From: Dan Williams <dan.j.williams@intel.com>
To: Adam Sampson <ats@offog.org>
Cc: Jann Horn <jannh@google.com>,
kernel list <linux-kernel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Catalin Marinas <catalin.marinas@arm.com>,
"the arch/x86 maintainers" <x86@kernel.org>,
Will Deacon <will.deacon@arm.com>,
Russell King <linux@armlinux.org.uk>,
Ingo Molnar <mingo@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Alan Cox <alan@linux.intel.com>,
Alexei Starovoitov <ast@kernel.org>
Subject: Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references
Date: Fri, 19 Jan 2018 10:12:47 -0800 [thread overview]
Message-ID: <CAPcyv4iEZMkU-K14vTcFSjAy=12QHPJjMGc8Uu7xUVakHfqOyQ@mail.gmail.com> (raw)
In-Reply-To: <y2afu71pwob.fsf@offog.org>
[ adding Alexei back to the cc ]
On Fri, Jan 19, 2018 at 9:48 AM, Adam Sampson <ats@offog.org> wrote:
> Jann Horn <jannh@google.com> writes:
>
>>> +/*
>>> + * If idx is negative or if idx > size then bit 63 is set in the mask,
>>> + * and the value of ~(-1L) is zero. When the mask is zero, bounds check
>>> + * failed, array_ptr will return NULL.
>>> + */
>>> +#ifndef array_ptr_mask
>>> +static inline unsigned long array_ptr_mask(unsigned long idx,
>>> unsigned long sz)
>>> +{
>>> + return ~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1);
>>> +}
>>> +#endif
>>
>> Nit: Maybe add a comment saying that this is equivalent to
>> "return ((long)idx >= 0 && idx < sz) ? ULONG_MAX : 0"?
>
> That's only true when sz < LONG_MAX, which is documented below but not
> here; it's also different from the asm version, which doesn't do the idx
> <= LONG_MAX check. So making the constraint explicit would be a good idea.
>
> From a bit of experimentation, when the top bit of sz is set, this
> expression, the C version and the assembler version all have different
> behaviour. For example, with 32-bit unsigned long:
>
> index=00000000 size=80000001: expr=ffffffff c=00000000 asm=ffffffff
> index=80000000 size=80000001: expr=00000000 c=00000000 asm=ffffffff
> index=00000000 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff
> index=00000001 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff
> index=fffffffe size=ffffffff: expr=00000000 c=00000000 asm=ffffffff
>
> It may be worth noting that:
>
> return 0 - ((long) (idx < sz));
>
> causes GCC, on ia32 and amd64, to generate exactly the same cmp/sbb
> sequence as in Linus's asm. Are there architectures where this form
> would allow speculation?
We're operating on the assumption that compilers will not try to
introduce branches where they don't exist in the code, so if this is
producing identical assembly I think we should go with it and drop the
x86 array_ptr_mask.
next prev parent reply other threads:[~2018-01-19 18:12 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-19 0:01 [PATCH v4 00/10] prevent bounds-check bypass via speculative execution Dan Williams
2018-01-19 0:01 ` [kernel-hardening] " Dan Williams
2018-01-19 0:01 ` Dan Williams
2018-01-19 0:01 ` [PATCH v4 01/10] Documentation: document array_ptr Dan Williams
2018-01-19 0:01 ` [kernel-hardening] " Dan Williams
2018-01-19 0:01 ` [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references Dan Williams
2018-01-19 0:01 ` [kernel-hardening] " Dan Williams
2018-01-19 10:20 ` Jann Horn
2018-01-19 17:48 ` Adam Sampson
2018-01-19 17:48 ` Adam Sampson
2018-01-19 17:48 ` Adam Sampson
2018-01-19 17:48 ` Adam Sampson
2018-01-19 18:12 ` Dan Williams [this message]
2018-01-19 18:18 ` Will Deacon
2018-01-19 18:18 ` Will Deacon
2018-01-19 18:26 ` [kernel-hardening] " Dan Williams
2018-01-19 18:18 ` Linus Torvalds
2018-01-19 18:18 ` Linus Torvalds
2018-01-19 20:55 ` [kernel-hardening] " Dan Williams
2018-01-25 7:09 ` Cyril Novikov
2018-01-25 7:09 ` [kernel-hardening] " Cyril Novikov
2018-01-25 22:37 ` Dan Williams
2018-01-25 22:37 ` [kernel-hardening] " Dan Williams
2018-01-19 0:01 ` [PATCH v4 03/10] x86: implement array_ptr_mask() Dan Williams
2018-01-19 0:01 ` [kernel-hardening] " Dan Williams
2018-01-19 0:01 ` [PATCH v4 04/10] x86: introduce __uaccess_begin_nospec and ifence Dan Williams
2018-01-19 0:01 ` [kernel-hardening] " Dan Williams
2018-01-19 0:02 ` [PATCH v4 05/10] x86, __get_user: use __uaccess_begin_nospec Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-19 0:02 ` [PATCH v4 06/10] x86, get_user: use pointer masking to limit speculation Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-19 0:02 ` [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-24 14:40 ` Jiri Slaby
2018-01-24 14:40 ` [kernel-hardening] " Jiri Slaby
2018-02-06 19:29 ` Luis Henriques
2018-02-06 19:48 ` Dan Williams
2018-02-06 20:26 ` Linus Torvalds
2018-02-06 20:37 ` Dan Williams
2018-02-06 20:42 ` Linus Torvalds
2018-02-06 20:43 ` Linus Torvalds
2018-02-06 20:49 ` Andy Lutomirski
2018-02-06 20:58 ` Linus Torvalds
2018-02-06 21:37 ` Dan Williams
2018-02-06 22:52 ` Linus Torvalds
2018-02-07 0:33 ` Dan Williams
2018-02-07 1:23 ` Linus Torvalds
2018-02-06 22:51 ` Luis Henriques
2018-02-06 22:51 ` Luis Henriques
2018-01-19 0:02 ` [PATCH v4 08/10] vfs, fdtable: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-19 0:02 ` [PATCH v4 09/10] kvm, x86: fix spectre-v1 mitigation Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-19 8:42 ` Paolo Bonzini
2018-01-19 8:42 ` [kernel-hardening] " Paolo Bonzini
2018-01-19 0:02 ` [PATCH v4 10/10] nl80211: sanitize array index in parse_txq_params Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-19 0:02 ` Dan Williams
2018-01-21 10:37 ` Johannes Berg
2018-01-21 10:37 ` [kernel-hardening] " Johannes Berg
2018-01-21 10:37 ` Johannes Berg
2018-01-20 6:58 ` [PATCH v4 00/10] prevent bounds-check bypass via speculative execution Dan Williams
2018-01-20 6:58 ` [kernel-hardening] " Dan Williams
2018-01-20 6:58 ` Dan Williams
2018-01-20 16:56 ` Alexei Starovoitov
2018-01-20 16:56 ` [kernel-hardening] " Alexei Starovoitov
2018-01-20 16:56 ` Alexei Starovoitov
2018-01-20 17:07 ` Alexei Starovoitov
2018-01-20 17:07 ` [kernel-hardening] " Alexei Starovoitov
2018-01-20 17:07 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPcyv4iEZMkU-K14vTcFSjAy=12QHPJjMGc8Uu7xUVakHfqOyQ@mail.gmail.com' \
--to=dan.j.williams@intel.com \
--cc=akpm@linux-foundation.org \
--cc=alan@linux.intel.com \
--cc=ast@kernel.org \
--cc=ats@offog.org \
--cc=catalin.marinas@arm.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.