IssueTracker

Could you CC the reviewers to this bug so that they can access it - just so we can get the relevant people involved.

Also is it possible to attach the patch to this bug report so we can see what is involved on the clang side?

adding Chandler, who will have useful opinions on landing mitigations for embargoed vulnerabilities in the LLVM tree

In the past (e.g. when Intel disclosed LVI) our approach was to have patches ready to go and pre-reviewed by appropriate (and appropriately read-in) code owners but not post the patches "for real" until the embargo lifted. Usually this was part of a larger comms strategy where announcements were made in other forums.

Is there an entity beyond security@kernel.org that's coordinating this disclosure?

(re-reading, my second paragraph just repeats what you already laid out. Good independent verification but apologies for not reading the dates more carefully.)

I don't have permission to CC folks it seems, but it would be worth adding:

* Aaron Ballman <aaron@aaronballman.com> (a code owner for clang who has already reviewed my patch off list)
* Craig Topper <craig.topper@gmail.com> (a code owner for the x86 backend who has already reviewed my patch off list)

x86 is the only confirmed architecture affected. ARM has confirmed they're not affected for their micro-architectures. Not all x86 micro-architectures are affected.  Not seeing one particular x86 vendor represented in the LLVM Security Group is...concerning.

> Also is it possible to attach the patch to this bug report so we can see what is involved on the clang side?

Yes, but just note that the LLVM code is somewhat a giveaway of what's going on here.  GCC has had a similar feature for years; they did not publish the patch under embargo but rather did so publicly back when various spectre and meltdown mitigations were being tested before the development of retpoline.  The very first comment on the GCC mailing list was along the lines of "What is this?"  I'd like to avoid that here if possible; the name of the game is to not spill the beans to too wide an audience prematurely.  Doing so would lose LLVM their (lone) seat at the table for Linux kernel vulnerability disclosures such as this.  So we need to be super careful about keeping this need to know.

> Is there an entity beyond security@kernel.org that's coordinating this disclosure?

The encrypted kernel mailing list I'm referring to that is coordinating is not that specific email address.  It's more controlled than even that list and members of that list (security@kernel.org) aren't even considered need to know for this one. I don't know whether linux-distros@vs.openwall.org has even been contacted yet; the kernel patch set is up to ~45 patches and growing, and backports will be painful.

@oliver: my understanding of the patch is that it is not messing up with the call stack, just using a trampoline. So I assume it would be nice to have the trampoline target in a hot code section as it's likely to be shared by a lot of functions, but that's it, right?

I have reviewed the backend portion and you can see some comments in https://crbug.com/llvm/33#c9. Those comments were very minor. I'm happy with the backend portion. I will be around on Jul 12 and can approve quickly as well.

Thanks Craig!

Righto

Updated with Craig's latest comments.

> is replacing ret with a jmp absolutely necessary

I think so; it might ultimately not be, but it is how Linux kernel developers have decided to mitigate the vulnerability for the time being. It's not my call though, I was just asked to implement -mfunction-return=/__attribute__((function_return(""))) like GCC has already had now for years.  In order for clang to be useful as a drop in replacement for GCC, clang needs to match command line flag, function attribute, and codegen ABI frequently.

> my experience in other domains suggests that messing with the x86 call stack cache does pretty terrible things to performance.

Yep, the performance overhead of this isn't great for sure.  An additional set of kernel patches are in the works to try to claw back some performance lost to this approach, but they're not pretty and haven't been vetted quite yet.  Time will tell if this is the ultimate solution to this issue, but for now it's what we've got.

> If it is, do we know if this is actually x86 specific?

Not all x86 uArchs are effected.  The exploit is specific to uArch's the speculate return addresses in a specific way, and how they behave under specific circumstances wrt. kernel vs userspace privilege boundaries.  But there are at least two x86 vendors effected.

ARM commented that their micro architectures were not affected.  I'm guessing that they can't vouch for their architectural licensees micro architectures though.  That said, I can ask on the encrypted list about architectural licensees, and whether the reporters have tested other architectures or uArchs or contacted other vendors.

> zero-daying every other architecture is also not a super great outcome.

I agree but again it's not my call and there's no stopping the train now; regardless of my toolchain patch the embargo will lift July 12.  The researchers that reported the vulnerability may not have access to every uArch under the sun, and I don't know who they have or have not contacted about this vulnerability.

