Re: [PATCH 06/18] x86, barrier: stop speculation for failed access_ok

From: Alexei Starovoitov
Date: Sun Jan 07 2018 - 21:09:14 EST


On Sun, Jan 07, 2018 at 11:08:24AM +0100, Thomas Gleixner wrote:
> On Sat, 6 Jan 2018, Alexei Starovoitov wrote:
> > which clearly states that bpf_tail_call() was used in the attack.
> > Yet none of the intel nor arm patches address speculation in
> > this bpf helper!
> > It means that:
> > - gpz didn't share neither exploit nor the detailed description
> > of the POC with cpu vendors until now
> > - coverity rules used to find all these places in the kernel
> > failed to find bpf_tail_call
> > - cpu vendors were speculating what variant 1 can actually do
>
> You forgot to mention that there might be other attacks than the public POC
> which are not covered by a simple AND ....

if above statement is not a pure speculation please share CVE number.
For varaint[123] they've been reserved for months.

> For spectre_v1/2 we face the same problem simply because we got informed so
> much ahead of time and we were all twiddling thumbs, enjoying our christmas
> vacation and having a good time.

right. they were informed in a way that they failed to address
variant1 with pre-embargo and public patches.

> The exploits are out in the wild and they are observed already, so we

this statement contradicts with everything that was publicly stated.
Or you're referring to 'exploit' at the end of spectre paper?

> want to discuss the right way to fix it for the next 3 month and leave all
> doors open until the last bit of performance is squeezed out.

Let's look at facts:
- Linus explains his array_access() idea
- lfence proponents quickly point out that it needs gcc to be smart
enough to emit setbe and go back to lfence patches
- I spent half an hour to tweak array_access() to be generic
on all archs and compiler indepedent
- lfence proponets point out that AND with a variable somehow
won't work, yet after further discussion it's actually fine due to
the nature of variant1 attack that needs to train predictor with in-bounds
access to mispredict with out-of-bounds speculative load
- then lfence proponets claim 'non public POC' not covered by AND
- it all in the matter of 2 days.
- and now the argument that it will take 3 month to discuss a solution
without lfence, yet still no performance numbers for lfence
though 'people in the know' were twiddling thumbs for months.

That's just not cool.