Re: [PATCH 00/18] prevent bounds-check bypass via speculative execution

Josh Poimboeuf <jpoimboe@xxxxxxxxxx> · Tue, 9 Jan 2018 14:55:49 -0600

On Tue, Jan 09, 2018 at 11:44:05AM -0800, Dan Williams wrote:
> On Tue, Jan 9, 2018 at 11:34 AM, Jiri Kosina <jikos@xxxxxxxxxx> wrote:
> > On Fri, 5 Jan 2018, Dan Williams wrote:
> >
> > [ ... snip ... ]
> >> Andi Kleen (1):
> >>       x86, barrier: stop speculation for failed access_ok
> >>
> >> Dan Williams (13):
> >>       x86: implement nospec_barrier()
> >>       [media] uvcvideo: prevent bounds-check bypass via speculative execution
> >>       carl9170: prevent bounds-check bypass via speculative execution
> >>       p54: prevent bounds-check bypass via speculative execution
> >>       qla2xxx: prevent bounds-check bypass via speculative execution
> >>       cw1200: prevent bounds-check bypass via speculative execution
> >>       Thermal/int340x: prevent bounds-check bypass via speculative execution
> >>       ipv6: prevent bounds-check bypass via speculative execution
> >>       ipv4: prevent bounds-check bypass via speculative execution
> >>       vfs, fdtable: prevent bounds-check bypass via speculative execution
> >>       net: mpls: prevent bounds-check bypass via speculative execution
> >>       udf: prevent bounds-check bypass via speculative execution
> >>       userns: prevent bounds-check bypass via speculative execution
> >>
> >> Mark Rutland (4):
> >>       asm-generic/barrier: add generic nospec helpers
> >>       Documentation: document nospec helpers
> >>       arm64: implement nospec_ptr()
> >>       arm: implement nospec_ptr()
> >
> > So considering the recent publication of [1], how come we all of a sudden
> > don't need the barriers in ___bpf_prog_run(), namely for LD_IMM_DW and
> > LDX_MEM_##SIZEOP, and something comparable for eBPF JIT?
> >
> > Is this going to be handled in eBPF in some other way?
> >
> > Without that in place, and considering Jann Horn's paper, it would seem
> > like PTI doesn't really lock it down fully, right?
> 
> Here is the latest (v3) bpf fix:
> 
> https://patchwork.ozlabs.org/patch/856645/
> 
> I currently have v2 on my 'nospec' branch and will move that to v3 for
> the next update, unless it goes upstream before then.

That patch seems specific to CONFIG_BPF_SYSCALL.  Is the bpf() syscall
the only attack vector?  Or are there other ways to run bpf programs
that we should be worried about?

-- 
Josh