From: Sujit K M
Date: Wed, 10 Jan 2018 16:46:01 +0530
Subject: Re: Response to Meltdown and Spectre
To: freebsd-security@freebsd.org
In-Reply-To: <20180108175751.GH9701@gmail.com>

> Meltdown (CVE-2017-5754)
> ~~~~~~~~~~~~~~~~~~~~~~~~
> In terms of priority, the first step is to mitigate against the Meltdown attack (CVE-2017-5754, cited as variant 3 by Project Zero). Work for this is ongoing, but due to the relatively large changes needed, this is going to take a little while. We are currently targeting patches for amd64 being dev complete this week with testing probably running into next week. From there, we hope to give it a short bake time before pushing it into the 11.1-RELEASE branch. Additional work will be required to bring the mitigation to 10.3-RELEASE and 10.4-RELEASE.
>
> The code will be selectable via a tunable which will automatically turn on for modern Intel processors and off for AMD processors (since they are reportedly not vulnerable). Since the fix for Meltdown does incur a performance hit for any transition between user space and kernel space, this could be rather impactful depending on the workload. As such, the tunable can also be overridden by the end-user if they are willing to accept the risk.
>
> Initial work can be tracked at https://reviews.freebsd.org/D13797. Please note this is a work in progress and some stuff is likely to be broken.
>
> Spectre (CVE-2017-5753 and CVE-2017-5715)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> When it comes to the Spectre vulnerabilities, it is much harder to sort these out. Variant 1 (CVE-2017-5753) is going to require some static analysis to determine vulnerable use cases that will require barriers to stop speculation from disclosing information it shouldn't. While we haven't done the analysis to determine where we are vulnerable, the number of cases here is supposed to be pretty small. Apparently there have been some Coverity rules developed to help look for these, but we are still evaluating what can be done here.
>
> The other half of Spectre, variant 2 (CVE-2017-5715), is a bit trickier as it affects both normal processes and bhyve. There is a proposed patch for LLVM (https://reviews.llvm.org/D41723) that introduces a concept called 'retpoline' which mitigates this issue. We are likely to pull this into HEAD and 11-STABLE once it hits the LLVM tree. Unfortunately, the currently supported FreeBSD releases are using older versions of LLVM for which we are not sure the LLVM project will produce patches. We will be looking at the feasibility to backport these patches to these earlier versions.
>
> There are CPU microcode fixes coming out which, in concert with OS changes, would also help, but that's a bit down the road at the moment.
>
> If anything significantly changes I will make additional posts to clarify as the information becomes available.
>
> Best regards,
> Gordon Tetlow
> with security-officer hat on

From my understanding, what is happening is that an array overflow is happening. Can't it be handled more generically?

-- 
Sujit K M
blog(http://kmsujit.blogspot.com/)
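An added illustration of the variant 1 point in the quoted text (the "barriers to stop speculation" that each site found by static analysis needs), in C. This is example code written for this page, not FreeBSD's, LLVM's or Linux's code, and the table, TABLE_SIZE, index_nospec, speculation_barrier, lookup_checked, lookup_masked and lookup_barrier names are assumptions. It places the bounds-checked array read that variant 1 concerns, which never performs an out-of-bounds access architecturally, beside the two mitigation styles such a site receives: arithmetic index masking (the approach Linux calls array_index_nospec) and an LFENCE speculation barrier.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample lookup table (size and values are assumptions). */
#define TABLE_SIZE 8
static const uint8_t table[TABLE_SIZE] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/*
 * Branchless clamp of idx to the range [0, size): returns idx when
 * idx < size and 0 otherwise. Same idea as Linux's array_index_nospec();
 * this is an illustrative reimplementation, not FreeBSD's or Linux's code.
 * Compilers normally lower the comparison to setcc/cmov rather than a
 * conditional jump; kernels use inline asm to guarantee that, which this
 * example does not.
 */
static inline size_t index_nospec(size_t idx, size_t size)
{
    size_t in_range = (size_t)(idx < size);   /* 1 or 0, computed without a branch */
    size_t mask = (size_t)0 - in_range;       /* all ones when in range, else all zeros */
    return idx & mask;
}

/*
 * Speculation barrier: LFENCE on x86 does not issue later instructions
 * until earlier ones have completed, so the load placed after it cannot
 * run ahead of an unresolved branch. On other architectures this falls
 * back to a compiler-only barrier, which does not stop hardware
 * speculation (assumption: x86 is the target of interest here).
 */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/*
 * Architecturally correct bounds check: no out-of-bounds read ever
 * retires, so this is not an array overflow in the usual sense. The
 * variant 1 concern is that table[idx] may be loaded transiently while
 * the branch is still predicted, using an idx the check later rejects.
 */
int lookup_checked(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return -1;
}

/* Hardened with index masking: even on a mispredicted branch the address
 * computed for the load lies within table[0..TABLE_SIZE-1]. */
int lookup_masked(size_t idx)
{
    if (idx < TABLE_SIZE) {
        idx = index_nospec(idx, TABLE_SIZE);
        return table[idx];
    }
    return -1;
}

/* Hardened with a barrier: the load is not issued until the bounds-check
 * branch has resolved. */
int lookup_barrier(size_t idx)
{
    if (idx < TABLE_SIZE) {
        speculation_barrier();
        return table[idx];
    }
    return -1;
}

int main(void)
{
    size_t probes[] = { 3, 7, 8, (size_t)-1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("idx=%zu checked=%d masked=%d barrier=%d\n",
               probes[i], lookup_checked(probes[i]),
               lookup_masked(probes[i]), lookup_barrier(probes[i]));
    }
    return 0;
}
```

Neither hardened form changes what the function returns; the difference lies only in what the CPU may do transiently before the branch resolves. That is why the quoted plan describes per-site analysis and barriers rather than a single generic change: a correct bounds check is already present at such sites, and the mitigation has to be applied to each one the analysis identifies.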