Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp1052570imm;
        Fri, 8 Jun 2018 09:13:58 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKJ8JX0vGAno5mChuIxT15NT5+rBEZfTBBwJYGRcl9dLQoB+B9ufafKv3A/3ga56Ad0hQsq0
X-Received: by 2002:a17:902:52ee:: with SMTP id a101-v6mr7297139pli.131.1528474438240;
        Fri, 08 Jun 2018 09:13:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1528474438; cv=none;
        d=google.com; s=arc-20160816;
        b=Toyp4siVTGOhy5yEnEBYMBpavPp3L3R1mEZoF4ESyeRS1udF6YHizGt0srxah/Nml2
         NdBhRswBMLkL6acCMum67rfzQV9Cl/P7cvZpl0M9awy5zKfPGgpOoImDhrNDlH4JezdP
         nmPdrnYeAQ5Ql/uDIzwLkyeQMrEMCeF8iY7qwVeWYLEcT/e0F34HaiLSJng1j+OBFRPG
         8vTAox9F+O5uAT/ulsYy0+ctxhvxyWfBkzuC11aRY4GQieOogz5mhFy46ACXxJRXOmft
         4VND/fC4q+8X8GlNTz8VToF3jSifEYZMkVEYdvQtopq/ELHwClBmXnwWH+KDgLzdm88Y
         d4bw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=Kbe+bjRbdfHcgLjMSYVGUtpLTLqM4/9SuFQSxebWISo=;
        b=FRF7xp6N0e8it1VVPJEvGjcaPMO5GvZsfulN8IaVXD4awlh0gzbQakMFxAurFrvk2v
         bKCSRryG9Q12mOHjvoi0Pqi3ryQBi4NAcRJVs39krmjp9iu3VuPH7uPDQnF8MDN2X/R4
         KisbdEANXzfYk4NCtjbyK9ZaMSk3opygyQFounfEpY7b5KgDug+wt/aVJ76GiT+2ASUg
         MKk2FLkLr4QTIVL68Opi6AKGUQTFVu17zXTW/Atw3ofraz82T6HntAMB/ArvvH05er/l
         9Ki+ED3n4VCNP8/VbLpPiQ50M7+yrdJiw82pyecLhKZV34VtEN6mFjs9nYkCZVpkQGQJ
         5KtA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a11-v6si14662050pgt.205.2018.06.08.09.13.43;
        Fri, 08 Jun 2018 09:13:58 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752753AbeFHQMX (ORCPT <rfc822;austinkernel.kim@gmail.com>
        + 99 others); Fri, 8 Jun 2018 12:12:23 -0400
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:39686 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1752075AbeFHQMW (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 8 Jun 2018 12:12:22 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 8015740252EB;
        Fri,  8 Jun 2018 16:12:21 +0000 (UTC)
Received: from treble (ovpn-120-53.rdu2.redhat.com [10.10.120.53])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 2A5C42026DFD;
        Fri,  8 Jun 2018 16:12:21 +0000 (UTC)
Date:   Fri, 8 Jun 2018 11:12:19 -0500
From:   Josh Poimboeuf <jpoimboe@redhat.com>
To:     Dan Carpenter <dan.carpenter@oracle.com>
Cc:     linux-kernel@vger.kernel.org,
        Peter Zijlstra <peterz@infradead.org>,
        "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Subject: Re: Smatch check for Spectre stuff
Message-ID: <20180608161219.q3lwvlydvs4l2gxa@treble>
References: <20180419051510.GA21898@mwanda>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20180419051510.GA21898@mwanda>
User-Agent: NeoMutt/20180323
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Fri, 08 Jun 2018 16:12:21 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Fri, 08 Jun 2018 16:12:21 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'jpoimboe@redhat.com' RCPT:''
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Apr 19, 2018 at 08:15:10AM +0300, Dan Carpenter wrote:
> Several people have asked me to write this and I think one person was
> maybe working on writing it themselves...
> 
> The point of this check is to find place which might be vulnerable to
> the Spectre vulnerability.  In the kernel we have the array_index_nospec()
> macro which turns off speculation.  There are fewer than 10 places where
> it's used.  Meanwhile this check complains about 800 places where maybe
> it could be used.  Probably the 100x difference means there is something
> that I haven't understood...
> 
> What the test does is it looks at array accesses where the user controls
> the offset.  It asks "is this a read?" and have we used the
> array_index_nospec() macro?  If the answers are yes, and no respectively
> then print a warning.
> 
> http://repo.or.cz/smatch.git/blob/HEAD:/check_spectre.c
> 
> The other thing is that speculation probably goes to 200 instructions
> ahead at most.  But the Smatch doesn't have any concept of CPU
> instructions.  I've marked the offsets which were recently compared to
> something as "local cap" because they were probably compared to the
> array limit.  Those are maybe more likely to be under the 200 CPU
> instruction count.
> 
> This obviously a first draft.
> 
> What would help me, is maybe people could tell me why there are so many
> false positives.  Saying "the lower level checks for that" is not
> helpful but if you could tell me the exact function name where the check
> is that helps a lot...
> 
> I have included the warnings from yesterday's linux-next.

Hi Dan,

Smatch is amazing.  I've been going through a lot of the results.  The
false positive rate is much lower than I expected.

I have a few questions/comments.

1) I've noticed a common pattern for many of the false positives.
   Smatch doesn't seem to detect when the code masks off the array index
   to ensure that it's safe.

   For example:

   > ./include/linux/mmzone.h:1161 __nr_to_section() warn: potential spectre issue 'mem_section[(nr / (((1) << 12) / 32))]'

   1153 static inline struct mem_section *__nr_to_section(unsigned long nr)
   1154 {
   1155 #ifdef CONFIG_SPARSEMEM_EXTREME
   1156         if (!mem_section)
   1157                 return NULL;
   1158 #endif
   1159         if (!mem_section[SECTION_NR_TO_ROOT(nr)])
   1160                 return NULL;
   1161         return &mem_section[SECTION_NR_TO_ROOT(nr)][nr & SECTION_ROOT_MASK];
   1162 }

   In the 2-D array access, it seems to be complaining about the '[nr &
   SECTION_ROOT_MASK]' reference.  But that appears to be safe because
   all the unsafe bits are masked off.
 
   It would be great if Smatch could detect that situation if possible.

2) Looking at the above example, it seems that the value of 'nr' is
   untrusted.  If so, then I wonder why didn't it warn about the other
   array accesses in the function: line 1559 and the first dimension
   access in 1161?

3) One thing that I think would help with analyzing the results would be
   if there was a way to see the call chain for each warning, so that
   it's clear which value isn't trusted and why.

4) Is there a way to put some results in a whitelist to mark them as
   false positives so they won't show up in future scans?  Something
   like that would help with automatic detection and reporting of new
   issues by the 0-day kbuild test robot, for example.

-- 
Josh