From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: ARC-Seal: i=1; a=rsa-sha256; t=1516395309; cv=none; d=google.com; s=arc-20160816; b=gP0qcQEg8woM65dbK8TuL+8TkT/Ni/JhRQfIvccjHbn68GhoU9lS2/l8g6aX90GLSD Qb4lW+ca5Ht1sxjxmTUoxW11PkmD3ayxtpoGJgXj0mopLM3k4O62TFFU29f4i+sBXXXI tGJrFatl4igNX7iJPq++lysqvhRGtBhcfHTSDLgdiojJvYm8tqiwR7u3PVeQlFJ+DKBY y9S4gMMsl8MToBWse+qP8vNBn8K2h5pmarihvAGKLoONUwa6SoZpavMkK+2EMelp5brg O8UVPV8E/HqGGYwKCxXsHeXhJkOOOI59oD3tU2dEerthAUfULiFoVymgzyFA5bABc6hw flzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:dkim-signature:arc-authentication-results; bh=27GMlpxOc/cKgWIlpAto0cuQgN9eeZnQFLBOajpznSI=; b=jPX2/eE9RRPtTP480pssHWs1MDHMjbXFi6V2qsI71s9SBizHQWYrflmDDwp5uq++nR /Gn209lRfUatuoKX2iiZEyh/aMPFk4zqw2X4dfAy376CU/0LdQjdVrBB5qrR92h8m/8A pFt6e0cXkl6HLCroUhf6nJigjiz327zUsjjRkSt1NAtP97rR5wHGE/ov/U+FEx2HPpfg FFwjLQjhK8CUk3MHqQjRoW9Eg42Y655QTJx1NBBSeHqGYMECclPxJxd5SlK+WH8UileJ MFhzpH1S3bX26FyyVtymWg/Qw7UZWKiV2VnutxMq7RpY5XXV0b4TC+h2lBlgIYW/Vr+T t0lw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=GL+aXYwS; spf=pass (google.com: domain of dan.j.williams@intel.com designates 209.85.220.65 as permitted sender) smtp.mailfrom=dan.j.williams@intel.com Authentication-Results: mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=GL+aXYwS; spf=pass (google.com: domain of dan.j.williams@intel.com designates 209.85.220.65 as permitted sender) smtp.mailfrom=dan.j.williams@intel.com X-Google-Smtp-Source: ACJfBosy5VbRHurVIJCSl9M0cGjBVGwxZjwpVWBF0euMEVgOq95hCH1Stxdhuw05Z1TuFDJEWdeZot+dEKVw3N4RLwo= MIME-Version: 1.0 In-Reply-To: References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> <151632010687.21271.12004432287640499992.stgit@dwillia2-desk3.amr.corp.intel.com> From: Dan Williams Date: Fri, 19 Jan 2018 12:55:08 -0800 Message-ID: Subject: Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references To: Linus Torvalds Cc: Jann Horn , kernel list , linux-arch , Kernel Hardening , Catalin Marinas , "the arch/x86 maintainers" , Will Deacon , Russell King , Ingo Molnar , Greg Kroah-Hartman , "H. Peter Anvin" , Thomas Gleixner , Andrew Morton , Alan Cox Content-Type: text/plain; charset="UTF-8" X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: =?utf-8?q?1589977446378237360?= X-GMAIL-MSGID: =?utf-8?q?1590055727909853422?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: On Fri, Jan 19, 2018 at 10:18 AM, Linus Torvalds wrote: > On Fri, Jan 19, 2018 at 2:20 AM, Jann Horn wrote: >>> + \ >>> + __u._ptr = _arr + (_i & _mask); \ >>> + __u._bit &= _mask; \ >> >> AFAICS, if `idx` is out of bounds, you first zero out the index >> (`_i & _mask`) and then immediately afterwards zero out >> the whole pointer (`_u._bit &= _mask`). >> Is there a reason for the `_i & _mask`, and if so, can you >> add a comment explaining that? > > I think that's just leftovers from my original (untested) thing that > also did the access itself. So that __u._bit masking wasn't masking > the pointer, it was masking the value that was *read* from the > pointer, so that you could know that an invalid access returned > 0/NULL, not just the first value in the array. Yes, the index masking can be dropped since we're returning a sanitized array element pointer now.