Commit | Line | Data |
---|---|---|
0a640a2e GKH |
1 | From 701956d4018e5d5438570e39e8bda47edd32c489 Mon Sep 17 00:00:00 2001 |
2 | From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> | |
3 | Date: Wed, 9 Jan 2019 13:02:36 -0600 | |
4 | Subject: char/mwave: fix potential Spectre v1 vulnerability | |
5 | ||
6 | From: Gustavo A. R. Silva <gustavo@embeddedor.com> | |
7 | ||
8 | commit 701956d4018e5d5438570e39e8bda47edd32c489 upstream. | |
9 | ||
10 | ipcnum is indirectly controlled by user-space, hence leading to | |
11 | a potential exploitation of the Spectre variant 1 vulnerability. | |
12 | ||
13 | This issue was detected with the help of Smatch: | |
14 | ||
15 | drivers/char/mwave/mwavedd.c:299 mwave_ioctl() warn: potential spectre issue 'pDrvData->IPCs' [w] (local cap) | |
16 | ||
17 | Fix this by sanitizing ipcnum before using it to index pDrvData->IPCs. | |
18 | ||
19 | Notice that given that speculation windows are large, the policy is | |
20 | to kill the speculation on the first load and not worry if it can be | |
21 | completed with a dependent load/store [1]. | |
22 | ||
23 | [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 | |
24 | ||
25 | Cc: stable@vger.kernel.org | |
26 | Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> | |
27 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
28 | ||
29 | --- | |
30 | drivers/char/mwave/mwavedd.c | 7 +++++++ | |
31 | 1 file changed, 7 insertions(+) | |
32 | ||
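--- a/drivers/char/mwave/mwavedd.c
+++ b/drivers/char/mwave/mwavedd.c
@@ -59,6 +59,7 @@
 #include <linux/mutex.h>
 #include <linux/delay.h>
 #include <linux/serial_8250.h>
+#include <linux/nospec.h>
 #include "smapi.h"
 #include "mwavedd.h"
 #include "3780i.h"
@@ -289,6 +290,8 @@ static long mwave_ioctl(struct file *fil
 ipcnum);
 return -EINVAL;
 }
+ ipcnum = array_index_nospec(ipcnum,
+ ARRAY_SIZE(pDrvData->IPCs));
 PRINTK_3(TRACE_MWAVE,
 "mwavedd::mwave_ioctl IOCTL_MW_REGISTER_IPC"
 " ipcnum %x entry usIntCount %x\n",
@@ -317,6 +320,8 @@ static long mwave_ioctl(struct file *fil
 " Invalid ipcnum %x\n", ipcnum);
 return -EINVAL;
 }
+ ipcnum = array_index_nospec(ipcnum,
+ ARRAY_SIZE(pDrvData->IPCs));
 PRINTK_3(TRACE_MWAVE,
 "mwavedd::mwave_ioctl IOCTL_MW_GET_IPC"
 " ipcnum %x, usIntCount %x\n",
@@ -383,6 +388,8 @@ static long mwave_ioctl(struct file *fil
 ipcnum);
 return -EINVAL;
 }
+ ipcnum = array_index_nospec(ipcnum,
+ ARRAY_SIZE(pDrvData->IPCs));
 mutex_lock(&mwave_mutex);
 if (pDrvData->IPCs[ipcnum].bIsEnabled == true) {
 pDrvData->IPCs[ipcnum].bIsEnabled = false;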
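Review bot: The three `array_index_nospec()` clamps (the IOCTL_MW_REGISTER_IPC and IOCTL_MW_GET_IPC hunks, and the last hunk before `mutex_lock`) carry no comment, and each re-assigns an index that the check just above has already validated, so a later cleanup could plausibly delete them as redundant. A one-line comment at each site, e.g. `/* Spectre v1: clamp ipcnum so a mispredicted bounds check cannot index past IPCs[] */`, would record why each must stay directly between the check and the first `pDrvData->IPCs[ipcnum]` load. The clamp bound is `ARRAY_SIZE(pDrvData->IPCs)`, but the condition of each preceding check lies outside these hunks; confirm it tests against the same bound, so that the clamp never alters an index the check accepted. mwave_ioctl's body starts and ends outside the hunks, so any other use of ipcnum is not visible here.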