Re: [PATCH] mm/slab_common.c: fix possible spectre-v1 in kmalloc_slab()
From: Dianzhang Chen
Date: Thu May 30 2019 - 03:05:14 EST
On Thu, May 30, 2019 at 2:24 PM Michal Hocko <mhocko@xxxxxxxxxx> wrote:
> I understand the general mechanism of spectre v1. What I was asking for
> is an example of where userspace directly controls the allocation size
> as this is usually bounded to an in kernel object size. I can see how
> and N * sizeof(object) where N is controlled by the userspace could be
> the target. But calling that out explicitly would be appreciated.
In the syscall call poll, the user can control the `nfds`,
when call the function `do_sys_poll` it can pass the nfds to function
`do_sys_poll`, and pass to variable `len`,
although there exit compare instruction llike `len = min_t(unsigned
int, nfds, N_STACK_PPS)`, `len = min(todo, POLLFD_PER_PAGE);`,
but it can also bypass by speculation, as the speculation windows are large,
and in the next `size = sizeof(struct poll_list) + sizeof(struct pollfd) * len`,
which can indirect control the size.
> Please mention that in the changelog as well.
ok, thanks for suggestion.