Hi,
Although when detect it is misprediction and drop the execution, but
it can not drop all the effects of speculative execution, like the
cache state. During the speculative execution, the:
rlim = tsk->signal->rlim + resource; // use resource as index
...
*old_rlim = *rlim;
may read some secret data into cache.
and then the attacker can use side-channel attack to find out what the
secret data is.
Virtually any observable effect of speculatively executed code can be
leveraged to create the covert channel that leaks sensitive
information[1].
A general form of spectre v1 would be[1]:
if (x < array1_size) {
y = array1[x];
// do something using y that is
// observable when speculatively
// executed
}
[1] https://spectreattack.com/spectre.pdf
Cyrill Gorcunov <gorcu...@gmail.com> 于2019年5月28日周二 下午3:10写道:
>
> On Tue, May 28, 2019 at 10:37:10AM +0800, Dianzhang Chen wrote:
> > Hi,
> > Because when i reply your email,i always get 'Message rejected' from
> > gmail(get this rejection from all the recipients). I still don't know
> > how to deal with it, so i reply your email here:
>
> Hi! This is weird. Next time simply reply to LKML (I CC'ed it back).
>
> > Because of speculative execution, the attacker can bypass the bound
> > check `if (resource >= RLIM_NLIMITS)`.
>
> And then misprediction get detected and execution is dropped. So I
> still don't see a problem here, since we don't leak info even in
> such case.
>
> That said I don't mind for this patch but rather in a sake of
> code clarity, not because of spectre issue since it has
> nothing to do here.
>
> > as for array_index_nospec(index, size), it will clamp the index within
> > the range of [0, size), and attacker can't exploit speculative
> > execution to make the index out of range [0, size).
> >
> >
> > For more detail, please check the link below:
> >
> > https://github.com/torvalds/linux/commit/f3804203306e098dae9ca51540fcd5eb700d7f40
