lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 12 Jan 2018 16:15:12 -0800
From:   Tony Luck <>
To:     Linus Torvalds <>
Cc:     Dan Williams <>,
        Linux Kernel Mailing List <>,
        Mark Rutland <>,,
        Peter Zijlstra <>,
        Alan Cox <>,
        Will Deacon <>,
        Alexei Starovoitov <>,
        Solomon Peachy <>,
        "H. Peter Anvin" <>,
        Christian Lamparter <>,
        Elena Reshetova <>,
        "" <>,
        Andi Kleen <>,
        "James E.J. Bottomley" <>,
        Linux SCSI List <>,
        Jonathan Corbet <>,
        "the arch/x86 maintainers" <>,
        Russell King <>,
        Ingo Molnar <>,
        Catalin Marinas <>,
        Alexey Kuznetsov <>,
        Linux Media Mailing List <>,
        Tom Lendacky <>,
        Kees Cook <>, Jan Kara <>,
        Al Viro <>,,
        Thomas Gleixner <>,
        Mauro Carvalho Chehab <>,
        Kalle Valo <>,
        Alan Cox <>,
        "Martin K. Petersen" <>,
        Hideaki YOSHIFUJI <>,
        Greg KH <>,
        Linux Wireless List <>,
        "Eric W. Biederman" <>,
        Network Development <>,
        Andrew Morton <>,
        "David S. Miller" <>,
        Laurent Pinchart <>
Subject: Re: [PATCH v2 00/19] prevent bounds-check bypass via speculative execution

On Thu, Jan 11, 2018 at 5:19 PM, Linus Torvalds
<> wrote:
> Should the array access in entry_SYSCALL_64_fastpath be made to use
> the masking approach?

That one has a bounds check for an inline constant.

     cmpq    $__NR_syscall_max, %rax

so should be safe.

The classic Spectre variant #1 code sequence is:

int array_size;

       if (x < array_size) {
               something with array[x]

which runs into problems because the array_size variable may not
be in cache, and while the CPU core is waiting for the value it
speculates inside the "if" body.

The syscall entry is more like:

#define ARRAY_SIZE 10

     if (x < ARRAY_SIZE) {
          something with array[x]

Here there isn't any reason for speculation. The core has the
value of 'x' in a register and the upper bound encoded into the
"cmp" instruction.  Both are right there, no waiting, no speculation.


Powered by blists - more mailing lists