Re: [PATCH] perf/core: fix possible spectre-v1 write
From: Mark Rutland
Date: Wed Jul 11 2018 - 01:53:37 EST
On Tue, Jul 10, 2018 at 07:06:07PM +0100, Mark Rutland wrote:
> It's possible for userspace to control event_id. Sanitize event_id when
> using it as an array index, to inhibit the potential spectre-v1 write
> gadget.
>
> This class of issue is also known as CVE-2018-3693, or "bounds check bypass
> store".
>
> Found by smatch.
>
> Signed-off-by: Mark Rutland <mark.rutland@xxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> ---
> kernel/events/core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> For Arm CPUs, more details can be found in the Arm Cache Speculation
> Side-channels whitepaper, available from the Arm security updates site [1].
>
> Mark.
>
> [1] https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
>
> diff --git a/kernel/events/core.c b/kernel/events/core.c
> index 8f0434a9951a..eece719bd18e 100644
> --- a/kernel/events/core.c
> +++ b/kernel/events/core.c
> @@ -8155,6 +8155,7 @@ struct static_key perf_swevent_enabled[PERF_COUNT_SW_MAX];
> static void sw_perf_event_destroy(struct perf_event *event)
> {
> u64 event_id = event->attr.config;
> + event_id = array_index_nospec(event_id, PERF_COUNT_SW_MAX);
As the kbuild test robot has pointed out, I've failed to include
<linux/nospec.h> for this to compile.
I'll spin a v2 with that added, and the result tested.
Thanks,
Mark.