4.4-stable patches

added patches:
	drm-ioctl-fix-spectre-v1-vulnerabilities.patch

diff --git a/queue-4.4/drm-ioctl-fix-spectre-v1-vulnerabilities.patch b/queue-4.4/drm-ioctl-fix-spectre-v1-vulnerabilities.patch
new file mode 100644 (file)
index 0000000..6b1bec8
--- /dev/null
+++ b/queue-4.4/drm-ioctl-fix-spectre-v1-vulnerabilities.patch
@@ -0,0 +1,75 @@
+From 505b5240329b922f21f91d5b5d1e535c805eca6d Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 19 Dec 2018 18:00:15 -0600
+Subject: drm/ioctl: Fix Spectre v1 vulnerabilities
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream.
+
+nr is indirectly controlled by user-space, hence leading to a
+potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue 'dev->driver->ioctls' [r]
+drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
+drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue 'drm_ioctls' [r] (local cap)
+
+Fix this by sanitizing nr before using it to index dev->driver->ioctls
+and drm_ioctls.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20181220000015.GA18973@embeddedor
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_ioctl.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -36,6 +36,7 @@
+ 
+ #include <linux/pci.h>
+ #include <linux/export.h>
++#include <linux/nospec.h>
+ 
+ static int drm_version(struct drm_device *dev, void *data,
+                      struct drm_file *file_priv);
+@@ -702,13 +703,17 @@ long drm_ioctl(struct file *filp,
+ 
+       if (is_driver_ioctl) {
+               /* driver ioctl */
+-              if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
++              unsigned int index = nr - DRM_COMMAND_BASE;
++
++              if (index >= dev->driver->num_ioctls)
+                       goto err_i1;
+-              ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE];
++              index = array_index_nospec(index, dev->driver->num_ioctls);
++              ioctl = &dev->driver->ioctls[index];
+       } else {
+               /* core ioctl */
+               if (nr >= DRM_CORE_IOCTL_COUNT)
+                       goto err_i1;
++              nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
+               ioctl = &drm_ioctls[nr];
+       }
+ 
+@@ -810,6 +815,7 @@ bool drm_ioctl_flags(unsigned int nr, un
+ 
+       if (nr >= DRM_CORE_IOCTL_COUNT)
+               return false;
++      nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
+ 
+       *flags = drm_ioctls[nr].flags;
+       return true;

diff --git a/queue-4.4/series b/queue-4.4/series
index df2897e39ffc69e5566d9a17e77466881656fdc1..f9fa47cfb10f1e4dcbce957b5b0656f504b89f37 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -10,3 +10,4 @@ mmc-omap_hsmmc-fix-dma-api-warning.patch
 gpio-max7301-fix-driver-for-use-with-config_vmap_stack.patch
 drivers-hv-vmbus-return-einval-for-the-sys-files-for-unopened-channels.patch
 x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch
+drm-ioctl-fix-spectre-v1-vulnerabilities.patch