| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <42258ad55dac4191813d258e43a44e0e@AcuMS.aculab.com>
Date: Fri, 9 Feb 2018 14:13:14 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Arnd Bergmann' <arnd@...db.de>,
Andrew Cooper <andrew.cooper3@...rix.com>
CC: Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Juergen Gross <jgross@...e.com>,
xen-devel <xen-devel@...ts.xenproject.org>,
Dan Carpenter <dan.carpenter@...cle.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Kees Cook <keescook@...omium.org>,
"Dan Williams" <dan.j.williams@...el.com>,
David Woodhouse <dwmw@...zon.co.uk>
Subject: RE: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
From: Arnd Bergmann
> Sent: 09 February 2018 12:58
...
> However, aside from this driver, I wonder if we should be worried about
> Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case
> statement into an array lookup behind our back, e.g. in an ioctl handler.
> Has anybody got this on their radar?
The canonical code for a switch statement is to jump indirect on an array
of code pointers.
ioctl handlers probably use a series of compares because the values are
sparse.
Also remember that gcc-8 will convert dense switch statements that just
load a value into a data array lookup.
I guess both those jump tables are potential attack vectors.
Not quite sure how they might be used to leak info though.
David
Powered by blists - more mailing lists