Spectre (bounds check bypass / speculative execution leakage)

PoC outline (high-level):\n\nBackground: On LoongArch, the syscall dispatch path reads the function pointer from sys_call_table[nr] when a user-space process makes a system call. If an attacker can influence speculative execution to access an out-of-bounds entry before the bounds check is observed, information could be leaked from kernel memory via a side channel.\n\nBefore the fix (vulnerable behavior):\n- Code path: do_syscall(regs) -> if (nr < NR_syscalls) { syscall_fn = sys_call_table[nr]; ... }\n- Speculation: The CPU may speculatively execute the memory load sys_call_table[nr] even when nr >= NR_syscalls, causing a leakage of a byte/word from the underlying memory if coupled with a cache timing side channel.\n\nProof-of-concept (high-level, not a drop-in exploit):\n1) Prepare a user-space probe array cache_probe[256], aligned to cache lines. Each index i maps to a cache line that encodes the value i.\n2) Train the branch predictor to believe nr < NR_syscalls for a specific out-of-range nr, by issuing many legitimate syscall invocations with nr slightly below NR_syscalls.\n3) Trigger a syscall with nr set to a crafted out-of-bounds value (nr >= NR_syscalls). While the kernel still guards by a check, speculative execution could access sys_call_table[array_index_nospec(nr, NR_syscalls)], leaking a byte from the kernel memory pointed to by that slot into the cache line corresponding to that byte value.\n4) Use a user-space timing attack (Prime+Probe or Flush+Reload) on cache_probe to read the leaked byte value from the kernel memory address that was speculatively accessed.\n\nPost-fix expectation:\n- The speculation uses array_index_nospec to clamp the index to a safe value during speculative execution, preventing the out-of-bounds access and thus preventing the leakage via the cache side channel.\n\nImportant notes:\n- Implementing a reliable PoC requires a LoongArch environment and kernel with and without the patch; this outline is meant to illustrate the attack surface and the mitigation mechanism.

diff --git a/arch/loongarch/kernel/syscall.c b/arch/loongarch/kernel/syscall.c index 1249d82c1cd0ac..dac435c3274337 100644 --- a/arch/loongarch/kernel/syscall.c +++ b/arch/loongarch/kernel/syscall.c @@ -9,6 +9,7 @@ #include <linux/entry-common.h> #include <linux/errno.h> #include <linux/linkage.h> +#include <linux/nospec.h> #include <linux/objtool.h> #include <linux/randomize_kstack.h> #include <linux/syscalls.h> @@ -74,7 +75,7 @@ void noinstr __no_stack_protector do_syscall(struct pt_regs *regs) add_random_kstack_offset(); if (nr < NR_syscalls) { - syscall_fn = sys_call_table[nr]; + syscall_fn = sys_call_table[array_index_nospec(nr, NR_syscalls)]; regs->regs[4] = syscall_fn(regs->orig_a0, regs->regs[5], regs->regs[6], regs->regs[7], regs->regs[8], regs->regs[9]); }