[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

To: Arnd Bergmann <arnd@xxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Mon, 5 Feb 2018 15:14:29 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, David Laight <David.Laight@xxxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Delivery-date: Mon, 05 Feb 2018 15:19:02 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 05/02/18 15:03, Arnd Bergmann wrote:

Snipping deleted code to make things clearer:

> +     if (cmd > ARRAY_SIZE(physdevop_len))
> +             return -ENOSYS;
>
> +     len = physdevop_len[cmd];
> +     memcpy(&op.u, arg, len);

You'll want an array_nospec() or whatever its called these days.  This
code is SP1-leaky.

Userspace controls cmd and can retrieve len by timing how many adjacent
cache lines were pulled in my memcpy().

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
  - From: Arnd Bergmann
- Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
  - From: David Laight

References:
- [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
  - From: Arnd Bergmann

Prev by Date: Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
Next by Date: Re: [Xen-devel] [PATCH] x86/boot: Make alternative patching NMI-safe
Previous by thread: Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
Next by thread: Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.