Subject: Re: [PATCH] posix-timers: Protect posix clock array access against speculation
From: Rasmus Villemoes
Date: Thu, 15 Feb 2018 15:05:08 +0100
To: Thomas Gleixner, LKML
CC: Ingo Molnar, Linus Torvalds, David Woodhouse, Dan Williams, Greg KH

On 2018-02-15 14:27, Thomas Gleixner wrote:
> The (clock) id argument of clockid_to_kclock() comes straight from user
> space via various syscalls and is used as index into the posix_clocks
> array.
>
> Protect it against spectre v1 array out of bounds speculation.
>
> Signed-off-by: Thomas Gleixner
> Cc: stable@vger.kernel.org
> ---
> kernel/time/posix-timers.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> --- a/kernel/time/posix-timers.c
> +++ b/kernel/time/posix-timers.c
> @@ -50,6 +50,7 @@
> #include
> #include
> #include
> +#include
>
> #include "timekeeping.h"
> #include "posix-timers.h"
> @@ -1346,11 +1347,14 @@ static const struct k_clock * const posi
>
> static const struct k_clock *clockid_to_kclock(const clockid_t id)
> {
> + clockid_t idx = id;
> +
> if (id < 0)
> return (id & CLOCKFD_MASK) == CLOCKFD ?
> &clock_posix_dynamic : &clock_posix_cpu;
>
> if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])
> return NULL;
> - return posix_clocks[id];
> +
> + return posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))];
> }
>

Stupid questions from someone trying to learn what the rules are for when and how to apply these _nospec macros:

(1) Why introduce the idx var? There's no assignment to it other than the initialization. Is it some magic in array_index_nospec that prevents the use of a const-qualified expression?

(2) The line "if (id >= ARRAY_SIZE(posix_clocks) || !posix_clocks[id])" still seems to allow speculatively accessing posix_clocks[id]. Is that ok, and even if so, wouldn't it be cleaner to elide the !posix_clocks[id] check and just return the NULL safely fetched from the array in the following line?

Rasmus
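Review bot: in the second hunk the `|| !posix_clocks[id]` term of the bounds check still indexes the array with the unsanitized `id`, so the out-of-bounds speculative load the patch sets out to remove is still reachable on that line; the masked access on the following line only protects the second load. Dropping that term so the check reads `if (id >= ARRAY_SIZE(posix_clocks))` and returning `posix_clocks[array_index_nospec(...)]` directly keeps the behaviour (an unregistered slot holds NULL, so callers still see NULL) and leaves the masked index as the only way into the array. The `idx` local is assigned once and never changed; `array_index_nospec()` only reads its argument, so `id` could be passed directly, which avoids a reader wondering whether `idx` and `id` can ever differ.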
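As an added example (not from the patch or the thread), here is a user-space C model of the index-masking idiom behind array_index_nospec(), applied to a posix_clocks-style table in the shape the second question above suggests: the only array access uses the masked index, and a NULL slot is returned as NULL. The struct, table contents and lookup function are stand-ins constructed here, the mask formula follows the kernel's generic array_index_mask_nospec(), and negative (dynamic/CPU) clock ids are not modelled.

```c
/* Added example, not kernel code: models the array_index_nospec()
 * pattern on a posix_clocks-style lookup table.  Struct, table and
 * ids are constructed here; the mask formula mirrors the kernel's
 * generic array_index_mask_nospec(). */
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct k_clock { const char *name; };   /* constructed stand-in */

/* NULL slots model ids that are valid indices but have no clock. */
static const struct k_clock clk_realtime  = { "CLOCK_REALTIME" };
static const struct k_clock clk_monotonic = { "CLOCK_MONOTONIC" };
static const struct k_clock *const posix_clocks[4] = {
	&clk_realtime, &clk_monotonic, NULL, NULL,
};

/* All-ones when index < size, all-zeros otherwise.  Pure arithmetic,
 * no branch, so it holds even if the CPU mis-speculates past the
 * preceding bounds check. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index into [0, size): out-of-range values become 0, which is
 * always a legal slot, so a speculative load stays inside the table. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
	return index & index_mask_nospec(index, size);
}

/* Lookup with the "!posix_clocks[id]" term removed from the check:
 * the masked index is the only way into the array, and an empty slot
 * is simply returned as NULL.  Negative ids are not modelled. */
static const struct k_clock *lookup_kclock(long id)
{
	if (id < 0)
		return NULL;
	if ((unsigned long)id >= ARRAY_SIZE(posix_clocks))
		return NULL;
	return posix_clocks[index_nospec((unsigned long)id,
					 ARRAY_SIZE(posix_clocks))];
}
```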