From patchwork Thu Jan 4 14:31:52 2018
From: Richard Earnshaw
To: gcc-patches@gcc.gnu.org
Cc: Richard Earnshaw
Subject: [PATCH 0/3] [gcc-7 backport] Add __builtin_load_no_speculate
Date: Thu, 4 Jan 2018 14:31:52 +0000

This is a back-port of the __builtin_load_no_speculate builtin to the GCC-7 branch.

Recently, Google Project Zero disclosed several classes of attack against speculative execution. One of these, known as variant-1 (CVE-2017-5753), allows explicit bounds checks to be bypassed under speculation, providing an arbitrary read gadget. Further details can be found on the GPZ blog [1] and the documentation that is included with the first patch.

This patch set adds a new builtin function for GCC to provide a mechanism for limiting speculation by a CPU after a bounds-checked memory access. I've tried to design this in such a way that it can be used for any target where this might be necessary. The patch set provides a generic implementation of the builtin and then target-specific support for Arm and AArch64. Other architectures can utilize the internal infrastructure as needed.
Most of the details of the builtin and the hooks that need to be implemented to support it are described in the updates to the manual, but a short summary is given below.

  TYP __builtin_load_no_speculate (const volatile TYP *ptr,
                                   const volatile void *lower,
                                   const volatile void *upper,
                                   TYP failval,
                                   const volatile void *cmpptr)

Where TYP can be any integral type (signed or unsigned char, int, short, long, etc.) or any pointer type. The builtin implements the following logical behaviour:

  inline TYP __builtin_load_no_speculate (const volatile TYP *ptr,
                                          const volatile void *lower,
                                          const volatile void *upper,
                                          TYP failval,
                                          const volatile void *cmpptr)
  {
    TYP result;
    /* Range check: the load is only performed when cmpptr lies in [lower, upper).  */
    if (cmpptr >= lower && cmpptr < upper)
      result = *ptr;
    else
      result = failval;
    return result;
  }

In addition, the specification of the builtin ensures that future speculation using *ptr may only continue iff cmpptr lies within the bounds specified.

Some optimizations are permitted to make the builtin easier to use. The final two arguments can both be omitted (C++ style): failval will default to 0 in this case, and if cmpptr is omitted ptr will be used for expansions of the range check. In addition, either lower or upper (but not both) may be a literal NULL, and the expansion will then ignore that boundary condition when expanding.

The patch set is constructed as follows:

  1 - generic modifications to GCC providing the builtin function for all architectures and expanding to an implementation that gives the logical behaviour of the builtin only. If this expansion path is used, a warning is generated that the code will execute correctly but without providing protection against speculative use.
  2 - AArch64 support
  3 - AArch32 support (arm) for A32 and thumb2 states.

These patches can be used with the header file that Arm recently published here: https://github.com/ARM-software/speculation-barrier. Kernel patches are also being developed, eg: https://lkml.org/lkml/2018/1/3/754.
The intent is that eventually code like this will be able to use support directly from the compiler in a portable manner. Similar patches are also being developed for LLVM and will be posted to their development lists shortly.

[1] More information on the topic can be found here: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

Arm specific information can be found here: https://www.arm.com/security-update

Richard Earnshaw (3):
  [builtins] Generic support for __builtin_load_no_speculate()
  [aarch64] Implement support for __builtin_load_no_speculate.
  [arm] Implement support for the de-speculation intrinsic

 gcc/builtin-types.def         |  16 +++++
 gcc/builtins.c                |  99 +++++++++++++++++++++++++
 gcc/builtins.def              |  22 ++++++
 gcc/c-family/c-common.c       | 164 ++++++++++++++++++++++++++++++++++++++++++
 gcc/c-family/c-cppbuiltin.c   |   5 +-
 gcc/config/aarch64/aarch64.c  |  91 +++++++++++++++++++++++
 gcc/config/aarch64/aarch64.md |  28 ++++++++
 gcc/config/arm/arm.c          | 108 ++++++++++++++++++++++++++++
 gcc/config/arm/arm.md         |  40 ++++++++++-
 gcc/config/arm/unspecs.md     |   1 +
 gcc/doc/cpp.texi              |   4 ++
 gcc/doc/extend.texi           |  53 ++++++++++++++
 gcc/doc/tm.texi               |   6 ++
 gcc/doc/tm.texi.in            |   2 +
 gcc/target.def                |  20 ++++++
 gcc/targhooks.c               |  67 ++++++++++++++++-
 gcc/targhooks.h               |   3 +
 17 files changed, 726 insertions(+), 3 deletions(-)
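As an added example (not code from this patch series, and not the builtin's real expansion), the C below mirrors the logical behaviour specified in the cover letter for 8-bit loads and shows the intended usage on a bounds-checked table lookup, including the cmpptr and NULL-bound variants. The function name load_no_speculate_u8 and the sample tables are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Reference implementation of the logical behaviour the cover letter gives for
 * __builtin_load_no_speculate, specialised to 8-bit loads.  Like the generic
 * expansion in patch 1 it returns the right value but adds no speculation
 * barrier; NULL drops the lower/upper bound, NULL cmpptr means "use ptr". */
static inline uint8_t
load_no_speculate_u8(const volatile uint8_t *ptr,
                     const volatile void *lower,
                     const volatile void *upper,
                     uint8_t failval,
                     const volatile void *cmpptr)
{
    const volatile char *c = (const volatile char *)(cmpptr ? cmpptr : ptr);
    int in_range = 1;
    if (lower && c < (const volatile char *)lower)
        in_range = 0;
    if (upper && c >= (const volatile char *)upper)
        in_range = 0;
    return in_range ? *ptr : failval;
}

/* Constructed sample data: a 16-entry table followed in the same object by
 * bytes that a speculatively bypassed bounds check could otherwise read. */
#define TABLE_LEN 16
static const uint8_t buf[32] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA };

/* The variant-1 gadget shape (bounds check, then index-dependent load).  The
 * ordinary check stays; the load goes through the builtin with the same
 * [lower, upper) bounds so an out-of-range idx yields failval instead. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx >= TABLE_LEN)
        return 0;
    return load_no_speculate_u8(&buf[idx], buf, buf + TABLE_LEN, 0, NULL);
}

/* The cmpptr form: range-check the element address, load a field inside it. */
struct entry { uint8_t tag; uint8_t val; };
static const struct entry entries[4] = { {1, 40}, {2, 41}, {3, 42}, {4, 43} };
uint8_t entry_val_hardened(size_t idx)
{
    if (idx >= 4)
        return 0xFF;
    return load_no_speculate_u8(&entries[idx].val, entries, entries + 4,
                                0xFF, &entries[idx]);
}
```

On a target without the hardware-specific expansion this gives exactly the behaviour the generic path warns about: correct results, no speculation barrier.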