4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Aug 2018 10:49:54 +0000 (12:49 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Aug 2018 10:49:54 +0000 (12:49 +0200)
added patches:
drm-i915-kvmgt-fix-potential-spectre-v1.patch
ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch

queue-4.14/drm-i915-kvmgt-fix-potential-spectre-v1.patch [new file with mode: 0644]
queue-4.14/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/drm-i915-kvmgt-fix-potential-spectre-v1.patch b/queue-4.14/drm-i915-kvmgt-fix-potential-spectre-v1.patch
new file mode 100644 (file)
index 0000000..cb9d579
--- /dev/null
@@ -0,0 +1,67 @@
+From de5372da605d3bca46e3102bab51b7e1c0e0a6f6 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 2 Aug 2018 22:40:19 -0500
+Subject: drm/i915/kvmgt: Fix potential Spectre v1
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit de5372da605d3bca46e3102bab51b7e1c0e0a6f6 upstream.
+
+info.index can be indirectly controlled by user-space, hence leading
+to a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/gpu/drm/i915/gvt/kvmgt.c:1232 intel_vgpu_ioctl() warn:
+potential spectre issue 'vgpu->vdev.region' [r]
+
+Fix this by sanitizing info.index before indirectly using it to index
+vgpu->vdev.region
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gvt/kvmgt.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
++++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
+@@ -42,6 +42,8 @@
+ #include <linux/vfio.h>
+ #include <linux/mdev.h>
++#include <linux/nospec.h>
++
+ #include "i915_drv.h"
+ #include "gvt.h"
+@@ -953,7 +955,8 @@ static long intel_vgpu_ioctl(struct mdev
+       } else if (cmd == VFIO_DEVICE_GET_REGION_INFO) {
+               struct vfio_region_info info;
+               struct vfio_info_cap caps = { .buf = NULL, .size = 0 };
+-              int i, ret;
++              unsigned int i;
++              int ret;
+               struct vfio_region_info_cap_sparse_mmap *sparse = NULL;
+               size_t size;
+               int nr_areas = 1;
+@@ -1030,6 +1033,10 @@ static long intel_vgpu_ioctl(struct mdev
+                               if (info.index >= VFIO_PCI_NUM_REGIONS +
+                                               vgpu->vdev.num_regions)
+                                       return -EINVAL;
++                              info.index =
++                                      array_index_nospec(info.index,
++                                                      VFIO_PCI_NUM_REGIONS +
++                                                      vgpu->vdev.num_regions);
+                               i = info.index - VFIO_PCI_NUM_REGIONS;
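Review bot: The clamp on `info.index` carries no comment explaining why it is there, so the rationale lives only in the patch description; a one-line comment above the `array_index_nospec()` call, such as `/* info.index is user-controlled (ioctl argument); clamp it so the vdev.region lookup cannot speculatively index past the bound */`, would keep that visible to whoever next edits this branch. The bound passed to `array_index_nospec()` repeats the expression of the preceding `>=` check, which is the correct pairing, and the comment could name that coupling so the two are not changed independently. The switch of `i` from `int` to `unsigned int` is not mentioned in the description and presumably exists to match the unsigned `info.index` in `i = info.index - VFIO_PCI_NUM_REGIONS;`; one sentence in the description would save a reader guessing. The enclosing `intel_vgpu_ioctl()` begins and ends outside the hunk.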
diff --git a/queue-4.14/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch b/queue-4.14/ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
new file mode 100644 (file)
index 0000000..56d9aba
--- /dev/null
@@ -0,0 +1,54 @@
+From 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Thu, 2 Aug 2018 00:03:40 -0400
+Subject: ext4: fix spectre gadget in ext4_mb_regular_allocator()
+
+From: Jeremy Cline <jcline@redhat.com>
+
+commit 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 upstream.
+
+'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
+derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
+index arrays which makes it a potential spectre gadget. Fix this by
+sanitizing the value assigned to 'ac->ac2_order'.  This covers the
+following accesses found with the help of smatch:
+
+* fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
+  spectre issue 'grp->bb_counters' [w] (local cap)
+
+* fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
+  'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)
+
+* fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
+  'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)
+
+Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/mballoc.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -26,6 +26,7 @@
+ #include <linux/log2.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
++#include <linux/nospec.h>
+ #include <linux/backing-dev.h>
+ #include <trace/events/ext4.h>
+@@ -2152,7 +2153,8 @@ ext4_mb_regular_allocator(struct ext4_al
+                * This should tell if fe_len is exactly power of 2
+                */
+               if ((ac->ac_g_ex.fe_len & (~(1 << (i - 1)))) == 0)
+-                      ac->ac_2order = i - 1;
++                      ac->ac_2order = array_index_nospec(i - 1,
++                                                         sb->s_blocksize_bits + 2);
+       }
+       /* if stream allocation is enabled, use global goal */
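Review bot: The bound `sb->s_blocksize_bits + 2` handed to `array_index_nospec()` is a bare expression whose connection to the arrays `ac_2order` later indexes (`bb_counters`, `s_mb_offsets`, `s_mb_maxs`, per the description) is not stated anywhere in the code; a comment such as `/* fe_len is user-controlled; clamp ac_2order to the per-order array size (s_blocksize_bits + 2) */` above the assignment would document why this is the right cap. The `i` being clamped presumably comes from the loop bound of the enclosing `for`, which lies outside the hunk, so the comment should also say the two limits must stay in sync. The description's `'ac->ac2_order'` appears to be a typo for `ac_2order`, worth fixing if the patch is respun. `ext4_mb_regular_allocator()` starts and ends outside the hunk.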
index e8c22dd4679333bca2ae4cce12c63d10f05b4b58..cfdd911de531f301d251aa4a171af47650a2ea19 100644 (file)
@@ -1,3 +1,5 @@
+ext4-fix-spectre-gadget-in-ext4_mb_regular_allocator.patch
+drm-i915-kvmgt-fix-potential-spectre-v1.patch
 edac-add-missing-mem_lrddr4-entry-in-edac_mem_types.patch
 pty-fix-o_cloexec-for-tiocgptpeer.patch
 arm-dts-armada-fix-cooling-cells-property-s-name.patch