Received: by 10.223.176.5 with SMTP id f5csp1108980wra; Tue, 6 Feb 2018 12:50:59 -0800 (PST) X-Google-Smtp-Source: AH8x224u4LH+4H/sH/ocEhComxm84eZQ7c8qbCIIrZVlesfxUR4btVsG2RhSDKGgOzwCoSXOuzTM X-Received: by 10.101.90.193 with SMTP id d1mr2915050pgt.366.1517950259306; Tue, 06 Feb 2018 12:50:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517950259; cv=none; d=google.com; s=arc-20160816; b=FqL0iPHCBRSkHrQvWI3R8+H2zigv6kHaiZH782tH2ejmRZuczESMlrr7Zu6Jc/RQSA zQwvaTMGw0VrR11s8btT6IGvhgtPLFFuE770Y6BD3NvsiYXyBNNYGz56Vd11crTJhf+t sxbzE9UVcQG2gzXj4f9rJaHN4v/ETyfBroQedHB9ALu7hC7ezYtDk+saqZwq44CtZGrc sYW+FbAr8xYfXO4XYYjDwpl6HnXinp7hQH3aY/GZLaBDXKostRXLTH5qB5z+rFnpGVd9 WfEUJKkQYFafnE6Myrs+3sDryzIeJCbkOH1YAxr88jsPr7y33U3ayOqPRy5zaVeayo68 mlCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dmarc-filter :arc-authentication-results; bh=nqTrhbuLlL3a8qX2YbigiL7uDL3wnGGFW4MF2X3vcMs=; b=WAI5f971oaXsTgrfMNwXscSaIMPBmKUfY+5MHz80T4t+912gF44MLldnqqukQXY4Ni jHJxwADti15ua020BfVF+utu6oL0JToWJvq77QsvXUBgK15zGmD2foDaXfIt53TgkwbO 5pwldvLv5WzPDqFZ7zXHmel7XFzmJ0+dKtUaFw7ExDp9O4jmtaASFHUqHuvvO8ogELSv Sq0FuJ86JifaY8gy2IsjmBcLbYaalbA6cArJNcn8A4D+vDrsA6v7h2GUDj4C8lPch/tg VlpzZJsWlgi/lGei9i8HNQf+wMP1oirxRtVpf+kxDIny4w9J2kur/frDnviIWkzI/Vpp QSwA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l91-v6si7132585plb.266.2018.02.06.12.50.44; Tue, 06 Feb 2018 12:50:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753560AbeBFUuC (ORCPT + 99 others); Tue, 6 Feb 2018 15:50:02 -0500 Received: from mail.kernel.org ([198.145.29.99]:45998 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751632AbeBFUuB (ORCPT ); Tue, 6 Feb 2018 15:50:01 -0500 Received: from mail-io0-f170.google.com (mail-io0-f170.google.com [209.85.223.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9516E21738 for ; Tue, 6 Feb 2018 20:50:00 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9516E21738 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f170.google.com with SMTP id z6so3921244iob.11 for ; Tue, 06 Feb 2018 12:50:00 -0800 (PST) X-Gm-Message-State: APf1xPA/nUlsRhlzewg/z0qcf4QDGNQRPFQA11uQw4pNcp9l2wTqE99z z+FmxtLLvEt7oGGy0/V54S9jEe24KQ9JTMFZ93oKkQ== X-Received: by 10.107.170.132 with SMTP id g4mr4333662ioj.183.1517950200015; Tue, 06 Feb 2018 12:50:00 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.137.84 with HTTP; Tue, 6 Feb 2018 12:49:39 -0800 (PST) In-Reply-To: References: <151632009605.21271.11304291057104672116.stgit@dwillia2-desk3.amr.corp.intel.com> <151632014097.21271.16980532033566583357.stgit@dwillia2-desk3.amr.corp.intel.com> <20180206192925.qkmghwsbaysr4iv2@hermes.olymp> From: Andy Lutomirski Date: Tue, 6 Feb 2018 20:49:39 +0000 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation To: Linus Torvalds Cc: Dan Williams , Luis Henriques , Linux Kernel Mailing List , linux-arch , Kernel Hardening , Greg KH , X86 ML , Ingo Molnar , Andy Lutomirski , "H. Peter Anvin" , Thomas Gleixner , Andrew Morton , Alan Cox Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 6, 2018 at 8:42 PM, Linus Torvalds wrote: > On Tue, Feb 6, 2018 at 12:37 PM, Dan Williams wrote: >> >> Are there any compilers that would miscompile: >> >> mask = 0 - (index < size); >> >> That might be a way to improve the assembly. > > Sadly, that is *very* easy to miscompile. In fact, I'd be very > surprised indeed if any compiler worth its name wouldn't combine the > comparison with the conditional branch it accompanies, and just turn > that into a constant. IOW, you'd get > > mask = 0 - (index < size); > if (index <= size) { > ... use mask .. > > and the compiler would just turn that into > > if (index <= size) { > mask = -1; > > and be done with it. > > Linus Can you use @cc to make an asm statement that outputs both the masked array index and the "if" condition? I can never remember the syntax, but something like: asm ("cmp %[limit], %[index]\n\tcmovae %[zero], %[index]" : [index] "+" (index), "@ccb" (result)); Then you shove this into a statement expression macro so you can do: if (index_mask_nospec(&nr, NR_syscalls)) { ... sys_call_table[nr] ..; } (Caveat emptor: I can also *ever* remember which way the $*!& AT&T syntax cmp instruction goes.) A down side is that nr actually ends up containing zero outside the if. *That* could be avoided with jump labels. --Andy