
Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy



From: Andrew Cooper
> Sent: 05 February 2018 15:14
> 
> On 05/02/18 15:03, Arnd Bergmann wrote:
> 
> Snipping deleted code to make things clearer:
> 
> > +   if (cmd > ARRAY_SIZE(physdevop_len))
> > +           return -ENOSYS;
> >
> > +   len = physdevop_len[cmd];
> > +   memcpy(&op.u, arg, len);
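Review bot: the bounds check `if (cmd > ARRAY_SIZE(physdevop_len))` is off by one: cmd equal to ARRAY_SIZE(physdevop_len) passes it, and `physdevop_len[cmd]` then reads one element past the end of the table, so the comparison should be `>=`. Once the check is correct, clamping cmd with array_index_nospec() before the table lookup keeps a mispredicted branch from indexing out of range. Nothing in the lines shown bounds len against sizeof(op.u) either, so a compile-time assertion on the table entries would be worth adding if it is not already in the snipped part.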
> 
> You'll want an array_nospec() or whatever it's called these days.  This
> code is SP1-leaky.
> 
> Userspace controls cmd and can retrieve len by timing how many adjacent
> cache lines were pulled in by memcpy().

Well, maybe it can read beyond the bounds of physdevop_len[].
I doubt that the memcpy() will pull in many cache lines so you
can probably only determine whether the value is 0..63, 64..127 or 128+.
Not likely to be much use.

        David
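
A userspace sketch of the table lookup discussed in this thread, with a bounds check that rejects cmd == ARRAY_SIZE and a branchless index clamp of the kind Andrew's reply asks for. This is an added example, not code from the patch or from the Linux or Xen trees; `demo_len`, `demo_op`, `index_mask` and `demo_copy_arg` are hypothetical names and the table values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed table of per-command argument sizes (values are made up). */
static const uint8_t demo_len[] = { 8, 16, 0, 24, 12 };

union demo_op { uint8_t raw[24]; };

/*
 * All-ones when idx < size, zero otherwise, computed without a branch so a
 * mispredicted bounds check cannot leave idx unclamped. Assumes
 * size <= LONG_MAX and an arithmetic right shift of negative values
 * (GCC and Clang behaviour).
 */
static unsigned long index_mask(unsigned long idx, unsigned long size)
{
	__asm__ volatile("" : "+r"(idx));	/* keep the compiler from re-deriving a branch */
	return (unsigned long)(~(long)(idx | (size - 1UL - idx)) >>
			       (sizeof(long) * 8 - 1));
}

/* Hypothetical handler: copy the argument for cmd into op, return its length. */
static int demo_copy_arg(unsigned long cmd, const void *arg, union demo_op *op)
{
	size_t len;

	if (cmd >= ARRAY_SIZE(demo_len))	/* ">=": cmd == ARRAY_SIZE is out of range */
		return -ENOSYS;
	cmd &= index_mask(cmd, ARRAY_SIZE(demo_len));	/* clamp for speculation too */
	len = demo_len[cmd];
	if (len > sizeof(*op))			/* table entry must fit the destination */
		return -EINVAL;
	memcpy(op, arg, len);
	return (int)len;
}

int main(void)
{
	uint8_t src[24] = { 0 };
	union demo_op op;

	printf("cmd=1 -> %d, cmd=5 -> %d\n",
	       demo_copy_arg(1, src, &op), demo_copy_arg(5, src, &op));
	return 0;
}
```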
