Return-path:
Received: from mail-qt0-f195.google.com ([209.85.216.195]:44242 "EHLO mail-qt0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965312AbeAMAPO (ORCPT ); Fri, 12 Jan 2018 19:15:14 -0500
MIME-Version: 1.0
In-Reply-To:
References: <151571798296.27429.7166552848688034184.stgit@dwillia2-desk3.amr.corp.intel.com>
From: Tony Luck
Date: Fri, 12 Jan 2018 16:15:12 -0800
Message-ID: (sfid-20180113_011552_676770_D23DF8AD)
Subject: Re: [PATCH v2 00/19] prevent bounds-check bypass via speculative execution
To: Linus Torvalds
Cc: Dan Williams, Linux Kernel Mailing List, Mark Rutland, kernel-hardening@lists.openwall.com, Peter Zijlstra, Alan Cox, Will Deacon, Alexei Starovoitov, Solomon Peachy, "H. Peter Anvin", Christian Lamparter, Elena Reshetova, "linux-arch@vger.kernel.org", Andi Kleen, "James E.J. Bottomley", Linux SCSI List, Jonathan Corbet, "the arch/x86 maintainers", Russell King, Ingo Molnar, Catalin Marinas, Alexey Kuznetsov, Linux Media Mailing List, Tom Lendacky, Kees Cook, Jan Kara, Al Viro, qla2xxx-upstream@qlogic.com, Thomas Gleixner, Mauro Carvalho Chehab, Kalle Valo, Alan Cox, "Martin K. Petersen", Hideaki YOSHIFUJI, Greg KH, Linux Wireless List, "Eric W. Biederman", Network Development, Andrew Morton, "David S. Miller", Laurent Pinchart
Content-Type: text/plain; charset="UTF-8"
Sender: linux-wireless-owner@vger.kernel.org
List-ID:

On Thu, Jan 11, 2018 at 5:19 PM, Linus Torvalds wrote:
> Should the array access in entry_SYSCALL_64_fastpath be made to use
> the masking approach?

That one has a bounds check for an inline constant.

    cmpq $__NR_syscall_max, %rax

so should be safe.

The classic Spectre variant #1 code sequence is:

    int array_size;

    if (x < array_size) {
        something with array[x]
    }

which runs into problems because the array_size variable may not be in
cache, and while the CPU core is waiting for the value it speculates
inside the "if" body.

The syscall entry is more like:

    #define ARRAY_SIZE 10

    if (x < ARRAY_SIZE) {
        something with array[x]
    }

Here there isn't any reason for speculation. The core has the value of
'x' in a register and the upper bound encoded into the "cmp" instruction.
Both are right there, no waiting, no speculation.

-Tony
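An added example, not part of Tony's message or of the patch series, showing the two shapes contrasted above: a lookup against a variable bound in the classic variant #1 form, and the same lookup with the masking approach Linus asked about. The table, its size and the plain-C index_mask_nospec helper are constructed placeholders for illustration, not the kernel's own array_index_nospec implementation.

```c
#include <stddef.h>

/* Constructed sample table standing in for "array" in the message. */
#define TABLE_SIZE 8
static const int table[TABLE_SIZE] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* The bound lives in memory, as in the "classic Spectre variant #1"
 * sequence: it may miss in cache while the core speculates past the check. */
static size_t table_size = TABLE_SIZE;

/* Vulnerable shape: the only thing keeping table[x] in bounds is a
 * conditional branch the core is free to predict. */
int lookup_unmasked(size_t x)
{
    if (x < table_size)
        return table[x];
    return -1;
}

/* Branchless clamp in the spirit of the kernel's array_index_nospec():
 * all-ones when index < size, all-zeros otherwise. Uses only unsigned
 * arithmetic (assumes index and size are below 2^(bits-1)); this is a
 * plain-C illustration, not the kernel's own asm helper. */
size_t index_mask_nospec(size_t index, size_t size)
{
    const unsigned shift = sizeof(size_t) * 8 - 1;
    /* size - 1 - index wraps (top bit set) exactly when index >= size,
     * so the top bit of the OR is 1 iff the index is out of range. */
    size_t out_of_range = (index | (size - 1 - index)) >> shift; /* 0 or 1 */
    return out_of_range - 1; /* 0 -> all ones, 1 -> 0 */
}

/* Mitigated shape: the branch stays for correctness, but the index used
 * for the load is ANDed with a mask that data-depends on table_size, so
 * the load cannot go out with an out-of-range x even on a mispredicted path. */
int lookup_masked(size_t x)
{
    if (x < table_size) {
        x &= index_mask_nospec(x, table_size);
        return table[x];
    }
    return -1;
}
```

The mask clamps a bad index to 0 rather than rejecting it, so the original bounds check must be kept; the mask only removes the window in which a predicted-taken branch lets the out-of-range load issue.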