Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 21 Jan 2018 15:07:57 +0000
From: Jann Horn <jannh@...gle.com>
To: Russell King - ARM Linux <linux@...linux.org.uk>
Cc: Dan Williams <dan.j.williams@...el.com>, Thomas Gleixner <tglx@...utronix.de>, 
	linux-arch@...r.kernel.org, kernel-hardening@...ts.openwall.com, 
	Peter Zijlstra <peterz@...radead.org>, Catalin Marinas <catalin.marinas@....com>, x86@...nel.org, 
	Will Deacon <will.deacon@....com>, Ingo Molnar <mingo@...hat.com>, gregkh@...uxfoundation.org, 
	"H. Peter Anvin" <hpa@...or.com>, torvalds@...ux-foundation.org, alan@...ux.intel.com
Subject: Re: Re: [PATCH v4.1 02/10] asm/nospec, array_ptr:
 sanitize speculative array de-references

On Sun, Jan 21, 2018, 11:40 Russell King - ARM Linux <linux@...linux.org.uk>
wrote:

> On Sat, Jan 20, 2018 at 01:06:09PM -0800, Dan Williams wrote:
> > +/*
> > + * If idx is negative or if idx > size then bit 63 is set in the mask,
> > + * and the value of ~(-1L) is zero. When the mask is zero, bounds check
> > + * failed, array_ptr will return NULL.
>
> The more times I see this the more times I'm unhappy with this comment:
>
> 1. does this really mean "idx > size" or "idx >= size" ?  The code
>    implements the latter not the former.
>

Copying the code here for context:
return ~(long)(idx | (sz - 1 - idx)) >> (BITS_PER_LONG - 1);

That part of the condition (ignoring the overflow edgecases) is equivalent
to "!(idx > sz - 1)", which is equivalent to "idx <= sz - 1", which is
(ignoring overflow edgecases) equivalent to "idx < sz".

Handling of edgecases:
idx>=2^(BITS_PER_LONG-1) will cause a NULL return through the first part of
the condition.
Hmm... a problematic case might be "sz==0 && idx==2^(BITS_PER_LONG-1)-1".
The first part of the expression wouldn't trigger, the second part would be
"2^(BITS_PER_LONG)-1-(2^(BITS_PER_LONG-1)-1) ==
2^(BITS_PER_LONG)-2^(BITS_PER_LONG-1)
== 2^(BITS_PER_LONG-1)", which also wouldn't trigger, I think?

2. is "bit 63" relevant here - what if longs are 32-bit?  "the top bit"
>    or "the sign bit" would be better.
>
> 3. "and the value of ~(-1L) is zero."  So does this mean that when
>    0 <= idx < size, somehow the rules of logic change and ~(-1L)
>    magically becomes no longer zero!
>
> I'd suggest changing the description to something like:
>
>   * If 0 <= idx < size, return a mask of ~0UL, otherwise return zero.
>
> or:
>
>   * When idx is out of bounds (iow, is negative or idx >= sz), the sign
>   * bit will be set. Extend the sign bit to all bits and invert, giving
>   * a result of zero for an out of bounds idx, or ~0UL if within bounds.
>
> depending on how deeply you want to describe what's going on here.
>
> --
> RMK's Patch system: http://www.armlinux.org.uk/developer/patches/
> FTTC broadband for 0.8mile line in suburbia: sync at 8.8Mbps down 630kbps
> up
> According to speedtest.net: 8.21Mbps down 510kbps up
>

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.