Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

2018-02-09 Thread Dan Williams
On Fri, Feb 9, 2018 at 6:21 AM, Arnd Bergmann wrote: > On Fri, Feb 9, 2018 at 3:13 PM, David Laight wrote: >> From: Arnd Bergmann >>> Sent: 09 February 2018 12:58 >> ... >>> However, aside from this driver, I wonder if we should be worried about >>> Spectre type 1 attacks on similar code, when

Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

2018-02-09 Thread Arnd Bergmann
On Fri, Feb 9, 2018 at 3:13 PM, David Laight wrote: > From: Arnd Bergmann >> Sent: 09 February 2018 12:58 > ... >> However, aside from this driver, I wonder if we should be worried about >> Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case >> statement into an array lookup

RE: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

2018-02-09 Thread David Laight
From: Arnd Bergmann > Sent: 09 February 2018 12:58 ... > However, aside from this driver, I wonder if we should be worried about > Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case > statement into an array lookup behind our back, e.g. in an ioctl handler. > Has anybody got
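The bounded lookup this thread is circling around, written out as an added example (this is not code from the patch, from the thread, or from the Linux or Xen trees): a command-number to payload-length table, the off-by-one corrected to `>=`, and the index masked the way Linux's generic array_index_mask_nospec() does it, so that a mispredicted bounds check cannot select a length from outside the table. The table contents, the `struct op` stand-in for the hypercall argument union, and the function names are constructed for the example.

```c
/*
 * Added example of a bounds-checked, speculation-masked command -> length
 * lookup in the shape of the physdevop_len[] table under discussion.
 * Illustrative only; table contents and helper names are assumptions.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical per-command payload sizes (constructed for the example). */
static const size_t cmd_len[] = {
    [0] = 4,
    [1] = 8,
    [2] = 16,
    [3] = 0,
    [4] = 24,
};

/*
 * Same contract as Linux's generic array_index_mask_nospec(): ~0UL when
 * index < size, 0 otherwise, computed without a branch so the value is
 * right even on a speculatively executed path. Requires size <= LONG_MAX.
 */
static inline unsigned long index_mask_nospec(unsigned long index,
                                              unsigned long size)
{
    /* (index | (size - 1 - index)) has its top bit set exactly when
     * index >= size: either index itself is huge, or size-1-index wrapped. */
    return ~(long)(index | (size - 1 - index)) >> (sizeof(long) * 8 - 1);
}

/*
 * Payload length for cmd, or -1 for an out-of-range command.
 * The comparison is '>=': with '>' (as in the quoted hunk) cmd equal to
 * ARRAY_SIZE(cmd_len) would pass and read one element past the table.
 * A negative cmd converts to a huge unsigned index and is rejected too.
 */
static long lookup_cmd_len(int cmd)
{
    unsigned long idx = (unsigned long)cmd;
    unsigned long size = ARRAY_SIZE(cmd_len);

    if (idx >= size)
        return -1;

    /* Architectural check passed; clamp the index under speculation as
     * well so a mispredicted branch cannot feed an out-of-table index
     * into the load below. */
    idx &= index_mask_nospec(idx, size);
    return (long)cmd_len[idx];
}

/* Stand-in for the hypercall argument: a command plus a fixed-size union. */
struct op {
    int cmd;
    unsigned char u[32];
};

/*
 * Fill *out for cmd from arg; returns 0, or -1 for an unknown command.
 * Zero-filling first (what the '{ .cmd = cmd, }' initializer in the patch
 * achieves) keeps the unused tail of u deterministic after a short copy.
 */
static int build_op(int cmd, const void *arg, struct op *out)
{
    long len = lookup_cmd_len(cmd);

    if (len < 0)
        return -1;
    memset(out, 0, sizeof(*out));
    out->cmd = cmd;
    memcpy(out->u, arg, (size_t)len);
    return 0;
}

int main(void)
{
    unsigned char payload[32];
    struct op op;

    memset(payload, 0xAB, sizeof(payload));   /* constructed sample input */
    for (int cmd = -1; cmd <= (int)ARRAY_SIZE(cmd_len); cmd++)
        printf("cmd %2d -> len %2ld, build_op %d\n", cmd,
               lookup_cmd_len(cmd), build_op(cmd, payload, &op));
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, in plain C the compiler is entitled to notice that `idx < size` already holds after the branch and fold the mask away; the kernel's x86 version hides the operands behind inline asm for exactly that reason, so this block shows the contract, not a codegen guarantee. Second, the thread's point about gcc-8 turning a `switch` into a table load means the masking has to be applied to any compiler-generated lookup as well, which is only possible once the lookup is written out as an explicit array access like the one above.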

Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

2018-02-09 Thread Arnd Bergmann
On Mon, Feb 5, 2018 at 4:14 PM, Andrew Cooper wrote: > On 05/02/18 15:03, Arnd Bergmann wrote: > > Snipping deleted code to make things clearer: > >> + if (cmd > ARRAY_SIZE(physdevop_len)) >> + return -ENOSYS; >> >> + len = physdevop_len[cmd]; >> + memcpy(, arg, len); > >

Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

2018-02-05 Thread Arnd Bergmann
On Mon, Feb 5, 2018 at 4:14 PM, Jan Beulich wrote: On 05.02.18 at 16:03, wrote: >> int xen_event_channel_op_compat(int cmd, void *arg) >> { >> - struct evtchn_op op; >> + struct evtchn_op op = { .cmd = cmd, }; >> + size_t len; >> int rc; >> >> - op.cmd = cmd; >> -

RE: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

2018-02-05 Thread David Laight
From: Andrew Cooper > Sent: 05 February 2018 15:14 > > On 05/02/18 15:03, Arnd Bergmann wrote: > > Snipping deleted code to make things clearer: > > > + if (cmd > ARRAY_SIZE(physdevop_len)) > > + return -ENOSYS; > > > > + len = physdevop_len[cmd]; > > + memcpy(, arg, len); > >

Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

2018-02-05 Thread Andrew Cooper
On 05/02/18 15:03, Arnd Bergmann wrote: Snipping deleted code to make things clearer: > + if (cmd > ARRAY_SIZE(physdevop_len)) > + return -ENOSYS; > > + len = physdevop_len[cmd]; > + memcpy(, arg, len); You'll want an array_nospec() or whatever its called these days. 
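Review bot: the bounds check `if (cmd > ARRAY_SIZE(physdevop_len))` is off by one: a cmd equal to ARRAY_SIZE(physdevop_len) passes it and `len = physdevop_len[cmd]` then reads one element past the end of the table before feeding that value to memcpy; it should be `>=`. The helper Andrew is reaching for is array_index_nospec() from linux/nospec.h, so the lookup would read `len = physdevop_len[array_index_nospec(cmd, ARRAY_SIZE(physdevop_len))];`.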

Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

2018-02-05 Thread Jan Beulich
>>> On 05.02.18 at 16:03, wrote: > int xen_event_channel_op_compat(int cmd, void *arg) > { > - struct evtchn_op op; > + struct evtchn_op op = { .cmd = cmd, }; > + size_t len; > int rc; > > - op.cmd = cmd; > - memcpy(, arg, sizeof(op.u)); > - rc = _hypercall1(int,
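Review bot: replacing `struct evtchn_op op;` with `struct evtchn_op op = { .cmd = cmd, };` and dropping the full-size `memcpy(..., arg, sizeof(op.u))` means op.u is now zero-filled and only a per-command `len` worth of arg is copied in, so the hypervisor sees zeros rather than the caller's trailing bytes beyond that length; that is the right behaviour for a shorter copy, but it is a change in what gets passed and deserves a sentence in the commit message.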