Re: [PATCH v2 00/19] prevent bounds-check bypass via speculative execution

From: Tony Luck
Date: Fri Jan 12 2018 - 19:15:43 EST


On Thu, Jan 11, 2018 at 5:19 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> Should the array access in entry_SYSCALL_64_fastpath be made to use
> the masking approach?

That one has a bounds check for an inline constant.

cmpq $__NR_syscall_max, %rax

so should be safe.

The classic Spectre variant #1 code sequence is:

int array_size;

if (x < array_size) {
        /* something with array[x] */
}

which runs into problems because the array_size variable may not
be in cache, and while the CPU core is waiting for the value it
speculates inside the "if" body.

The syscall entry is more like:

#define ARRAY_SIZE 10

if (x < ARRAY_SIZE) {
        /* something with array[x] */
}

Here there isn't any reason for speculation. The core has the
value of 'x' in a register and the upper bound encoded into the
"cmp" instruction. Both are right there, no waiting, no speculation.

-Tony
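The three shapes under discussion side by side, as an added example that is not part of Tony's mail or of the patch series: the variant-1 pattern with a bound that lives in memory, the immediate-compare pattern like the syscall entry, and the masking approach Linus asked about. The mask helper here is a portable restatement of the branchless "index OR (size - 1 - index)" trick (the generic kernel helper uses a signed arithmetic shift for the same idea); the table, the `runtime_size` variable and all function names are constructed for illustration. Note that a C program cannot observe its own misspeculation, so the test only checks that the mask and the lookups return the right values architecturally.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_ENTRIES 10          /* assumed compile-time bound */

/* Constructed lookup table for the example. */
static const int table[TABLE_ENTRIES] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };

/*
 * Constructed run-time bound. 'volatile' forces a real load so the
 * compiler cannot fold it into an immediate; under speculation the
 * load may miss in cache while the core runs ahead into the body.
 */
static volatile size_t runtime_size = TABLE_ENTRIES;

/*
 * Pattern 1: the classic variant-1 sequence. The bound is loaded from
 * memory, so the branch can resolve late and table[x] can be read
 * speculatively for an out-of-range x.
 */
int lookup_runtime_bound(size_t x)
{
        if (x < runtime_size)
                return table[x];
        return -1;
}

/*
 * Pattern 2: bound encoded as an immediate in the compare, like
 *   cmpq $__NR_syscall_max, %rax
 * in entry_SYSCALL_64_fastpath. Nothing to wait for: x is in a
 * register and the bound is in the instruction stream.
 */
int lookup_const_bound(size_t x)
{
        if (x < TABLE_ENTRIES)
                return table[x];
        return -1;
}

/*
 * Branch-free clamp mask: all ones when index < size, zero otherwise.
 * (index | (size - 1 - index)) has its top bit set exactly when
 * index >= size (the subtraction wraps) or the inputs are huge; we
 * shift that bit down and subtract one. Uses only unsigned arithmetic,
 * so it is well defined in portable C and compiles without a branch.
 * Works for size == 0 too: size - 1 wraps, so the mask is zero.
 */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
        size_t oob = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
        return oob - 1;   /* 0 - 1 wraps to SIZE_MAX when in range */
}

/*
 * Pattern 3: the masking approach. Even if the CPU speculates past
 * the compare, the index used for the load is forced to 0, so no
 * attacker-chosen address is touched.
 */
int lookup_masked(size_t x)
{
        if (x < runtime_size) {
                x &= index_mask_nospec(x, runtime_size);
                return table[x];
        }
        return -1;
}

int main(void)
{
        size_t probes[] = { 0, 3, 9, 10, 1000, SIZE_MAX };
        for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
                size_t x = probes[i];
                printf("x=%zu runtime=%d const=%d masked=%d mask=%#zx\n",
                       x, lookup_runtime_bound(x), lookup_const_bound(x),
                       lookup_masked(x), index_mask_nospec(x, runtime_size));
        }
        return 0;
}
```

All three functions agree on the architectural result; the difference is only what an out-of-range `x` can touch while the branch is unresolved, which is the property the `cmpq` immediate gives the syscall path for free and the mask gives a memory-resident bound.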