From: Adam Sampson <ats@offog.org>
To: Jann Horn <jannh@google.com>
Cc: Dan Williams <dan.j.williams@intel.com>,
kernel list <linux-kernel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Catalin Marinas <catalin.marinas@arm.com>,
"the arch\/x86 maintainers" <x86@kernel.org>,
Will Deacon <will.deacon@arm.com>,
Russell King <linux@armlinux.org.uk>,
Ingo Molnar <mingo@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
alan@linux.intel.com
Subject: Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references
Date: Fri, 19 Jan 2018 17:48:04 +0000 [thread overview]
Message-ID: <y2afu71pwob.fsf@offog.org> (raw)
In-Reply-To: <CAG48ez0Y97-gyzWBmcVbUyLuzUG42To=Mm8PAKuzWma6XbFmew@mail.gmail.com> (Jann Horn's message of "Fri, 19 Jan 2018 11:20:48 +0100")
Jann Horn <jannh@google.com> writes:
>> +/*
>> + * If idx is negative or if idx > size then bit 63 is set in the mask,
>> + * and the value of ~(-1L) is zero. When the mask is zero, bounds check
>> + * failed, array_ptr will return NULL.
>> + */
>> +#ifndef array_ptr_mask
>> +static inline unsigned long array_ptr_mask(unsigned long idx,
>> unsigned long sz)
>> +{
>> + return ~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1);
>> +}
>> +#endif
>
> Nit: Maybe add a comment saying that this is equivalent to
> "return ((long)idx >= 0 && idx < sz) ? ULONG_MAX : 0"?
That's only true when sz < LONG_MAX, which is documented below but not
here; it's also different from the asm version, which doesn't do the idx
<= LONG_MAX check. So making the constraint explicit would be a good idea.
>From a bit of experimentation, when the top bit of sz is set, this
expression, the C version and the assembler version all have different
behaviour. For example, with 32-bit unsigned long:
index=00000000 size=80000001: expr=ffffffff c=00000000 asm=ffffffff
index=80000000 size=80000001: expr=00000000 c=00000000 asm=ffffffff
index=00000000 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff
index=00000001 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff
index=fffffffe size=ffffffff: expr=00000000 c=00000000 asm=ffffffff
It may be worth noting that:
return 0 - ((long) (idx < sz));
causes GCC, on ia32 and amd64, to generate exactly the same cmp/sbb
sequence as in Linus's asm. Are there architectures where this form
would allow speculation?
Thanks,
--
Adam Sampson <ats@offog.org> <http://offog.org/>
WARNING: multiple messages have this Message-ID (diff)
From: Adam Sampson <ats@offog.org>
To: Jann Horn <jannh@google.com>
Cc: Dan Williams <dan.j.williams@intel.com>,
kernel list <linux-kernel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Catalin Marinas <catalin.marinas@arm.com>,
the arch/x86 maintainers <x86@kernel.org>,
Will Deacon <will.deacon@arm.com>,
Russell King <linux@armlinux.org.uk>,
Ingo Molnar <mingo@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
alan@linux.intel.com
Subject: Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references
Date: Fri, 19 Jan 2018 17:48:04 +0000 [thread overview]
Message-ID: <y2afu71pwob.fsf@offog.org> (raw)
In-Reply-To: <CAG48ez0Y97-gyzWBmcVbUyLuzUG42To=Mm8PAKuzWma6XbFmew@mail.gmail.com> (Jann Horn's message of "Fri, 19 Jan 2018 11:20:48 +0100")
Jann Horn <jannh@google.com> writes:
>> +/*
>> + * If idx is negative or if idx > size then bit 63 is set in the mask,
>> + * and the value of ~(-1L) is zero. When the mask is zero, bounds check
>> + * failed, array_ptr will return NULL.
>> + */
>> +#ifndef array_ptr_mask
>> +static inline unsigned long array_ptr_mask(unsigned long idx,
>> unsigned long sz)
>> +{
>> + return ~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1);
>> +}
>> +#endif
>
> Nit: Maybe add a comment saying that this is equivalent to
> "return ((long)idx >= 0 && idx < sz) ? ULONG_MAX : 0"?
That's only true when sz < LONG_MAX, which is documented below but not
here; it's also different from the asm version, which doesn't do the idx
<= LONG_MAX check. So making the constraint explicit would be a good idea.
From a bit of experimentation, when the top bit of sz is set, this
expression, the C version and the assembler version all have different
behaviour. For example, with 32-bit unsigned long:
index=00000000 size=80000001: expr=ffffffff c=00000000 asm=ffffffff
index=80000000 size=80000001: expr=00000000 c=00000000 asm=ffffffff
index=00000000 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff
index=00000001 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff
index=fffffffe size=ffffffff: expr=00000000 c=00000000 asm=ffffffff
It may be worth noting that:
return 0 - ((long) (idx < sz));
causes GCC, on ia32 and amd64, to generate exactly the same cmp/sbb
sequence as in Linus's asm. Are there architectures where this form
would allow speculation?
Thanks,
--
Adam Sampson <ats@offog.org> <http://offog.org/>
WARNING: multiple messages have this Message-ID (diff)
From: Adam Sampson <ats@offog.org>
To: Jann Horn <jannh@google.com>
Cc: Dan Williams <dan.j.williams@intel.com>,
kernel list <linux-kernel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Catalin Marinas <catalin.marinas@arm.com>,
the arch/x86 maintainers <x86@kernel.org>,
Will Deacon <will.deacon@arm.com>,
Russell King <linux@armlinux.org.uk>,
Ingo Molnar <mingo@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
alan@linux.intel.com
Subject: Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references
Date: Fri, 19 Jan 2018 17:48:04 +0000 [thread overview]
Message-ID: <y2afu71pwob.fsf@offog.org> (raw)
Message-ID: <20180119174804.ngq0Y3Er2lE5OY0421QntnGpkQmg-sSlnAPbZEP0bIA@z> (raw)
In-Reply-To: <CAG48ez0Y97-gyzWBmcVbUyLuzUG42To=Mm8PAKuzWma6XbFmew@mail.gmail.com> (Jann Horn's message of "Fri, 19 Jan 2018 11:20:48 +0100")
Jann Horn <jannh@google.com> writes:
>> +/*
>> + * If idx is negative or if idx > size then bit 63 is set in the mask,
>> + * and the value of ~(-1L) is zero. When the mask is zero, bounds check
>> + * failed, array_ptr will return NULL.
>> + */
>> +#ifndef array_ptr_mask
>> +static inline unsigned long array_ptr_mask(unsigned long idx,
>> unsigned long sz)
>> +{
>> + return ~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1);
>> +}
>> +#endif
>
> Nit: Maybe add a comment saying that this is equivalent to
> "return ((long)idx >= 0 && idx < sz) ? ULONG_MAX : 0"?
That's only true when sz < LONG_MAX, which is documented below but not
here; it's also different from the asm version, which doesn't do the idx
<= LONG_MAX check. So making the constraint explicit would be a good idea.
WARNING: multiple messages have this Message-ID (diff)
From: Adam Sampson <ats@offog.org>
To: Jann Horn <jannh@google.com>
Cc: Dan Williams <dan.j.williams@intel.com>,
kernel list <linux-kernel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Catalin Marinas <catalin.marinas@arm.com>,
the arch/x86 maintainers <x86@kernel.org>,
Will Deacon <will.deacon@arm.com>,
Russell King <linux@armlinux.org.uk>,
Ingo Molnar <mingo@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
alan@linux.intel.com
Subject: Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references
Date: Fri, 19 Jan 2018 17:48:04 +0000 [thread overview]
Message-ID: <y2afu71pwob.fsf@offog.org> (raw)
In-Reply-To: <CAG48ez0Y97-gyzWBmcVbUyLuzUG42To=Mm8PAKuzWma6XbFmew@mail.gmail.com> (Jann Horn's message of "Fri, 19 Jan 2018 11:20:48 +0100")
Jann Horn <jannh@google.com> writes:
>> +/*
>> + * If idx is negative or if idx > size then bit 63 is set in the mask,
>> + * and the value of ~(-1L) is zero. When the mask is zero, bounds check
>> + * failed, array_ptr will return NULL.
>> + */
>> +#ifndef array_ptr_mask
>> +static inline unsigned long array_ptr_mask(unsigned long idx,
>> unsigned long sz)
>> +{
>> + return ~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1);
>> +}
>> +#endif
>
> Nit: Maybe add a comment saying that this is equivalent to
> "return ((long)idx >= 0 && idx < sz) ? ULONG_MAX : 0"?
That's only true when sz < LONG_MAX, which is documented below but not
here; it's also different from the asm version, which doesn't do the idx
<= LONG_MAX check. So making the constraint explicit would be a good idea.
>From a bit of experimentation, when the top bit of sz is set, this
expression, the C version and the assembler version all have different
behaviour. For example, with 32-bit unsigned long:
index=00000000 size=80000001: expr=ffffffff c=00000000 asm=ffffffff
index=80000000 size=80000001: expr=00000000 c=00000000 asm=ffffffff
index=00000000 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff
index=00000001 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff
index=fffffffe size=ffffffff: expr=00000000 c=00000000 asm=ffffffff
It may be worth noting that:
return 0 - ((long) (idx < sz));
causes GCC, on ia32 and amd64, to generate exactly the same cmp/sbb
sequence as in Linus's asm. Are there architectures where this form
would allow speculation?
