Re: nft/bpf interpreters and spectre2. Was: [PATCH RFC 0/4] net: add bpfilter

[resend as plaintext, apparently mobile gmail will send HTML mails]

On Thu, Feb 22, 2018 at 3:20 AM, Alexei Starovoitov
<alexei.starovoitov@xxxxxxxxx> wrote:
> On Wed, Feb 21, 2018 at 01:13:03PM +0100, Florian Westphal wrote:
>>
>> Obvious candidates are: meta, numgen, limit, objref, quota, reject.
>>
>> We should probably also consider removing
>> CONFIG_NFT_SET_RBTREE and CONFIG_NFT_SET_HASH and just always
>> build both too (at least rbtree since that offers interval).
>>
>> For the indirect call issue we can use direct calls from eval loop for
>> some of the more frequently used ones, similar to what we do already
>> for nft_cmp_fast_expr.
>
> nft_cmp_fast_expr and other expressions mentioned above got me thinking...
>
> do we have the same issue with nft interpreter as we had with bpf one?
> bpf interpreter was used as part of a spectre2 attack to leak
> information via cache side channel and let a VM read hypervisor memory.
> Due to that issue we removed the bpf interpreter from the kernel code.
> That's what CONFIG_BPF_JIT_ALWAYS_ON is for...
> but we still have nft interpreter in the kernel that can also
> execute arbitrary nft expressions.
>
> Jann's exploit used the following bpf instructions:
[...]
>
> and a gadget to jump into __bpf_prog_run with insn pointing
> to memory controlled by the guest while accessible
> (at different virt address) by the hypervisor.
>
> It seems possible to construct a similar sequence of instructions
> out of nft expressions and use a gadget that jumps into nft_do_chain().
[...]
> Obviously such an exploit is harder to do than the bpf based one.
> Do we need to do anything about it?
> Maybe it's easier to find gadgets in .text of vmlinux
> instead of messing with interpreters?
>
> Jann,
> can you comment on removing interpreters in general?
> Do we need to worry about having bpf and/or nft interpreter
> in the kernel?

I think that for Spectre V2, the presence of interpreters isn't a big
problem. It simplifies writing attacks a bit, but I don't expect it to
be necessary if an attacker invests some time into finding useful
gadgets.
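Added example, not part of the thread: a small POSIX shell check for the CONFIG_BPF_JIT_ALWAYS_ON state Alexei refers to, combined with the net.core.bpf_jit_enable and net.core.bpf_jit_harden sysctls, so an administrator can see whether a given kernel still carries and uses the BPF interpreter. The function names are my own; the kernel config symbol and sysctl names are real.

```shell
# Classify a kernel's BPF interpreter exposure from its build config and the
# net.core.bpf_jit_* sysctls.  The facts used are the ones in the thread:
# with CONFIG_BPF_JIT_ALWAYS_ON=y the interpreter is not compiled in at all;
# otherwise net.core.bpf_jit_enable decides whether loaded programs run in
# the JIT or in the interpreter.  (Example code, helper names are my own.)

# bpf_interpreter_status CONFIG_FILE JIT_ENABLE JIT_HARDEN
#   CONFIG_FILE : a kernel .config (e.g. /boot/config-$(uname -r))
#   JIT_ENABLE  : value of net.core.bpf_jit_enable (0 = interpreter, 1/2 = JIT)
#   JIT_HARDEN  : value of net.core.bpf_jit_harden (0 = no constant blinding)
# Prints one status word; exit status 0 means the interpreter is absent.
bpf_interpreter_status() {
    cfg=$1
    jit_enable=$2
    jit_harden=$3
    if grep -qx 'CONFIG_BPF_JIT_ALWAYS_ON=y' "$cfg"; then
        # Interpreter removed at build time: the configuration the thread
        # describes as the fix for the bpf side of the problem.
        echo interpreter-compiled-out
        return 0
    fi
    if [ "$jit_enable" -eq 0 ]; then
        # JIT switched off: every BPF program executes in __bpf_prog_run.
        echo interpreter-in-use
        return 1
    fi
    # JIT on, but the interpreter code is still part of the kernel image
    # and reachable; report whether the JIT at least blinds immediates.
    if [ "$jit_harden" -eq 0 ]; then
        echo interpreter-present-jit-unhardened
    else
        echo interpreter-present-jit-hardened
    fi
    return 1
}

# Convenience wrapper for the running kernel.  Assumes the distribution
# installs /boot/config-$(uname -r) and that sysctl is readable.
bpf_interpreter_status_live() {
    bpf_interpreter_status "/boot/config-$(uname -r)" \
        "$(sysctl -n net.core.bpf_jit_enable)" \
        "$(sysctl -n net.core.bpf_jit_harden)"
}
```

Run `bpf_interpreter_status_live` on a host to get one of the four status words; note that nf_tables has no JIT, so the nft interpreter is present whenever nf_tables is built, and this check says nothing about it.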