From: Rich Freeman <rich0@gentoo.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed
Date: Wed, 31 Jan 2018 09:34:07 -0500
Message-ID: <CAGfcS_=+33Q9GRwDDT0wTeGAV5TXmdifojPCa5j4qeHhBTX42g@mail.gmail.com>
In-Reply-To: <p4sbci$st2$1@blaine.gmane.org>
On Wed, Jan 31, 2018 at 7:07 AM, Nikos Chantziaras <realnc@gmail.com> wrote:
>
> I was under the impression that it's the function that performs the call
> that needs protection. The called function doesn't need protection, because
> if it ends up being actually called, then it's too late already.
>
> For example, if sandboxed, untrusted code wants to speculatively execute a
> memcpy(), then the sandbox would need to call it on behalf of the untrusted
> code. But if the sandbox is protected, the memcpy() call would never be made
> speculatively, since retpoline will trap it. So memcpy() itself doesn't need
> protection. If memcpy() ends up being called, then it's too late. Protecting
> memcpy() doesn't do anything to prevent memcpy() from being called, as it's
> been called already.
>
I think there is some confusion here because in your scenario there
are actually 3 calls being made, and the sandbox is both being called,
and issuing a call.
In your scenario the code executing inside the sandbox calls an API in
the sandbox which in turn calls memcpy.
Code can be vulnerable to Spectre even if it doesn't call anything at
all (variant 2 of Spectre in particular does require a call, variant 1
does not, and who knows what other variants will be discovered in the
future).
In any case, the issue is that your untrusted code inside the sandbox
is calling trusted code via the sandbox API, and it is the sandbox API
that requires protection, as this is where there is a privilege
boundary.
Again, Spectre is not limited to code running in sandboxes. Your ssh
server could be vulnerable to an incoming ssh client connection if the
client is colluding with another process on the same physical CPU,
assuming your ssh server contains vulnerable code. Sandboxes are just
a particularly nasty and obvious target of this attack since they
routinely execute untrusted code on the same hardware as the software
being protected from the code.
However, this isn't a reason to just go rebuilding everything with
gcc-7.3 and assuming all is fine. The maintainers of the upstream
projects really need to assess their code for vulnerabilities, and
treat gcc as a tool that might help solve things.
--
Rich
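The point above that variant 1 needs no call at all, and that the protection belongs in the trusted API at the privilege boundary, can be made concrete with an added example (mine, not code from this thread): a sandbox API read function with a plain bounds check, beside the same function clamping its index with a branchless mask in the style of the Linux kernel's array_index_nospec(). The table contents and function names are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Trusted data the sandbox API may hand out (constructed sample). */
static const uint8_t public_table[16] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
#define TABLE_SIZE (sizeof public_table)

/* Spectre variant 1 pattern: the bounds check is correct architecturally,
 * but while the branch is still being predicted the CPU may run the load
 * with an out-of-range idx chosen by untrusted code.  No call is involved;
 * the exposure sits in the trusted API itself, at the privilege boundary. */
int api_read_unprotected(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_SIZE)
        return -1;
    *out = public_table[idx];
    return 0;
}

/* Branchless mask: all ones when idx < size, zero otherwise.  Same
 * construction as the generic array_index_mask_nospec() in Linux; assumes
 * size <= 2^63 so that (size - 1 - idx) wraps only when idx >= size. */
unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    return ~(long)(idx | (size - 1UL - idx)) >> (sizeof(long) * 8 - 1);
}

/* Hardened form: the index feeding the load is forced to 0 when out of
 * range, so a mispredicted branch cannot steer the load past the table.
 * The architectural result is unchanged (out of range still returns -1). */
int api_read_protected(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_SIZE)
        return -1;
    idx &= index_mask_nospec(idx, TABLE_SIZE);
    *out = public_table[idx];
    return 0;
}

int main(void)
{
    uint8_t v = 0;
    printf("in range: rc=%d v=%u\n", api_read_protected(3, &v), v);
    printf("mask(3,16)=%lx mask(99,16)=%lx\n",
           index_mask_nospec(3, TABLE_SIZE), index_mask_nospec(99, TABLE_SIZE));
    return 0;
}
```

Whether the mask survives compilation as a data dependency (rather than being turned back into a branch) has to be checked in the generated assembly; the kernel adds an optimizer barrier for that reason.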