Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation
From: Luis Henriques
Date: Tue Feb 06 2018 - 17:51:38 EST
On Tue, Feb 06, 2018 at 11:48:45AM -0800, Dan Williams wrote:
> On Tue, Feb 6, 2018 at 11:29 AM, Luis Henriques <lhenriques@xxxxxxxx> wrote:
> > On Thu, Jan 18, 2018 at 04:02:21PM -0800, Dan Williams wrote:
> >> The syscall table base is a user controlled function pointer in kernel
> >> space. Like, 'get_user, use 'MASK_NOSPEC' to prevent any out of bounds
> >> speculation. While retpoline prevents speculating into the user
> >> controlled target it does not stop the pointer de-reference, the concern
> >> is leaking memory relative to the syscall table base.
> >
> > This patch seems to cause a regression. An easy way to reproduce what
> > I'm seeing is to run the samples/statx/test-statx. Here's what I see
> > when I have this patchset applied:
> >
> > # ./test-statx /tmp
> > statx(/tmp) = -1
> > /tmp: Bad file descriptor
> >
> > Reverting this single patch seems to fix it.
>
> Just to clarify, when you say "this patch" you mean:
>
> 2fbd7af5af86 x86/syscall: Sanitize syscall table de-references
> under speculation
>
> ...not this early MASK_NOSPEC version of the patch, right?
*sigh*
Looks like I spent some good amount of time hunting a non-issue just
because I have enough old branches hanging around to confusing me :-(
Sorry for the noise.
Cheers,
--
Luís