cmov: fix provided Cmov::cmovz impl (#1351)

tarcieri · web-flow · commit f2a5213bc0d6 · 2026-01-15T16:20:12.000-07:00
We didn't notice it was broken because all of the impls for all of the core types in the crate explicitly write both methods. However, #1350 just impl'd `Cmov` for `[u8; N]` and didn't have an impl of `cmovz` because the `cmovnz` impl is non-trivial and ideally we could just rely on the provided method, but the definition on the trait was just doing `!condition`, which will only flip a non-zero value into a zero value if provided `$int::MAX`. Though I was happy to eliminate macros in #1339, this unfortunately brings them back, adapting the previous `bitnz!` macro used in the `portable` backend into a new internal `masknz!` macro placed in a new `macros` module accessible to the whole crate. Though it's annoying to use macros again, #1339 duplicated the definition twice, and for such a touchy piece of code with the potential to introduce non-constant-time behavior (see CVE-2026-23519) it's nice to have it defined in a single place. The default implementation of `Cmov::cmovz` has been changed to use the new `masknz!` macro to output `u8::MAX` for non-zero values, which we can invert with `!` to get `0`, and `0` will invert to `u8::MAX`, which is the behavior we wanted. The `masknz!` macro has also been used to write `masknz32!` and `masknz64!` in the portable backend, which were previously duplicated.
diff --git a/cmov/src/lib.rs b/cmov/src/lib.rs
@@ -27,6 +27,9 @@
     unused_qualifications
 )]
 
+#[macro_use]
+mod macros;
+
 #[cfg(not(miri))]
 #[cfg(target_arch = "aarch64")]
 mod aarch64;
@@ -57,7 +60,8 @@ pub trait Cmov {
     /// equal to zero, and if so, conditionally moves `value` to `self`
     /// when `condition` is equal to zero.
     fn cmovz(&mut self, value: &Self, condition: Condition) {
-        self.cmovnz(value, !condition)
+        let nz = masknz!(condition: Condition);
+        self.cmovnz(value, !nz)
     }
 }
 
diff --git a/cmov/src/macros.rs b/cmov/src/macros.rs
@@ -0,0 +1,58 @@
+//! Macro definitions.
+
+/// Generates a mask the width of the input type if the input value is non-zero.
+///
+/// Uses `core::hint::black_box` to coerce our desired codegen based on real-world observations
+/// of the assembly generated by Rust/LLVM.
+///
+/// See also:
+/// - CVE-2026-23519
+/// - RustCrypto/utils#1332
+macro_rules! masknz {
+    ($value:tt : $int:ident) => {{
+        let mut value: $int = $value;
+        value |= value.wrapping_neg(); // has MSB `1` if non-zero, `0` if zero
+
+        // use `black_box` to obscure we're computing a 1-bit value
+        core::hint::black_box(
+            value >> ($int::BITS - 1), // Extract MSB
+        )
+        .wrapping_neg() // Generate $int::MAX mask if `black_box` outputs `1`
+    }};
+}
+
+#[cfg(test)]
+mod tests {
+    // Spot check up to a given limit
+    const TEST_LIMIT: u8 = 128;
+
+    macro_rules! masknz_test {
+        ( $($name:ident : $int:ident),+ ) => {
+            $(
+                #[test]
+                fn $name() {
+                    assert_eq!(masknz!(0: $int), 0);
+
+                    // Test lower values
+                    for i in 1..=$int::from(TEST_LIMIT) {
+                        assert_eq!(masknz!(i: $int), $int::MAX);
+                    }
+
+                    // Test upper values
+                    for i in ($int::MAX - $int::from(TEST_LIMIT))..=$int::MAX {
+                        assert_eq!(masknz!(i: $int), $int::MAX);
+                    }
+                }
+            )+
+        }
+    }
+
+    // Ensure the macro works with any types we might use it with (we only use u8, u32, and u64)
+    masknz_test!(
+        masknz_u8: u8,
+        masknz_u16: u16,
+        masknz_u32: u32,
+        masknz_u64: u64,
+        masknz_u128: u128
+    );
+}
diff --git a/cmov/src/portable.rs b/cmov/src/portable.rs
@@ -118,17 +118,13 @@ fn maskne64(x: u64, y: u64) -> u64 {
 /// Return a [`u32::MAX`] mask if `condition` is non-zero, otherwise return zero for a zero input.
 #[cfg(not(target_arch = "arm"))]
 fn masknz32(condition: u32) -> u32 {
-    let x = condition | condition.wrapping_neg(); // MSB of `x` now `1` if non-zero
-    let nz = core::hint::black_box(x >> (u32::BITS - 1)); // Extract MSB
-    nz.wrapping_neg()
+    masknz!(condition: u32)
 }
 
 /// Return a [`u64::MAX`] mask if `condition` is non-zero, otherwise return zero for a zero input.
 #[cfg(not(target_arch = "arm"))]
 fn masknz64(condition: u64) -> u64 {
-    let x = condition | condition.wrapping_neg(); // MSB of `x` now `1` if non-zero
-    let nz = core::hint::black_box(x >> (u64::BITS - 1)); // Extract MSB
-    nz.wrapping_neg()
+    masknz!(condition: u64)
 }
 
 /// Optimized mask generation for ARM32 targets.
diff --git a/cmov/tests/core_impls.rs b/cmov/tests/core_impls.rs
@@ -166,6 +166,19 @@ mod arrays {
             assert_eq!(x, EXAMPLE_B);
         }
     }
+
+    #[test]
+    fn u8_cmovz_works() {
+        let mut x = EXAMPLE_A;
+        x.cmovz(&EXAMPLE_B, 0);
+        assert_eq!(x, EXAMPLE_B);
+
+        for cond in 1..u8::MAX {
+            let mut x = EXAMPLE_A;
+            x.cmovz(&EXAMPLE_B, cond);
+            assert_eq!(x, EXAMPLE_A);
+        }
+    }
 }
 
 mod slices {

Original file line number	Diff line number	Diff line change
`@@ -166,6 +166,19 @@ mod arrays {`
`166`	`166`	`assert_eq!(x, EXAMPLE_B);`
`167`	`167`	`}`
`168`	`168`	`}`
	`169`	`+`
	`170`	`+ #[test]`
	`171`	`+ fn u8_cmovz_works() {`
	`172`	`+ let mut x = EXAMPLE_A;`
	`173`	`+ x.cmovz(&EXAMPLE_B, 0);`
	`174`	`+ assert_eq!(x, EXAMPLE_B);`
	`175`	`+`
	`176`	`+ for cond in 1..u8::MAX {`
	`177`	`+ let mut x = EXAMPLE_A;`
	`178`	`+ x.cmovz(&EXAMPLE_B, cond);`
	`179`	`+ assert_eq!(x, EXAMPLE_A);`
	`180`	`+ }`
	`181`	`+ }`
`169`	`182`	`}`
`170`	`183`
`171`	`184`	`mod slices {`