Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Linus Torvalds
On Tue, Feb 6, 2018 at 4:33 PM, Dan Williams wrote: > > Should we go with array_element_nospec() in the meantime? So we're not > depending on jump labels? With the constraint fix and killing that > superfluous AND the assembly is now: > > e26: 48 81 fd 4d 01 00 00    cmp    $0x14d,%rbp

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Dan Williams
On Tue, Feb 6, 2018 at 2:52 PM, Linus Torvalds wrote: > On Tue, Feb 6, 2018 at 1:37 PM, Dan Williams wrote: >> >> At that point we're basically just back to the array_ptr() version >> that returned a sanitized pointer to an array element. > > .. that one does an extra unnecessary 'andq' instead

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Linus Torvalds
On Tue, Feb 6, 2018 at 1:37 PM, Dan Williams wrote: > > At that point we're basically just back to the array_ptr() version > that returned a sanitized pointer to an array element. .. that one does an extra unnecessary 'andq' instead of the duplicated cmp. But at least it avoids comparing that

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Luis Henriques
On Tue, Feb 06, 2018 at 11:48:45AM -0800, Dan Williams wrote: > On Tue, Feb 6, 2018 at 11:29 AM, Luis Henriques wrote: > > On Thu, Jan 18, 2018 at 04:02:21PM -0800, Dan Williams wrote: > >> The syscall table base is a user controlled function pointer in kernel > >> space. Like, 'get_user, use

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Dan Williams
On Tue, Feb 6, 2018 at 12:58 PM, Linus Torvalds wrote: > On Tue, Feb 6, 2018 at 12:49 PM, Andy Lutomirski wrote: >> >> Can you use @cc to make an asm statement that outputs both the masked >> array index and the "if" condition? I can never remember the syntax, >> but something like: > > Yes.

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Linus Torvalds
On Tue, Feb 6, 2018 at 12:49 PM, Andy Lutomirski wrote: > > Can you use @cc to make an asm statement that outputs both the masked > array index and the "if" condition? I can never remember the syntax, > but something like: Yes. Although I'd actually suggest just using an "asm goto" if we really

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Andy Lutomirski
On Tue, Feb 6, 2018 at 8:42 PM, Linus Torvalds wrote: > On Tue, Feb 6, 2018 at 12:37 PM, Dan Williams wrote: >> >> Are there any compilers that would miscompile: >> >> mask = 0 - (index < size); >> >> That might be a way to improve the assembly. > > Sadly, that is *very* easy to

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Linus Torvalds
On Tue, Feb 6, 2018 at 12:42 PM, Linus Torvalds wrote: > > Sadly, that is *very* easy to miscompile. Side note: don't read email, go watch the falcon heavy takeoff. Linus

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Linus Torvalds
On Tue, Feb 6, 2018 at 12:37 PM, Dan Williams wrote: > > Are there any compilers that would miscompile: > > mask = 0 - (index < size); > > That might be a way to improve the assembly. Sadly, that is *very* easy to miscompile. In fact, I'd be very surprised indeed if any compiler worth its

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Dan Williams
On Tue, Feb 6, 2018 at 12:26 PM, Linus Torvalds wrote: > On Tue, Feb 6, 2018 at 11:48 AM, Dan Williams wrote: >> >> Just to clarify, when you say "this patch" you mean: >> >> 2fbd7af5af86 x86/syscall: Sanitize syscall table de-references >> under speculation >> >> ...not this early

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Linus Torvalds
On Tue, Feb 6, 2018 at 11:48 AM, Dan Williams wrote: > > Just to clarify, when you say "this patch" you mean: > > 2fbd7af5af86 x86/syscall: Sanitize syscall table de-references > under speculation > > ...not this early MASK_NOSPEC version of the patch, right? I suspect not. If that patch is

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Dan Williams
On Tue, Feb 6, 2018 at 11:29 AM, Luis Henriques wrote: > On Thu, Jan 18, 2018 at 04:02:21PM -0800, Dan Williams wrote: >> The syscall table base is a user controlled function pointer in kernel >> space. Like 'get_user', use 'MASK_NOSPEC' to prevent any out of bounds >> speculation. While

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-02-06 Thread Luis Henriques
On Thu, Jan 18, 2018 at 04:02:21PM -0800, Dan Williams wrote: > The syscall table base is a user controlled function pointer in kernel > space. Like 'get_user', use 'MASK_NOSPEC' to prevent any out of bounds > speculation. While retpoline prevents speculating into the user > controlled target it

Re: [PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-01-24 Thread Jiri Slaby
On 01/19/2018, 01:02 AM, Dan Williams wrote: > The syscall table base is a user controlled function pointer in kernel > space. Like 'get_user', use 'MASK_NOSPEC' to prevent any out of bounds > speculation. While retpoline prevents speculating into the user > controlled target it does not stop the

[PATCH v4 07/10] x86: narrow out of bounds syscalls to sys_read under speculation

2018-01-18 Thread Dan Williams
The syscall table base is a user controlled function pointer in kernel space. Like 'get_user', use 'MASK_NOSPEC' to prevent any out of bounds speculation. While retpoline prevents speculating into the user controlled target it does not stop the pointer de-reference, the concern is leaking memory
