Date: Sun, 21 Jan 2018 15:07:57 +0000 From: Jann Horn <jannh@...gle.com> To: Russell King - ARM Linux <linux@...linux.org.uk> Cc: Dan Williams <dan.j.williams@...el.com>, Thomas Gleixner <tglx@...utronix.de>, linux-arch@...r.kernel.org, kernel-hardening@...ts.openwall.com, Peter Zijlstra <peterz@...radead.org>, Catalin Marinas <catalin.marinas@....com>, x86@...nel.org, Will Deacon <will.deacon@....com>, Ingo Molnar <mingo@...hat.com>, gregkh@...uxfoundation.org, "H. Peter Anvin" <hpa@...or.com>, torvalds@...ux-foundation.org, alan@...ux.intel.com Subject: Re: Re: [PATCH v4.1 02/10] asm/nospec, array_ptr: sanitize speculative array de-references On Sun, Jan 21, 2018, 11:40 Russell King - ARM Linux <linux@...linux.org.uk> wrote: > On Sat, Jan 20, 2018 at 01:06:09PM -0800, Dan Williams wrote: > > +/* > > + * If idx is negative or if idx > size then bit 63 is set in the mask, > > + * and the value of ~(-1L) is zero. When the mask is zero, bounds check > > + * failed, array_ptr will return NULL. > > The more times I see this the more times I'm unhappy with this comment: > > 1. does this really mean "idx > size" or "idx >= size" ? The code > implements the latter not the former. > Copying the code here for context: return ~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1); That part of the condition (ignoring the overflow edgecases) is equivalent to "!(idx > sz - 1)", which is equivalent to "idx <= sz - 1", which is (ignoring overflow edgecases) equivalent to "idx < sz". Handling of edgecases: idx>=2^(BITS_PER_LONG-1) will cause a NULL return through the first part of the condition. Hmm... a problematic case might be "sz==0 && idx==2^(BITS_PER_LONG-1)-1". The first part of the expression wouldn't trigger, the second part would be "2^(BITS_PER_LONG)-1-(2^(BITS_PER_LONG-1)-1) == 2^(BITS_PER_LONG)-2^(BITS_PER_LONG-1) == 2^(BITS_PER_LONG-1)", which also wouldn't trigger, I think? 2. is "bit 63" relevant here - what if longs are 32-bit? "the top bit" > or "the sign bit" would be better. > > 3. "and the value of ~(-1L) is zero." So does this mean that when > 0 <= idx < size, somehow the rules of logic change and ~(-1L) > magically becomes no longer zero! > > I'd suggest changing the description to something like: > > * If 0 <= idx < size, return a mask of ~0UL, otherwise return zero. > > or: > > * When idx is out of bounds (iow, is negative or idx >= sz), the sign > * bit will be set. Extend the sign bit to all bits and invert, giving > * a result of zero for an out of bounds idx, or ~0UL if within bounds. > > depending on how deeply you want to describe what's going on here. > > -- > RMK's Patch system: http://www.armlinux.org.uk/developer/patches/ > FTTC broadband for 0.8mile line in suburbia: sync at 8.8Mbps down 630kbps > up > According to speedtest.net: 8.21Mbps down 510kbps up > Content of type "text/html" skipped
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.