Received: by 10.192.165.148 with SMTP id m20csp814450imm; Wed, 25 Apr 2018 08:05:15 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/w/mnZreQgI6R5vvtatfYjcCmuxVk7LI/DEzLnqmnpaz/Ib3zB3/UasOqbk7nDklW4RC0J X-Received: by 10.101.100.16 with SMTP id a16mr22604041pgv.75.1524668715168; Wed, 25 Apr 2018 08:05:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524668715; cv=none; d=google.com; s=arc-20160816; b=ExaOQEFkrMbG/nZ+8LyI1mSMhFM3vEeWz0vGXtFzSSvRDGjq+2+zcXKVplgjm6G9oS +QAJXBg4aird+LC4c6Cv3MBKtS3x3V1yHgdjOQvb7hESMLH4CIY+1xSR8chHCxWuPfNa Cnt7PBjLL7n8t0M02K/ju4YlDTCUp5bWwdzw6N6DAA6bZHL2XnVYSbEZ9wk73vxa8So9 k8mQeIZuYPq3zsfkZRds0+mT6HfsrpTuBn0C60rksr0xzmCggbwNEt0uxdJ8gRwzmBoa PlB53Dhr5aPHJM24dEe6xikmMiWovk9YE3OrNGkf/QBNiQGMLaBxjRwyT5KSLDltB20q Jf4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=X8tAGRDIyjYmaX9vWEc17XdlVj6eRSwbU6ro1GqFSs8=; b=hFImDA6sQNZJT/iwob9r6AbZ5RUt+8m+rQAp5yxKJOWhdhpuZbmjbrYwrEMfBxKBMT LktbA4On8OURRnINjQ37yqL/ici46q7TCsNsmcfcukTR4FlTJtbdyn/yPhpsCDMFHW3+ IU+LXGaEHFzEVv8AZUeTHzkyyFy/MhgTsCqdQeaTCithP+EVrpEYSrCJ+kWlo9lCz0ZD 1po7AJ/V3+ni5fcv+E+k9yiyvNKmhve+TiETyqozsd+flxDmLgfwQgze3Qo3GFzfjsr2 c6nI7vNf1cGWNWA904wRFZmEMzo/HLPevgTSlruoQI+DVYNXOtzjHFJ9K9Ln92PuXGNS 6GOw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t5si7960726pgp.594.2018.04.25.08.05.00; Wed, 25 Apr 2018 08:05:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754846AbeDYPDX (ORCPT + 99 others); Wed, 25 Apr 2018 11:03:23 -0400 Received: from foss.arm.com ([217.140.101.70]:41046 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754586AbeDYPDW (ORCPT ); Wed, 25 Apr 2018 11:03:22 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id EC7831435; Wed, 25 Apr 2018 08:03:21 -0700 (PDT) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id DC52F3F487; Wed, 25 Apr 2018 08:03:20 -0700 (PDT) Date: Wed, 25 Apr 2018 16:03:15 +0100 From: Mark Rutland To: Alan Cox Cc: Dan Carpenter , linux-kernel@vger.kernel.org, Peter Zijlstra , "Gustavo A. R. Silva" Subject: Re: Smatch check for Spectre stuff Message-ID: <20180425150314.jgkm4elvoylccvfp@lakrids.cambridge.arm.com> References: <20180419051510.GA21898@mwanda> <20180425131958.hhapvc3b2i3b4pgy@lakrids.cambridge.arm.com> <20180425154852.2486f267@alans-desktop> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180425154852.2486f267@alans-desktop> User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 25, 2018 at 03:48:52PM +0100, Alan Cox wrote: > > 2) Compiler transformations can elide binary operations, so we cannot > > rely on source level AND (&) or MOD (%) operations to narrow the > > range of an expression, regardless of the types of either operand. > > > > This means that source-level AND and MOD operations cannot be relied > > upon under speculation. > > You need to use volatiles and memory barriers if trying to do it > explicitly in C. The compilers will do some really quite insanely > brilliant things otherwise. That's one reason that not using fences is > really tricky and belongs wrapped in helpers. Sure thing -- the point is that source-level analysis tools must take that into account. > > I suspect this means *many* more potential spectre gadgets. :( > > I expect so as well as probably a lot of false positives - the tools in > the space are all pretty new. > > Array access isn't always needed either. Remember that something as > simple as > > x = size_table[user]; > memset(buf, 0, x); > > can speculatively reveal things, as can 'classical' side channels such as > variable length instruction timings. As discussed in the other sub-thread, the plan is to kill sequences at the first load, which should prevent the leak via a subsequent value-dependent sequence. i.e. the above would be: user_nospec = array_index_nospec(user, ARRAY_SIZE(size_table)); x = size_table[user_nospec]; memset(buf, 0, x); ... which IIUC avoids the leak in this particular case. Mark.