lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <cover.1666651511.git.pawan.kumar.gupta@linux.intel.com>
Date:   Mon, 24 Oct 2022 15:57:45 -0700
From:   Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
To:     scott.d.constable@...el.com, daniel.sneddon@...ux.intel.com,
        Jakub Kicinski <kuba@...nel.org>, dave.hansen@...el.com,
        Johannes Berg <johannes@...solutions.net>,
        Paolo Abeni <pabeni@...hat.com>,
        antonio.gomez.iglesias@...ux.intel.com,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>
Cc:     linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
        x86@...nel.org, gregkh@...uxfoundation.org, netdev@...r.kernel.org
Subject: [RFC PATCH 0/2] Branch Target Injection (BTI) gadget in minstrel

Hi,

There is a theoretical possibility of using
minstrel_ht_get_expected_throughput() as a disclosure gadget for Branch
History Injection (BHI)/Intra-mode Branch Target Injection (IMBTI) [1].
Requesting feedback on the couple of patches that mitigates this.

First patch adds a generic speculation barrier. Second patch uses the
speculation barrier to mitigate BHI/IMBTI.

The other goal of this series is to start a discussion on whether such
hard to exploit, but theoretical possible attacks deems to be mitigated.

In general Branch Target Injection class of attacks involves an adversary
controlling an indirect branch target to misspeculate to a disclosure gadget.
For a successful attack an adversary also needs to control the register
contents used by the disclosure gadget.

Assuming preconditions are met, a disclosure gadget would transiently do
below:

  1. Loads an attacker chosen data from memory.
  2. Based on the data, modifies cache state that is observable by an attacker.

Although both these operations are architecturally invisible, the cache state
changes could be used to infer the data.

Disclosure gadget is mitigated by adding a speculation barrier.

Thanks,
Pawan

[1] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html

Pawan Gupta (2):
  nospec: Add a generic barrier_nospec()
  minstrel_ht: Mitigate BTI gadget minstrel_ht_get_expected_throughput()

 include/linux/nospec.h             | 4 ++++
 net/mac80211/rc80211_minstrel_ht.c | 9 +++++++++
 2 files changed, 13 insertions(+)

-- 
2.37.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