I believe the proposed behavior of the new builtin is over-specialized. In principle the following snippet may be open to exploitation too:

    if (predicate) foo = arr[(secret >> untrusted) & 64];

assuming the attacker has a means to observe which part of 'arr' is brought into cache, but cannot set 'predicate' to true (so has to rely on the speculative population of the cache); and likewise if a store is predicated-off rather than a load. So shouldn't, for generality, the new builtin work "as if" by cleansing the address rather than the result of the load, like the following? It would also be applicable to stores then.

On Thu, 4 Jan 2018, Richard Earnshaw wrote:
> inline TYP __builtin_load_no_speculate
>     (const volatile TYP *ptr,
>      const volatile void *lower,
>      const volatile void *upper,
>      TYP failval,
>      const volatile void *cmpptr)
> {
>   TYP result;
>
>   if (cmpptr >= lower && cmpptr < upper)
>     result = *ptr;
>   else
>     result = failval;
>   return result;
> }

  {
    if (!(cmpptr >= lower && cmpptr < upper))
      ptr = NULL;
    return *ptr;
  }

Alexander
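The two shapes discussed in the thread side by side, as an added C example that is neither the GCC builtin nor code from the thread: a result-cleansing loader with the quoted interface, and an address-cleansing helper that serves a predicated-off store as well as a load. The names load_no_speculate_u8, addr_no_speculate_u8, arr_slot, guarded_load and guarded_store, the array 'arr', and the choice to hand back NULL (rather than fault) for an out-of-range address are assumptions made for this example; it models only the architectural result of the checks, not what a given compiler emits for speculation.

```c
#include <stddef.h>
#include <stdint.h>

/* Result-cleansing form in the shape of the quoted builtin: the loaded value
   is replaced by failval when cmpptr is outside [lower, upper).  Addresses are
   compared as integers so the check is well-defined ISO C. */
static inline uint8_t load_no_speculate_u8(const volatile uint8_t *ptr,
                                           const volatile void *lower,
                                           const volatile void *upper,
                                           uint8_t failval,
                                           const volatile void *cmpptr)
{
    uintptr_t c = (uintptr_t)cmpptr;
    return (c >= (uintptr_t)lower && c < (uintptr_t)upper) ? *ptr : failval;
}

/* Address-cleansing form as proposed above (hypothetical helper, not the GCC
   builtin): the pointer is sanitised, so one helper serves loads and stores.
   Out of range it yields NULL, which the caller must test, not dereference. */
static inline volatile uint8_t *addr_no_speculate_u8(volatile uint8_t *ptr,
                                                     const volatile void *lower,
                                                     const volatile void *upper)
{
    uintptr_t p = (uintptr_t)ptr;
    return (p >= (uintptr_t)lower && p < (uintptr_t)upper) ? ptr : NULL;
}

/* Constructed target: idx stands in for (secret >> untrusted) & 64 from the
   post but is passed in so out-of-range values can be exercised.  The slot
   address is formed with integer arithmetic to keep out-of-range idx defined. */
enum { ARR_LEN = 128 };
static uint8_t arr[ARR_LEN];
static volatile uint8_t *arr_slot(size_t idx)
{
    return (volatile uint8_t *)((uintptr_t)arr + idx);
}

/* Predicated-off load: failval instead of arr[idx] when idx is out of range. */
uint8_t guarded_load(size_t idx, uint8_t failval)
{
    volatile uint8_t *p = arr_slot(idx);
    return load_no_speculate_u8(p, arr, arr + ARR_LEN, failval, p);
}

/* Predicated-off store: nothing outside arr is ever written.
   Returns 1 if the store happened, 0 if it was suppressed. */
int guarded_store(size_t idx, uint8_t value)
{
    volatile uint8_t *p = addr_no_speculate_u8(arr_slot(idx), arr, arr + ARR_LEN);
    if (p == NULL)
        return 0;
    *p = value;
    return 1;
}
```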