Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation
From: Dan Williams
Date: Tue Feb 06 2018 - 19:33:27 EST
On Tue, Feb 6, 2018 at 2:52 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, Feb 6, 2018 at 1:37 PM, Dan Williams <dan.j.williams@xxxxxxxxx> wrote:
>>
>> At that point we're basically just back to the array_ptr() version
>> that returned a sanitized pointer to an array element.
>
> .. that one does an extra unnecessary 'andq' instead of the duplicated
> cmp. But at least it avoids comparing that 32-bit integer twice, so
> it's probably slightly smaller.
>
> (And your code generation is without the "r" -> "ir" fix for the size argument)
>
> Probably doesn't matter. But a "asm goto" would give you at least
> potentially optimal code.
>
Should we go with array_element_nospec() in the meantime? So we're not
depending on jump labels? With the constraint fix and killing that
superfluous AND the assembly is now:
e26: 48 81 fd 4d 01 00 00 cmp $0x14d,%rbp
e2d: 48 19 d2 sbb %rdx,%rdx
NR_syscalls);
if (likely(call))
e30: 48 21 d0 and %rdx,%rax
e33: 74 1e je e53 <do_syscall_64+0x73>
regs->ax = (*call)(regs->di, regs->si, regs->dx,
e35: 48 8b 4b 38 mov 0x38(%rbx),%rcx
e39: 48 8b 53 60 mov 0x60(%rbx),%rdx
e3d: 48 8b 73 68 mov 0x68(%rbx),%rsi
e41: 48 8b 7b 70 mov 0x70(%rbx),%rdi
e45: 4c 8b 4b 40 mov 0x40(%rbx),%r9
e49: 4c 8b 43 48 mov 0x48(%rbx),%r8
e4d: ff 10 callq *(%rax)
e4f: 48 89 43 50 mov %rax,0x50(%rbx)
e53: 65 48 8b 04 25 00 00 mov %gs:0x0,%rax
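As an added illustration of the cmp/sbb masking visible in the listing above (example code, not the kernel's array_element_nospec() and not from this thread), with hypothetical names index_mask_nospec, element_ptr_nospec and dispatch and a constructed two-entry table standing in for sys_call_table:

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code, with hypothetical names: the cmp/sbb
 * masking from the listing above, applied to a small dispatch table.
 * index_mask_nospec is all-ones when index < size (unsigned), all-zeros
 * otherwise, with no data-dependent branch for the CPU to speculate past. */
static inline unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
#if defined(__x86_64__)
	unsigned long mask;
	/* cmp computes index - size and sets CF exactly when index < size; sbb
	 * mask,mask is then 0 - 0 - CF, i.e. ~0 or 0. "ir" lets size be an
	 * immediate, which is how $0x14d (NR_syscalls) appears above. */
	__asm__ ("cmp %1,%2\n\t"
		 "sbb %0,%0"
		 : "=r" (mask)
		 : "ir" (size), "r" (index)
		 : "cc");
	return mask;
#else
	/* Portable fallback (same idea as the kernel's generic version, assumes
	 * size <= LONG_MAX): the OR has its top bit set unless index < size. */
	return ~(long)(index | (size - 1UL - index)) >> (8 * sizeof(long) - 1);
#endif
}

typedef long (*handler_t)(long);
static long op_inc(long x) { return x + 1; }
static long op_dbl(long x) { return x * 2; }
static handler_t table[] = { op_inc, op_dbl };   /* constructed sample table */
#define NR_TABLE (sizeof(table) / sizeof(table[0]))

/* &table[nr] ANDed with the mask: an out-of-bounds nr yields NULL rather than
 * a pointer past the table, even transiently, since no branch is involved. */
static handler_t *element_ptr_nospec(unsigned long nr)
{
	uintptr_t p = (uintptr_t)table + nr * sizeof(table[0]);
	return (handler_t *)(p & index_mask_nospec(nr, NR_TABLE));
}

/* Same shape as do_syscall_64's "if (likely(call)) (*call)(...)": the only
 * architectural branch tests the already-masked pointer. */
long dispatch(unsigned long nr, long arg)
{
	handler_t *call = element_ptr_nospec(nr);
	return __builtin_expect(call != NULL, 1) ? (*call)(arg) : -1;
}

int main(void) { printf("%ld %ld %ld\n", dispatch(0, 41), dispatch(1, 21), dispatch(7, 1)); return 0; }
```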