cleanup: include/: move misc/speculation.h to sys/speculation.h
Move misc/speculation.h to sys/speculation.h and leave a shim at the old path for backward compatibility. No functional changes to the headers. The shim emits a deprecation warning unless CONFIG_COMPAT_INCLUDES is set. Related to #16539 Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This commit is contained in:
parent
536dd5a71f
commit
d222553931
4 changed files with 65 additions and 50 deletions
|
@ -27,7 +27,7 @@
|
|||
#include <sys/sys_io.h>
|
||||
#include <sys/__assert.h>
|
||||
#include <sys/slist.h>
|
||||
#include <misc/speculation.h>
|
||||
#include <sys/speculation.h>
|
||||
|
||||
#include "gpio_utils.h"
|
||||
|
||||
|
|
|
@ -1,55 +1,15 @@
|
|||
/*
|
||||
* Copyright (c) 2019 Intel Corporation.
|
||||
* Copyright (c) 2019 Intel Corporation
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
#ifndef ZEPHYR_INCLUDE_MISC_SPECULATION_H_
|
||||
#define ZEPHYR_INCLUDE_MISC_SPECULATION_H_
|
||||
|
||||
#ifndef ZEPHYR_MISC_SPECULATION_H
|
||||
#define ZEPHYR_MISC_SPECULATION_H
|
||||
#ifndef CONFIG_COMPAT_INCLUDES
|
||||
#warning "This header file has moved, include <sys/speculation.h> instead."
|
||||
#endif
|
||||
|
||||
#include <zephyr/types.h>
|
||||
#include <sys/speculation.h>
|
||||
|
||||
/**
|
||||
* Sanitize an array index against bounds check bypass attacks aka the
|
||||
* Spectre V1 vulnerability.
|
||||
*
|
||||
* CPUs with speculative execution may speculate past any size checks and
|
||||
* leak confidential data due to analysis of micro-architectural properties.
|
||||
* This will unconditionally truncate any out-of-bounds indexes to
|
||||
* zero in the speculative execution path using bit twiddling instead of
|
||||
* any branch instructions.
|
||||
*
|
||||
* Example usage:
|
||||
*
|
||||
* if (index < size) {
|
||||
* index = k_array_index_sanitize(index, size);
|
||||
* data = array[index];
|
||||
* }
|
||||
*
|
||||
* @param index Untrusted array index which has been validated, but not used
|
||||
* @param array_size Size of the array
|
||||
* @return The original index value if < size, or 0
|
||||
*/
|
||||
static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size)
|
||||
{
|
||||
#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION
|
||||
s32_t signed_index = index, signed_array_size = array_size;
|
||||
|
||||
/* Take the difference between index and max.
|
||||
* A proper value will result in a negative result. We also AND in
|
||||
* the complement of index, so that we automatically reject any large
|
||||
* indexes which would wrap around the difference calculation.
|
||||
*
|
||||
* Sign-extend just the sign bit to produce a mask of all 1s (accept)
|
||||
* or all 0s (truncate).
|
||||
*/
|
||||
u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;
|
||||
|
||||
return index & mask;
|
||||
#else
|
||||
ARG_UNUSED(array_size);
|
||||
|
||||
return index;
|
||||
#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */
|
||||
}
|
||||
#endif /* ZEPHYR_MISC_SPECULATION_H */
|
||||
#endif /* ZEPHYR_INCLUDE_MISC_SPECULATION_H_ */
|
||||
|
|
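--- /dev/null
+++ b/include/sys/speculation.h
@@ -0,0 +1,55 @@
+/*
+* Copyright (c) 2019 Intel Corporation.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+#ifndef ZEPHYR_MISC_SPECULATION_H
+#define ZEPHYR_MISC_SPECULATION_H
+
+#include <zephyr/types.h>
+
+/**
+* Sanitize an array index against bounds check bypass attacks aka the
+* Spectre V1 vulnerability.
+*
+* CPUs with speculative execution may speculate past any size checks and
+* leak confidential data due to analysis of micro-architectural properties.
+* This will unconditionally truncate any out-of-bounds indexes to
+* zero in the speculative execution path using bit twiddling instead of
+* any branch instructions.
+*
+* Example usage:
+*
+* if (index < size) {
+* index = k_array_index_sanitize(index, size);
+* data = array[index];
+* }
+*
+* @param index Untrusted array index which has been validated, but not used
+* @param array_size Size of the array
+* @return The original index value if < size, or 0
+*/
+static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size)
+{
+#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION
+s32_t signed_index = index, signed_array_size = array_size;
+
+/* Take the difference between index and max.
+* A proper value will result in a negative result. We also AND in
+* the complement of index, so that we automatically reject any large
+* indexes which would wrap around the difference calculation.
+*
+* Sign-extend just the sign bit to produce a mask of all 1s (accept)
+* or all 0s (truncate).
+*/
+u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;
+
+return index & mask;
+#else
+ARG_UNUSED(array_size);
+
+return index;
+#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */
+}
+#endif /* ZEPHYR_MISC_SPECULATION_H */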
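Review bot: In `k_array_index_sanitize` the mask is built with signed arithmetic, so `signed_index - signed_array_size` can overflow (undefined behaviour) once `array_size` exceeds `INT32_MAX`, and the `>> 31` of a negative `s32_t` relies on an arithmetic right shift that C leaves implementation-defined; neither limit is stated in the Doxygen block. The same mask can be formed with fully defined unsigned operations, `u32_t mask = 0U - (((index - array_size) & ~index) >> 31);`, which accepts every `index < array_size` for `index < 0x80000000` and still forces larger or out-of-range indexes to zero. Whichever form is kept, the header should carry a `@note` that the sanitizer is only valid for `array_size <= INT32_MAX` (with a larger size the subtraction can overflow and an in-bounds index at or above 2^31 comes back as 0). Since the mask is plain C, an optimizer could in principle lower `index & mask` back into a conditional and undo the mitigation — the Linux kernel's array_index_nospec wraps the equivalent in inline asm for that reason — so a comment naming whatever guarantee Zephyr relies on here would help. The new include guard still reads `ZEPHYR_MISC_SPECULATION_H` although the file now lives under sys/; `ZEPHYR_INCLUDE_SYS_SPECULATION_H_` would match the naming used by the shim.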
|
@ -17,7 +17,7 @@
|
|||
#include <fcntl.h>
|
||||
#include <kernel.h>
|
||||
#include <sys/fdtable.h>
|
||||
#include <misc/speculation.h>
|
||||
#include <sys/speculation.h>
|
||||
|
||||
struct fd_entry {
|
||||
void *obj;
|
||||
|
|