Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 16 Feb 2018 09:55:05 +0100
From: Christian Borntraeger <borntraeger@...ibm.com>
To: Dan Williams <dan.j.williams@...el.com>, tglx@...utronix.de,
        mingo@...nel.org
Cc: linux-arch@...r.kernel.org, Cyril Novikov <cnovikov@...x.com>,
        kernel-hardening@...ts.openwall.com,
        Peter Zijlstra <peterz@...radead.org>,
        Catalin Marinas <catalin.marinas@....com>, x86@...nel.org,
        Will Deacon <will.deacon@....com>,
        Russell King <linux@...linux.org.uk>, linux-kernel@...r.kernel.org,
        Ingo Molnar <mingo@...hat.com>, gregkh@...uxfoundation.org,
        "H. Peter Anvin" <hpa@...or.com>, torvalds@...ux-foundation.org,
        alan@...ux.intel.com
Subject: Re: [PATCH v6 02/13] array_index_nospec: sanitize speculative array
 de-references



On 01/30/2018 02:02 AM, Dan Williams wrote:
> array_index_nospec() is proposed as a generic mechanism to mitigate
> against Spectre-variant-1 attacks, i.e. an attack that bypasses boundary
> checks via speculative execution. The array_index_nospec()
> implementation is expected to be safe for current generation CPUs across
> multiple architectures (ARM, x86).
> 
> Based on an original implementation by Linus Torvalds, tweaked to remove
> speculative flows by Alexei Starovoitov, and tweaked again by Linus to
> introduce an x86 assembly implementation for the mask generation.
> 
> Co-developed-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Co-developed-by: Alexei Starovoitov <ast@...nel.org>
> Suggested-by: Cyril Novikov <cnovikov@...x.com>
> Cc: Russell King <linux@...linux.org.uk>
> Cc: Peter Zijlstra <peterz@...radead.org>
> Cc: Catalin Marinas <catalin.marinas@....com>
> Cc: Will Deacon <will.deacon@....com>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Ingo Molnar <mingo@...hat.com>
> Cc: "H. Peter Anvin" <hpa@...or.com>
> Cc: x86@...nel.org
> Signed-off-by: Dan Williams <dan.j.williams@...el.com>
> ---
>  include/linux/nospec.h |   72 ++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 72 insertions(+)
>  create mode 100644 include/linux/nospec.h
> 
> diff --git a/include/linux/nospec.h b/include/linux/nospec.h
> new file mode 100644
> index 000000000000..cf7be4bbcf17
> --- /dev/null
> +++ b/include/linux/nospec.h
> @@ -0,0 +1,72 @@
> +// SPDX-License-Identifier: GPL-2.0
> +// Copyright(c) 2018 Linus Torvalds. All rights reserved.
> +// Copyright(c) 2018 Alexei Starovoitov. All rights reserved.
> +// Copyright(c) 2018 Intel Corporation. All rights reserved.
> +
> +#ifndef _LINUX_NOSPEC_H
> +#define _LINUX_NOSPEC_H


Hmmm, shouldn't we include asm/barrier.h here? Otherwise users might or might not
use the optimized variant depending on which headers are included by the users
of array_index_nospec.


> +
> +/**
> + * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
> + * @index: array element index
> + * @size: number of elements in array
> + *
> + * When @index is out of bounds (@index >= @size), the sign bit will be
> + * set.  Extend the sign bit to all bits and invert, giving a result of
> + * zero for an out of bounds index, or ~0 if within bounds [0, @size).
> + */
> +#ifndef array_index_mask_nospec
> +static inline unsigned long array_index_mask_nospec(unsigned long index,
> +		unsigned long size)
> +{
> +	/*
> +	 * Warn developers about inappropriate array_index_nospec() usage.
> +	 *
> +	 * Even if the CPU speculates past the WARN_ONCE branch, the
> +	 * sign bit of @index is taken into account when generating the
> +	 * mask.
> +	 *
> +	 * This warning is compiled out when the compiler can infer that
> +	 * @index and @size are less than LONG_MAX.
> +	 */
> +	if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX,
> +			"array_index_nospec() limited to range of [0, LONG_MAX]\n"))
> +		return 0;
> +
> +	/*
> +	 * Always calculate and emit the mask even if the compiler
> +	 * thinks the mask is not needed. The compiler does not take
> +	 * into account the value of @index under speculation.
> +	 */
> +	OPTIMIZER_HIDE_VAR(index);
> +	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
> +}
> +#endif
> +
> +/*
> + * array_index_nospec - sanitize an array index after a bounds check
> + *
> + * For a code sequence like:
> + *
> + *     if (index < size) {
> + *         index = array_index_nospec(index, size);
> + *         val = array[index];
> + *     }
> + *
> + * ...if the CPU speculates past the bounds check then
> + * array_index_nospec() will clamp the index within the range of [0,
> + * size).
> + */
> +#define array_index_nospec(index, size)					\
> +({									\
> +	typeof(index) _i = (index);					\
> +	typeof(size) _s = (size);					\
> +	unsigned long _mask = array_index_mask_nospec(_i, _s);		\
> +									\
> +	BUILD_BUG_ON(sizeof(_i) > sizeof(long));			\
> +	BUILD_BUG_ON(sizeof(_s) > sizeof(long));			\
> +									\
> +	_i &= _mask;							\
> +	_i;								\
> +})
> +#endif /* _LINUX_NOSPEC_H */
> 

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.