lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Apr 2018 13:21:29 +0200 From: Peter Zijlstra <peterz@...radead.org> To: Dan Carpenter <dan.carpenter@...cle.com> Cc: Mauro Carvalho Chehab <mchehab@...nel.org>, "Gustavo A. R. Silva" <gustavo@...eddedor.com>, linux-media@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 01/11] media: tm6000: fix potential Spectre variant 1 On Tue, Apr 24, 2018 at 12:36:09PM +0200, Peter Zijlstra wrote: > > Then usespace probes which part of the descr[] array is now in cache and > from that it can infer the initial out-of-bound value. Just had a better look at v4l_fill_fmtdesc() and actually read the comment. The code cannot be compiled as a array because it is big and sparse. But the log(n) condition tree is a prime candidate for the branchscope side-channel, which would be able to reconstruct a significant number of bits of the original value. A denser tree gives more bits etc.
Powered by blists - more mailing lists