mbox series

[0/2] arm64: spectre-v1 write fixes (CVE-2018-3693)

Message ID 20180710180123.56461-1-mark.rutland@arm.com
Headers show
Series arm64: spectre-v1 write fixes (CVE-2018-3693) | expand

Message

Mark Rutland July 10, 2018, 6:01 p.m. UTC 
These patches inhibit spectre-v1-write gadgets found in arch/arm64, using the
same mitigation applied to existing spectre-v1-read gadgets.

This issue is also known as CVE-2018-3693, or "bounds check bypass store".
More details can be found in the Arm Cache Speculation Side-channels
whitepaper, available from the Arm security updates site [1].

Thanks,
Mark.

[1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Mark Rutland (2):
  arm64: fix possible spectre-v1 write in ptrace_hbp_set_event()
  KVM: arm/arm64: vgic: fix possible spectre-v1 write in
    vgic_mmio_write_apr()

 arch/arm64/kernel/ptrace.c       | 19 +++++++++++--------
 virt/kvm/arm/vgic/vgic-mmio-v2.c |  3 +++
 2 files changed, 14 insertions(+), 8 deletions(-)

-- 
2.11.0

Comments

Alan J. Wylie July 10, 2018, 7:28 p.m. UTC | #1 
Mark Rutland <mark.rutland@arm.com> writes:

> These patches inhibit spectre-v1-write gadgets found in arch/arm64, using the

> same mitigation applied to existing spectre-v1-read gadgets.

>

> This issue is also known as CVE-2018-3693, or "bounds check bypass store".

> More details can be found in the Arm Cache Speculation Side-channels

> whitepaper, available from the Arm security updates site [1].


> [1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability


From that web page:

| Variant 1: bounds check bypass store (CVE-2017-5753) and bounds check
| bypass store (CVE-2018-3693)

Isn't -5753 a "read" vulnerability, not "store"?

-- 
Alan J. Wylie                                          https://www.wylie.me.uk/

Dance like no-one's watching. / Encrypt like everyone is.
Security is inversely proportional to convenience