[Bug libc/25436] New: Mitigating speculative execution beyond SVC

[Bug libc/25436] New: Mitigating speculative execution beyond SVC

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25436

            Bug ID: 25436
           Summary: Mitigating speculative execution beyond SVC
           Product: glibc
           Version: 2.32
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: asteinhauser at google dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 12223
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12223&action=edit
Description of the CPU vulnerability

aarch64 CPUs speculate past the SVC instruction creating Spectre-like effects.
The equivalent behavior of the ERET instruction was already fixed in Linux,
FreeBSD, OpenBSD and Optee OS:
https://github.com/torvalds/linux/commit/679db70801da9fda91d26caf13bf5b5ccc74e8e8
https://github.com/freebsd/freebsd/commit/29fb48ace4186a41c409fde52bcf4216e9e50b61
https://github.com/openbsd/src/commit/3a08873ece1cb28ace89fd65e8f3c1375cc98de2
https://github.com/OP-TEE/optee_os/commit/abfd092aa19f9c0251e3d5551e2d68a9ebcfec8a

The full report of the vulnerability is in the attachment. The mitigation
requires just appending a DSB NSH, ISB sequence after the SVC instruction. That
should not bring an additional performance penalty, because the change of
exception levels is serializing anyway.

--
You are receiving this mail because:
You are on the CC list for the bug.
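
An added example, not part of the bug report or its attached patch: a small C checker that walks a buffer of A64 instruction words and reports every SVC that is not immediately followed by the DSB NSH, ISB sequence proposed in the report. The function names and the sample instruction stream are constructed for illustration; the encodings are the standard A64 ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A64 encodings: SVC #imm16 is 0xD4000001 | (imm16 << 5). */
#define SVC_MASK 0xFFE0001Fu
#define SVC_BITS 0xD4000001u
#define DSB_NSH  0xD503379Fu /* DSB with CRm = 0b0111 (NSH) */
#define ISB_SY   0xD5033FDFu /* ISB */

int is_svc(uint32_t insn) { return (insn & SVC_MASK) == SVC_BITS; }

/* Returns the number of SVCs in code[0..n) that are not immediately followed
 * by DSB NSH; ISB, storing the word index of the first `max` of them in out[].
 * An SVC too close to the end of the buffer counts as unfenced. Words are
 * assumed to be instructions; literal pools in .text can cause false hits. */
size_t find_unfenced_svc(const uint32_t *code, size_t n, size_t *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_svc(code[i]))
            continue;
        if (i + 2 < n && code[i + 1] == DSB_NSH && code[i + 2] == ISB_SY)
            continue;
        if (found < max)
            out[found] = i;
        found++;
    }
    return found;
}

/* Constructed sample: two syscall stubs, the second with the sequence. */
const uint32_t sample[] = {
    0xD2800808u, /* mov x8, #64 */
    0xD4000001u, /* svc #0      */
    0xD65F03C0u, /* ret         */
    0xD2800BA8u, /* mov x8, #93 */
    0xD4000001u, /* svc #0      */
    DSB_NSH, ISB_SY,
    0xD65F03C0u, /* ret         */
};

int main(void)
{
    size_t hits[8];
    size_t n = find_unfenced_svc(sample, sizeof sample / sizeof sample[0], hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("unfenced svc at offset 0x%zx\n", hits[i] * 4);
    return 0;
}
```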

[Bug libc/25436] Mitigating speculative execution beyond SVC

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25436

--- Comment #1 from Anthony Steinhauser <asteinhauser at google dot com> ---
Created attachment 12224
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12224&action=edit
Patch


[Bug libc/25436] Mitigating speculative execution beyond SVC

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25436

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com


[Bug libc/25436] aarch64: Mitigating speculative execution beyond SVC

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25436

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Mitigating speculative      |aarch64: Mitigating
                   |execution beyond SVC        |speculative execution
                   |                            |beyond SVC


[Bug libc/25436] aarch64: Mitigating speculative execution beyond SVC

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25436

Szabolcs Nagy <nsz at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |nsz at gcc dot gnu.org
         Resolution|---                         |INVALID

--- Comment #2 from Szabolcs Nagy <nsz at gcc dot gnu.org> ---
i waited for some time on the libc-alpha thread but there
does not seem to be an explanation what we should mitigate,
the proposed fix does not solve the problem described, has
significant performance impact and there seems to be no
privilege escalation or information leak that glibc might
care about. please open a new bug with relevant information
if there is something to be done.


[Bug libc/25436] aarch64: Mitigating speculative execution beyond SVC

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25436

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Is this related to CVE-2020-13844?


[Bug libc/25436] aarch64: Mitigating speculative execution beyond SVC

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25436

--- Comment #4 from Anthony Steinhauser <asteinhauser at google dot com> ---
Yes, it is.

On Tue, Jun 16, 2020 at 9:15 AM fweimer at redhat dot com
<[hidden email]> wrote:
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=25436
>
> --- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
> Is this related to CVE-2020-13844?
>
> --
> You are receiving this mail because:
> You reported the bug.
