lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 21 Mar 2018 16:30:17 -0700
From:   Dave Hansen <dave.hansen@...el.com>
To:     "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>
Cc:     "H. Peter Anvin" <hpa@...or.com>,
        David Woodhouse <dwmw@...zon.co.uk>,
        KarimAllah Ahmed <karahmed@...zon.de>,
        Andi Kleen <ak@...ux.intel.com>,
        Tim Chen <tim.c.chen@...ux.intel.com>, thomas.lendacky@....com,
        x86@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86/speculation: Fill the RSB on context switch also on
 non-IBPB CPUs

On 03/20/2018 04:17 AM, Maciej S. Szmigiero wrote:
> Since it is unlikely that existing RSB entries from the previous task match
> the new task call stack we can use the existing unconditional
> RSB-filling-on-context-switch infrastructure to protect against such
> userspace-to-userspace attacks.
> 
> This patch brings a change in behavior only for the following CPU types:
> * Intel pre-Skylake CPUs without updated microcode,
> * AMD Family 15h model >60h, Family 17h CPUs without updated microcode.
> 
> Other CPU types either already do the RSB filling on context switch for
> other reasons or do support IBPB for more complete userspace-to-userspace
> protection.

I think I misunderstood your reasoning a bit.  Let me see if I can
restate the problem a bit.

IBPB provides provides userspace-to-userspace protection because it
prevents all indirect branch predictions after the barrier from being
controlled by software executed before the barrier.  We only use IBPB
for KVM and when processes clear their dumpable flag.

You're saying that, even if we don't have IBPB, we can do *some*
userspace-to-userspace protection with RSB manipulation.  The RSB
manipulation obviously only helps 'RET' instructions and not JMP/CALL,
but it does do *something* useful.

Is that right?

Do you really want this behavior on all context switches?  We don't do
IBPB on all context switches, only the ones where we are switching *to*
a non-dumpable process.

Do you perhaps want to do RSB manipulation in lieu of IBPB when
switching *to* a non-dumpable process and IBPB is not available?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