On Fri, Feb 9, 2018 at 3:13 PM, David Laight <david.lai...@aculab.com> wrote: > From: Arnd Bergmann >> Sent: 09 February 2018 12:58 > ... >> However, aside from this driver, I wonder if we should be worried about >> Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case >> statement into an array lookup behind our back, e.g. in an ioctl handler. >> Has anybody got this on their radar? > > The canonical code for a switch statement is to jump indirect on an array > of code pointers. > ioctl handlers probably use a series of compares because the values are > sparse.
The majority of ioctl handlers is sparse enough that a table lookup wouldn't work, but there are still subsystems that never fully adopted the _IOC() macros, e.g. tty or socket ioctls are just consecutive numbers. > Also remember that gcc-8 will convert dense switch statements that just > load a value into a data array lookup. Right, that's the case I'm interested in here. I don't know how many of those exist in the kernel, as this would again be a small subset of the switch()/case statements that use consecutive numbers. > I guess both those jump tables are potential attack vectors. > Not quite sure how they might be used to leak info though. When I tested the xen fallback code with gcc-7.3, I noticed a retpoline getting generated for pointer array, so that should be safe. Arnd