On 17/10/2024 10:55 pm, Josh Poimboeuf wrote: > At least for now, continue to assume mask_user_address() is safe on AMD > when combined with STAC/CLAC -- as get_user(), put_user() and > masked_user_access_begin() already do today.
Honestly, I find this a very worrying position to take. It's one thing not to know there's a speculative security vulnerability with how mask_user_address() is used. It's totally another to say "lets pretend that it doesn't exist so we can continue to make things faster". Even if you can get Intel and AMD to agree that STAC/CLAC are really LFENCEs (and I think you'll struggle), they'd only confer the safety you want between a real conditional that excludes the non-canonical range, and the pointer deference. Any path that genuinely deferences a non-canonical pointer is not safe, whatever serialisation you put in the way. The attacker wins the moment the load uop executes. The final hunk of patch 1 is safe (iff STAC is given extra guarantees) because it is between the conditional and the deference. Patch 4 is not safe (if the comment is correct) because it removes the conditional. Or state that you intend to disregard this non-canoncal speculation problem; that's fine(ish) too, as long as it's done transparently. ~Andrew
