[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20241025112448.GBZxuAAD3kjAFYM_3A@fat_crate.local>
Date: Fri, 25 Oct 2024 13:24:48 +0200
From: Borislav Petkov <bp@...en8.de>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
x86@...nel.org, Andrew Cooper <andrew.cooper3@...rix.com>,
Josh Poimboeuf <jpoimboe@...nel.org>
Subject: Re: [PATCH] x86: fix user address masking non-canonical speculation
issue
On Thu, Oct 24, 2024 at 11:13:35AM -0700, Linus Torvalds wrote:
> Actually, I should also just remove the "or" and move that into C
> code. It will allow the compiler to decide which way it wants to do
> the bitwise 'or', which means that the compiler can pick whichever
> output register is a better choice.
>
> Probably never matters in practice, but leaving decisions like that to
> the compiler and avoiding one more fixed asm instruction is a good
> thing.
Yap, that's the impression I've got too from talking to compiler folks over
the years.
> It does result in a few more casts on the C side, since you can't just
> do bitwise 'or' on a pointer, but I think it's still the right thing
> to do. So that thing becomes
>
> static inline void __user *mask_user_address(const void __user *ptr)
> {
> unsigned long mask;
> asm("cmp %1,%0\n\t"
> "sbb %0,%0"
> :"=r" (mask)
> :"r" (ptr),
> "0" (runtime_const_ptr(USER_PTR_MAX)));
> return (__force void __user *)(mask | (__force unsigned long)ptr);
> }
>
> which I'm certainly not claiming is a thing of beauty,
Bah, 2 insns in asm and an OR in C code? That's fine.
> but the generated code looks ok if you just ignore the #APP/#NOAPP noise:
>
> # ./arch/x86/include/asm/uaccess_64.h:71: "0"
> (runtime_const_ptr(USER_PTR_MAX)));
> #APP
> # 71 "./arch/x86/include/asm/uaccess_64.h" 1
> mov $81985529216486895,%rax #, __ret
> 1:
> .pushsection runtime_ptr_USER_PTR_MAX,"a"
> .long 1b - 8 - . #
> .popsection
> # 0 "" 2
> # lib/strncpy_from_user.c:114: {
> #NO_APP
> pushq %rbx #
> movq %rdi, %r9 # tmp149, dst
> movq %rdx, %r11 # tmp151, count
> # ./arch/x86/include/asm/uaccess_64.h:67: asm("cmp %1,%0\n\t"
> #APP
> # 67 "./arch/x86/include/asm/uaccess_64.h" 1
> cmp %rsi,%rax # src, mask
> sbb %rax,%rax # mask
> # 0 "" 2
> # ./arch/x86/include/asm/uaccess_64.h:72: return (__force void
> __user *)(mask | (__force unsigned long)ptr);
> #NO_APP
> orq %rax, %rsi # mask, _44
>
> so you actually see gcc filling in variable names etc (well "variable
> names" may be a bit generous: "_44" is a pseudo for the new value of
> src,
Hmm, how did it come up with "src"?
Oh, strncpy_from_user(). That's actually nice.
> but that's just how compilers are with SSA - assignments create a
> whole new temporary).
Right.
> So legibility is very much in the eye of the beholder. You have to be
> pretty damn used to looking at the generated asm to find any of this
> even remotely legible.
Haha, yeah. Especially if one is curious to see what the compiler spits out.
In any case, yeah, that's readable enough.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
Powered by blists - more mailing lists