56 lines
1.7 KiB
C
56 lines
1.7 KiB
C
/*
|
|
* Copyright (c) 2019 Intel Corporation.
|
|
*
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
*/
|
|
|
|
#ifndef ZEPHYR_MISC_SPECULATION_H
|
|
#define ZEPHYR_MISC_SPECULATION_H
|
|
|
|
#include <zephyr/types.h>
|
|
|
|
/**
|
|
* Sanitize an array index against bounds check bypass attacks aka the
|
|
* Spectre V1 vulnerability.
|
|
*
|
|
* CPUs with speculative execution may speculate past any size checks and
|
|
* leak confidential data due to analysis of micro-architectural properties.
|
|
* This will unconditionally truncate any out-of-bounds indexes to
|
|
* zero in the speculative execution path using bit twiddling instead of
|
|
* any branch instructions.
|
|
*
|
|
* Example usage:
|
|
*
|
|
* if (index < size) {
|
|
* index = k_array_index_sanitize(index, size);
|
|
* data = array[index];
|
|
* }
|
|
*
|
|
* @param index Untrusted array index which has been validated, but not used
|
|
* @param array_size Size of the array
|
|
* @return The original index value if < size, or 0
|
|
*/
|
|
static inline u32_t k_array_index_sanitize(u32_t index, u32_t array_size)
|
|
{
|
|
#ifdef CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION
|
|
s32_t signed_index = index, signed_array_size = array_size;
|
|
|
|
/* Take the difference between index and max.
|
|
* A proper value will result in a negative result. We also AND in
|
|
* the complement of index, so that we automatically reject any large
|
|
* indexes which would wrap around the difference calculation.
|
|
*
|
|
* Sign-extend just the sign bit to produce a mask of all 1s (accept)
|
|
* or all 0s (truncate).
|
|
*/
|
|
u32_t mask = ((signed_index - signed_array_size) & ~signed_index) >> 31;
|
|
|
|
return index & mask;
|
|
#else
|
|
ARG_UNUSED(array_size);
|
|
|
|
return index;
|
|
#endif /* CONFIG_BOUNDS_CHECK_BYPASS_MITIGATION */
|
|
}
|
|
#endif /* ZEPHYR_MISC_SPECULATION_H */
|