
Re: [Xen-devel] [PATCH V6 1/4] x86/mm: Add array_index_nospec to guest provided index values

  • To: George Dunlap <george.dunlap@xxxxxxxxxx>
  • From: Jan Beulich <JBeulich@xxxxxxxx>
  • Date: Fri, 27 Dec 2019 07:59:56 +0000
  • Cc: Petre Ovidiu PIRCALABU <ppircalabu@xxxxxxxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Razvan COJOCARU <rcojocaru@xxxxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Alexandru Stefan ISAILA <aisaila@xxxxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Fri, 27 Dec 2019 08:01:02 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-topic: [PATCH V6 1/4] x86/mm: Add array_index_nospec to guest provided index values

On 23.12.2019 19:08, George Dunlap wrote:
> What about the attached series of patches (compile-tested only)?

This ...

>+#define nospec_clip(index, size)                 \
>+    ({                                           \
>+        bool clipped = (index >= size);          \
>+        index = array_index_nospec(index, size); \
>+        clipped;                                 \
>+    })
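
Review bot: nospec_clip() evaluates `index` in the comparison and again in the array_index_nospec() call, then assigns to it, and it evaluates `size` twice, so it is only correct for a side-effect-free lvalue `index` and a side-effect-free `size`. Nothing in the macro documents or enforces that; a comment stating the requirement, or capturing `size` in a local before the comparison, would close the gap. The local `clipped` can also be captured by a caller argument that happens to use the same name, so a less common name would be safer.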

... in particular may misguide people on its use: If the clipped
"index" gets stored in a register, all is going to be fine (afaict),
but if it ends up in memory, there'd be new (mis-)speculation
opportunities. Some of the clipping done in the patches is already
not fully safe against this, but in some other cases (especially
once array_access_nospec() would be used where possible) would at
least make things as safe as they can be made without compiler aid.

(As an aside, the suggested macro, if we were to put it in, would
need proper parenthesization of the macro parameter uses.)
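
The parenthesization point from the aside, as an added example that is not part of the original message and not Xen's code: a hypothetical hygienic variant of the quoted macro, with `index_mask()`, `lookup()`, `clamped()` and the table contents assumed for illustration. It shows only the C-level clamp and cannot address the register-versus-memory concern raised in the reply.

```c
#include <limits.h>
#include <stdbool.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/*
 * All-ones when index < size, zero otherwise, computed without a branch.
 * Generic arithmetic sketch (assumes size <= LONG_MAX and an arithmetic
 * right shift of negative values); a stand-in, not Xen's implementation.
 */
static inline unsigned long index_mask(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/*
 * Hypothetical parenthesized variant of the quoted nospec_clip():
 * - every parameter use is wrapped in (), so an argument such as
 *   `compat ? 4 : 8` is compared as a whole; unparenthesized,
 *   `index >= compat ? 4 : 8` parses as `(index >= compat) ? 4 : 8`;
 * - size is evaluated once; index must be a side-effect-free lvalue;
 * - trailing underscores keep the locals from capturing caller names.
 * Uses a GNU C statement expression, like the quoted macro.
 */
#define nospec_clip(index, size)                          \
    ({                                                    \
        unsigned long size_ = (size);                     \
        bool clipped_ = ((index) >= size_);               \
        (index) = (index) & index_mask((index), size_);   \
        clipped_;                                         \
    })

/* Constructed table: 4 entries visible in compat mode, 8 otherwise. */
static const int table[8] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* Clamp a caller-supplied index, then read; -1 reports "out of range". */
static int lookup(unsigned long idx, bool compat)
{
    if ( nospec_clip(idx, compat ? 4 : 8) )
        return -1;
    return table[idx];
}

/* Return the index value left behind by the clamp. */
static unsigned long clamped(unsigned long idx, unsigned long size)
{
    (void)nospec_clip(idx, size);
    return idx;
}
```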
