Received: by 10.223.176.46 with SMTP id f43csp1367291wra; Fri, 19 Jan 2018 10:28:15 -0800 (PST) X-Google-Smtp-Source: ACJfBotgG1hdU59YBXpS0Df04yROT4+EvwIBpFY5qP0uW+UUFtQeO43RvhDFzj68G0MhXfmuNtcn X-Received: by 10.99.4.216 with SMTP id 207mr24846207pge.45.1516386495377; Fri, 19 Jan 2018 10:28:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516386495; cv=none; d=google.com; s=arc-20160816; b=RNdpAbDsQktX5d/rODz+yMUYw2lmTofRP5FVLgqBKze7/jqo+K67t5y0x0NpFYPhIJ JhyG3VF3pMDUiK4/le7fExNP8ls8EttncjLshhVR/W+hkzK75bsb4uKxdE6k2RL2IUfo yVpSL+ns4fFAqofbvSI2L+cWmqcMqnk+Hb5I9kiGa5TdmboUb0YtLAPoOIqPTFUTZbJg A6RIb974I/EMQhd89dFhsPsn83Ra22NBhtjD2KjnBE2w/IfvCRigzY8sNHhoV2k/ULj0 bxdIV9gDjHY8hqUJyPovXjf0T7XsyI0C3tP9OeetJ/zPghbJrXKWrzZFGmoreO5JaGVK DEDA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=NbS8k5pPBxneeMdlPKhq/BYLDkkq8nfb4I+c8EzkOC8=; b=l9tUvx/I+CL6TRg29coDOXDtOGG76xpAMtvcLNJn31X+R1wPGQsz2LnOurkoWqjhDo bm4znlezYBkwor2LbP5zS164r9loZx0X252U2PwvSbAbYC8tdD43clMTo85iE1odoDB2 G5G4MvBn1ETGY2fK4xOfhLfeadWkWEfqBLeSosC0oIjA1eQmwXhrJJgQ+FY1SIsI0rSg V7TE/3ihKzGH4tXPMsK/epMjvgW9LddX0ee7YsUeyATzhWdIB4DtEMHnT/Vu35CxIJVl UOI/cGDqBSV+ldTr1xa7BP0mrHGwabvOJ0o0zqzuem6vRJqOKuJLiDJA0bAqnjoiHVud pAQA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=r+Uezuio; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q10si8795002pgd.331.2018.01.19.10.28.01; Fri, 19 Jan 2018 10:28:15 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=r+Uezuio; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756186AbeASS0W (ORCPT + 99 others); Fri, 19 Jan 2018 13:26:22 -0500 Received: from mail-ot0-f194.google.com ([74.125.82.194]:40389 "EHLO mail-ot0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755830AbeASS0P (ORCPT ); Fri, 19 Jan 2018 13:26:15 -0500 Received: by mail-ot0-f194.google.com with SMTP id x4so2174248otg.7 for ; Fri, 19 Jan 2018 10:26:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NbS8k5pPBxneeMdlPKhq/BYLDkkq8nfb4I+c8EzkOC8=; b=r+UezuiotrQWsOr2YVFQtpi/FBgZkQyDbJCm1lDrV8g0ZLwXt3/gFPVsv2pwceR0FQ Zv6+nYTvoppP2bF4etPivruZklH9TrytLQWqq/3fLJPe3tXKgEwVp7tsiNn0OpF+HGkq sflxzaiLx3qeoXiMxwdbnsJhtaBpSRVNP4H7rwb6GgFvUYOGOJ79aoE9RaIpQMovrIU1 2fqB6UtCxQSNOxruMZ13ekcfLKQ9i4dba3SruuYpM7zxwjPBO81Yd386/Ou2ujCgmgHu bRiny/3uRsaQVMFOymGmxXPoV8qSqwDqglyhd3a13zKIZ3i4Qri2A5qiwNcJRbL4OQEb YsxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NbS8k5pPBxneeMdlPKhq/BYLDkkq8nfb4I+c8EzkOC8=; b=jNdJNlilXriwD/CWygxekWeRD+OjPbqQrm/f8YcTmDkAMkDmwKqO2ikXtL18myUj1k x0L5EdS4bWas9yQM+KoLfTEtaR98dHy7PzsCdEk8FhOWDyga99S38QgE1c23irx4i4r0 K11b+1J7SIAd2GRO1hwSVdPQb5oD4YCGwAv/2ZftCtwj/R0KfX/voCkd6y0viMmlztg3 8iWmhkcebaEx2kL/dxTh07Ih9qQFQGlkOmcxZ1zpsBYEONQshTYQ6WRER1m/TW5F+O7e CUKTdQ8dOPioTtu05Cr8ExRnPt6DnJ36JPSP1DNiBB4rsLUexLlVzz/vNQciBiBP3rZB ifwg== X-Gm-Message-State: AKwxytfNszTFMNO0obAx+ZP2FirwbN5FPmRLHfkpD3SB8n2t13J6xRaU oWpFjC/MVpmgfaynpW84SIzbhrdyRZ18xYVsu/EKnA== X-Received: by 10.157.42.104 with SMTP id t95mr5936914ota.39.1516386373825; Fri, 19 Jan 2018 10:26:13 -0800 (PST) MIME-Version: 1.0 Received: by 10.157.62.72 with HTTP; Fri, 19 Jan 2018 10:26:13 -0800 (PST) In-Reply-To: <20180119181833.GA1878@arm.com> References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> <151632010687.21271.12004432287640499992.stgit@dwillia2-desk3.amr.corp.intel.com> <20180119181833.GA1878@arm.com> From: Dan Williams Date: Fri, 19 Jan 2018 10:26:13 -0800 Message-ID: Subject: Re: [kernel-hardening] [PATCH v4 02/10] asm/nospec, array_ptr: sanitize speculative array de-references To: Will Deacon Cc: Adam Sampson , Jann Horn , kernel list , linux-arch , Kernel Hardening , Catalin Marinas , "the arch/x86 maintainers" , Russell King , Ingo Molnar , Greg Kroah-Hartman , "H. Peter Anvin" , Thomas Gleixner , Linus Torvalds , Andrew Morton , Alan Cox , Alexei Starovoitov Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 19, 2018 at 10:18 AM, Will Deacon wrote: > > On Fri, Jan 19, 2018 at 10:12:47AM -0800, Dan Williams wrote: > > [ adding Alexei back to the cc ] > > > > On Fri, Jan 19, 2018 at 9:48 AM, Adam Sampson wrote: > > > Jann Horn writes: > > > > > >>> +/* > > >>> + * If idx is negative or if idx > size then bit 63 is set in the mask, > > >>> + * and the value of ~(-1L) is zero. When the mask is zero, bounds check > > >>> + * failed, array_ptr will return NULL. > > >>> + */ > > >>> +#ifndef array_ptr_mask > > >>> +static inline unsigned long array_ptr_mask(unsigned long idx, > > >>> unsigned long sz) > > >>> +{ > > >>> + return ~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1); > > >>> +} > > >>> +#endif > > >> > > >> Nit: Maybe add a comment saying that this is equivalent to > > >> "return ((long)idx >= 0 && idx < sz) ? ULONG_MAX : 0"? > > > > > > That's only true when sz < LONG_MAX, which is documented below but not > > > here; it's also different from the asm version, which doesn't do the idx > > > <= LONG_MAX check. So making the constraint explicit would be a good idea. > > > > > > From a bit of experimentation, when the top bit of sz is set, this > > > expression, the C version and the assembler version all have different > > > behaviour. For example, with 32-bit unsigned long: > > > > > > index=00000000 size=80000001: expr=ffffffff c=00000000 asm=ffffffff > > > index=80000000 size=80000001: expr=00000000 c=00000000 asm=ffffffff > > > index=00000000 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff > > > index=00000001 size=a0000000: expr=ffffffff c=00000000 asm=ffffffff > > > index=fffffffe size=ffffffff: expr=00000000 c=00000000 asm=ffffffff > > > > > > It may be worth noting that: > > > > > > return 0 - ((long) (idx < sz)); > > > > > > causes GCC, on ia32 and amd64, to generate exactly the same cmp/sbb > > > sequence as in Linus's asm. Are there architectures where this form > > > would allow speculation? > > > > We're operating on the assumption that compilers will not try to > > introduce branches where they don't exist in the code, so if this is > > producing identical assembly I think we should go with it and drop the > > x86 array_ptr_mask. > > Branches, perhaps, but this could easily be compiled to a conditional > select (CSEL) instruction on arm64 and that wouldn't be safe without a > CSDB. Of course, we can do our own thing in assembly to prevent that, but > it would mean that the generic C implementation would not be robust for us. > Ah, ok good to know. Likely if the current version doesn't produce a conditional instruction on ARM perhaps it also won't do that on other architectures, so it is safer.