ext/include/confine_array_index.h

6b40e452SJens Wiklander/* SPDX-License-Identifier: BSD-3-Clause */
*2b6dd0dfSJens Wiklander/* Copyright (c) 2020 Linaro Limited */
6b40e452SJens Wiklander// Copyright 2019 The Fuchsia Authors. All rights reserved.
6b40e452SJens Wiklander// Use of this source code is governed by a BSD-style license that can be
6b40e452SJens Wiklander// found in the LICENSE file.
6b40e452SJens Wiklander
6b40e452SJens Wiklander/*
6b40e452SJens Wiklander * Content of LICENSE file mentioned above:
6b40e452SJens WiklanderCopyright 2019 The Fuchsia Authors. All rights reserved.
6b40e452SJens WiklanderRedistribution and use in source and binary forms, with or without
6b40e452SJens Wiklandermodification, are permitted provided that the following conditions are
6b40e452SJens Wiklandermet:
6b40e452SJens Wiklander   * Redistributions of source code must retain the above copyright
6b40e452SJens Wiklandernotice, this list of conditions and the following disclaimer.
6b40e452SJens Wiklander   * Redistributions in binary form must reproduce the above
6b40e452SJens Wiklandercopyright notice, this list of conditions and the following disclaimer
6b40e452SJens Wiklanderin the documentation and/or other materials provided with the
6b40e452SJens Wiklanderdistribution.
6b40e452SJens Wiklander   * Neither the name of Google Inc. nor the names of its
6b40e452SJens Wiklandercontributors may be used to endorse or promote products derived from
6b40e452SJens Wiklanderthis software without specific prior written permission.
6b40e452SJens WiklanderTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
6b40e452SJens Wiklander"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
6b40e452SJens WiklanderLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
6b40e452SJens WiklanderA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
6b40e452SJens WiklanderOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
6b40e452SJens WiklanderSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
6b40e452SJens WiklanderLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
6b40e452SJens WiklanderDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
6b40e452SJens WiklanderTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
6b40e452SJens Wiklander(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
6b40e452SJens WiklanderOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
6b40e452SJens Wiklander */
6b40e452SJens Wiklander#ifndef FBL_CONFINE_ARRAY_INDEX_H_
6b40e452SJens Wiklander#define FBL_CONFINE_ARRAY_INDEX_H_
6b40e452SJens Wiklander
6b40e452SJens Wiklander#include <stddef.h>
6b40e452SJens Wiklander
6b40e452SJens Wiklander// confine_array_index() bounds-checks and sanitizes an array index safely in the presence of
6b40e452SJens Wiklander// speculative execution information leak bugs such as Spectre V1. confine_array_index() always
6b40e452SJens Wiklander// returns a sanitized index, even in speculative-path execution.
6b40e452SJens Wiklander//
6b40e452SJens Wiklander// Callers need to combine confine_array_index with a conventional bounds check; the bounds
6b40e452SJens Wiklander// check will return any necessary errors in the nonspeculative path, confine_array_index will
6b40e452SJens Wiklander// confine indexes in the speculative path.
6b40e452SJens Wiklander//
6b40e452SJens Wiklander// Use:
6b40e452SJens Wiklander// confine_array_index() returns |index|, if it is < size, or 0 if |index| is >= size.
6b40e452SJens Wiklander//
6b40e452SJens Wiklander// Example (may leak table1 contents):
6b40e452SJens Wiklander//  1: int lookup3(size_t index) {
6b40e452SJens Wiklander//  2:   if (index >= table1_size) {
6b40e452SJens Wiklander//  3:     return -1;
6b40e452SJens Wiklander//  4:   }
6b40e452SJens Wiklander//  5:   size_t index2 = table1[index];
6b40e452SJens Wiklander//  6:   return table2[index2];
6b40e452SJens Wiklander//  7: }
6b40e452SJens Wiklander//
6b40e452SJens Wiklander// Converted:
6b40e452SJens Wiklander//
6b40e452SJens Wiklander//  1: int lookup3(size_t index) {
6b40e452SJens Wiklander//  2:   if (index >= table1_size) {
6b40e452SJens Wiklander//  3:     return -1;
6b40e452SJens Wiklander//  4:   }
6b40e452SJens Wiklander//  5:   size_t safe_index = confine_array_index(index, table1_size);
6b40e452SJens Wiklander//  6:   size_t index2 = table1[safe_index];
6b40e452SJens Wiklander//  7:   return table2[index2];
6b40e452SJens Wiklander//  8: }
6b40e452SJens Wiklander#ifdef __aarch64__
6b40e452SJens Wiklanderstatic inline size_t confine_array_index(size_t index, size_t size) {
6b40e452SJens Wiklander  size_t safe_index;
6b40e452SJens Wiklander  // Use a conditional select and a CSDB barrier to enforce validation of |index|.
