
cleanup: include/: move misc/speculation.h to sys/speculation.h

Move misc/speculation.h to sys/speculation.h and
create a shim for backward compatibility.

No functional changes to the headers.
A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES.

Related to #16539

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
nashif committed Jun 26, 2019
1 parent 536dd5a commit d222553931beffd6b44cbada74501661ee1b985e
Showing with 65 additions and 50 deletions.
  1. +1 −1 drivers/gpio/gpio_intel_apl.c
  2. +8 −48 include/misc/speculation.h
  3. +55 −0 include/sys/speculation.h
  4. +1 −1 lib/os/fdtable.c
@@ -27,7 +27,7 @@
#include <sys/sys_io.h>
#include <sys/__assert.h>
#include <sys/slist.h>
#include <misc/speculation.h>
#include <sys/speculation.h>

#include "gpio_utils.h"

@@ -1,55 +1,15 @@
/*
* Copyright (c) 2019 Intel Corporation.
* Copyright (c) 2019 Intel Corporation
*
* SPDX-License-Identifier: Apache-2.0
*/
#ifndef ZEPHYR_INCLUDE_MISC_SPECULATION_H_
#define ZEPHYR_INCLUDE_MISC_SPECULATION_H_

#ifndef ZEPHYR_MISC_SPECULATION_H
#define ZEPHYR_MISC_SPECULATION_H
#ifndef CONFIG_COMPAT_INCLUDES
#warning "This header file has moved, include <sys/speculation.h> instead."
#endif

#include <zephyr/types.h>
#include <sys/speculation.h>

/**
* Sanitize an array index against bounds check bypass attacks aka the
* Spectre V1 vulnerability.
*
* CPUs with speculative execution may speculate past any size checks and
* leak confidential data due to analysis of micro-architectural properties.
* This will unconditionally truncate any out-of-bounds indexes to
* zero in the speculative execution path using bit twiddling instead of
* any branch instructions.
*
* Example usage:
*
* if (index < size) {
* index = k_array_index_sanitize(index, size);
* data = array[index];
* }
*
* @param index Untrusted array index which has been validated, but not used
* @param array_size Size of the array
* @return The original index value if < size, or 0
*/
static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size)
{
#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION
s32_t signed_index = index, signed_array_size = array_size;

/* Take the difference between index and max.
* A proper value will result in a negative result. We also AND in
* the complement of index, so that we automatically reject any large
* indexes which would wrap around the difference calculation.
*
* Sign-extend just the sign bit to produce a mask of all 1s (accept)
* or all 0s (truncate).
*/
u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;

return index & mask;
#else
ARG_UNUSED(array_size);

return index;
#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */
}
#endif /* ZEPHYR_MISC_SPECULATION_H */
#endif /* ZEPHYR_INCLUDE_MISC_SPECULATION_H_ */
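--- /dev/null
+++ b/include/sys/speculation.h
@@ -0,0 +1,55 @@
+/*
+* Copyright (c) 2019 Intel Corporation.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/
+
+#ifndef ZEPHYR_MISC_SPECULATION_H
+#define ZEPHYR_MISC_SPECULATION_H
+
+#include <zephyr/types.h>
+
+/**
+* Sanitize an array index against bounds check bypass attacks aka the
+* Spectre V1 vulnerability.
+*
+* CPUs with speculative execution may speculate past any size checks and
+* leak confidential data due to analysis of micro-architectural properties.
+* This will unconditionally truncate any out-of-bounds indexes to
+* zero in the speculative execution path using bit twiddling instead of
+* any branch instructions.
+*
+* Example usage:
+*
+* if (index < size) {
+* index = k_array_index_sanitize(index, size);
+* data = array[index];
+* }
+*
+* @param index Untrusted array index which has been validated, but not used
+* @param array_size Size of the array
+* @return The original index value if < size, or 0
+*/
+static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size)
+{
+#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION
+s32_t signed_index = index, signed_array_size = array_size;
+
+/* Take the difference between index and max.
+* A proper value will result in a negative result. We also AND in
+* the complement of index, so that we automatically reject any large
+* indexes which would wrap around the difference calculation.
+*
+* Sign-extend just the sign bit to produce a mask of all 1s (accept)
+* or all 0s (truncate).
+*/
+u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;
+
+return index & mask;
+#else
+ARG_UNUSED(array_size);
+
+return index;
+#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */
+}
+#endif /* ZEPHYR_MISC_SPECULATION_H */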
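Review bot: The mask computation `u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;` relies on a right shift of a negative `s32_t`, which C leaves implementation-defined, and the subtraction is signed overflow (undefined behaviour) whenever either operand has bit 31 set once converted to `s32_t`; a compiler may assume that never happens, which is a weak footing for a Spectre-V1 mitigation whose whole purpose is to control the emitted instruction sequence. The same 0 / 0xFFFFFFFF mask falls out of well-defined unsigned arithmetic, `u32_t mask = 0U - (((index - array_size) & ~index) >> 31);`, which also makes the two `s32_t` locals unnecessary. Separately, the include guard `ZEPHYR_MISC_SPECULATION_H` still names the old directory, while the new shim in include/misc/speculation.h uses the `ZEPHYR_INCLUDE_..._H_` pattern, so `ZEPHYR_INCLUDE_SYS_SPECULATION_H_` would match both the new path and that convention. It would also help callers if the header comment said explicitly that this helper only narrows the speculative window after the caller's own `index < size` check, as the example shows, and is not a substitute for that check.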
@@ -17,7 +17,7 @@
#include <fcntl.h>
#include <kernel.h>
#include <sys/fdtable.h>
#include <misc/speculation.h>
#include <sys/speculation.h>

struct fd_entry {
void *obj;
