lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 25 Jan 2018 18:50:27 -0800 (PST)
From:   Liran Alon <liran.alon@...cle.com>
To:     <dave.hansen@...el.com>
Cc:     <labbott@...hat.com>, <luto@...nel.org>,
        <Janakarajan.Natarajan@....com>, <torvalds@...ux-foundation.org>,
        <bp@...e.de>, <asit.k.mallick@...el.com>, <rkrcmar@...hat.com>,
        <karahmed@...zon.de>, <hpa@...or.com>, <mingo@...hat.com>,
        <jun.nakajima@...el.com>, <x86@...nel.org>, <ashok.raj@...el.com>,
        <arjan.van.de.ven@...el.com>, <tim.c.chen@...ux.intel.com>,
        <pbonzini@...hat.com>, <ak@...ux.intel.com>,
        <linux-kernel@...r.kernel.org>, <dwmw2@...radead.org>,
        <peterz@...radead.org>, <tglx@...utronix.de>,
        <gregkh@...uxfoundation.org>, <mhiramat@...nel.org>,
        <arjan@...ux.intel.com>, <thomas.lendacky@....com>,
        <dan.j.williams@...el.com>, <joro@...tes.org>,
        <kvm@...r.kernel.org>, <aarcange@...hat.com>
Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict
 Indirect Branch Speculation


----- dave.hansen@...el.com wrote:

> On 01/25/2018 06:11 PM, Liran Alon wrote:
> > It is true that attacker cannot speculate to a kernel-address, but
> it
> > doesn't mean it cannot use the leaked kernel-address together with
> > another unrelated vulnerability to build a reliable exploit.
> 
> The address doesn't leak if you can't execute there.  It's the same
> reason that we don't worry about speculation to user addresses from
> the
> kernel when SMEP is in play.

Maybe I misunderstand BTB & BHB internals. Will be glad if you could pinpoint my error.

Google P0 blog-post (https://googleprojectzero.blogspot.co.il/2018/01/reading-privileged-memory-with-side.html) claims that BTB & BHB only use <31 low bits of the address of the source instruction to lookup into the BTB. In addition, it claims that the higher bits of the predicated destination change together with the higher bits of the source instruction.

Therefore, it should be possible to leak the low bits of high predicition-mode code BTB/BHB entries from low prediction-mode code. Because the predicted destination address will reside in user-space.

What am I missing?

Thanks,
-Liran

Powered by blists - more mailing lists