That said, there are non-Linux-kernel vendors participating in the encrypted list IIUC.  It might be worthwhile for security representatives at various organizations to get involved.
https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html

There's also other non-Linux operating system vendors on the linux-distros mailing list, which also has early access to embargo'd vuln reports+fixes:
https://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists

FLOSS projects have a catch-22 of needing to develop mitigations behind closed doors, without publishing mitigations before embargo lift (similar to what we're doing here but for the toolchain). Those are the methods open source operating system developers have converged on, and made available to folks developing proprietary operating systems to participate in.

Nick, for us distribution packager to prepare, can you give us an hint whether this patch impacts BPF, which (if I'm not mistaken) always requires LLVM, even for GCC-built Linux?

From my understanding of the Linux kernel mitigation patches, which I have access to but cannot share outside the encrypted mailing list (much to the dismay of my employer), BPF programs are affected BUT it's the BPF JIT's x86 backend within the Linux kernel which is affected, not the BPF interpreter or the programs themselves. So I don't expect that BPF programs will need to be recompiled; instead distributions may need to either ship kernels with up to date mitigations, or consider disabling the BPF JIT.

That said, it may be better to ask on the linux-distros list once the kernel mitigations are published there (I don't know if they are, please don't spill the beans otherwise!).  Once the patches are public, I can point to any formal recommendations they may have.

But right now, it looks like Patch 10/45 addresses the x86 BPF JIT in the corresponding (and unpublished) Linux kernel patches.

My toolchain patch is orthogonal to the x86 BPF JIT.  BPF programs aren't expected to be compiled with -mfunction-return, use __attribute__((function_return(""))), or rely on my compiler patch at all.  BPF JIT backends may need to call the same runtime hooks that this toolchain patch generates jmps to, as provided by the runtime environment (in this case, the Linux kernel).

Also, it looks like work has started on backporting the kernel patches to the 5.18.y, 5.17.y, and 5.15.y branches of the LTS stable kernel tree.
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
(Not pushed publicly, just pointing where that tree is)
Requests have been made for 5.14.y and 4.19.y but it's not clear to me that work has started yet on those branches, or that it will.  Distros shipping kernels based on older branches will be encouraged to move to something newer, and something based off LTS (as usual)(some distros DON'T use LTS).

Thanks Nick for the details!

Thanks for reporting this to us in advance!

I'm representing Rust here, and from what I gather these mitigations are only going to be needed by the Linux kernel. In that case there shouldn't be a need to make a security point release of rustc, as Rust is not yet used in mainline Linux. Is my reading here correct?

> only going to be needed by the Linux kernel

For the time being, yes.  Other operating systems may choose to mitigate the issue similarly, or not at all.  I guess there could be another OS, written in Rust, that wants to mitigate the issue using this feature. But I'd perhaps wait for such a feature request from such theoretical developers if such a scenario exists.

> there shouldn't be a need to make a security point release of rustc, as Rust is not yet used in mainline Linux

The rust-for-linux folks might be interested in this eventually, but rustc would need feature development since the LLVM IR function attributes added here are controlled by command line flags and function attributes from clang and the C/C++ code respectively. Rust support isn't in the kernel yet, though I am hopeful it will be, and have been providing review upstream on their patch series.

So without the corresponding front end work to rustc, rolling my llvm+clang change out in a point release wouldn't be useful at this time, IMO.

Sounds good, thanks for the clarification! We'll avoid preparing a Rust point release then, unless after the embargo other OS vendors express interest in such a release.

> Sounds good, thanks for the clarification!

Thanks for checking, our Rust team had pretty much the exact same question.

> zero-daying every other architecture is also not a super great outcome.

So I reached out to ARM folks on the encrypted mailing list, as well as the reporters.  I heard back from both.

ARM re-iterated that they cannot comment on competing uArch implementations. They recommended the researchers contact Apple directly.  ARM mentioned they do "brief" architectural licensees, but don't necessarily share the researchers' whitepaper.  They also mentioned the same mailing lists be joined that I mentioned in https://crbug.com/llvm/33#c18.

This is second hand paraphrasing from me though; I don't speak on behalf of ARM in any capacity.

The researchers mentioned they have not tested their exploit on m1/m2 macs, or researched other architectures.

I can endeavor to prod people and/or forward anything to SEAR if I'm given something to forward. Researchers are free to email me and have me forward to people if they feel the public facing email is a blackhole.

