Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
From: Arnd Bergmann
> Sent: 09 February 2018 12:58
...
> However, aside from this driver, I wonder if we should be worried about
> Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case
> statement into an array lookup behind our back, e.g. in an ioctl handler.
> Has anybody got this on their radar?

The canonical code for a switch statement is to jump indirect on an array of code pointers.
ioctl handlers probably use a series of compares because the values are sparse.

Also remember that gcc-8 will convert dense switch statements that just load a value into a data array lookup.

I guess both those jump tables are potential attack vectors.
Not quite sure how they might be used to leak info though.

David

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
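The transformation David describes (a dense switch that only loads a value, lowered to a data-table lookup) written out explicitly, next to the clamped form that keeps the index in range even on a mispredicted path. This is an added example, not code from the thread or from the Xen tree; the command numbers and table are constructed, and the mask follows the idea of the Linux kernel's array_index_mask_nospec() helper rather than being that helper.

```c
#include <stddef.h>

/* Constructed: a dense run of ioctl-like command numbers, each mapped to a
 * reply size.  gcc-8 may lower this switch to a load from a read-only table. */
enum { CMD_BASE = 0x40, CMD_COUNT = 4 };

static unsigned int reply_size_switch(unsigned int cmd)
{
    switch (cmd) {
    case CMD_BASE + 0: return 8;
    case CMD_BASE + 1: return 16;
    case CMD_BASE + 2: return 32;
    case CMD_BASE + 3: return 64;
    default:           return 0;
    }
}

/* The table gcc would emit.  A range check alone is not enough: after a
 * mispredicted branch the CPU can still speculatively load reply_sizes[idx]. */
static const unsigned int reply_sizes[CMD_COUNT] = { 8, 16, 32, 64 };

/* Branchless mask: all ones when idx < size, zero otherwise (size > 0).
 * Same idea as the Linux kernel's array_index_mask_nospec(), in portable
 * unsigned arithmetic: size-1-idx wraps negative exactly when idx >= size. */
static size_t index_mask_nospec(size_t idx, size_t size)
{
#ifdef __GNUC__
    __asm__("" : "+r"(idx)); /* stop the optimiser from folding the mask away */
#endif
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return oob - 1; /* out of bounds: 1-1 = 0; in bounds: 0-1 = all ones */
}

static unsigned int reply_size_nospec(unsigned int cmd)
{
    size_t idx = (size_t)cmd - CMD_BASE; /* wraps huge for cmd < CMD_BASE */
    size_t mask = index_mask_nospec(idx, CMD_COUNT);
    if (idx >= CMD_COUNT)
        return 0;
    return reply_sizes[idx & mask]; /* < CMD_COUNT even on a speculative path */
}

/* Do both lookups agree for every 8-bit command number? 1 = yes. */
static int lookups_agree(void)
{
    for (unsigned int cmd = 0; cmd < 256; cmd++)
        if (reply_size_switch(cmd) != reply_size_nospec(cmd))
            return 0;
    return 1;
}
```

The mask makes the index the hardware actually uses provably in range regardless of how the preceding branch was predicted, which is the property the plain range check does not give.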