[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
From: Arnd Bergmann <arnd@xxxxxxxx>
Date: Fri, 9 Feb 2018 13:57:44 +0100
Cc: Juergen Gross <jgross@xxxxxxxx>, Kees Cook <keescook@xxxxxxxxxxxx>, Linux Kernel Mailing List <linux-kernel@xxxxxxxxxxxxxxx>, David Laight <David.Laight@xxxxxxxxxx>, David Woodhouse <dwmw@xxxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Dan Williams <dan.j.williams@xxxxxxxxx>, Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Delivery-date: Fri, 09 Feb 2018 12:57:52 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Feb 5, 2018 at 4:14 PM, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
> On 05/02/18 15:03, Arnd Bergmann wrote:
>
> Snipping deleted code to make things clearer:
>
>> +     if (cmd > ARRAY_SIZE(physdevop_len))
>> +             return -ENOSYS;
>>
>> +     len = physdevop_len[cmd];
>> +     memcpy(&op.u, arg, len);
>
> You'll want an array_nospec() or whatever its called these days.  This
> code is SP1-leaky.

Maybe the best solution would be to remove the file completely. From
looking at the Xen git history, we only need this to run on Xen 3.0.2
or earlier, those early Xen releases (according to Wikipedia) never
even supported running modern kernel versions anyway, so the code
appears to be completely pointless here.

However, aside from this driver, I wonder if we should be worried about
Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case
statement into an array lookup behind our back, e.g. in an ioctl handler.
Has anybody got this on their radar?

       Arnd

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
  - From: David Laight

References:
- [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
  - From: Arnd Bergmann
- Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [PATCH v4 01/28] Xen/doc: Add Xen virtual IOMMU doc
Next by Date: Re: [Xen-devel] [PATCH] libxl: do not fail device removal if backend domain is gone
Previous by thread: Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
Next by thread: Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.