From: Christian Borntraeger <borntraeger@de.ibm.com>
To: Dan Williams <dan.j.williams@intel.com>,
tglx@linutronix.de, mingo@kernel.org
Cc: linux-arch@vger.kernel.org, Cyril Novikov <cnovikov@lynx.com>,
kernel-hardening@lists.openwall.com,
Peter Zijlstra <peterz@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
x86@kernel.org, Will Deacon <will.deacon@arm.com>,
Russell King <linux@armlinux.org.uk>,
linux-kernel@vger.kernel.org, Ingo Molnar <mingo@redhat.com>,
gregkh@linuxfoundation.org, "H. Peter Anvin" <hpa@zytor.com>,
torvalds@linux-foundation.org, alan@linux.intel.com
Subject: Re: [PATCH v6 02/13] array_index_nospec: sanitize speculative array de-references
Date: Fri, 16 Feb 2018 09:55:05 +0100 [thread overview]
Message-ID: <366bb116-e375-458c-2b63-1b26b4c8bdac@de.ibm.com> (raw)
In-Reply-To: <151727414229.33451.18411580953862676575.stgit@dwillia2-desk3.amr.corp.intel.com>
On 01/30/2018 02:02 AM, Dan Williams wrote:
> array_index_nospec() is proposed as a generic mechanism to mitigate
> against Spectre-variant-1 attacks, i.e. an attack that bypasses boundary
> checks via speculative execution. The array_index_nospec()
> implementation is expected to be safe for current generation CPUs across
> multiple architectures (ARM, x86).
>
> Based on an original implementation by Linus Torvalds, tweaked to remove
> speculative flows by Alexei Starovoitov, and tweaked again by Linus to
> introduce an x86 assembly implementation for the mask generation.
>
> Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
> Co-developed-by: Alexei Starovoitov <ast@kernel.org>
> Suggested-by: Cyril Novikov <cnovikov@lynx.com>
> Cc: Russell King <linux@armlinux.org.uk>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: x86@kernel.org
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
> include/linux/nospec.h | 72 ++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 72 insertions(+)
> create mode 100644 include/linux/nospec.h
>
> diff --git a/include/linux/nospec.h b/include/linux/nospec.h
> new file mode 100644
> index 000000000000..cf7be4bbcf17
> --- /dev/null
> +++ b/include/linux/nospec.h
> @@ -0,0 +1,72 @@
> +// SPDX-License-Identifier: GPL-2.0
> +// Copyright(c) 2018 Linus Torvalds. All rights reserved.
> +// Copyright(c) 2018 Alexei Starovoitov. All rights reserved.
> +// Copyright(c) 2018 Intel Corporation. All rights reserved.
> +
> +#ifndef _LINUX_NOSPEC_H
> +#define _LINUX_NOSPEC_H
Hmmm, shouldn't we include asm/barrier.h here? Otherwise users might or might not
use the optimized variant depending on which headers are included by the users
of array_index_nospec.
> +
> +/**
> + * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
> + * @index: array element index
> + * @size: number of elements in array
> + *
> + * When @index is out of bounds (@index >= @size), the sign bit will be
> + * set. Extend the sign bit to all bits and invert, giving a result of
> + * zero for an out of bounds index, or ~0 if within bounds [0, @size).
> + */
> +#ifndef array_index_mask_nospec
> +static inline unsigned long array_index_mask_nospec(unsigned long index,
> + unsigned long size)
> +{
> + /*
> + * Warn developers about inappropriate array_index_nospec() usage.
> + *
> + * Even if the CPU speculates past the WARN_ONCE branch, the
> + * sign bit of @index is taken into account when generating the
> + * mask.
> + *
> + * This warning is compiled out when the compiler can infer that
> + * @index and @size are less than LONG_MAX.
