From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Josh Poimboeuf" <jpoimboe@redhat.com>,
"Peter Zijlstra" <peterz@infradead.org>,
"Dan Williams" <dan.j.williams@intel.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
linux-arch@vger.kernel.org,
"David Woodhouse" <dwmw2@infradead.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Dave Hansen" <dave.hansen@linux.intel.com>,
"Ingo Molnar" <mingo@kernel.org>,
"Borislav Petkov" <bp@alien8.de>,
"Arjan van de Ven" <arjan@linux.intel.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Will Deacon" <will.deacon@arm.com>,
"Andy Lutomirski" <luto@kernel.org>
Subject: [PATCH 3.16 69/76] nospec: Kill array_index_nospec_mask_check()
Date: Mon, 12 Mar 2018 03:06:12 +0000 [thread overview]
Message-ID: <lsq.1520823972.229464947@decadent.org.uk> (raw)
In-Reply-To: <lsq.1520823971.5976735@decadent.org.uk>
3.16.56-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Williams <dan.j.williams@intel.com>
commit 1d91c1d2c80cb70e2e553845e278b87a960c04da upstream.
There are multiple problems with the dynamic sanity checking in
array_index_nospec_mask_check():
* It causes unnecessary overhead in the 32-bit case since integer sized
@index values will no longer cause the check to be compiled away like
in the 64-bit case.
* In the 32-bit case it may trigger with user controllable input when
the expectation is that should only trigger during development of new
kernel enabling.
* The macro reuses the input parameter in multiple locations which is
broken if someone passes an expression like 'index++' to
array_index_nospec().
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arch@vger.kernel.org
Link: http://lkml.kernel.org/r/151881604278.17395.6605847763178076520.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/linux/nospec.h | 22 +---------------------
1 file changed, 1 insertion(+), 21 deletions(-)
--- a/include/linux/nospec.h
+++ b/include/linux/nospec.h
@@ -30,26 +30,6 @@ static inline unsigned long array_index_
#endif
/*
- * Warn developers about inappropriate array_index_nospec() usage.
- *
- * Even if the CPU speculates past the WARN_ONCE branch, the
- * sign bit of @index is taken into account when generating the
- * mask.
- *
- * This warning is compiled out when the compiler can infer that
- * @index and @size are less than LONG_MAX.
- */
-#define array_index_mask_nospec_check(index, size) \
-({ \
- if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX, \
- "array_index_nospec() limited to range of [0, LONG_MAX]\n")) \
- _mask = 0; \
- else \
- _mask = array_index_mask_nospec(index, size); \
- _mask; \
-})
-
-/*
* array_index_nospec - sanitize an array index after a bounds check
*
* For a code sequence like:
@@ -67,7 +47,7 @@ static inline unsigned long array_index_
({ \
typeof(index) _i = (index); \
typeof(size) _s = (size); \
- unsigned long _mask = array_index_mask_nospec_check(_i, _s); \
+ unsigned long _mask = array_index_mask_nospec(_i, _s); \
\
BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \
BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \
next prev parent reply other threads:[~2018-03-12 3:06 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-12 3:06 [PATCH 3.16 00/76] 3.16.56-rc1 review Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 28/76] x86/retpoline/hyperv: Convert assembler indirect jumps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 21/76] x86: Clean up current_stack_pointer Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 38/76] x86/pti: Document fix wrong index Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 34/76] x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 63/76] x86/retpoline: Avoid retpolines for built-in __init functions Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 17/76] x86/cpu/AMD: Make LFENCE a serializing instruction Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 06/76] x86/cpu, x86/pti: Do not enable PTI on AMD processors Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 54/76] x86: Introduce barrier_nospec Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 05/76] x86/cpufeatures: Add X86_BUG_CPU_INSECURE Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 14/76] x86/alternatives: Fix ALTERNATIVE_2 padding generation properly Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 31/76] x86/retpoline/irq32: Convert assembler indirect jumps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 49/76] x86/cpu/bugs: Make retpoline module warning conditional Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 01/76] kvm: vmx: Scrub hardware GPRs at VM-exit Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 44/76] KVM: x86: Make indirect calls in emulator speculation safe Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 42/76] x86/cpu: Change type of x86_cache_size variable to unsigned int Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 59/76] x86/spectre: Report get_user mitigation for spectre_v1 Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 71/76] x86: reorganize SMAP handling in user space accesses Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 56/76] x86/syscall: Sanitize syscall table de-references under speculation Ben Hutchings
2018-03-12 7:32 ` Jiri Slaby
2018-03-19 0:59 ` Ben Hutchings
2018-03-19 0:59 ` Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 73/76] x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 07/76] x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 36/76] kprobes/x86: Blacklist indirect thunk functions for kprobes Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 47/76] x86/nospec: Fix header guards names Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 67/76] x86/spectre: Fix an error message Ben Hutchings
