cleanup: include/: move misc/speculation.h to sys/speculation.h
Move misc/speculation.h to sys/speculation.h and create a shim for backward compatibility. No functional changes to the headers. A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES. Related to #16539. Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Showing
4 changed files
with
65 additions
and
50 deletions.
@@ -1,55 +1,15 @@ | ||
/* | ||
* Copyright (c) 2019 Intel Corporation. | ||
* Copyright (c) 2019 Intel Corporation | ||
* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
*/ | ||
#ifndef ZEPHYR_INCLUDE_MISC_SPECULATION_H_ | ||
#define ZEPHYR_INCLUDE_MISC_SPECULATION_H_ | ||
|
||
#ifndef ZEPHYR_MISC_SPECULATION_H | ||
#define ZEPHYR_MISC_SPECULATION_H | ||
#ifndef CONFIG_COMPAT_INCLUDES | ||
#warning "This header file has moved, include <sys/speculation.h> instead." | ||
#endif | ||
|
||
#include <zephyr/types.h> | ||
#include <sys/speculation.h> | ||
|
||
/** | ||
* Sanitize an array index against bounds check bypass attacks aka the | ||
* Spectre V1 vulnerability. | ||
* | ||
* CPUs with speculative execution may speculate past any size checks and | ||
* leak confidential data due to analysis of micro-architectural properties. | ||
* This will unconditionally truncate any out-of-bounds indexes to | ||
* zero in the speculative execution path using bit twiddling instead of | ||
* any branch instructions. | ||
* | ||
* Example usage: | ||
* | ||
* if (index < size) { | ||
* index = k_array_index_sanitize(index, size); | ||
* data = array[index]; | ||
* } | ||
* | ||
* @param index Untrusted array index which has been validated, but not used | ||
* @param array_size Size of the array | ||
* @return The original index value if < size, or 0 | ||
*/ | ||
static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size) | ||
{ | ||
#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION | ||
s32_t signed_index = index, signed_array_size = array_size; | ||
|
||
/* Take the difference between index and max. | ||
* A proper value will result in a negative result. We also AND in | ||
* the complement of index, so that we automatically reject any large | ||
* indexes which would wrap around the difference calculation. | ||
* | ||
* Sign-extend just the sign bit to produce a mask of all 1s (accept) | ||
* or all 0s (truncate). | ||
*/ | ||
u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31; | ||
|
||
return index & mask; | ||
#else | ||
ARG_UNUSED(array_size); | ||
|
||
return index; | ||
#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */ | ||
} | ||
#endif /* ZEPHYR_MISC_SPECULATION_H */ | ||
#endif /* ZEPHYR_INCLUDE_MISC_SPECULATION_H_ */ |
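Review bot: The `#warning` emitted on the new `#ifndef CONFIG_COMPAT_INCLUDES` branch is a GCC/Clang extension (standard only from C23), and if the tree is built with -Werror every remaining `#include <misc/speculation.h>` becomes a hard error unless CONFIG_COMPAT_INCLUDES is set; that is a reasonable deprecation path, but the shim should say so. The shim also carries no description of its own purpose, so I would add above the new guard `/** @file Backward-compatibility shim: misc/speculation.h has moved to sys/speculation.h; include the new path directly. */`. The guard rename to ZEPHYR_INCLUDE_MISC_SPECULATION_H_ is harmless because the shim declares nothing itself, but note that including the old path still defines ZEPHYR_MISC_SPECULATION_H through the forwarded header, so nothing can be conditionally compiled on which path was used.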
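--- /dev/null
+++ b/include/sys/speculation.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2019 Intel Corporation.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef ZEPHYR_MISC_SPECULATION_H
+#define ZEPHYR_MISC_SPECULATION_H
+
+#include <zephyr/types.h>
+
+/**
+ * Sanitize an array index against bounds check bypass attacks aka the
+ * Spectre V1 vulnerability.
+ *
+ * CPUs with speculative execution may speculate past any size checks and
+ * leak confidential data due to analysis of micro-architectural properties.
+ * This will unconditionally truncate any out-of-bounds indexes to
+ * zero in the speculative execution path using bit twiddling instead of
+ * any branch instructions.
+ *
+ * Example usage:
+ *
+ * if (index < size) {
+ * index = k_array_index_sanitize(index, size);
+ * data = array[index];
+ * }
+ *
+ * @param index Untrusted array index which has been validated, but not used
+ * @param array_size Size of the array
+ * @return The original index value if < size, or 0
+ */
+static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size)
+{
+#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION
+s32_t signed_index = index, signed_array_size = array_size;
+
+/* Take the difference between index and max.
+ * A proper value will result in a negative result. We also AND in
+ * the complement of index, so that we automatically reject any large
+ * indexes which would wrap around the difference calculation.
+ *
+ * Sign-extend just the sign bit to produce a mask of all 1s (accept)
+ * or all 0s (truncate).
+ */
+u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;
+
+return index & mask;
+#else
+ARG_UNUSED(array_size);
+
+return index;
+#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */
+}
+#endif /* ZEPHYR_MISC_SPECULATION_H */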
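Review bot: In k_array_index_sanitize the mask line `((signed_index - signed_array_size) & ~signed_index) >> 31` converts a u32_t index of 2^31 or more to s32_t (implementation-defined), can overflow the signed subtraction for such an index (undefined behaviour the optimizer is free to exploit), and right-shifts a negative value (implementation-defined, arithmetic on GCC); the comment above it explicitly claims that large wrapping indexes are rejected, so the function should not rely on the caller's `if (index < size)` check to stay defined. The same bit pattern is obtained entirely in unsigned arithmetic, dropping the `s32_t` temporaries: `u32_t mask = 0U - (((index - array_size) & ~index) >> 31);`, with the comment reworded to say the top bit is turned into an all-ones/all-zeros mask by unsigned negation. Since this commit is a pure move with no functional change, that belongs in a follow-up rather than here. The guard remains ZEPHYR_MISC_SPECULATION_H although the file now lives under sys/, which is harmless for the forwarding shim but worth renaming in the same follow-up.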