From patchwork Wed Jan 3 22:38:24 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 123362 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp10722915qgn; Wed, 3 Jan 2018 14:39:27 -0800 (PST) X-Google-Smtp-Source: ACJfBouiuMrlZoIGdLcwv3thJsFbzySKzzpUDO2Cr1l9CiHhpwdv2E5Ka1swDlEvAInNu8Wf7rqm X-Received: by 10.159.242.131 with SMTP id u3mr2693322plr.442.1515019167134; Wed, 03 Jan 2018 14:39:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1515019167; cv=none; d=google.com; s=arc-20160816; b=fRg075ewGBcDmjVC6UAfP0PP5mTKwjniPXV5eiBpTcDhg/F+N8rMzfNRrE2XJIQSGg t1/cQqMNQJG5BQPLdmMr6cIue7CEx0U8c8GObc9l3JklSd5A2iIJVygLuInHVqz0VY44 7vBstmjiQfiiUbKA+TkSYjE13l4Nwkf+JLGvkmitW4PxR+rVoIcbkQjyKUPDTzO27jZ7 mPcxjRRbqtDaGGbK7dXiilxU6/eGzybpKA2/+j3JBAbK4nZG1jn4gVcRBvQddYugauZI 7hStKZZSg/AAdnV3f1aw0v5jvlP1gvA0Sao2WvXBDQdCvxwX+GcyD+w10JGnUysqgBCk pcjg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=HTylki0zXrryBetIITY6CoddAugxsVyrvUeqlT9MAZY=; b=VtKtbdZqfPruH7nmb0FmkaxytsMH72n/bed1R/QKbYPDqGpduDw6CxYdsYl+0grtK3 5ejPW2JIdDsuRkJ0gyg2WjDPCjCp4W3P3O3yc/mjoNB3/tZwsz7TgxIB0rrdUyWCk8IS Aqu8sxmNGqxVk/R4gMvlmOTGeJGISWfnvcAS97AjE3ZMUByzGO81DkTlGgeYYyMHbxqG oS/TvvaSDC+DxSSg/y4vt4bYE30Mm7XCUccrSqbN9VE9pUb+zeHmbjPako8Bnp/Orgio jtiNYL90GVJIBvhFQaLu4KCFuYHWSN1jbosM+B5NA/GvRWClw2f/Qoj/h/gDrTHbcI9J v/Sg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m13si1195963pgs.37.2018.01.03.14.39.26; Wed, 03 Jan 2018 14:39:27 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751545AbeACWjX (ORCPT + 28 others); Wed, 3 Jan 2018 17:39:23 -0500 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:55498 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751274AbeACWif (ORCPT ); Wed, 3 Jan 2018 17:38:35 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 657AB1529; Wed, 3 Jan 2018 14:38:35 -0800 (PST) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 79FB93F24A; Wed, 3 Jan 2018 14:38:34 -0800 (PST) From: Mark Rutland To: linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, Mark Rutland , Will Deacon Subject: [RFC PATCH 1/4] asm-generic/barrier: add generic nospec helpers Date: Wed, 3 Jan 2018 22:38:24 +0000 Message-Id: <20180103223827.39601-2-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20180103223827.39601-1-mark.rutland@arm.com> References: <20180103223827.39601-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Under speculation, CPUs may mis-predict branches in bounds checks. Thus, memory accesses under a bounds check may be speculated even if the bounds check fails, providing a primitive for building a side channel. This patch adds helpers which can be used to inhibit the use of out-of-bounds pointers and/or valeus read from these under speculation. A generic implementation is provided for compatibility, but does not guarantee safety under speculation. Architectures are expected to override these helpers as necessary. Signed-off-by: Mark Rutland Signed-off-by: Will Deacon --- include/asm-generic/barrier.h | 76 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) -- 2.11.0 diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h index fe297b599b0a..5eba6ae0c34e 100644 --- a/include/asm-generic/barrier.h +++ b/include/asm-generic/barrier.h @@ -54,6 +54,82 @@ #define read_barrier_depends() do { } while (0) #endif +/** + * nospec_ptr() - Ensure a pointer is bounded, even under speculation. + * + * @ptr: the pointer to test + * @lo: the lower valid bound for @ptr, inclusive + * @hi: the upper valid bound for @ptr, exclusive + * + * If @ptr falls in the interval [@lo, @i), returns @ptr, otherwise returns + * NULL. + * + * Architectures should override this to ensure that ptr falls in the [lo, hi) + * interval both under architectural execution and under speculation, + * preventing propagation of an out-of-bounds pointer to code which is + * speculatively executed. + */ +#ifndef nospec_ptr +#define nospec_ptr(ptr, lo, hi) \ +({ \ + typeof (ptr) __ptr = (ptr); \ + typeof (ptr) __lo = (lo); \ + typeof (ptr) __hi = (hi); \ + \ + (__lo <= __ptr && __ptr < __hi) ? __ptr : NULL; \ +}) +#endif + +/** + * nospec_load() - Load a pointer, respecting bounds under speculation + * + * @ptr: the pointer to load + * @lo: the lower valid bound for @ptr, inclusive + * @hi: the upper valid bound for @ptr, exclusive + * + * If @ptr falls in the interval [@lo, @hi), returns the value at @ptr, + * otherwise returns (typeof(*ptr))0. + * + * Architectures should override this to ensure that ptr falls in the [lo, hi) + * interval both under architectural execution and under speculation, + * preventing speculative out-of-bounds reads. + */ +#ifndef nospec_load +#define nospec_load(ptr, lo, hi) \ +({ \ + typeof (ptr) __ptr = (ptr); \ + typeof (ptr) __lo = (lo); \ + typeof (ptr) __hi = (hi); \ + \ + (__lo <= __ptr && __ptr <= __hi) ? \ + *__ptr : \ + (typeof(*__ptr))(unsigned long)0; \ +}) +#endif + +/** + * nospec_array_load - Load an array entry, respecting bounds under speculation + * + * @arr: the base of the array + * @idx: the index of the element to load + * @sz: the number of elements in the array + * + * If @idx falls in the interval [0, @sz), returns the value at @arr[@idx], + * otherwise returns (typeof(*ptr))0. + * + * This is a wrapper around nospec_load(), provided for convenience. + * Architectures should implement nospec_load() to ensure this is the case + * under speculation. + */ +#define nospec_array_load(arr, idx, sz) \ +({ \ + typeof(*(arr)) *__arr = arr; \ + typeof(idx) __idx = idx; \ + typeof(sz) __sz = __sz; \ + \ + nospec_load(__arr + __idx, __arr, __arr + __sz); \ +}) + #ifndef __smp_mb #define __smp_mb() mb() #endif