Re: [PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()

From: Cyrill Gorcunov
Date: Wed May 29 2019 - 08:22:04 EST

On Wed, May 29, 2019 at 10:39:52AM +0800, Dianzhang Chen wrote:
> Hi,
> Although when detect it is misprediction and drop the execution, but
> it can not drop all the effects of speculative execution, like the
> cache state. During the speculative execution, the:
> rlim = tsk->signal->rlim + resource; // use resource as index
> ...
> *old_rlim = *rlim;
> may read some secret data into cache.
> and then the attacker can use side-channel attack to find out what the
> secret data is.

This code works after check_prlimit_permission call, which means you already
should have a permission granted. And you implies that misprediction gonna
be that deep which involves a number of calls/read/writes/jumps/locks-rb-wb-flushes
and a bunch or other instructions, moreover all conditions are "mispredicted".
This is very bold and actually unproved claim!

Note that I pointed the patch is fine in cleanup context but seriously I
don't see how this all can be exploitable in sense of spectre.