xref: /optee_os/lib/libutils/ext/include/confine_array_index.h (revision 6b40e452c753ea54c32a5a792bf3788637b137bf) 
1 /* SPDX-License-Identifier: BSD-3-Clause */
2 // Copyright 2019 The Fuchsia Authors. All rights reserved.
3 // Use of this source code is governed by a BSD-style license that can be
4 // found in the LICENSE file.
5 
6 /*
7  * Content of LICENSE file mentioned above:
8 Copyright 2019 The Fuchsia Authors. All rights reserved.
9 Redistribution and use in source and binary forms, with or without
10 modification, are permitted provided that the following conditions are
11 met:
12    * Redistributions of source code must retain the above copyright
13 notice, this list of conditions and the following disclaimer.
14    * Redistributions in binary form must reproduce the above
15 copyright notice, this list of conditions and the following disclaimer
16 in the documentation and/or other materials provided with the
17 distribution.
18    * Neither the name of Google Inc. nor the names of its
19 contributors may be used to endorse or promote products derived from
20 this software without specific prior written permission.
21 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32  */
33 #ifndef FBL_CONFINE_ARRAY_INDEX_H_
34 #define FBL_CONFINE_ARRAY_INDEX_H_
35 
36 #include <stddef.h>
37 
38 // confine_array_index() bounds-checks and sanitizes an array index safely in the presence of
39 // speculative execution information leak bugs such as Spectre V1. confine_array_index() always
40 // returns a sanitized index, even in speculative-path execution.
41 //
42 // Callers need to combine confine_array_index with a conventional bounds check; the bounds
43 // check will return any necessary errors in the nonspeculative path, confine_array_index will
44 // confine indexes in the speculative path.
45 //
46 // Use:
47 // confine_array_index() returns |index|, if it is < size, or 0 if |index| is >= size.
48 //
49 // Example (may leak table1 contents):
50 //  1: int lookup3(size_t index) {
51 //  2:   if (index >= table1_size) {
52 //  3:     return -1;
53 //  4:   }
54 //  5:   size_t index2 = table1[index];
55 //  6:   return table2[index2];
56 //  7: }
57 //
58 // Converted:
59 //
60 //  1: int lookup3(size_t index) {
61 //  2:   if (index >= table1_size) {
62 //  3:     return -1;
63 //  4:   }
64 //  5:   size_t safe_index = confine_array_index(index, table1_size);
65 //  6:   size_t index2 = table1[safe_index];
66 //  7:   return table2[index2];
67 //  8: }
68 #ifdef __aarch64__
69 static inline size_t confine_array_index(size_t index, size_t size) {
70   size_t safe_index;
71   // Use a conditional select and a CSDB barrier to enforce validation of |index|.
72   // See "Cache Speculation Side-channels" whitepaper, section "Software Mitigation".
73   // "" The combination of both a conditional select/conditional move and the new barrier are
74   // sufficient to address this problem on ALL Arm implementations... ""
75   asm(
76     "cmp %1, %2\n"  // %1 holds the unsanitized index
77     "csel %0, %1, xzr, lo\n"  // Select index or zero based on carry (%1 within range)
78     "csdb\n"
79   : "=r"(safe_index)
80   : "r"(index), "r"(size)
81   : "cc");
82   return safe_index;
83 }
84 #endif
85 #ifdef __x86_64__
86 static inline size_t confine_array_index(size_t index, size_t size) {
87   size_t safe_index = 0;
88   // Use a conditional move to enforce validation of |index|.
89   // The conditional move has a data dependency on the result of a comparison and cannot
90   // execute until the comparison is resolved.
91   // See "Software Techniques for Managing Speculation on AMD Processors", Mitigation V1-2.
92   // See "Analyzing potential bounds check bypass vulnerabilities", Revision 002,
93   //   Section 5.2 Bounds clipping
94   __asm__(
95     "cmp %1, %2\n"
96     "cmova %1, %0\n"  // Select between $0 and |index|
97   : "+r"(safe_index)
98   : "r"(index), "r"(size)
99   : "cc");
100   return safe_index;
101 }
102 #endif
103 #endif  // FBL_CONFINE_ARRAY_INDEX_H_
104