[PATCH] loop: Fix potential Spectre v1 vulnerability

From: Gustavo A. R. Silva
Date: Tue Dec 18 2018 - 11:14:50 EST

Next message: Noralf TrÃnnes: "Re: [Xen-devel][PATCH v2 2/3] drm/xen-front: Use Xen common shared buffer implementation"
Previous message: Rob Herring: "Re: [PATCH v2 4/4] media: dt-bindings: Add binding for si470x radio"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

type is indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:

drivers/block/loop.c:1208 loop_set_status() warn: potential spectre issue 'xfer_funcs' [r] (local cap)

Fix this by sanitizing type before using it to index xfer_funcs.

Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx>
---
drivers/block/loop.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 0939f36548c9..015d255f451b 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -83,6 +83,8 @@

#include <linux/uaccess.h>

+#include <linux/nospec.h>
+
static DEFINE_IDR(loop_index_idr);
static DEFINE_MUTEX(loop_ctl_mutex);

@@ -1205,6 +1207,7 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
err = -EINVAL;
goto out_unfreeze;
}
+ type = array_index_nospec(type, MAX_LO_CRYPT);
xfer = xfer_funcs[type];
if (xfer == NULL) {
err = -EINVAL;
--
2.19.2

Next message: Noralf TrÃnnes: "Re: [Xen-devel][PATCH v2 2/3] drm/xen-front: Use Xen common shared buffer implementation"
Previous message: Rob Herring: "Re: [PATCH v2 4/4] media: dt-bindings: Add binding for si470x radio"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]