1 /* SPDX-License-Identifier: BSD-3-Clause */ 2 /* Copyright (c) 2020 Linaro Limited */ 3 // Copyright 2019 The Fuchsia Authors. All rights reserved. 4 // Use of this source code is governed by a BSD-style license that can be 5 // found in the LICENSE file. 6 7 /* 8 * Content of LICENSE file mentioned above: 9 Copyright 2019 The Fuchsia Authors. All rights reserved. 10 Redistribution and use in source and binary forms, with or without 11 modification, are permitted provided that the following conditions are 12 met: 13 * Redistributions of source code must retain the above copyright 14 notice, this list of conditions and the following disclaimer. 15 * Redistributions in binary form must reproduce the above 16 copyright notice, this list of conditions and the following disclaimer 17 in the documentation and/or other materials provided with the 18 distribution. 19 * Neither the name of Google Inc. nor the names of its 20 contributors may be used to endorse or promote products derived from 21 this software without specific prior written permission. 22 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 23 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 24 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 25 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 26 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 27 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 28 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 29 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 30 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 32 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 #ifndef FBL_CONFINE_ARRAY_INDEX_H_ 35 #define FBL_CONFINE_ARRAY_INDEX_H_ 36 37 #include <stddef.h> 38 39 // confine_array_index() bounds-checks and sanitizes an array index safely in the presence of 40 // speculative execution information leak bugs such as Spectre V1. confine_array_index() always 41 // returns a sanitized index, even in speculative-path execution. 42 // 43 // Callers need to combine confine_array_index with a conventional bounds check; the bounds 44 // check will return any necessary errors in the nonspeculative path, confine_array_index will 45 // confine indexes in the speculative path. 46 // 47 // Use: 48 // confine_array_index() returns |index|, if it is < size, or 0 if |index| is >= size. 49 // 50 // Example (may leak table1 contents): 51 // 1: int lookup3(size_t index) { 52 // 2: if (index >= table1_size) { 53 // 3: return -1; 54 // 4: } 55 // 5: size_t index2 = table1[index]; 56 // 6: return table2[index2]; 57 // 7: } 58 // 59 // Converted: 60 // 61 // 1: int lookup3(size_t index) { 62 // 2: if (index >= table1_size) { 63 // 3: return -1; 64 // 4: } 65 // 5: size_t safe_index = confine_array_index(index, table1_size); 66 // 6: size_t index2 = table1[safe_index]; 67 // 7: return table2[index2]; 68 // 8: } 69 #ifdef __aarch64__ 70 static inline size_t confine_array_index(size_t index, size_t size) { 71 size_t safe_index; 72 // Use a conditional select and a CSDB barrier to enforce validation of |index|. 73 // See "Cache Speculation Side-channels" whitepaper, section "Software Mitigation". 74 // "" The combination of both a conditional select/conditional move and the new barrier are 75 // sufficient to address this problem on ALL Arm implementations... "" 76 asm( 77 "cmp %1, %2\n" // %1 holds the unsanitized index 78 "csel %0, %1, xzr, lo\n" // Select index or zero based on carry (%1 within range) 79 "csdb\n" 80 : "=r"(safe_index) 81 : "r"(index), "r"(size) 82 : "cc"); 83 return safe_index; 84 } 85 #endif 86 #ifdef __arm__ 87 static inline size_t confine_array_index(size_t index, size_t size) 88 { 89 size_t safe_index = 0; 90 91 /* 92 * For the ARMv7/AArch32 case we're basing the select and barrier 93 * code on __load_no_speculate1() in <speculation_barrier.h> as we 94 * lack the csel instruction. 95 */ 96 97 #ifdef __thumb2__ 98 asm volatile ( 99 ".syntax unified\n" 100 "cmp %1, %2\n" /* %1 holds the unsanitized index */ 101 "it cs\n" 102 "movcs %1, #0\n" 103 ".inst.n 0xf3af\t@ CSDB\n" 104 ".inst.n 0x8014\t@ CSDB" 105 : "=r" (safe_index) : "r" (index), "r" (size) : "cc"); 106 #else 107 asm volatile ( 108 ".syntax unified\n" 109 "cmp %1, %2\n" /* %1 holds the unsanitized index */ 110 "movcs %1, #0\n" 111 ".inst 0xe320f014\t@ CSDB" 112 : "=r" (safe_index) : "r" (index), "r" (size) : "cc"); 113 #endif 114 115 return safe_index; 116 } 117 #endif /* __arm__ */ 118 119 #ifdef __x86_64__ 120 static inline size_t confine_array_index(size_t index, size_t size) { 121 size_t safe_index = 0; 122 // Use a conditional move to enforce validation of |index|. 123 // The conditional move has a data dependency on the result of a comparison and cannot 124 // execute until the comparison is resolved. 125 // See "Software Techniques for Managing Speculation on AMD Processors", Mitigation V1-2. 126 // See "Analyzing potential bounds check bypass vulnerabilities", Revision 002, 127 // Section 5.2 Bounds clipping 128 __asm__( 129 "cmp %1, %2\n" 130 "cmova %1, %0\n" // Select between $0 and |index| 131 : "+r"(safe_index) 132 : "r"(index), "r"(size) 133 : "cc"); 134 return safe_index; 135 } 136 #endif 137 #endif // FBL_CONFINE_ARRAY_INDEX_H_ 138