Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

From: Linus Torvalds
Date: Tue Feb 06 2018 - 20:23:55 EST


On Tue, Feb 6, 2018 at 4:33 PM, Dan Williams <dan.j.williams@xxxxxxxxx> wrote:
>
> Should we go with array_element_nospec() in the meantime? So we're not
> depending on jump labels? With the constraint fix and killing that
> superfluous AND the assembly is now:
>
> e26: 48 81 fd 4d 01 00 00 cmp $0x14d,%rbp
> e2d: 48 19 d2 sbb %rdx,%rdx
> NR_syscalls);
> if (likely(call))
> e30: 48 21 d0 and %rdx,%rax
> e33: 74 1e je e53 <do_syscall_64+0x73>
> regs->ax = (*call)(regs->di, regs->si, regs->dx,
> e35: 48 8b 4b 38 mov 0x38(%rbx),%rcx
> e39: 48 8b 53 60 mov 0x60(%rbx),%rdx
> e3d: 48 8b 73 68 mov 0x68(%rbx),%rsi
> e41: 48 8b 7b 70 mov 0x70(%rbx),%rdi
> e45: 4c 8b 4b 40 mov 0x40(%rbx),%r9
> e49: 4c 8b 43 48 mov 0x48(%rbx),%r8
> e4d: ff 10 callq *(%rax)

That looks fairly optimal, except for the fact that the callq is
through a register.

Of course, that register-indirect calling convention is forced on us
by retpoline anyway (which you don't have enabled, likely because of a
lack of compiler). But without retpoline that callq could be

callq sys_call_table(,%rax,8)

if the masking is done on the index (and if the conditional jump had
been done on the cmp rather than the later 'and').

Instead, you have a

leaq sys_call_table(,%rbp,8),%rax

hiding somewhere earlier that doesn't show in your asm snippet.

Oh well. We'll have an extra instruction however we do this. I guess
that's just something we'll have to live with. No more bikeshedding..

Linus
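The cmp/sbb/and sequence under discussion, written out in C as an added example (not code from this thread or from the kernel patch series): `index_mask_nospec()` produces an all-ones mask when the index is in range and zero otherwise, without a conditional branch, so the value is valid even while the CPU is speculating past a mispredicted bounds check. `array_index_nospec()` applies that mask to the index rather than to the computed pointer, which is the variant Linus sketches above where the call can be a single `callq table(,%rax,8)`. The handler table, the `dispatch()` wrapper and the function names are hypothetical stand-ins for the syscall table; entry 0 plays the role of sys_read from the patch subject. The x86-64 inline-asm path mirrors the disassembly; other targets get a portable arithmetic-shift formulation of the same mask.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Branch-free bounds mask: ~0UL when index < size, 0 otherwise.
 * On x86-64 this is the cmp/sbb pair from the disassembly in the thread;
 * elsewhere a portable arithmetic-shift formulation computes the same value. */
static inline unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    unsigned long mask;
#if defined(__x86_64__) && defined(__GNUC__)
    /* cmp size,index sets CF iff index < size (unsigned);
     * sbb mask,mask then yields mask - mask - CF, i.e. -CF: ~0 or 0 */
    __asm__ volatile("cmp %1,%2; sbb %0,%0;"
                     : "=r"(mask)
                     : "g"(size), "r"(index)
                     : "cc");
#else
    /* The top bit of (index | (size-1-index)) is set iff index >= size or
     * index is huge; invert it and arithmetic-shift it across the word. */
    mask = (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (sizeof(long) * 8 - 1));
#endif
    return mask;
}

/* Mask the index itself (not the pointer derived from it), so an
 * out-of-range index collapses to 0 and the lookup stays inside the table. */
static inline unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Hypothetical stand-in for the syscall table; entry 0 plays sys_read. */
typedef long (*handler_t)(long);
static long h_read(long a)  { return a + 100; }
static long h_write(long a) { return a + 200; }
static long h_close(long a) { return a + 300; }
static const handler_t table[] = { h_read, h_write, h_close };
#define TABLE_SIZE (sizeof(table) / sizeof(table[0]))

/* Architectural behaviour is unchanged: out-of-range numbers are rejected.
 * What changes is the speculative behaviour: if the branch is mispredicted,
 * the masked index can only ever reach table[0]. */
long dispatch(unsigned long nr, long arg)
{
    if (nr >= TABLE_SIZE)
        return -1;                      /* -ENOSYS in the real kernel */
    nr = array_index_nospec(nr, TABLE_SIZE);
    return table[nr](arg);
}

int main(void)
{
    /* Constructed probe values: in range, boundary, and a huge index. */
    unsigned long probes[] = { 0, 2, 3, ~0UL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("nr=%lu mask=%#lx clamped=%lu\n", probes[i],
               index_mask_nospec(probes[i], TABLE_SIZE),
               array_index_nospec(probes[i], TABLE_SIZE));
    return 0;
}
```

The bounds check in `dispatch()` stays in place; the mask is not a replacement for it, only a guarantee about what the table access can touch while that check is being speculated over. Note that the mask depends on `size` not exceeding `LONG_MAX`, which holds for any real table.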