| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241024154254.c2ylwy3b7kilvoir@treble.attlocal.net> Date: Thu, 24 Oct 2024 08:42:54 -0700 From: Josh Poimboeuf <jpoimboe@...nel.org> To: "Kirill A. Shutemov" <kirill@...temov.name> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, x86@...nel.org, Andrew Cooper <andrew.cooper3@...rix.com>, Borislav Petkov <bp@...en8.de> Subject: Re: [PATCH] x86: fix user address masking non-canonical speculation issue On Thu, Oct 24, 2024 at 05:02:42PM +0300, Kirill A. Shutemov wrote: > On Wed, Oct 23, 2024 at 11:13:00PM -0700, Josh Poimboeuf wrote: > > On Wed, Oct 23, 2024 at 06:31:59PM -0700, Linus Torvalds wrote: > > > @@ -2389,6 +2390,15 @@ void __init arch_cpu_finalize_init(void) > > > + /* > > > + * Enable this when LAM is gated on LASS support > > > + if (cpu_feature_enabled(X86_FEATURE_LAM)) > > > + USER_PTR_MAX = (1ul << 63) - PAGE_SIZE; > > > + */ > > > > I'm probably missing something but once LAM is enabled, how wouldn't > > this allow non-canonical address speculation? i.e. when bit 47/56 is > > set and 63 is cleared, would it not go untouched by mask_user_address() > > and thus be speculatively interpreted by AMD as a kernel address? > > CPU with LAM enabled enforces bit 63 to be equal bit 47/56 and raises #GP > otherwise. Right, but I'm asking about the speculation bug which happens before the exception (and which prompted this patch in the first place). -- Josh
Powered by blists - more mailing lists