Date: Fri, 3 May 2019 22:32:25 +0300
From: Dan Carpenter
To: Joel Savitz
Cc: smatch@vger.kernel.org, error27@gmail.com
Subject: Re: I would like to contribute to smatch
Message-ID: <20190503193225.GO2239@kadam>

Hi Joel,

Smatch has two checks for Spectre v1 issues:

    ipc/sem.c:445 sem_unlock() warn: potential spectre issue 'sma->sems' [r]

    copy_from_user(&var, src, sizeof(var));
    if (var >= ARRAY_SIZE(array))
        return -EINVAL;
    foo = array[var];

These warnings are for when we read from an array without using array_index_nospec() or a different method of turning off speculation. One of the issues with this warning is that most are not exploitable.

The second warning is for Spectre second halves:

    block/genhd.c:117 __disk_get_part() warn: possible spectre second half. '__u.__val'

    /* First half */
    copy_from_user(&var, src, sizeof(var));
    if (var >= ARRAY_SIZE(array))
        return -EINVAL;
    foo = array[var];

    /* The second half is when we use "foo" */
    if (foo) {
        /* ... */
    }

I'm looking through the warnings now and they seem pretty low quality... :( Part of it is that the CPU can only speculate maybe 200 instructions ahead, so if the bounds checking is a long way from the first or second half then it's not exploitable.
I think what's happening is that it's restarting the clock at the start of the function? I could just check to see if we have compared the index with something in the function. That's stored in smatch_comparison.c. Or I could pass the counter and store that in the DB. I would be counting C statements and not machine instructions, but they are obviously correlated.

What would really help me is if someone looked through the results and pointed out which are false positives.

Btw, the smatch_data/db/smdb.py script is really essential to understanding any of the spectre warnings. It's looking at USER_DATA which comes from copy_from_user() etc. Also it's essential to build the DB. The Smatch program to do that is:

    ~/smatch/smatch_scripts/build_kernel_data.sh

It's straightforward, but it takes 5 hours to complete.

regards,
dan carpenter
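The two warning shapes described in the message above, as an added example that is not part of Dan's email or of the Smatch project: a user-chosen slot selects an index out of one table (the "first half") and that index is then used to read a second table (the "second half"), shown once as Smatch would flag it and once with the index clamped after the bounds check. The `index_mask_nospec()`/`index_nospec()` helpers are assumed stand-ins modelled on the kernel's generic `array_index_mask_nospec()`/`array_index_nospec()` (the kernel additionally hides the index from the optimiser and has asm-optimised variants); the `slot_index` and `payload` tables are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data: a user-chosen slot selects an index into a
 * second table (the "first half"), and that index is then dereferenced
 * (the "second half"). */
#define NR_SLOTS 4
#define NR_PAYLOADS 8
static const size_t slot_index[NR_SLOTS] = { 3, 0, 7, 5 };
static const int payload[NR_PAYLOADS] = { 100, 101, 102, 103, 104, 105, 106, 107 };

#define BITS_PER_LONG (sizeof(long) * 8)

/* Assumed stand-in for the kernel's generic array_index_mask_nospec():
 * evaluates to all-ones when index < size and to 0 otherwise, using only
 * arithmetic (no branch), so the mask is correct even on a mispredicted
 * path. The kernel additionally hides @index from the optimiser. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Assumed stand-in for array_index_nospec(): clamps index into [0, size)
 * with the mask, so a speculative out-of-bounds index collapses to 0
 * instead of steering a load past the end of the array. */
static size_t index_nospec(size_t index, size_t size)
{
    return index & index_mask_nospec(index, size);
}

/* The shape Smatch reports as "potential spectre issue": user-controlled
 * index, bounds check, then a load that the CPU may still execute
 * speculatively with the unchecked index. Returns -1 for an out-of-range
 * slot. Architecturally this is correct; only the speculative path is
 * the problem. */
static long lookup_unsafe(size_t user_slot)
{
    if (user_slot >= NR_SLOTS)
        return -1;
    size_t idx = slot_index[user_slot];   /* first half: speculative OOB read */
    if (idx >= NR_PAYLOADS)
        return -1;
    return payload[idx];                  /* second half: idx steers another load */
}

/* Same logic with each index clamped right after its bounds check, which
 * is what the first warning asks for. Clamping user_slot already keeps
 * idx in range; clamping idx as well covers the second-half use. */
static long lookup_hardened(size_t user_slot)
{
    if (user_slot >= NR_SLOTS)
        return -1;
    user_slot = index_nospec(user_slot, NR_SLOTS);
    size_t idx = slot_index[user_slot];
    if (idx >= NR_PAYLOADS)
        return -1;
    idx = index_nospec(idx, NR_PAYLOADS);
    return payload[idx];
}

int main(void)
{
    /* Constructed probes: in-range slots plus two out-of-range ones. */
    size_t probes[] = { 0, 2, 3, 4, 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("slot %4zu: unsafe=%ld hardened=%ld mask=%#lx\n", probes[i],
               lookup_unsafe(probes[i]), lookup_hardened(probes[i]),
               index_mask_nospec(probes[i], NR_SLOTS));
    return 0;
}
```

Both lookups return the same values for every input; the difference is only visible to a speculating CPU, which is why a static checker like Smatch has to pattern-match the code shape (user data, compare, array read) rather than observe behaviour, and why the distance between the bounds check and the read matters for whether a report is worth fixing.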