2018-03-12 3:06 ` Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 15/76] x86/alternatives: Make optimize_nops() interrupt safe and synced Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 53/76] x86: Implement array_index_mask_nospec Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 19/76] x86/asm: Make asm/alternative.h safe from assembly Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 76/76] x86: fix build warnign with 32-bit PAE Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 32/76] x86/retpoline: Fill return stack buffer on vmexit Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 65/76] x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 57/76] vfs, fdtable: Prevent bounds-check bypass via speculative execution Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 16/76] x86/alternatives: Fix optimize_nops() checking Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 58/76] nl80211: Sanitize array index in parse_txq_params Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 10/76] sysfs/cpu: Add vulnerability folder Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 41/76] x86/retpoline: Fill RSB on context switch for affected CPUs Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 12/76] sysfs/cpu: Fix typos in vulnerability documentation Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 51/76] Documentation: Document array_index_nospec Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 29/76] x86/retpoline/xen: Convert Xen hypercall indirect jumps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 13/76] x86/alternatives: Guard NOPs optimization Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 20/76] kconfig.h: use __is_defined() to check if MODULE is defined Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 08/76] x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 37/76] kprobes/x86: Disable optimizing on the function jumps to indirect thunk Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 33/76] x86/retpoline: Remove compile time warning Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 09/76] x86/cpu: Merge bugs.c and bugs_64.c Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 48/76] x86/bugs: Drop one "mitigation" from dmesg Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 43/76] x86/retpoline: Remove the esp/rsp thunk Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 02/76] x86/Documentation: Add PTI description Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 04/76] x86/cpufeatures: Make CPU bugs sticky Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 25/76] x86/retpoline/crypto: Convert crypto assembler indirect jumps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 52/76] array_index_nospec: Sanitize speculative array de-references Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 68/76] nospec: Move array_index_nospec() parameter checking into separate macro Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 74/76] x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end} Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 27/76] x86/retpoline/ftrace: Convert ftrace assembler indirect jumps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 26/76] x86/retpoline/entry: Convert entry " Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 30/76] x86/retpoline/checksum32: Convert " Ben Hutchings
2018-03-12 3:06 ` Ben Hutchings [this message]
2018-03-12 3:06 ` [PATCH 3.16 40/76] x86/cpu/intel: Introduce macros for Intel family numbers Ben Hutchings
2018-03-12 3:06 ` [3.16,40/76] " Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 40/76] " Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 75/76] x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 39/76] x86/retpoline: Optimize inline assembler for vmexit_fill_RSB Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 45/76] KVM: VMX: Make indirect call speculation safe Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 03/76] x86/cpu: Factor out application of forced CPU caps Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 18/76] x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 62/76] x86/kvm: Update spectre-v1 mitigation Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 35/76] retpoline: Introduce start/end markers of indirect thunk Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 72/76] x86: fix SMAP in 32-bit environments Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 24/76] x86/spectre: Add boot time option to select Spectre v2 mitigation Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 61/76] x86/paravirt: Remove 'noreplace-paravirt' cmdline option Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 23/76] x86/retpoline: Add initial retpoline support Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 22/76] x86/asm: Use register variable to get stack pointer value Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 66/76] x86/cpufeatures: Clean up Spectre v2 related CPUID flags Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 64/76] x86/spectre: Simplify spectre_v2 command line parsing Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 55/76] x86/get_user: Use pointer masking to limit speculation Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 70/76] nospec: Include <asm/barrier.h> dependency Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 60/76] x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable" Ben Hutchings
2018-03-12 3:06 ` Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 11/76] x86/cpu: Implement CPU vulnerabilites sysfs functions Ben Hutchings
2018-03-12 3:06 ` [PATCH 3.16 46/76] module/retpoline: Warn about missing retpoline in module Ben Hutchings
2018-03-12 15:00 ` [PATCH 3.16 00/76] 3.16.56-rc1 review Guenter Roeck
2018-03-12 16:45 ` Guenter Roeck
2018-03-20 17:25 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1520823972.229464947@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=arjan@linux.intel.com \
--cc=bp@alien8.de \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=dwmw2@infradead.org \
--cc=gregkh@linuxfoundation.org \
--cc=jpoimboe@redhat.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.