On Wed, May 29, 2019 at 10:39:52AM +0800, Dianzhang Chen wrote:
> Hi,
>
> Although when it detects a misprediction it drops the execution, it
> cannot drop all the effects of speculative execution, like the
> cache state. During the speculative execution, the:
>
> > rlim = tsk->signal->rlim + resource; // use resource as index
> > ...
> > *old_rlim = *rlim;
>
> may read some secret data into cache.
>
> and then the attacker can use a side-channel attack to find out what the
> secret data is.
This code works after the check_prlimit_permission call, which means you already should have permission granted. And you imply that the misprediction is gonna be that deep, involving a number of calls/reads/writes/jumps/locks-rb-wb-flushes and a bunch of other instructions, and moreover that all conditions are "mispredicted". This is a very bold and actually unproven claim! Note that I pointed out the patch is fine in a cleanup context, but seriously I don't see how this all can be exploitable in the sense of Spectre.
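For readers following the disagreement above, the mitigation the patch is about is the Linux array_index_nospec() idiom: clamp the untrusted index with a branchless mask so that even a mispredicted bounds check cannot speculatively dereference an out-of-range slot. The following is an added, self-contained user-space illustration of that masking technique; it is not code from the patch or from the kernel. The table name `limits`, its size `NLIMITS`, and the functions `index_mask_nospec`, `set_limit` and `read_limit_nospec` are constructed for this example.

```c
#include <stdio.h>
#include <limits.h>

/* Constructed stand-in for the per-task rlimit table indexed by an
 * untrusted "resource" number (the kernel uses RLIM_NLIMITS there). */
#define NLIMITS 16
static unsigned long limits[NLIMITS];

/* Branchless mask in the spirit of the kernel's array_index_mask_nospec():
 * returns ~0UL when idx < size and 0 otherwise, with no conditional branch,
 * so the CPU has nothing to mispredict on this path.
 *
 * Derivation: when idx < size, neither idx nor (size - 1 - idx) has the top
 * bit set, so ~(idx | (size - 1 - idx)) does; when idx >= size, the
 * subtraction wraps to a value with the top bit set (or idx itself has it),
 * and the complement's top bit is clear. The top bit is then broadcast to
 * every bit position with an unsigned shift and a negation, which keeps the
 * whole computation portable (no arithmetic right shift of a negative value).
 */
static unsigned long index_mask_nospec(unsigned long idx, unsigned long size)
{
    /* Hide idx from the optimiser so the mask is really emitted even when
     * the compiler believes the preceding range check makes it redundant.
     * (GCC/clang inline-asm barrier, the analogue of OPTIMIZER_HIDE_VAR.) */
    __asm__ volatile("" : "+r"(idx));
    unsigned long t = ~(idx | (size - 1UL - idx));
    return 0UL - (t >> (sizeof(unsigned long) * CHAR_BIT - 1));
}

/* Populate one slot; returns 0 on success, -1 for an out-of-range index. */
int set_limit(unsigned long resource, unsigned long value)
{
    if (resource >= NLIMITS)
        return -1;
    limits[resource] = value;
    return 0;
}

/* Hardened read: the architectural check rejects bad indices, and the mask
 * forces the index to 0 on any speculative path where that check was
 * mispredicted, so the load can only ever touch the table itself. */
unsigned long read_limit_nospec(unsigned long resource)
{
    if (resource >= NLIMITS)
        return ULONG_MAX;            /* constructed error sentinel */
    resource &= index_mask_nospec(resource, NLIMITS);
    return limits[resource];
}

int main(void)
{
    set_limit(3, 42);
    printf("in-range  idx 3  -> %lu\n", read_limit_nospec(3));
    printf("mask(3,16)=%#lx mask(16,16)=%#lx mask(MAX,16)=%#lx\n",
           index_mask_nospec(3, NLIMITS), index_mask_nospec(16, NLIMITS),
           index_mask_nospec(ULONG_MAX, NLIMITS));
    return 0;
}
```

The mask, not the `if`, is what carries the guarantee: the branch is still needed for correct architectural behaviour, but it is the AND with a value derived purely from arithmetic that bounds what a speculative execution of the load can reach.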