Re: [PATCH] Input: uinput - fix Spectre v1 vulnerability

From: Dmitry Torokhov
Date: Tue Oct 16 2018 - 13:34:10 EST

Next message: Gustavo A. R. Silva: "[PATCH net-next v3 1/2] net: phy: mscc: fix signedness bug in vsc85xx_downshift_get"
Previous message: Pandruvada, Srinivas: "Re: issues with suspend on Dell XPS 13 2-in-1"
In reply to: Gustavo A. R. Silva: "[PATCH] Input: uinput - fix Spectre v1 vulnerability"
Next in thread: Gustavo A. R. Silva: "Re: [PATCH] Input: uinput - fix Spectre v1 vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Gustavo,

On Tue, Oct 16, 2018 at 01:13:13PM +0200, Gustavo A. R. Silva wrote:
> setup.code can be indirectly controlled by user-space, hence leading to
> a potential exploitation of the Spectre variant 1 vulnerability.
>
> This issue was detected with the help of Smatch:
>
> drivers/input/misc/uinput.c:512 uinput_abs_setup() warn: potential
> spectre issue 'dev->absinfo' [w] (local cap)
>
> Fix this by sanitizing setup.code before using it to index dev->absinfo.

So we are saying that attacker, by repeatedly calling ioctl(...,
UI_ABS_SETUP, ...) will be able to poison branch predictor and discover
another program or kernel secrets? But uinput is a privileged interface
open to root only, as it allows injecting arbitrary keystrokes into the
kernel. And since only root can use uinput, meh?

Thanks.

--
Dmitry

Next message: Gustavo A. R. Silva: "[PATCH net-next v3 1/2] net: phy: mscc: fix signedness bug in vsc85xx_downshift_get"
Previous message: Pandruvada, Srinivas: "Re: issues with suspend on Dell XPS 13 2-in-1"
In reply to: Gustavo A. R. Silva: "[PATCH] Input: uinput - fix Spectre v1 vulnerability"
Next in thread: Gustavo A. R. Silva: "Re: [PATCH] Input: uinput - fix Spectre v1 vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]