Commit | Line | Data |
---|---|---|
69a513a2 GKH |
1 | From de916736aaaadddbd6061472969f667b14204aa9 Mon Sep 17 00:00:00 2001 |
2 | From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> | |
3 | Date: Wed, 15 Aug 2018 10:50:41 -0500 | |
4 | Subject: misc: hmc6352: fix potential Spectre v1 | |
5 | ||
6 | From: Gustavo A. R. Silva <gustavo@embeddedor.com> | |
7 | ||
8 | commit de916736aaaadddbd6061472969f667b14204aa9 upstream. | |
9 | ||
10 | val is indirectly controlled by user-space, hence leading to a | |
11 | potential exploitation of the Spectre variant 1 vulnerability. | |
12 | ||
13 | This issue was detected with the help of Smatch: | |
14 | ||
15 | drivers/misc/hmc6352.c:54 compass_store() warn: potential spectre issue | |
16 | 'map' [r] | |
17 | ||
18 | Fix this by sanitizing val before using it to index map | |
19 | ||
20 | Notice that given that speculation windows are large, the policy is | |
21 | to kill the speculation on the first load and not worry if it can be | |
22 | completed with a dependent load/store [1]. | |
23 | ||
24 | [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 | |
25 | ||
26 | Cc: stable@vger.kernel.org | |
27 | Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> | |
28 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
29 | ||
30 | --- | |
31 | drivers/misc/hmc6352.c | 2 ++ | |
32 | 1 file changed, 2 insertions(+) | |
33 | ||
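--- a/drivers/misc/hmc6352.c
+++ b/drivers/misc/hmc6352.c
@@ -27,6 +27,7 @@
 #include <linux/err.h>
 #include <linux/delay.h>
 #include <linux/sysfs.h>
+#include <linux/nospec.h>
 
 static DEFINE_MUTEX(compass_mutex);
 
@@ -50,6 +51,7 @@ static int compass_store(struct device *
 return ret;
 if (val >= strlen(map))
 return -EINVAL;
+ val = array_index_nospec(val, strlen(map));
 mutex_lock(&compass_mutex);
 ret = compass_command(c, map[val]);
 mutex_unlock(&compass_mutex);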
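Review bot: The bound `strlen(map)` is evaluated twice in compass_store(), once in the `val >= strlen(map)` check and again in the added `array_index_nospec()` call, so the architectural check and the speculation clamp are tied to the same limit only by convention. Hoisting it into a local keeps the two in step: `size_t len = strlen(map);`, then `if (val >= len) return -EINVAL;` and `val = array_index_nospec(val, len);`. The clamp also looks redundant next to the range check to anyone unfamiliar with Spectre v1, so a short comment such as `/* clamp val under speculation; the check above only holds architecturally */` would keep a later cleanup from removing it. compass_store() starts and ends outside this hunk, so the declared type of val and the contents of map are not visible here and should be confirmed against the full function.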