| commit | 69e9094e11c16853fd40e3b00ca25aa041ca8733 | |
| author | Dan Carpenter <dan.carpenter@oracle.com> | |
| Wed, 18 Apr 2018 11:33:15 +0000 (18 14:33 +0300) | ||
| committer | Dan Carpenter <dan.carpenter@oracle.com> | |
| Wed, 18 Apr 2018 11:37:24 +0000 (18 14:37 +0300) | ||
| tree | c8d3c4150b6ac8f6b31e418d46d97c80b8eb685a | treesnapshot (tar.gz zip) |
| parent | 03e80606674ea76b560d9f570edf4ce68d347dc1 | commitdiff |
spectre: warn about potential spectre vulnerabilities
I'm not the world's leading expert in spectre (understatement), my
understanding is that the issue is that the user supplied an invalid array
offset and the computer reads from it speculatively, and only later does
the check to say "Oh, this is an invalid offset, let's return -EINVAL;"
But the problem is that traces of the read remain so we can use it to
figure out what was in the invalid offset.
The problem is that how vulnerable you are to Spectre depends on the CPU.
Some CPUs speculatively execute up to 200 instructions in advance. Smatch
has no concept of instructions.
The kernel has an array_index_nospec() macro to turn off speculation for
a specific variable.
So what this check does is warn about where we're reading from an array and
the offset is controlled by the user, and we haven't used the
array_index_nospec() macro. There is a sort of lazy attempt to say, "If
we've recently compared this offset to something, well that something was
probably the array limit so it's probably under the 200 instruction
barrier".
I get hundreds of warnings, on yesterday's linux-next:
488 warn: potential spectre issue ''
258 warn: potential spectre issue '' (local cap)
There are about 7 places which use the array_index_nospec() macro.
Logically, you would have expected those numbers to be closer together so
it probably indicates this test is very flawed.
Anyway, this is a first draft...
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
I'm not the world's leading expert in spectre (understatement), my
understanding is that the issue is that the user supplied an invalid array
offset and the computer reads from it speculatively, and only later does
the check to say "Oh, this is an invalid offset, let's return -EINVAL;"
But the problem is that traces of the read remain so we can use it to
figure out what was in the invalid offset.
The problem is that how vulnerable you are to Spectre depends on the CPU.
Some CPUs speculatively execute up to 200 instructions in advance. Smatch
has no concept of instructions.
The kernel has an array_index_nospec() macro to turn off speculation for
a specific variable.
So what this check does is warn about where we're reading from an array and
the offset is controlled by the user, and we haven't used the
array_index_nospec() macro. There is a sort of lazy attempt to say, "If
we've recently compared this offset to something, well that something was
probably the array limit so it's probably under the 200 instruction
barrier".
I get hundreds of warnings, on yesterday's linux-next:
488 warn: potential spectre issue ''
258 warn: potential spectre issue '' (local cap)
There are about 7 places which use the array_index_nospec() macro.
Logically, you would have expected those numbers to be closer together so
it probably indicates this test is very flawed.
Anyway, this is a first draft...
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
| check_list.h | diffblobblamehistory | |
| check_nospec.c | [new file with mode: 0644] | blob |
| check_spectre.c | [new file with mode: 0644] | blob |
| smatch.h | diffblobblamehistory |