check_spectre pattern can utilize smatch_kernel_host_data.c to optionally search for potential spectre v1 gadgets in the untrusted input provided for the host/VMM <-> VM guest attack surface. This attack surface is important for confidential cloud computing technologies where a VM guest does not trust the host/VMM.
Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx>
---
 check_spectre.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/check_spectre.c b/check_spectre.c
index 16301a2e..009c7f0b 100644
--- a/check_spectre.c
+++ b/check_spectre.c
@@ -22,7 +22,13 @@ static int my_id;
 extern int second_half_id;
 extern void set_spectre_first_half(struct expression *expr);
+enum kernel_data_types {
+ USER_DATA_TYPE = 0,
+ HOST_DATA_TYPE = 1,
+};
+
 static int suppress_multiple = 1;
+static int analyzed_data_type = USER_DATA_TYPE;
 static int is_write(struct expression *expr)
 {
@@ -173,8 +179,19 @@ static void array_check(struct expression *expr)
 }
 offset = get_array_offset(expr);
- if (!is_user_rl(offset))
- return;
+ switch(analyzed_data_type) {
+ case USER_DATA_TYPE:
+ if (!is_user_rl(offset))
+ return;
+ break;
+ case HOST_DATA_TYPE:
+ if (!is_host_rl(offset))
+ return;
+ break;
+ default:
+ return;
+ }
+
 if (is_nospec(offset))
 return;
@@ -208,6 +225,8 @@ void check_spectre(int id)
 my_id = id;
 suppress_multiple = getenv("FULL_SPECTRE") == NULL;
+ if (getenv("ANALYZE_HOST_DATA"))
+ analyzed_data_type = HOST_DATA_TYPE;
 if (option_project != PROJ_KERNEL)
 return;
--
2.25.1
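Review bot: `analyzed_data_type` is declared as a plain `int` in the first hunk although it only ever holds a `kernel_data_types` enumerator. Declaring it as `static enum kernel_data_types analyzed_data_type = USER_DATA_TYPE;` would let the compiler's switch diagnostics flag an enumerator that a later patch adds without handling it in `array_check`. A one-line comment on the enum, for example `/* which untrusted source the array offset must come from: userspace or the host/VMM */`, would also tell readers what the two values select.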
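Review bot: The `switch` added to `array_check` makes the two input sources mutually exclusive, so a run in `HOST_DATA_TYPE` mode no longer reports offsets that are only user-controlled. A confidential guest kernel is exposed to both userspace and the host, so a host-mode result should not be read as complete Spectre v1 coverage. Either document that two runs are needed, e.g. `/* host mode replaces the user-data check; also run without ANALYZE_HOST_DATA */`, or accept the offset when either predicate matches. `is_host_rl` is not declared in the visible hunks and is presumably provided by smatch_kernel_host_data.c. The body of `array_check` starts and continues outside this hunk, so I cannot tell whether later code still assumes a user-derived range.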
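Review bot: `getenv("ANALYZE_HOST_DATA")` in `check_spectre` tests only for presence, so `ANALYZE_HOST_DATA=0` or an empty value inherited from the caller's environment still switches the check to host mode. Because host mode replaces the user-data filter, an unintended setting silently narrows what the scan reports, and nothing visible in this hunk records which mode ran. I would document both variables above the lookups, e.g. `/* FULL_SPECTRE clears suppress_multiple; ANALYZE_HOST_DATA (any value) selects host/VMM input instead of user input */`, and consider requiring an explicit value. The function body continues outside the hunk.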