lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.21.1908152140460.1908@nanos.tec.linutronix.de>
Date:   Thu, 15 Aug 2019 22:04:18 +0200 (CEST)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Kernel User <linux-kernel@...eup.net>
cc:     LKML <linux-kernel@...r.kernel.org>, mhocko@...e.com,
        x86@...nel.org
Subject: Re: /sys/devices/system/cpu/vulnerabilities/ doesn't show all known
 CPU vulnerabilities

On Thu, 15 Aug 2019, Kernel User wrote:
> On Thu, 15 Aug 2019 11:03:35 +0200 (CEST) Thomas Gleixner wrote:
> 
> > It's used to denote vulnerability classes and their mitigations:
> > 
> >   - Spectre v1
> >   - Spectre v2
> >   - Meltdown
> >   - SSB
> >   - L1TF
> >   - MDS
> 
> In the Wikipedia article there are:
> 
> + Bounds Check Bypass (Spectre, Variant 1)
> + Branch Target Injection (Spectre, Variant 2)
> + Rogue Data Cache Load (Meltdown, Variant 3)
> - Rogue System Register Read (Spectre-NG, Variant 3a)

Is a subclass of Meltdown, but cannot be mitigated in software and we don't
know whether the micro-code contains a fix or not unless the CPU/microcode
tells us that Meltdown is fixed, which includes 3a. We report that
correctly.

It's also not a really spectacular issue. The only valuable data you might
get out of it is info to break KASLR, but there are a gazillion other ways
to do so.

> + Speculative Store Bypass (Spectre-NG, Variant 4)
> - Lazy FP state restore (Spectre-NG)

The kernel is not using lazy restore. Dead kernels did, but they got
patched and no longer allow the lazy mode. So, nothing to see here.

> - Bounds Check Bypass Store (Spectre-NG)

Is a subclass of Spectre V1 similar to the recently published SWAPGS issue.

> + Foreshadow
> - Spoiler

Spoiler cannot be mitigated by any means. It's like Rowhammer. Nothing we
can do about and nothing to show.

> + Microarchitectural Data Sampling
> 
> I have marked with '+' those which I recognize in the list you provided
> and with '-' those which are not.
> 
> > We are not tracking subclasses and their individual CVEs.
> 
> Why do you say that? In your list only L1TF and MDS are not subclasses,
> i.e. subclasses are in the list. So why not have the others? Also
> Spoiler seems to be a separate class.

What? Spectre V1, V2 and Meltdown and SSB are different classes despite the
variant 1,2,3,4 enumeration. They are different classes because they
utilize different parts of the whole speculative execution machinery and
need very different mitigation mechanisms.

Just because Wikipedia has a list of some sort does not mean that we have
to blindly follow it.

Thanks,

	tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