[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] [v2] xen: hypercall: fix out-of-bounds memcpy

On Mon, Feb 5, 2018 at 4:14 PM, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
> On 05/02/18 15:03, Arnd Bergmann wrote:
> Snipping deleted code to make things clearer:
>> +     if (cmd > ARRAY_SIZE(physdevop_len))
>> +             return -ENOSYS;
>> +     len = physdevop_len[cmd];
>> +     memcpy(&op.u, arg, len);
> You'll want an array_nospec() or whatever its called these days.  This
> code is SP1-leaky.

Maybe the best solution would be to remove the file completely. From
looking at the Xen git history, we only need this to run on Xen 3.0.2
or earlier, those early Xen releases (according to Wikipedia) never
even supported running modern kernel versions anyway, so the code
appears to be completely pointless here.

However, aside from this driver, I wonder if we should be worried about
Spectre type 1 attacks on similar code, when gcc-8 turns a switch/case
statement into an array lookup behind our back, e.g. in an ioctl handler.
Has anybody got this on their radar?


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.