From: Adam Sampson
To: Jann Horn
Cc: Dan Williams, kernel list, linux-arch, Kernel Hardening, Catalin Marinas, the arch/x86 maintainers, Will Deacon, Russell King, Ingo Molnar, Greg Kroah-Hartman, H. Peter Anvin, Thomas Gleixner, Linus Torvalds, Andrew Morton, alan@linux.intel.com
Subject: Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references
Organization: I'll send this message down the wire and hope that someone wise is listening
References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> <151632010687.21271.12004432287640499992.stgit@dwillia2-desk3.amr.corp.intel.com>
Date: Fri, 19 Jan 2018 17:48:04 +0000
In-Reply-To: (Jann Horn's message of "Fri, 19 Jan 2018 11:20:48 +0100")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
X-Mailing-List: linux-kernel@vger.kernel.org

Jann Horn writes:

>> +/*
>> + * If idx is negative or if idx > size then bit 63 is set in the mask,
>> + * and the value of ~(-1L) is zero. When the mask is zero, bounds check
>> + * failed, array_ptr will return NULL.
>> + */
>> +#ifndef array_ptr_mask
>> +static inline unsigned long array_ptr_mask(unsigned long idx,
>> unsigned long sz)
>> +{
>> + return ~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1);
>> +}
>> +#endif
>
> Nit: Maybe add a comment saying that this is equivalent to
> "return ((long)idx >= 0 && idx < sz) ? ULONG_MAX : 0"?

That's only true when sz < LONG_MAX, which is documented below but not here; it's also different from the asm version, which doesn't do the idx <= LONG_MAX check. So making the constraint explicit would be a good idea.

From a bit of experimentation, when the top bit of sz is set, this expression, the C version and the assembler version all have different behaviour.
For example, with 32-bit unsigned long:

index=00000000 size=80000001: expr=ffffffff c=00000000 asm=ffffffff
index=80000000 size=80000001: expr=00000000 c=00000000 asm=ffffffff
index=00000000 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff
index=00000001 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff
index=fffffffe size=ffffffff: expr=00000000 c=00000000 asm=ffffffff

It may be worth noting that:

return 0 - ((long) (idx < sz));

causes GCC, on ia32 and amd64, to generate exactly the same cmp/sbb sequence as in Linus's asm. Are there architectures where this form would allow speculation?

Thanks,

-- 
Adam Sampson
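Review bot: the comment above array_ptr_mask() says the mask is cleared "if idx > size", but the expression also clears it for idx == sz, since sz - 1 - idx is then -1 and its top bit is set; "idx >= size" describes the code. The same comment should carry the precondition the expression depends on, that sz - 1 - idx must not wrap for in-range idx (sz below LONG_MAX, as raised in the reply), rather than leaving it to documentation elsewhere; and "the value of ~(-1L) is zero" would be clearer as "~ of a value with bit 63 set, shifted right arithmetically by BITS_PER_LONG - 1, is zero".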
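The five cases in the table above, reproduced as an added C example (this is not code from the patch or from the mail). The three formulations are modelled on a 32-bit unsigned long using uint32_t: mask_c is the patch's array_ptr_mask() expression, mask_cmp is the comparison Jann proposed as its equivalent, and mask_sbb models the unsigned idx < sz compare-and-borrow behaviour of the cmp/sbb sequence, written in the 0 - (long)(idx < sz) form from the mail. The helper names, the probe table and the boundary sweep are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define BITS 32 /* stand-in for BITS_PER_LONG on a 32-bit unsigned long */

/* The patch's array_ptr_mask() with unsigned long narrowed to uint32_t.
 * Relies on an arithmetic right shift of a negative int, as the kernel
 * version does. */
static uint32_t mask_c(uint32_t idx, uint32_t sz)
{
    return (uint32_t)(~(int32_t)(idx | (sz - 1 - idx)) >> (BITS - 1));
}

/* Jann's proposed "equivalent": the bounds check written as comparisons. */
static uint32_t mask_cmp(uint32_t idx, uint32_t sz)
{
    return ((int32_t)idx >= 0 && idx < sz) ? UINT32_MAX : 0;
}

/* The cmp/sbb behaviour: an unsigned idx < sz compare whose borrow is
 * broadcast to every bit. This is the 0 - ((long)(idx < sz)) form. */
static uint32_t mask_sbb(uint32_t idx, uint32_t sz)
{
    return (uint32_t)(0 - (int32_t)(idx < sz));
}

struct probe { uint32_t idx, sz; };

/* Constructed input: the five (index, size) pairs from the mail, all with
 * the top bit of size set. */
static const struct probe cases[] = {
    { 0x00000000u, 0x80000001u },
    { 0x80000000u, 0x80000001u },
    { 0x00000000u, 0xa0000000u },
    { 0x00000001u, 0xa0000000u },
    { 0xfffffffeu, 0xffffffffu },
};

/* Number of probes on which the three forms do not all agree. */
static int count_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t idx = cases[i].idx, sz = cases[i].sz;
        uint32_t a = mask_cmp(idx, sz), b = mask_c(idx, sz), c = mask_sbb(idx, sz);
        if (a != b || b != c)
            n++;
    }
    return n;
}

/* With the top bit of sz clear, sz - 1 - idx cannot wrap for an in-range
 * idx and the three forms coincide. Sweep the boundary indices for a few
 * sizes; returns 1 when every probe agrees. */
static int agree_when_top_bit_clear(void)
{
    static const uint32_t sizes[] = { 1u, 2u, 0x10u, 0x7ffffffeu, 0x7fffffffu };
    for (size_t s = 0; s < sizeof sizes / sizeof sizes[0]; s++) {
        uint32_t sz = sizes[s];
        uint32_t idxs[] = { 0u, sz - 1, sz, sz + 1, 0x7fffffffu, 0x80000000u, 0xffffffffu };
        for (size_t i = 0; i < sizeof idxs / sizeof idxs[0]; i++) {
            uint32_t a = mask_c(idxs[i], sz), b = mask_cmp(idxs[i], sz), c = mask_sbb(idxs[i], sz);
            if (a != b || b != c)
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Print the table in the same layout as the mail. */
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t idx = cases[i].idx, sz = cases[i].sz;
        printf("index=%08x size=%08x: expr=%08x c=%08x asm=%08x\n",
               idx, sz, mask_cmp(idx, sz), mask_c(idx, sz), mask_sbb(idx, sz));
    }
    printf("disagreements with top bit of size set: %d\n", count_disagreements());
    printf("all forms agree with top bit clear: %s\n",
           agree_when_top_bit_clear() ? "yes" : "no");
    return 0;
}
```

The sweep in agree_when_top_bit_clear() is the check the reply asks for: once sz is restricted so that its top bit is clear, the patch's expression, the comparison form and the compare-and-borrow form all give the same mask, which is why stating that constraint next to the definition matters.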