Date: Tue, 30 Jan 2018 20:27:28 +0000 From: "Van De Ven, Arjan" <arjan.van.de.ven@...el.com> To: "Williams, Dan J" <dan.j.williams@...el.com>, Linus Torvalds <torvalds@...ux-foundation.org> CC: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...nel.org>, linux-arch <linux-arch@...r.kernel.org>, Cyril Novikov <cnovikov@...x.com>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, Peter Zijlstra <peterz@...radead.org>, Catalin Marinas <catalin.marinas@....com>, X86 ML <x86@...nel.org>, Will Deacon <will.deacon@....com>, Russell King <linux@...linux.org.uk>, Ingo Molnar <mingo@...hat.com>, Greg KH <gregkh@...uxfoundation.org>, "H. Peter Anvin" <hpa@...or.com>, Alan Cox <alan@...ux.intel.com>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org> Subject: RE: [PATCH v5 02/12] array_idx: sanitize speculative array de-references > > Anyway, I do think the patches I've seen so far are ok, and the real > > reason I'm writing this email is actually more about future patches: > > do we have a good handle on where these array index sanitations will > > be needed? the obvious cases are currently obviously being discussed. but to be realistic, the places people will find will go on for the next two+ years, and the distros will also end up needing to backport those for the next two years. (v1 is like "buffer overflow", it's a class of issues. buffer overflows were not fixed in one patch or overnight) > > Also, while array limit checking was obviously the official > > "spectre-v1" issue, I do wonder if there are possible other issues > > where mispredicted conditional branches can end up leaking > > information? there's obviously many things one can do to leak things, for example the v1 paper talks about using the cache as a mechanism to leak, but you can trivially construct something that uses the TLBs as the channel to leak (thankfully KPTI cuts that side off) but other variations are possible. I suspect many maser thesis projects got redirected in the last few months ;-) > > IOW, is there some work on tooling/analysis/similar? Not asking for > > near-term, but more of a "big picture" question.. short term there was some extremely rudimentary static analysis done. clearly that has extreme limitations both in insane rate of false positives, and missing cases. the real case is to get things like compiler plugins and the like to identify suspect cases. but we also need to consider changing the kernel a bit. Part of what makes fixing V1 hard is that security checks on user data are spread in many places across drivers and subsystems. If we do the security checks more concentrated we cut off many attacks. For example, we are considering doing a copy_from_user_struct(*dst, *src, type, validation_function) where the validation function gets auto-generated from the uapi headers (with some form of annotation) and if anything fails or the copy faults partway through, the dst is zeroed. such a beast can do the basic security checks on the user data inside that function(wrapper), and that greatly limits the number of places we need to take care of. bonus is that this also will improve the situation of drivers being sloppy with input validation and where the current rootholes are happening
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.