lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260106152008.GZ3707891@noisy.programming.kicks-ass.net>
Date: Tue, 6 Jan 2026 16:20:08 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: Andrew Cooper <andrew.cooper3@...rix.com>
Cc: LKML <linux-kernel@...r.kernel.org>, Xin Li <xin@...or.com>,
	"H. Peter Anvin" <hpa@...or.com>, Andy Lutomirski <luto@...nel.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
	Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org
Subject: Re: [PATCH] x86/fred: Correct speculative safety in fred_extint()

On Tue, Jan 06, 2026 at 01:15:04PM +0000, Andrew Cooper wrote:
> array_index_nospec() is no use if the result gets spilled to the stack, as
> it makes the believed safe-under-speculation value subject to memory
> predictions.
> 
> For all practical purposes, this means array_index_nospec() must be used in
> the expression that accesses the array.
> 
> As the code currently stands, it's the wrong side of irqentry_enter(), and
> 'index' is put into %ebp across the function call.
> 
> Remove the index variable and reposition array_index_nospec(), so it's
> calculated immediately before the array access.
> 
> Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code")
> Signed-off-by: Andrew Cooper <andrew.cooper3@...rix.com>

I suppose I can go stick this in x86/urgent or so.

> This is why we have array_access_nospec() in Xen, so you can't separate the
> safety calculation from the array access.
> 
> The observant reader might notice that the result of reading sysvec_table[] is
> also subject to memory predictions.  Aren't CPUs wonderful...
> 
> In practice, even having array_index_nospec() part of the array access
> expression is no guarantee of avoiding spilling to the stack.  KASAN is liable
> to hide a function call behind the scenes, while UBSAN is very good at
> inserting it's own unsafe range checks around objects it knows the size of.
> Aren't compilers wonderful...

Yeah, then again nobody should be running *SAN kernels in production,
right ;-)

> ---
>  arch/x86/entry/entry_fred.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/x86/entry/entry_fred.c b/arch/x86/entry/entry_fred.c
> index 94e626cc6a07..4fc5b176d3ed 100644
> --- a/arch/x86/entry/entry_fred.c
> +++ b/arch/x86/entry/entry_fred.c
> @@ -159,8 +159,6 @@ void __init fred_complete_exception_setup(void)
>  static noinstr void fred_extint(struct pt_regs *regs)
>  {
>  	unsigned int vector = regs->fred_ss.vector;
> -	unsigned int index = array_index_nospec(vector - FIRST_SYSTEM_VECTOR,
> -						NR_SYSTEM_VECTORS);
>  
>  	if (WARN_ON_ONCE(vector < FIRST_EXTERNAL_VECTOR))
>  		return;
> @@ -169,7 +167,8 @@ static noinstr void fred_extint(struct pt_regs *regs)
>  		irqentry_state_t state = irqentry_enter(regs);
>  
>  		instrumentation_begin();
> -		sysvec_table[index](regs);
> +		sysvec_table[array_index_nospec(vector - FIRST_SYSTEM_VECTOR,
> +						NR_SYSTEM_VECTORS)](regs);
>  		instrumentation_end();
>  		irqentry_exit(regs, state);
>  	} else {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