> + */
> + if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX,
> + "array_index_nospec() limited to range of [0, LONG_MAX]\n"))
> + return 0;
> +
> + /*
> + * Always calculate and emit the mask even if the compiler
> + * thinks the mask is not needed. The compiler does not take
> + * into account the value of @index under speculation.
> + */
> + OPTIMIZER_HIDE_VAR(index);
> + return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
> +}
> +#endif
> +
> +/*
> + * array_index_nospec - sanitize an array index after a bounds check
> + *
> + * For a code sequence like:
> + *
> + * if (index < size) {
> + * index = array_index_nospec(index, size);
> + * val = array[index];
> + * }
> + *
> + * ...if the CPU speculates past the bounds check then
> + * array_index_nospec() will clamp the index within the range of [0,
> + * size).
> + */
> +#define array_index_nospec(index, size) \
> +({ \
> + typeof(index) _i = (index); \
> + typeof(size) _s = (size); \
> + unsigned long _mask = array_index_mask_nospec(_i, _s); \
> + \
> + BUILD_BUG_ON(sizeof(_i) > sizeof(long)); \
> + BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \
> + \
> + _i &= _mask; \
> + _i; \
> +})
> +#endif /* _LINUX_NOSPEC_H */
>
next prev parent reply other threads:[~2018-02-16 8:55 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-30 1:02 [PATCH v6 00/13] spectre variant1 mitigations for tip/x86/pti Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-01-30 1:02 ` [PATCH v6 01/13] Documentation: document array_index_nospec Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-01-30 1:02 ` [PATCH v6 02/13] array_index_nospec: sanitize speculative array de-references Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-02-16 8:55 ` Christian Borntraeger [this message]
2018-02-16 8:55 ` Christian Borntraeger
2018-01-30 1:02 ` [PATCH v6 03/13] x86: implement array_index_mask_nospec Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-01-30 1:02 ` [PATCH v6 04/13] x86: introduce barrier_nospec Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-01-30 1:02 ` [PATCH v6 05/13] x86: introduce __uaccess_begin_nospec Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-01-30 1:02 ` [PATCH v6 06/13] x86, usercopy: replace open coded stac/clac with __uaccess_{begin, end} Dan Williams
2018-01-30 1:02 ` [PATCH v6 07/13] x86, __get_user: use __uaccess_begin_nospec Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-01-30 1:02 ` [PATCH v6 08/13] x86, get_user: use pointer masking to limit speculation Dan Williams
2018-01-30 1:02 ` [PATCH v6 09/13] x86: sanitize syscall table de-references under speculation Dan Williams
2018-01-30 1:02 ` Dan Williams
2018-01-30 1:03 ` [PATCH v6 10/13] vfs, fdtable: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-30 1:03 ` Dan Williams
2018-01-30 1:03 ` [PATCH v6 11/13] kvm, x86: update spectre-v1 mitigation Dan Williams
2018-01-30 1:03 ` Dan Williams
2018-01-31 3:22 ` Dan Williams
2018-01-31 3:22 ` Dan Williams
2018-01-31 8:07 ` Thomas Gleixner
2018-01-31 8:07 ` Thomas Gleixner
2018-01-31 13:49 ` Paolo Bonzini
2018-01-31 13:49 ` Paolo Bonzini
2018-01-31 15:42 ` Thomas Gleixner
2018-01-31 15:42 ` Thomas Gleixner
2018-01-30 1:03 ` [PATCH v6 12/13] nl80211: sanitize array index in parse_txq_params Dan Williams
2018-01-30 1:03 ` Dan Williams
2018-01-30 1:03 ` [PATCH v6 13/13] x86/spectre: report get_user mitigation for spectre_v1 Dan Williams
2018-01-30 1:03 ` Dan Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=366bb116-e375-458c-2b63-1b26b4c8bdac@de.ibm.com \
--to=borntraeger@de.ibm.com \
--cc=alan@linux.intel.com \
--cc=catalin.marinas@arm.com \
--cc=cnovikov@lynx.com \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox