2022-02-01 02:11:10

by Jordy Zomer

Subject: [PATCH] dm ioctl: prevent potential Spectre v1 gadget

It appears like cmd could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents
of kernel memory from being leaked to userspace via speculative
execution by using array_index_nospec.

Signed-off-by: Jordy Zomer <[email protected]>
---
drivers/md/dm-ioctl.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 21fe8652b095..0c1f9983f080 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1788,6 +1788,7 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags)
if (unlikely(cmd >= ARRAY_SIZE(_ioctls)))
return NULL;

+ cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls));
*ioctl_flags = _ioctls[cmd].flags;
return _ioctls[cmd].fn;
}
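
Review bot: array_index_nospec() is called on the added line in lookup_ioctl(), but this patch adds no #include <linux/nospec.h>; the diffstat shows a single insertion in dm-ioctl.c. The file then depends on some other header pulling the declaration in, and the build fails on any configuration where none does. Add the include next to the other <linux/...> headers at the top of the file.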
--
2.27.0


2022-02-01 02:14:03

by Jordy Zomer

Subject: [PATCH v2] dm ioctl: prevent potential Spectre v1 gadget

It appears like cmd could be a Spectre v1 gadget as it's supplied by a
user and used as an array index. Prevent the contents
of kernel memory from being leaked to userspace via speculative
execution by using array_index_nospec.

Forgot to add the nospec include, that's the reason for the v2 :)

Signed-off-by: Jordy Zomer <[email protected]>
---
drivers/md/dm-ioctl.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 21fe8652b095..901abd6dea41 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -18,6 +18,7 @@
#include <linux/dm-ioctl.h>
#include <linux/hdreg.h>
#include <linux/compat.h>
+#include <linux/nospec.h>

#include <linux/uaccess.h>
#include <linux/ima.h>
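
Review bot: The revision note explaining this added #include <linux/nospec.h> line ("Forgot to add the nospec include, that's the reason for the v2") sits above the "---" separator, so it would be recorded in git history as part of the commit message. Move it below the "---", where per-version changelog text belongs. The include itself is grouped with the other <linux/...> headers and needs no change.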
@@ -1788,6 +1789,7 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags)
if (unlikely(cmd >= ARRAY_SIZE(_ioctls)))
return NULL;

+ cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls));
*ioctl_flags = _ioctls[cmd].flags;
return _ioctls[cmd].fn;
}
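
Review bot: The added "cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls));" line carries no comment, and a later reader could take it for a redundant repeat of the "cmd >= ARRAY_SIZE(_ioctls)" test two lines above and drop it in a cleanup. A one-line comment saying that it clamps cmd for the case where the bounds-check branch is mispredicted would protect it. The bound passed to array_index_nospec() is the same ARRAY_SIZE(_ioctls) used in the check, which is the pairing it needs.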
--
2.27.0

2022-02-01 03:25:04

by kernel test robot

Subject: Re: [PATCH] dm ioctl: prevent potential Spectre v1 gadget

Hi Jordy,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on device-mapper-dm/for-next]
[also build test ERROR on linux/master linus/master v5.17-rc1 next-20220128]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/Jordy-Zomer/dm-ioct-prevent-potential-specter-v1-gadget/20220129-223840
base: https://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git for-next
config: hexagon-buildonly-randconfig-r001-20220129 (https://download.01.org/0day-ci/archive/20220130/[email protected]/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 33b45ee44b1f32ffdbc995e6fec806271b4b3ba4)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/494fed5461aa05e0efaf098b57a2a47dc19ba226
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Jordy-Zomer/dm-ioct-prevent-potential-specter-v1-gadget/20220129-223840
git checkout 494fed5461aa05e0efaf098b57a2a47dc19ba226
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=hexagon SHELL=/bin/bash drivers/md/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All errors (new ones prefixed by >>):

>> drivers/md/dm-ioctl.c:1791:8: error: implicit declaration of function 'array_index_nospec' [-Werror,-Wimplicit-function-declaration]
cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls));
^
1 error generated.


vim +/array_index_nospec +1791 drivers/md/dm-ioctl.c

1752
1753 /*-----------------------------------------------------------------
1754 * Implementation of open/close/ioctl on the special char
1755 * device.
1756 *---------------------------------------------------------------*/
1757 static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags)
1758 {
1759 static const struct {
1760 int cmd;
1761 int flags;
1762 ioctl_fn fn;
1763 } _ioctls[] = {
1764 {DM_VERSION_CMD, 0, NULL}, /* version is dealt with elsewhere */
1765 {DM_REMOVE_ALL_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, remove_all},
1766 {DM_LIST_DEVICES_CMD, 0, list_devices},
1767
1768 {DM_DEV_CREATE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_create},
1769 {DM_DEV_REMOVE_CMD, IOCTL_FLAGS_NO_PARAMS | IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_remove},
1770 {DM_DEV_RENAME_CMD, IOCTL_FLAGS_ISSUE_GLOBAL_EVENT, dev_rename},
1771 {DM_DEV_SUSPEND_CMD, IOCTL_FLAGS_NO_PARAMS, dev_suspend},
1772 {DM_DEV_STATUS_CMD, IOCTL_FLAGS_NO_PARAMS, dev_status},
1773 {DM_DEV_WAIT_CMD, 0, dev_wait},
1774
1775 {DM_TABLE_LOAD_CMD, 0, table_load},
1776 {DM_TABLE_CLEAR_CMD, IOCTL_FLAGS_NO_PARAMS, table_clear},
1777 {DM_TABLE_DEPS_CMD, 0, table_deps},
1778 {DM_TABLE_STATUS_CMD, 0, table_status},
1779
1780 {DM_LIST_VERSIONS_CMD, 0, list_versions},
1781
1782 {DM_TARGET_MSG_CMD, 0, target_message},
1783 {DM_DEV_SET_GEOMETRY_CMD, 0, dev_set_geometry},
1784 {DM_DEV_ARM_POLL, IOCTL_FLAGS_NO_PARAMS, dev_arm_poll},
1785 {DM_GET_TARGET_VERSION, 0, get_target_version},
1786 };
1787
1788 if (unlikely(cmd >= ARRAY_SIZE(_ioctls)))
1789 return NULL;
1790
> 1791 cmd = array_index_nospec(cmd, ARRAY_SIZE(_ioctls));
1792 *ioctl_flags = _ioctls[cmd].flags;
1793 return _ioctls[cmd].fn;
1794 }
1795

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]
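
The clamp that the patch in this thread adds after the bounds check can be modelled in userspace. The following is an added example, not code from the thread or from dm-ioctl.c: index_mask_nospec(), clamped(), lookup() and the three-entry table are hypothetical names, and the mask expression is modelled on the generic C fallback for array_index_nospec() in include/linux/nospec.h. It assumes arithmetic right shift of negative longs and a size no larger than LONG_MAX.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* All ones when index < size, zero otherwise. Computed with arithmetic
 * only, so there is no branch for the CPU to mispredict. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* What the clamp yields when the bounds check is not in effect, as on a
 * mispredicted branch: every out-of-range index collapses to 0. */
static unsigned int clamped(unsigned int cmd, size_t size)
{
    return cmd & (unsigned int)index_mask_nospec(cmd, size);
}

typedef int (*handler_fn)(void);
static int h_version(void) { return 0; }
static int h_list(void)    { return 1; }
static int h_status(void)  { return 2; }

/* Constructed stand-in for the _ioctls[] table. */
static const struct { int flags; handler_fn fn; } table[] = {
    {0, h_version}, {1, h_list}, {2, h_status},
};

/* Same shape as the patched lookup_ioctl(): check, clamp, then index. */
static handler_fn lookup(unsigned int cmd, int *flags)
{
    if (cmd >= ARRAY_SIZE(table))
        return NULL;
    cmd = clamped(cmd, ARRAY_SIZE(table));
    *flags = table[cmd].flags;
    return table[cmd].fn;
}

int main(void)
{
    unsigned int probes[] = {0, 2, 3, 4096, 0xffffffffu};
    for (size_t i = 0; i < ARRAY_SIZE(probes); i++)
        printf("cmd=%u -> clamped=%u\n", probes[i], clamped(probes[i], 3));
    return 0;
}
```

In-range values pass through unchanged, so the architectural behaviour of lookup() is identical with or without the clamp; only the speculative path is affected.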