[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0f6cfd45286247a3b69d46db1bc87fb5@AcuMS.aculab.com>
Date: Mon, 5 Feb 2018 15:28:23 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Andrew Cooper' <andrew.cooper3@...rix.com>,
Arnd Bergmann <arnd@...db.de>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Juergen Gross <jgross@...e.com>
CC: "xen-devel@...ts.xenproject.org" <xen-devel@...ts.xenproject.org>,
"Dan Carpenter" <dan.carpenter@...cle.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
From: Andrew Cooper
> Sent: 05 February 2018 15:14
>
> On 05/02/18 15:03, Arnd Bergmann wrote:
>
> Snipping deleted code to make things clearer:
>
> > + if (cmd > ARRAY_SIZE(physdevop_len))
> > + return -ENOSYS;
> >
> > + len = physdevop_len[cmd];
> > + memcpy(&op.u, arg, len);
>
> You'll want an array_nospec() or whatever its called these days. This
> code is SP1-leaky.
>
> Userspace controls cmd and can retrieve len by timing how many adjacent
> cache lines were pulled in my memcpy().
Well, maybe it can read beyond the bounds of physdevop_len[].
I doubt that the memcpy() will pull in many cache lines so you
can probably only determine whether the value is 0..63, 64..127 or 128+
Not likely to be much use.
David
Powered by blists - more mailing lists