Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965461AbeAMAPU (ORCPT + 1 other); Fri, 12 Jan 2018 19:15:20 -0500
Received: from mail-qt0-f195.google.com ([209.85.216.195]:44242 "EHLO mail-qt0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965312AbeAMAPO (ORCPT); Fri, 12 Jan 2018 19:15:14 -0500
MIME-Version: 1.0
In-Reply-To:
References: <151571798296.27429.7166552848688034184.stgit@dwillia2-desk3.amr.corp.intel.com>
From: Tony Luck
Date: Fri, 12 Jan 2018 16:15:12 -0800
Subject: Re: [PATCH v2 00/19] prevent bounds-check bypass via speculative execution
To: Linus Torvalds
Cc: Dan Williams, Linux Kernel Mailing List, Mark Rutland, kernel-hardening@lists.openwall.com, Peter Zijlstra, Alan Cox, Will Deacon, Alexei Starovoitov, Solomon Peachy, "H. Peter Anvin", Christian Lamparter, Elena Reshetova, "linux-arch@vger.kernel.org", Andi Kleen, "James E.J. Bottomley", Linux SCSI List, Jonathan Corbet, "the arch/x86 maintainers", Russell King, Ingo Molnar, Catalin Marinas, Alexey Kuznetsov, Linux Media Mailing List, Tom Lendacky, Kees Cook, Jan Kara, Al Viro, qla2xxx-upstream@qlogic.com, Thomas Gleixner, Mauro Carvalho Chehab, Kalle Valo, Alan Cox, "Martin K. Petersen", Hideaki YOSHIFUJI, Greg KH, Linux Wireless List, "Eric W. Biederman", Network Development, Andrew Morton, "David S. Miller", Laurent Pinchart
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: linux-kernel@vger.kernel.org

On Thu, Jan 11, 2018 at 5:19 PM, Linus Torvalds wrote:
> Should the array access in entry_SYSCALL_64_fastpath be made to use
> the masking approach?

That one has a bounds check for an inline constant.

        cmpq $__NR_syscall_max, %rax

so should be safe.

The classic Spectre variant #1 code sequence is:

        int array_size;

        if (x < array_size) {
                something with array[x]
        }

which runs into problems because the array_size variable may not be in
cache, and while the CPU core is waiting for the value it speculates
inside the "if" body.

The syscall entry is more like:

        #define ARRAY_SIZE 10

        if (x < ARRAY_SIZE) {
                something with array[x]
        }

Here there isn't any reason for speculation. The core has the value of
'x' in a register and the upper bound encoded into the "cmp" instruction.
Both are right there, no waiting, no speculation.

-Tony
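The "masking approach" Linus asks about, rendered in portable C beside the variable-bound pattern Tony describes. This is an added illustration, not code from the thread or from the patch series; the function names, the table contents and the assumption that index and size stay below SIZE_MAX / 2 are mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Added illustration; not code from this thread or from the patch series.
 * Branch-free mask: all ones when idx < size, all zeros otherwise.
 * Assumes idx and size are both below SIZE_MAX / 2, as a kernel array
 * bound always is. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    /* If idx < size, neither idx nor (size - 1 - idx) has its top bit set.
     * If idx >= size, (size - 1 - idx) wraps around and the top bit is set. */
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return top - 1;          /* 0 - 1 -> SIZE_MAX (all ones), 1 - 1 -> 0 */
}

/* Index actually used after masking: x when in bounds, 0 when not.
 * On a mispredicted bounds check this is what gets read, so the
 * speculative load is pinned to element 0 instead of x's target. */
static inline size_t clamped_index(size_t x, size_t size)
{
    return x & index_mask_nospec(x, size);
}

#define TABLE_LEN 16
/* Constructed sample data. */
static const unsigned char table[TABLE_LEN] = {
     0, 11, 22, 33, 44, 55, 66, 77, 88, 99, 110, 121, 132, 143, 154, 165 };

/* The classic pattern: the bound lives in a variable the core may have to
 * fetch, so the body can run speculatively before the compare resolves. */
static int lookup_plain(size_t array_size, size_t x)
{
    if (x < array_size)
        return table[x];
    return -1;
}

/* Same check with the index masked inside the body. Architecturally the
 * result is identical; only what happens on the mispredicted path changes. */
static int lookup_masked(size_t array_size, size_t x)
{
    if (x < array_size)
        return table[clamped_index(x, array_size)];
    return -1;
}
```

The mask is cheap enough that it does not matter whether the bound is a variable or, as in the syscall entry, an immediate; the point of the thread is that the immediate case does not need it.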