| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20181126133610.GB108014@gmail.com>
Date: Mon, 26 Nov 2018 14:36:10 +0100
From: Ingo Molnar <mingo@...nel.org>
To: Thomas Gleixner <tglx@...utronix.de>
Cc: Andy Lutomirski <luto@...capital.net>,
Andi Kleen <ak@...ux.intel.com>,
LKML <linux-kernel@...r.kernel.org>, x86@...nel.org,
Peter Zijlstra <peterz@...radead.org>,
Andy Lutomirski <luto@...nel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jiri Kosina <jkosina@...e.cz>,
Tom Lendacky <thomas.lendacky@....com>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Andrea Arcangeli <aarcange@...hat.com>,
David Woodhouse <dwmw@...zon.co.uk>,
Tim Chen <tim.c.chen@...ux.intel.com>,
Dave Hansen <dave.hansen@...el.com>,
Casey Schaufler <casey.schaufler@...el.com>,
Asit Mallick <asit.k.mallick@...el.com>,
Arjan van de Ven <arjan@...ux.intel.com>,
Jon Masters <jcm@...hat.com>,
Waiman Long <longman9394@...il.com>,
Greg KH <gregkh@...uxfoundation.org>,
Dave Stewart <david.c.stewart@...el.com>,
Kees Cook <keescook@...omium.org>
Subject: Re: [patch V2 21/28] x86/speculation: Prepare for conditional IBPB
in switch_mm()
* Thomas Gleixner <tglx@...utronix.de> wrote:
> On Sun, 25 Nov 2018, Andy Lutomirski wrote:
> > > On Nov 25, 2018, at 2:20 PM, Thomas Gleixner <tglx@...utronix.de> wrote:
> > > On Sun, 25 Nov 2018, Andi Kleen wrote:
> > >
> > >>> The current check whether two tasks belong to the same context is using the
> > >>> tasks context id. While correct, it's simpler to use the mm pointer because
> > >>> it allows to mangle the TIF_SPEC_IB bit into it. The context id based
> > >>> mechanism requires extra storage, which creates worse code.
> > >>
> > >> [We tried similar in some really early versions, but it was replaced
> > >> with the context id later.]
> > >>
> > >> One issue with using the pointer is that the pointer can be reused
> > >> when the original mm_struct is freed, and then gets reallocated
> > >> immediately to an attacker. Then the attacker may avoid the IBPB.
> > >>
> > >> Given it's probably hard to generate any reasonable leak bandwidth with
> > >> such a complex scenario, but it still seemed better to close the hole.
> > >
> > > Sorry, but that's really a purely academic exercise.
> >
> > I would guess that it’s actually very easy to force mm_struct* reuse.
> > Don’t the various allocators try to allocate hot memory? There’s nothing
> > hotter than a just-freed allocation of the same size.
>
> Sure, but this is about a indirect branch predictor attack against
> something which reuses the mm.
>
> So you'd need to pull off:
>
> P1 poisons branch predictor
> P1 exit
>
> P2 starts and resuses mm(P1) and uses the poisoned branch predictor
>
> the only thing between P1 and P2 is either idle or some other kernel
> thread, but no other user task. If that happens then the code would not
> issue IBPB as it assumes to switch back to the same process.
>
> Even if you can pull that off the speculation would hit the startup code of
> P2, which is truly a source of secret information. Creating a valuable
> attack based on mm reuse is really less proabable than a lottery jackpot.
>
> So using mm is really good enough and results in better assembly code which
> is surely more valuable than addressing some hypothetical hole.
OTOH we could probably close even this with very little cost if we added
an IBPB to non-threaded fork() and vfork()+exec() paths? Those are really
slow paths compared to all the context switch paths we are trying to
optimize here.
Alternatively we could IBPB on the post-exit() final task struct freeing,
which too is a relative slow path compared to the context switch paths.
But no strong opinion.
Thanks,
Ingo
Powered by blists - more mailing lists