From patchwork Fri Feb 23 10:42:01 2018
X-Patchwork-Submitter: Jinpu Wang
X-Patchwork-Id: 10237439
From: Jack Wang
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: Dan Williams, Thomas Gleixner, linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, alan@linux.intel.com, David Woodhouse, Jack Wang
Subject: [stable 4.4 12/29] x86: Implement array_index_mask_nospec
Date: Fri, 23 Feb 2018 11:42:01 +0100
Message-Id: <1519382538-15143-13-git-send-email-jinpu.wangl@profitbricks.com>
In-Reply-To: <1519382538-15143-1-git-send-email-jinpu.wangl@profitbricks.com>
References: <1519382538-15143-1-git-send-email-jinpu.wangl@profitbricks.com>
From: Dan Williams

(cherry picked from commit babdde2698d482b6c0de1eab4f697cf5856c5859)

array_index_nospec() uses a mask to sanitize user controllable array
indexes, i.e. generate a 0 mask if 'index' >= 'size', and a ~0 mask
otherwise. While the default array_index_mask_nospec() handles the
carry-bit from the (index - size) result in software.

The x86 array_index_mask_nospec() does the same, but the carry-bit is
handled in the processor CF flag without conditional instructions in the
control flow.

Suggested-by: Linus Torvalds
Signed-off-by: Dan Williams
Signed-off-by: Thomas Gleixner
Cc: linux-arch@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: gregkh@linuxfoundation.org
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727414808.33451.1873237130672785331.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: David Woodhouse
Signed-off-by: Greg Kroah-Hartman
[jwang: cherry pick to 4.4]
Signed-off-by: Jack Wang
---
 arch/x86/include/asm/barrier.h | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h index 0681d25..b5028e3 100644 --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -24,6 +24,30 @@ #define wmb() asm volatile("sfence" ::: "memory") #endif +/** + * array_index_mask_nospec() - generate a mask that is ~0UL when the + * bounds check succeeds and 0 otherwise + * @index: array element index + * @size: number of elements in array + * + * Returns: + * 0 - (index < size) + */ +static inline unsigned long array_index_mask_nospec(unsigned long index, + unsigned long size) +{ + unsigned long mask; + + asm ("cmp %1,%2; sbb %0,%0;" + :"=r" (mask) + :"r"(size),"r" (index) + :"cc"); + return mask; +} + +/* Override the default implementation from linux/nospec.h. */ +#define array_index_mask_nospec array_index_mask_nospec + #ifdef CONFIG_X86_PPRO_FENCE #define dma_rmb() rmb() #else
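
Review bot: The asm statement in array_index_mask_nospec() is not marked volatile, and with one register output and two register inputs the compiler may treat it as a pure computation that it can hoist, merge with an identical earlier instance, or schedule away from the bounds check it is meant to back up; since the mask is what keeps the following array access in bounds under speculation, consider `asm volatile ("cmp %1,%2; sbb %0,%0;" ...)`. The kernel-doc "Returns: 0 - (index < size)" is also terse: spelling out both results (~0UL when index < size, 0 otherwise) and noting that in AT&T operand order `cmp %1,%2` computes index - size, so CF is set exactly when index < size as an unsigned compare, would let a reader verify the operand order without decoding the constraints.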
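
The mask construction the commit message describes, as an added example that is not part of the patch or the kernel tree: a user-space C rendering of a software mask next to the x86 cmp/sbb form, compared at boundary values. The names mask_generic, mask_x86, lookup, table and mask_mismatches are hypothetical, and the software expression is written here from the generic approach the message refers to.

```c
#include <limits.h>
#include <stddef.h>

/* Software mask: the top bit of (index | (size - 1 - index)) is set exactly
 * when index >= size (requires size <= LONG_MAX). Inverting and shifting
 * arithmetically (gcc/clang behaviour) gives ~0UL in bounds, 0 otherwise. */
static unsigned long mask_generic(unsigned long index, unsigned long size)
{
	return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

#if defined(__x86_64__) || defined(__i386__)
/* x86 form, as in the patch: AT&T "cmp size,index" computes index - size,
 * setting CF when index < size; "sbb mask,mask" then yields 0 - CF. */
static unsigned long mask_x86(unsigned long index, unsigned long size)
{
	unsigned long mask;

	__asm__ ("cmp %1,%2; sbb %0,%0;" : "=r" (mask) : "r" (size), "r" (index) : "cc");
	return mask;
}
#else
#define mask_x86 mask_generic	/* assumption: fall back on other CPUs */
#endif

static const unsigned char table[4] = { 10, 20, 30, 40 };	/* constructed */

/* Bounds check plus mask: if the branch is mispredicted, the masked index
 * is 0, so the load cannot be steered outside table[]. */
static int lookup(unsigned long index)
{
	if (index >= 4)
		return -1;
	return table[index & mask_x86(index, 4)];
}

/* Count disagreements between the two masks over boundary values. */
static int mask_mismatches(void)
{
	const unsigned long v[] = { 0, 1, 3, 4, 5, LONG_MAX - 1, LONG_MAX, ULONG_MAX };
	const unsigned long sizes[] = { 0, 1, 4, LONG_MAX };
	int bad = 0;

	for (size_t s = 0; s < sizeof(sizes) / sizeof(sizes[0]); s++)
		for (size_t i = 0; i < sizeof(v) / sizeof(v[0]); i++)
			bad += mask_generic(v[i], sizes[s]) != mask_x86(v[i], sizes[s]);
	return bad;
}

int main(void) { return mask_mismatches() != 0; }
```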