
JIT'ed JS vs the rest of the web browser).
So you really would want to just make sure the full address is used to
index (or at least verify) the BTB lookup, and even then you'd then
need to invalidate the BTB on context switches so that one context
can't fill in data for another context.
Linus
Powered by blists - more mailing lists