If they're super paranoid, they can also use iMessage: oliver@nerget.com 

iMessage is secure, I worked on the crypto myself, trust me :D

I've shared your two email addresses with the researcher:
- ohunt@apple.com
- oliver@nerget.com

Otherwise, I believe their email address is:
Johannes Wikner <kwikner@ethz.ch>

So I've talked to Johannes, and it sounds like they're happy to upload details to the google bug tracker, however I have no familiarity with the system so don't know how to grant the required access.
If someone from Google knows, would they be able to?

[Empty comment from Monorail migration]

Trying to CC johannes.wikner@gmail.com as that's associated with a google account. Being a person who works with technology, has worked on browsers, etc I failed to notice the CC field.

Hi there,

I'll hand you our paper and the pocs we made for Intel (Skylake-like), AMD (fam 17h, but likely 15h,16h,18h too) and ARM ThunderX2. As you will find, however, we don't mention ARM at all in the paper. The only ARM machine we have in our lab is a ThunderX2, and it seems to be vulnerable to all kinds of BTI Spectres under this user--kernel threat model. Because these CPUs don't seem have (or use?) the necessary SMC workaround or CSV2 feature, we assumed that they could not be representative for ARM.

As for the AMD and Intel ones, the end-to-end exploits are made specifically for the kernel build we carried out the research on, which was the latest ubuntu/focal kernel available at the time (5.8.0-63-generic).

Sorry Johannes, I missed the above update. I've got this tracked internally as rdar://96815394. It includes your ETH contact + PGP information, so theoretically Product Security should reach out to you reasonably quickly (it is 2am PST however so the people I can prod are still asleep :) ). If you haven't heard anything by I guess around 2am tomorrow in Swiss time.

I have landed my patch.
https://reviews.llvm.org/D129572
https://reviews.llvm.org/rG2240d72f15f3b7b9d9fb65450f9bf635fd310f6f

Thanks again to the LLVM Security Group members, Researchers, and Aaron and Craig.

The embargo has now lifted.

Any concern with making this thread public from either the researchers side or the Apple side?

I'd be ok with keeping this thread embargoed until we have a confirmation from Oliver that we would not be zero-daying Apple.

There's no concern on the Apple side, thanks all!

Patch is reviewed+landed, so it seems like the security bug did its job on coordination. Echo Nick's thanks to everyone who came together to make sure we had a good response.

Given above messages, and more than a week with no objections, I'm derestricting.

This issue was migrated from crbug.com/llvm/33?no_tracker_redirect=1

[Auto-CCs applied]

Sean: for that, you might want to hit "Me too!" in be https://issuetracker.google.com/35827225 as well.

This critical for us :(

+1 StackOverflow:
https://stackoverflow.com/questions/16023571/google-places-api-restaurant-types

+1

Is there any other solution to this?

now that google have increased the cost for API access.... can we have this very basic feature?

+1

+1

+1

+2 StackOverflow:
https://stackoverflow.com/questions/40305984/google-places-detail-api-categories-not-returning-same-value-as-on-webpage

https://stackoverflow.com/questions/45785672/how-to-get-place-description-from-google-places-api

+1

Assigning to new Places PM

+1. This would be extremely helpful.

+1.
A must have. The info is there, should be simple to expose it.
This is actually a deal breaker for me, since this is crucial part of what I need.

Could really use this feature

+1

Any updates?

+1
From that standpoint the Foursquare API is superior and provides specific categories (+ icons) for each venue type

I would love for the Google Place API to provide similar info. The current Place Types list remains very high level, and an awful lot of venues' primary categories are filed as "point of interest". That's currently the single weakness of the API that is keeping us away from using it vs. Foursquare.

Considering that the Google My Business API already supports a much more specific list of place types than the Place API, it is hard to understand why the same list is not made available in the Place API.

Detailed info on the hours of operation and reviews, but no short description of what the place actually is. Incongruent, to say the least.

+1

+1

+1

Can we get an official response to this issue? it has been open for 5.5 years now.

Please!!!

Hahaha!
Two years have passed but nothing.
Keep it up, google!

+1

+1

+1

+1

+1

Really need this feature in the place API!

+1

+1

+1

+1

+1

+1

+1

+1

+1

+1

+1

+1

As mentioned before, a clear negative vs Foursquare. We are about to decide which API to use for our Product (Google Places vs Foursquare) and this feature alone will probably tip the balance...

+1

+1

+1

+1 StackOverflow:
https://stackoverflow.com/questions/57711408/google-maps-api-not-returning-category-from-search

anyone have an update on this? I could really use this in the places API.