6b40e452SJens Wiklander  // See "Cache Speculation Side-channels" whitepaper, section "Software Mitigation".
6b40e452SJens Wiklander  // "" The combination of both a conditional select/conditional move and the new barrier are
6b40e452SJens Wiklander  // sufficient to address this problem on ALL Arm implementations... ""
6b40e452SJens Wiklander  asm(
6b40e452SJens Wiklander    "cmp %1, %2\n"  // %1 holds the unsanitized index
6b40e452SJens Wiklander    "csel %0, %1, xzr, lo\n"  // Select index or zero based on carry (%1 within range)
6b40e452SJens Wiklander    "csdb\n"
6b40e452SJens Wiklander  : "=r"(safe_index)
6b40e452SJens Wiklander  : "r"(index), "r"(size)
6b40e452SJens Wiklander  : "cc");
6b40e452SJens Wiklander  return safe_index;
6b40e452SJens Wiklander}
6b40e452SJens Wiklander#endif
*2b6dd0dfSJens Wiklander#ifdef __arm__
*2b6dd0dfSJens Wiklanderstatic inline size_t confine_array_index(size_t index, size_t size)
*2b6dd0dfSJens Wiklander{
*2b6dd0dfSJens Wiklander	size_t safe_index = 0;
*2b6dd0dfSJens Wiklander
*2b6dd0dfSJens Wiklander	/*
*2b6dd0dfSJens Wiklander	 * For the ARMv7/AArch32 case we're basing the select and barrier
*2b6dd0dfSJens Wiklander	 * code on __load_no_speculate1() in <speculation_barrier.h> as we
*2b6dd0dfSJens Wiklander	 * lack the csel instruction.
*2b6dd0dfSJens Wiklander	 */
*2b6dd0dfSJens Wiklander
*2b6dd0dfSJens Wiklander#ifdef __thumb2__
*2b6dd0dfSJens Wiklander      asm volatile (
*2b6dd0dfSJens Wiklander	".syntax unified\n"
*2b6dd0dfSJens Wiklander	"cmp	%1, %2\n" /* %1 holds the unsanitized index */
*2b6dd0dfSJens Wiklander	"it	cs\n"
*2b6dd0dfSJens Wiklander	"movcs	%1, #0\n"
*2b6dd0dfSJens Wiklander	".inst.n 0xf3af\t@ CSDB\n"
*2b6dd0dfSJens Wiklander	".inst.n 0x8014\t@ CSDB"
*2b6dd0dfSJens Wiklander	: "=r" (safe_index) : "r" (index), "r" (size) : "cc");
*2b6dd0dfSJens Wiklander#else
*2b6dd0dfSJens Wiklander      asm volatile (
*2b6dd0dfSJens Wiklander	".syntax unified\n"
*2b6dd0dfSJens Wiklander	"cmp	%1, %2\n" /* %1 holds the unsanitized index */
*2b6dd0dfSJens Wiklander	"movcs	%1, #0\n"
*2b6dd0dfSJens Wiklander	".inst	0xe320f014\t@ CSDB"
*2b6dd0dfSJens Wiklander	: "=r" (safe_index) : "r" (index), "r" (size) : "cc");
*2b6dd0dfSJens Wiklander#endif
*2b6dd0dfSJens Wiklander
*2b6dd0dfSJens Wiklander	return safe_index;
*2b6dd0dfSJens Wiklander}
*2b6dd0dfSJens Wiklander#endif /* __arm__ */
*2b6dd0dfSJens Wiklander
6b40e452SJens Wiklander#ifdef __x86_64__
6b40e452SJens Wiklanderstatic inline size_t confine_array_index(size_t index, size_t size) {
6b40e452SJens Wiklander  size_t safe_index = 0;
6b40e452SJens Wiklander  // Use a conditional move to enforce validation of |index|.
6b40e452SJens Wiklander  // The conditional move has a data dependency on the result of a comparison and cannot
6b40e452SJens Wiklander  // execute until the comparison is resolved.
6b40e452SJens Wiklander  // See "Software Techniques for Managing Speculation on AMD Processors", Mitigation V1-2.
6b40e452SJens Wiklander  // See "Analyzing potential bounds check bypass vulnerabilities", Revision 002,
6b40e452SJens Wiklander  //   Section 5.2 Bounds clipping
6b40e452SJens Wiklander  __asm__(
6b40e452SJens Wiklander    "cmp %1, %2\n"
6b40e452SJens Wiklander    "cmova %1, %0\n"  // Select between $0 and |index|
6b40e452SJens Wiklander  : "+r"(safe_index)
6b40e452SJens Wiklander  : "r"(index), "r"(size)
6b40e452SJens Wiklander  : "cc");
6b40e452SJens Wiklander  return safe_index;
6b40e452SJens Wiklander}
6b40e452SJens Wiklander#endif
6b40e452SJens Wiklander#endif  // FBL_CONFINE_ARRAY_INDEX_H_