On Thu, May 30, 2019 at 2:24 PM Michal Hocko wrote:
> I understand the general mechanism of spectre v1. What I was asking for
> is an example of where userspace directly controls the allocation size
> as this is usually bounded to an in kernel object size. I can see how
> and N * sizeof(object) wh
[Please do not top-post]
On Thu 30-05-19 13:20:01, Dianzhang Chen wrote:
> It is possible that a CPU mis-predicts the conditional branch, and
> speculatively loads size_index[size_index_elem(size)], even if size >192.
> Although this value will subsequently be discarded,
> but it can not drop all
thanks, i think your suggestion is ok.
in my previous method is easy to understand for spectre logic,
but your suggestion is more sense to use of array_index_nospec.
On Thu, May 30, 2019 at 3:48 AM Matthew Wilcox wrote:
>
> On Wed, May 29, 2019 at 08:37:28PM +0800, Dianzhang Chen wrote:
> > Th
It is possible that a CPU mis-predicts the conditional branch, and
speculatively loads size_index[size_index_elem(size)], even if size >192.
Although this value will subsequently be discarded,
but it can not drop all the effects of speculative execution,
such as the presence or absence of data in c
On Wed, May 29, 2019 at 11:31:06PM +0300, Alexey Dobriyan wrote:
> > I think it makes more sense to sanitize size in size_index_elem(),
> > don't you?
>
> > - return (bytes - 1) / 8;
> > + return array_index_nospec((bytes - 1) / 8, ARRAY_SIZE(size_index));
>
> I think it should be fixed in po
> I think it makes more sense to sanitize size in size_index_elem(),
> don't you?
> - return (bytes - 1) / 8;
> + return array_index_nospec((bytes - 1) / 8, ARRAY_SIZE(size_index));
I think it should be fixed in poll.
Literally every small variable kmalloc call is going through this funct
On Wed, May 29, 2019 at 08:37:28PM +0800, Dianzhang Chen wrote:
> The `size` in kmalloc_slab() is indirectly controlled by userspace via
> syscall: poll(defined in fs/select.c), hence leading to a potential
> exploitation of the Spectre variant 1 vulnerability.
> The `size` can be controlled from
On Thu 30-05-19 00:39:53, Dianzhang Chen wrote:
> It's come from `192+1`.
>
>
> The more code fragment is:
>
>
> if (size <= 192) {
>
> if (!size)
>
> return ZERO_SIZE_PTR;
>
> size = array_index_nospec(size, 193);
>
> index = size_index[size_index_elem(size)];
>
> }
O
It's come from `192+1`.
The more code fragment is:
if (size <= 192) {
if (!size)
return ZERO_SIZE_PTR;
size = array_index_nospec(size, 193);
index = size_index[size_index_elem(size)];
}
Sine array_index_nospec(index, size) can clamp the index within the
range of [0, s
On Wed 29-05-19 20:37:28, Dianzhang Chen wrote:
[...]
> @@ -1056,6 +1057,7 @@ struct kmem_cache *kmalloc_slab(size_t size, gfp_t
> flags)
> if (!size)
> return ZERO_SIZE_PTR;
>
> + size = array_index_nospec(size, 193);
> index = size_
10 matches
Mail list logo
