On 23.12.2019 19:08, George Dunlap wrote:
> What about the attached series of patches (compile-tested only)?

This ...

>+#define nospec_clip(index, size)                 \
>+    ({                                           \
>+        bool clipped = (index >= size);          \
>+        index = array_index_nospec(index, size); \
>+        clipped;                                 \
>+    })
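
Review bot: nospec_clip() expands `index` three times and `size` twice and also assigns to `index`, with nothing in the hunk saying that the first argument has to be a side-effect-free lvalue. An argument such as `i++` would be evaluated repeatedly, and a caller whose own variable is named `clipped` would collide with the macro's local. Suggest a comment above the #define stating these constraints, a less collision-prone name for the local (for example `clipped_`), and wrapping each parameter use in parentheses, as in `bool clipped_ = ((index) >= (size));`.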

... in particular may misguide people on its use: If the clipped
"index" gets stored in a register, all is going to be fine (afaict),
but if it ends up in memory, there'd be new (mis-)speculation
opportunities. Some of the clipping done in the patches is already
not fully safe against this, but in some other cases (especially
once array_access_nospec() would be used where possible) would at
least make things as safe as they can be made without compiler aid.

(As an aside, the suggested macro, if we were to put it in, would
need proper parenthesization of the macro parameter uses.)

Jan