On 23/01/2019 17:01, Jan Beulich wrote:
>>>> On 23.01.19 at 15:59, <andrew.coop...@citrix.com> wrote:
>> +static inline struct vcpu *domain_vcpu(const struct domain *d,
>> + unsigned int vcpu_id)
>> +{
>> + unsigned int idx = array_index_nospec(vcpu_id, d->max_vcpus);
>> +
>> + return idx >= d->max_vcpus ? NULL : d->vcpu[idx];
>> +}
> For an out of bounds incoming vcpu_id, isn't it the case that
> idx then would be zero? In which case you'd return d->vcpu[0]
> instead of NULL?
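Review bot: the bounds check in `return idx >= d->max_vcpus ? NULL : d->vcpu[idx];` tests the value that array_index_nospec() has already masked, and that helper yields 0 for any index at or beyond the size, so (as the question above observes) an out-of-range vcpu_id reaches the comparison as 0 and the function hands back d->vcpu[0] instead of NULL. Compare the unmasked input and keep the masked value only for the array access, i.e. `return vcpu_id >= d->max_vcpus ? NULL : d->vcpu[idx];`. A short comment on why idx rather than vcpu_id is used for the load (so the access stays inside d->vcpu[] even when the CPU speculates past the comparison) would also help the next reader.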
Speculatively, yes. array_index_nospec() works by forcing speculative mis-accesses to operate as if the request had been for index 0.

What matters from a data-leaking perspective is whether d->vcpu[idx], when executed speculatively, ends up being out-of-bounds or not, i.e. whether it is distinguishable from a path which can architecturally be taken.

~Andrew

P.S. index 0 is actually better than NULL on any hardware lacking SMAP, because you won't potentially use guest-controlled data from 0 during the subsequent speculation.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
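The exchange above turns on two things: how array_index_nospec() masks an out-of-range index to 0 without a branch, and what happens when the bounds check is applied to the masked index rather than the raw one. The following is an added, self-contained C illustration, not code from Xen or from either poster. It uses a portable arithmetic mask (the constructed helper `index_mask_nospec()`, in the style of the generic Linux fallback) in place of Xen's cmp/sbb assembly, a constructed two-vCPU `struct domain`, and two lookup variants: `domain_vcpu_checks_idx()` is the form under review and `domain_vcpu_checks_id()` compares the unmasked vcpu_id instead. All names other than `array_index_nospec`, `domain_vcpu`, `max_vcpus` and `vcpu` are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the architecture helper behind array_index_nospec():
 * returns ~0UL when index < size and 0 otherwise, using arithmetic only so there
 * is no conditional branch for the CPU to mispredict.  Assumes index and size
 * both fit in a signed long, as the generic Linux fallback does. */
static inline unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* The top bit of (index | (size - 1 - index)) is set exactly when index >= size. */
    unsigned long oob = (index | (size - 1 - index)) >> (sizeof(unsigned long) * CHAR_BIT - 1);

    return oob - 1;   /* in bounds: 0 - 1 = ~0UL (keep index); out of bounds: 1 - 1 = 0 */
}

/* Mirror of array_index_nospec() for unsigned int indices: the result is
 * index when it is in range and 0 when it is not, architecturally as well as
 * speculatively, because no branch is involved. */
static inline unsigned int array_index_nospec_u(unsigned int index, unsigned int size)
{
    return (unsigned int)(index & index_mask_nospec(index, size));
}

#define SAMPLE_VCPU_SLOTS 4          /* constructed array capacity */

struct vcpu { unsigned int vcpu_id; };

struct domain {
    unsigned int max_vcpus;          /* number of valid entries in vcpu[] */
    struct vcpu *vcpu[SAMPLE_VCPU_SLOTS];
};

/* Form from the patch under discussion: the bounds check looks at the masked
 * value, so an out-of-range vcpu_id has already become 0 by the time it is
 * compared and the function returns d->vcpu[0] instead of NULL. */
static inline struct vcpu *domain_vcpu_checks_idx(const struct domain *d, unsigned int vcpu_id)
{
    unsigned int idx = array_index_nospec_u(vcpu_id, d->max_vcpus);

    return idx >= d->max_vcpus ? NULL : d->vcpu[idx];
}

/* Corrected form: bounds-check the raw vcpu_id, and use the masked idx only for
 * the load so that d->vcpu[idx] stays inside the array even if the CPU
 * speculates past the comparison. */
static inline struct vcpu *domain_vcpu_checks_id(const struct domain *d, unsigned int vcpu_id)
{
    unsigned int idx = array_index_nospec_u(vcpu_id, d->max_vcpus);

    return vcpu_id >= d->max_vcpus ? NULL : d->vcpu[idx];
}

/* Constructed sample domain: two vCPUs populated, slots 2 and 3 unused. */
static struct vcpu sample_vcpus[2] = { { 0 }, { 1 } };
static struct domain sample_domain = {
    .max_vcpus = 2,
    .vcpu = { &sample_vcpus[0], &sample_vcpus[1], NULL, NULL },
};

/* Helpers returning the looked-up vcpu_id, or -1 when the lookup yields NULL. */
static int lookup_checking_idx(unsigned int vcpu_id)
{
    struct vcpu *v = domain_vcpu_checks_idx(&sample_domain, vcpu_id);
    return v ? (int)v->vcpu_id : -1;
}

static int lookup_checking_id(unsigned int vcpu_id)
{
    struct vcpu *v = domain_vcpu_checks_id(&sample_domain, vcpu_id);
    return v ? (int)v->vcpu_id : -1;
}

int main(void)
{
    unsigned int ids[] = { 0, 1, 2, 7 };
    size_t i;

    for ( i = 0; i < sizeof(ids) / sizeof(ids[0]); i++ )
        printf("vcpu_id %u: masked idx %u, check-idx -> %d, check-id -> %d\n",
               ids[i], array_index_nospec_u(ids[i], sample_domain.max_vcpus),
               lookup_checking_idx(ids[i]), lookup_checking_id(ids[i]));

    return 0;
}
```

Running it shows the two variants agreeing for ids 0 and 1 and disagreeing for 2 and 7: the masked index is 0 in both out-of-range cases, so only the variant that compares the raw vcpu_id returns NULL. Either variant keeps the array access in bounds under speculation, which is the property Andrew's reply is about; the difference is purely architectural.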