+1

+1

Was this implemented? The issue was opened in 2013.

+1

+1 me gustaría que se aplicara esa función

+1 any update?

This was not found in the PLACE API.
Does anyone know how to find in any other API?

+1

+1

+1 does anyone know if this has been added yet?

+1

Looks like this still hasn't been added after all these +1s. I'd really love for this feature to be added to the API. So....plus 1 for me too.

+10086

+1 StackOverflow:
https://stackoverflow.com/questions/60119470/how-to-retrieve-the-occupation-name-from-google-places-api

+1

+1

+1

+1 StackOverflow:
https://stackoverflow.com/questions/60637844/google-places-web-page-has-more-details-than-api-query

+1

This is really needed in the nearby search response

+1

+1 pls google overlords

+1 StackOverflow:
https://stackoverflow.com/questions/61327638/google-places-api-getting-type-of-restaurant

+1 how come it still hasn't been added...

+1

+1

+1 FIVE YEARS LATER and still not implemented?!

In 5 years we've had 3 different messaging apps, but we can't get this basic functionality?!

+1

+1

+1

Unbelievable that Google does not care about the places API but  still raises the prices drastically. I'm out ;)

How has this not been added to the API yet? This is insane

+1

https://stackoverflow.com/questions/63196982/how-can-i-get-exact-sub-category-name-about-a-place-from-google-places-api-in-an/63228579#63228579

+1

+1 StackOverflow:
https://stackoverflow.com/questions/63829655/is-it-possible-to-get-the-google-maps-rating-category-through-the-google-places

+1 Previous stack overflow post has been removed because it is a duplicate of this stackoverflow question. https://stackoverflow.com/questions/45785672/how-to-get-place-description-from-google-places-api

+1
Otherwise we have to try via OSM.

I'd like to add that it would be nice about restaurants not just to mention which types of restaurant it is (Italian, Chinese, ...), but also if it fits some people's eating-lifestyle.
For example Kosher, Halal, vegan, ...

Any update?
+1

+1

+1

+1

+1

+1.  Google team.. It is pretty crazy that this has not been added to the API / documentation yet.  Please let us know how this is looking on the roadmap in 2020!
Thanks.

+1

+1

+1

+1

+1

+ 1

+1

+1

+1

Nearly 8 years? +1

+2

+1

+1

+1

+1

+1

+1

+1

+1000

Hi Support,

Cloud you please help to add a business management consultant place type for our business?

We saw the business management consultant place type is available in Google Maps.
But We search for "synpulse hong kong limited" by Place AutoComplete API.
We only see both types "point_of_interest" and "establishment" from the Api's response.
https://maps.googleapis.com/maps/api/place/autocomplete/json?input=synpulse%20hong%20kong%20limited&key=<PLACE_YOUR_KEY>

Thanks for your help!

Hi Support,

We also want to request to add another cell phone store place type for our business.
We saw the cell phone store place type is also available in Google Maps.
But We search for "Chrisbanks Gsm Center" by Place AutoComplete API.
We saw there are three types "point_of_interest", "store", and "establishment" from the Api's response.
https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Chrisbanks%20Gsm%20Center&key=<PLACE_YOUR_KEY>

Thanks for your help!

+1

Abdi Seid

On Fri, Jul 23, 2021, 6:22 AM <buganizer-system@google.com> wrote:

Abdi Seid

On Fri, Jul 23, 2021, 6:19 AM <buganizer-system@google.com> wrote:

Interesting one

Abdi Seid

On Fri, Jul 23, 2021, 5:36 AM <buganizer-system@google.com> wrote:

+1

Abdi Seid

On Thu, Aug 19, 2021, 7:10 PM <buganizer-system@google.com> wrote:

+1

+1

Would love this. Thank you!

Its amazing how Google ignored this request. Seems there is something else going on that Google would not like us to know.

add this already omg

7 years of requesting for the same update, yet no change

My guess/assumption is that Google does't wish to share this level of detail (unless maybe we're paying for it) because it might help others compete with Google themselves in the supply of detailed / specialist search directories.

I would absolutely love this feature. +100

just tell us Google, you want money for this info. Take it...

+++

+++

Interesting I'm glad I came here wont waste my time ill find a competitor.

Will google ever Acknowledge this (it makes it much more difficult to query each everytime) i figure its a easy field to add in the PlacesAPI (types)

from a food perspective.
category = sushi / steakhouse

+1

+1 :)

+1 :)

+1

+1

+1