Re: [PATCH] kernel: sys: fix potential Spectre v1

From: Gustavo A. R. Silva
Date: Fri May 18 2018 - 17:15:55 EST

Next message: Boris Ostrovsky: "Re: [Xen-devel][RFC 2/3] xen/grant-table: Extend API to work with DMA buffers"
Previous message: Dan Williams: "Re: [PATCH] kernel: sys: fix potential Spectre v1"
In reply to: Dan Williams: "Re: [PATCH] kernel: sys: fix potential Spectre v1"
Next in thread: Gustavo A. R. Silva: "Re: [PATCH] kernel: sys: fix potential Spectre v1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 05/18/2018 05:08 PM, Dan Williams wrote:

Oh I see now. Just to double check, then something like the following would
be broken too, because is basically the same as the code above, and well, it
doesn't make much sense to store the value returned by macro
array_index_nospec into x, correct?:

Correct, broken:

bool foo(int x)
{
if(x >= MAX)
return false;

Under speculation we may not return here when x is greater than max.

x = array_index_nospec(x, MAX);

x is now sanitized under speculation to zero, but the compiler would
likely just throw this away because nothing consumes it.

return true;
}

int vulnerable(int x)
{
if(!foo(x))
return -1;

cpu might speculate that this branch is not taken...

temp = array[x];

...so x had better be bounded here, otherwise Spectre.

I got it.

I appreciate the feedback.

Thanks, Dan.
--
Gustavo

Next message: Boris Ostrovsky: "Re: [Xen-devel][RFC 2/3] xen/grant-table: Extend API to work with DMA buffers"
Previous message: Dan Williams: "Re: [PATCH] kernel: sys: fix potential Spectre v1"
In reply to: Dan Williams: "Re: [PATCH] kernel: sys: fix potential Spectre v1"
Next in thread: Gustavo A. R. Silva: "Re: [PATCH] kernel: sys: fix potential Spectre v1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]