Gentoo Archives: gentoo-user

From: mad.scientist.at.large@××××××××.com
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: some spectre v1 code in 4.15.2
Date: Tue, 13 Feb 2018 21:50:40
Message-Id: L5G8Ran--3-0@tutanota.com
In Reply to: Re: [gentoo-user] Re: some spectre v1 code in 4.15.2 by Mick
That is specious reasoning at best.  The jit option requires that you allow mixed instructions/data in memory, which leaves you open to a lot more than spectre.  The problem is you've (Red Hat) sold people a bill of goods with java jit, the solution is for people to write proper code and corporations to not tolerate bad code that ignores everything that's been learned about security.

Besides, there's no reason to think, particularly given its sloppy, sloppy coding, that the jit option has fewer security holes in general.

This is the same type of CRAP that has led to systemD (for Dumb Ass) and other bloatware like gnome3.  If I wanted bad security, unreliability, bloatware and the destruction of the illusion of "high speed data processing" I'd use winblows.

Seriously, can we try to keep these corporate shills the hell off the list?

Yes, I hate red hat, google, chrome, and now firefox.

It's not so much that we've produced a generation of bad coders who don't know better, the problem is no one cares about anything other than $$$ in America any more.  I'm ashamed of my fellow "citizens".

If you are going to blatantly lie and obfuscate please do it on Fox News!

mad.scientist.at.large (a good madscientist)
--
God bless the rich, the greedy and the corrupt politicians they have put into office.   God bless them for helping me do the right thing by giving the rich my little pile of cash.  After all, the rich know what to do with money.


13. Feb 2018 02:48 by michaelkintzios@×××××.com:


> On Tuesday, 13 February 2018 02:18:33 GMT Nikos Chantziaras wrote:
>> On 13/02/18 03:31, Ian Zimmerman wrote:
>> > On 2018-02-13 03:13, Nikos Chantziaras wrote:
>> >> Apparently, and contrary to what people (me included) wrote here in
>> >> the past, BPF JIT is the secure option, and the interpreter is the
>> >> insecure one.
>> >
>> > Do you have a reference for this? It sounds strange indeed.
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=290af86629b25ffd1ed6232c4e9107da031705cb
>>
>> "The BPF interpreter has been used as part of the spectre 2 attack
>> CVE-2017-5715.
>> [...]
>> To make attacker job harder introduce BPF_JIT_ALWAYS_ON config
>> option that removes interpreter from the kernel in favor of JIT-only mode."
>
> Thanks for sharing this Nikos.
>
> Perhaps I'm reading the referenced post wrong. If the BPF interpreter has
> been used for spectre2, then disabling CONFIG_BPF_SYSCALL does away with it
> altogether, rather than turning it on and then setting BPF_JIT_ALWAYS_ON to
> guard against its inherent vulnerability by using JIT-only mode? Is there
> some overriding benefit of having BPF enabled at all in the first place?
>
> PS. I don't remotely assume I properly understand the BPF mechanism, I just
> want to test my understanding above.
> --
> Regards,
> Mick
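Mick's question above is whether switching off CONFIG_BPF_SYSCALL removes the interpreter, or whether BPF_JIT_ALWAYS_ON is what actually does it. The script below is an added example, not code from this thread or from the kernel tree: it classifies a kernel .config by the options the quoted commit names, and the sample .config fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or the kernel tree. Reads a kernel
# .config from stdin and reports how BPF programs will execute, using the
# options the quoted commit introduces. Sample configs below are constructed.

# Prints "<syscall state> <execution mode>", e.g. "syscall-on jit-only".
#   jit-only          CONFIG_BPF_JIT_ALWAYS_ON=y: interpreter compiled out
#   jit-optional      CONFIG_BPF_JIT=y only: interpreter still built, the
#                     net.core.bpf_jit_enable sysctl decides at runtime
#   interpreter-only  no JIT at all
# In the kernel's Kconfig, BPF_JIT_ALWAYS_ON depends on BPF_SYSCALL, so
# switching the syscall off does not remove the interpreter: classic BPF
# (socket filters, seccomp) still runs through it.
bpf_mode() {
    cfg=$(cat)
    has() { printf '%s\n' "$cfg" | grep -q "^$1=y\$"; }
    if has CONFIG_BPF_SYSCALL; then sc=syscall-on; else sc=syscall-off; fi
    if has CONFIG_BPF_JIT_ALWAYS_ON; then mode=jit-only
    elif has CONFIG_BPF_JIT; then mode=jit-optional
    else mode=interpreter-only
    fi
    echo "$sc $mode"
}

# Runtime view: the sysctl value (0 = interpreter, 1 = JIT, 2 = JIT with
# debug dump). Takes the value as an argument so it can run offline; on a live
# box: jit_sysctl "$(cat /proc/sys/net/core/bpf_jit_enable)"
jit_sysctl() {
    case $1 in
        0) echo interpreter ;;
        1) echo jit ;;
        2) echo jit-debug ;;
        *) echo unknown ;;
    esac
}

# Constructed .config fragments: the weak setting and the corrected one.
weak_config()       { printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\n# CONFIG_BPF_JIT_ALWAYS_ON is not set\n'; }
hardened_config()   { printf 'CONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\nCONFIG_BPF_JIT_ALWAYS_ON=y\n'; }
no_syscall_config() { printf '# CONFIG_BPF_SYSCALL is not set\n# CONFIG_BPF_JIT is not set\n'; }

weak_config | bpf_mode        # syscall-on jit-optional
hardened_config | bpf_mode    # syscall-on jit-only
no_syscall_config | bpf_mode  # syscall-off interpreter-only
```

On Gentoo the real input is usually `zcat /proc/config.gz | bpf_mode` (needs CONFIG_IKCONFIG_PROC) or `bpf_mode < /usr/src/linux/.config`.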

Replies

- [gentoo-user] Re: some spectre v1 code in 4.15.2, by Ian Zimmerman <itz@××××××××××××.org>
- Re: [gentoo-user] Re: some spectre v1 code in 4.15.2, by Peter Humphrey <peter@××××××××××××.uk>