RE: [PATCH] x86/uaccess: Use pointer masking to limit uaccess speculation

From: David Laight
Date: Tue Sep 01 2020 - 11:01:00 EST


From: Josh Poimboeuf
> Sent: 01 September 2020 15:27
>
> On Tue, Sep 01, 2020 at 08:32:20AM +0000, David Laight wrote:
> > > Yes, it would make sense to put the masking in access_ok() somehow. But
> > > to do it properly, I think we'd first need to make access_ok() generic.
> > > Maybe that's do-able, but it would be a much bigger patch set.
> > >
> > > First I'd prefer to just fix x86, like my patch does. Then we could do
> > > an access_ok() rework.
> >
> > If you do a modified access_ok() you get to (slowly) collect all
> > the important paths.
> > No point replicating the same test.
> >
> > A lot of the access_ok() can be deleted - maybe remove some __
> > from the following functions.
> > Or change to the variants that enable user-space accesses.
>
> Well, yes, but that's a much bigger job which can be done later.

Isn't this all rather difficult to exploit though?
(Unlike the original Spectre which trivially let kernel
memory be read.)
Don't you need to manage to 'preset' the branch predictor and BTB
to the right state and then manage some kind of timing attack
on L1 cache?

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)