Thanks,
--
Adam Sampson <ats@offog.org> <http://offog.org/>
next prev parent reply other threads:[~2018-01-19 17:48 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-19 0:01 [PATCH v4 00/10] prevent bounds-check bypass via speculative execution Dan Williams
2018-01-19 0:01 ` [kernel-hardening] " Dan Williams
2018-01-19 0:01 ` Dan Williams
2018-01-19 0:01 ` [PATCH v4 01/10] Documentation: document array_ptr Dan Williams
2018-01-19 0:01 ` [kernel-hardening] " Dan Williams
2018-01-19 0:01 ` [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references Dan Williams
2018-01-19 0:01 ` [kernel-hardening] " Dan Williams
2018-01-19 10:20 ` Jann Horn
2018-01-19 17:48 ` Adam Sampson [this message]
2018-01-19 17:48 ` Adam Sampson
2018-01-19 17:48 ` Adam Sampson
2018-01-19 17:48 ` Adam Sampson
2018-01-19 18:12 ` Dan Williams
2018-01-19 18:18 ` Will Deacon
2018-01-19 18:18 ` Will Deacon
2018-01-19 18:26 ` [kernel-hardening] " Dan Williams
2018-01-19 18:18 ` Linus Torvalds
2018-01-19 18:18 ` Linus Torvalds
2018-01-19 20:55 ` [kernel-hardening] " Dan Williams
2018-01-25 7:09 ` Cyril Novikov
2018-01-25 7:09 ` [kernel-hardening] " Cyril Novikov
2018-01-25 22:37 ` Dan Williams
2018-01-25 22:37 ` [kernel-hardening] " Dan Williams
2018-01-19 0:01 ` [PATCH v4 03/10] x86: implement array_ptr_mask() Dan Williams
2018-01-19 0:01 ` [kernel-hardening] " Dan Williams
2018-01-19 0:01 ` [PATCH v4 04/10] x86: introduce __uaccess_begin_nospec and ifence Dan Williams
2018-01-19 0:01 ` [kernel-hardening] " Dan Williams
2018-01-19 0:02 ` [PATCH v4 05/10] x86, __get_user: use __uaccess_begin_nospec Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-19 0:02 ` [PATCH v4 06/10] x86, get_user: use pointer masking to limit speculation Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-19 0:02 ` [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-24 14:40 ` Jiri Slaby
2018-01-24 14:40 ` [kernel-hardening] " Jiri Slaby
2018-02-06 19:29 ` Luis Henriques
2018-02-06 19:48 ` Dan Williams
2018-02-06 20:26 ` Linus Torvalds
2018-02-06 20:37 ` Dan Williams
2018-02-06 20:42 ` Linus Torvalds
2018-02-06 20:43 ` Linus Torvalds
2018-02-06 20:49 ` Andy Lutomirski
2018-02-06 20:58 ` Linus Torvalds
2018-02-06 21:37 ` Dan Williams
2018-02-06 22:52 ` Linus Torvalds
2018-02-07 0:33 ` Dan Williams
2018-02-07 1:23 ` Linus Torvalds
2018-02-06 22:51 ` Luis Henriques
2018-02-06 22:51 ` Luis Henriques
2018-01-19 0:02 ` [PATCH v4 08/10] vfs, fdtable: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-19 0:02 ` [PATCH v4 09/10] kvm, x86: fix spectre-v1 mitigation Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-19 8:42 ` Paolo Bonzini
2018-01-19 8:42 ` [kernel-hardening] " Paolo Bonzini
2018-01-19 0:02 ` [PATCH v4 10/10] nl80211: sanitize array index in parse_txq_params Dan Williams
2018-01-19 0:02 ` [kernel-hardening] " Dan Williams
2018-01-19 0:02 ` Dan Williams
2018-01-21 10:37 ` Johannes Berg
2018-01-21 10:37 ` [kernel-hardening] " Johannes Berg
2018-01-21 10:37 ` Johannes Berg
2018-01-20 6:58 ` [PATCH v4 00/10] prevent bounds-check bypass via speculative execution Dan Williams
2018-01-20 6:58 ` [kernel-hardening] " Dan Williams
2018-01-20 6:58 ` Dan Williams
2018-01-20 16:56 ` Alexei Starovoitov
2018-01-20 16:56 ` [kernel-hardening] " Alexei Starovoitov
2018-01-20 16:56 ` Alexei Starovoitov
2018-01-20 17:07 ` Alexei Starovoitov
2018-01-20 17:07 ` [kernel-hardening] " Alexei Starovoitov
2018-01-20 17:07 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=y2afu71pwob.fsf@offog.org \
--to=ats@offog.org \
--cc=akpm@linux-foundation.org \
--cc=alan@linux.intel.com \
--cc=catalin.marinas@arm.com \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.