From: Dan Williams
Date: Tue, 6 Feb 2018 12:37:54 -0800
Subject: Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation
To: Linus Torvalds
Cc: Luis Henriques, Linux Kernel Mailing List, linux-arch, Kernel Hardening, Greg KH, X86 ML, Ingo Molnar, Andy Lutomirski, "H. Peter Anvin", Thomas Gleixner, Andrew Morton, Alan Cox

On Tue, Feb 6, 2018 at 12:26 PM, Linus Torvalds wrote:
> On Tue, Feb 6, 2018 at 11:48 AM, Dan Williams wrote:
>>
>> Just to clarify, when you say "this patch" you mean:
>>
>>      2fbd7af5af86 x86/syscall: Sanitize syscall table de-references
>> under speculation
>>
>> ...not this early MASK_NOSPEC version of the patch, right?
>
> I suspect not. If that patch is broken, the system wouldn't even boot.
>
> That said, looking at 2fbd7af5af86, I do note that the code generation
> is horribly stupid.
>
> It's due to two different issues:
>
>  (a) the x86 asm constraints for that inline asm is nasty, and
> requires a register for 'size', even though an immediate works just
> fine.
>
>  (b) the "cmp" is inside the asm, so gcc can't combine it with the
> *other* cmp in the C code.
>
> Fixing (a) is easy:
>
>   +++ b/arch/x86/include/asm/barrier.h
>   @@ -43 +43 @@ static inline unsigned long
> array_index_mask_nospec(unsigned long index,
>   - :"r"(size),"r" (index)
>   + :"ir"(size),"r" (index)
>
> but fixing (b) looks fundamentally hard. Gcc generates (for do_syscall()):
>
>         cmpq    $332, %rbp      #, nr
>         ja      .L295   #,
>         cmp $333,%rbp
>         sbb %rax,%rax;  #, nr, mask
>
> note how it completely pointlessly does the comparison twice, even
> though it could have just done
>
>         cmp $333,%rbp
>         jae      .L295   #,
>         sbb %rax,%rax;  #, nr, mask
>
> Ho humm. Sad.

Are there any compilers that would miscompile:

    mask = 0 - (index < size);

That might be a way to improve the assembly.
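
Review bot: on the added line :"ir"(size),"r" (index), the "i" constraint accepts any compile-time constant, while the 64-bit cmp in the generated code (cmp $333,%rbp) can only encode an immediate that fits in a sign-extended 32 bits. If size is as wide as the unsigned long index named in the hunk header, a constant size outside that range would be emitted as an immediate the assembler rejects. The x86 "e" constraint exists for this case, so "er"(size) would keep the immediate form for small tables and fall back to a register otherwise. The hunk carries no context lines, so a short comment next to the constraint saying why an immediate is allowed would help the next reader.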
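
The mask expression asked about at the end of the message, as an added example (not code from the thread or from the kernel tree): it evaluates `0 - (index < size)` next to an arithmetic-only form at the boundary values around the 333-entry limit seen in the quoted assembly. The function names and `NR_ENTRIES` are hypothetical, and the arithmetic form is valid only while index and size are both at most `LONG_MAX`.

```c
#include <limits.h>
#include <stdio.h>

#define NR_ENTRIES 333UL /* assumed table size, from "cmp $333" in the quoted asm */

/* The expression from the message: all ones when index < size, else zero.
 * C only fixes the value; whether the compiler emits cmp/sbb, setcc, or a
 * conditional branch is a code-generation choice, so inspect the disassembly. */
static unsigned long mask_compare(unsigned long index, unsigned long size)
{
    return 0UL - (unsigned long)(index < size);
}

/* Same value with no comparison operator. Requires index, size <= LONG_MAX
 * and an arithmetic right shift of negative longs (true for gcc and clang). */
static unsigned long mask_arith(unsigned long index, unsigned long size)
{
    long sign = (long)(index | (size - 1UL - index));

    return (unsigned long)(~sign >> (sizeof(long) * CHAR_BIT - 1));
}

/* Clamp an index so an out-of-range value becomes 0 instead of reaching
 * past the end of the table. */
static unsigned long clamp_index(unsigned long index, unsigned long size)
{
    return index & mask_compare(index, size);
}

int main(void)
{
    /* Constructed boundary cases: last valid, first invalid, far out. */
    const unsigned long samples[] = { 0, 332, 333, 334, (unsigned long)LONG_MAX };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned long nr = samples[i];

        printf("nr=%lu compare=%#lx arith=%#lx clamped=%lu\n", nr,
               mask_compare(nr, NR_ENTRIES), mask_arith(nr, NR_ENTRIES),
               clamp_index(nr, NR_ENTRIES));
    }
    return 0;
}
```
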