Re: [PATCH v3] hwrng: virtio: clamp device-reported used.len at copy_data()

Next message: Kunwu Chan: "[PATCH] rcu: Use task_state_to_char() in stall-warning prints"
Previous message: E Shattow: "Re: [PATCH] riscv: dts: spacemit: k3-pico-itx: Fix non-functional ethernet TX timing"
In reply to: Herbert Xu: "Re: [PATCH v3] hwrng: virtio: clamp device-reported used.len at copy_data()"
Next in thread: Herbert Xu: "Re: [PATCH v3] hwrng: virtio: clamp device-reported used.len at copy_data()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael S. Tsirkin

Date: Thu Jun 11 2026 - 03:31:39 EST

On Thu, Jun 11, 2026 at 12:43:09PM +0800, Herbert Xu wrote:
> On Sun, May 31, 2026 at 10:22:51AM -0400, Michael Bommarito wrote:
> >
> > + size = min_t(unsigned int, size, avail - vi->data_idx);
> > + idx = array_index_nospec(vi->data_idx, sizeof(vi->data));
> > + memcpy(buf, vi->data + idx, size);
>
> I don't see how nospec can help here. Please enlighten me.

All the "malicious device" things are confusing. Spectre things -
doubly so.

So if an access is speculated then CPU might speculate feeding a kernel
secret into RNG. And then the speculated RNG value maybe can be also
speculatively be used by some kernel code as an index
to trigger a cache access, finally leaking the secret?

Maybe?

> Thanks,
> --
> Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt