Re: [PATCH 00/18] prevent bounds-check bypass via speculative execution
From: Josh Poimboeuf
Date: Tue Jan 09 2018 - 15:56:20 EST
On Tue, Jan 09, 2018 at 11:44:05AM -0800, Dan Williams wrote:
> On Tue, Jan 9, 2018 at 11:34 AM, Jiri Kosina <jikos@xxxxxxxxxx> wrote:
> > On Fri, 5 Jan 2018, Dan Williams wrote:
> >
> > [ ... snip ... ]
> >> Andi Kleen (1):
> >> x86, barrier: stop speculation for failed access_ok
> >>
> >> Dan Williams (13):
> >> x86: implement nospec_barrier()
> >> [media] uvcvideo: prevent bounds-check bypass via speculative execution
> >> carl9170: prevent bounds-check bypass via speculative execution
> >> p54: prevent bounds-check bypass via speculative execution
> >> qla2xxx: prevent bounds-check bypass via speculative execution
> >> cw1200: prevent bounds-check bypass via speculative execution
> >> Thermal/int340x: prevent bounds-check bypass via speculative execution
> >> ipv6: prevent bounds-check bypass via speculative execution
> >> ipv4: prevent bounds-check bypass via speculative execution
> >> vfs, fdtable: prevent bounds-check bypass via speculative execution
> >> net: mpls: prevent bounds-check bypass via speculative execution
> >> udf: prevent bounds-check bypass via speculative execution
> >> userns: prevent bounds-check bypass via speculative execution
> >>
> >> Mark Rutland (4):
> >> asm-generic/barrier: add generic nospec helpers
> >> Documentation: document nospec helpers
> >> arm64: implement nospec_ptr()
> >> arm: implement nospec_ptr()
> >
> > So considering the recent publication of [1], how come we all of a sudden
> > don't need the barriers in ___bpf_prog_run(), namely for LD_IMM_DW and
> > LDX_MEM_##SIZEOP, and something comparable for eBPF JIT?
> >
> > Is this going to be handled in eBPF in some other way?
> >
> > Without that in place, and considering Jann Horn's paper, it would seem
> > like PTI doesn't really lock it down fully, right?
>
> Here is the latest (v3) bpf fix:
>
> https://patchwork.ozlabs.org/patch/856645/
>
> I currently have v2 on my 'nospec' branch and will move that to v3 for
> the next update, unless it goes upstream before then.
That patch seems specific to CONFIG_BPF_SYSCALL. Is the bpf() syscall
the only attack vector? Or are there other ways to run bpf programs
that we should be worried about?
--
Josh