Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753596AbeAFBx7 (ORCPT + 1 other); Fri, 5 Jan 2018 20:53:59 -0500 Received: from mga09.intel.com ([134.134.136.24]:15387 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753411AbeAFBx5 (ORCPT ); Fri, 5 Jan 2018 20:53:57 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,320,1511856000"; d="scan'208";a="7620077" Message-ID: <1515203635.26317.78.camel@linux.intel.com> Subject: Re: [PATCH 12/18] Thermal/int340x: prevent bounds-check bypass via speculative execution From: Srinivas Pandruvada To: Dan Williams , linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, gregkh@linuxfoundation.org, peterz@infradead.org, netdev@vger.kernel.org, Eduardo Valentin , Zhang Rui , torvalds@linux-foundation.org, tglx@linutronix.de, Elena Reshetova , alan@linux.intel.com Date: Fri, 05 Jan 2018 17:53:55 -0800 In-Reply-To: <151520105920.32271.1091443154687576996.stgit@dwillia2-desk3.amr.corp.intel.com> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520105920.32271.1091443154687576996.stgit@dwillia2-desk3.amr.corp.intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.18.5.2 (3.18.5.2-1.fc23) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Fri, 2018-01-05 at 17:10 -0800, Dan Williams wrote: > Static analysis reports that 'trip' may be a user controlled value > that > is used as a data dependency to read '*temp' from the 'd->aux_trips' > array.  In order to avoid potential leaks of kernel memory values, > block > speculative execution of the instruction stream that could issue > reads > based on an invalid value of '*temp'. Not against the change as this is in a very slow path. But the trip is not an arbitrary value which user can enter. This trip value is the one of the sysfs attribute in thermal zone. For example # cd /sys/class/thermal/thermal_zone1 # ls trip_point_?_temp trip_point_0_temp  trip_point_1_temp  trip_point_2_temp  trip_point_3_t emp  trip_point_4_temp  trip_point_5_temp  trip_point_6_temp Here the "trip" is one of the above trip_point_*_temp. So in this case it can be from 0 to 6 as user can't do # cat trip_point_7_temp as there is no sysfs attribute for trip_point_7_temp. The actual "trip" was obtained in thermal core via       if (sscanf(attr->attr.name, "trip_point_%d_temp", &trip) != 1)                 return -EINVAL; Thanks, Srinivas > > Based on an original patch by Elena Reshetova. > > Cc: Srinivas Pandruvada > Cc: Zhang Rui > Cc: Eduardo Valentin > Signed-off-by: Elena Reshetova > Signed-off-by: Dan Williams > --- >  .../thermal/int340x_thermal/int340x_thermal_zone.c |   14 ++++++++ > ------ >  1 file changed, 8 insertions(+), 6 deletions(-) > > diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c > b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c > index 145a5c53ff5c..442a1d9bf7ad 100644 > --- a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c > +++ b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c > @@ -17,6 +17,7 @@ >  #include >  #include >  #include > +#include >  #include "int340x_thermal_zone.h" >   >  static int int340x_thermal_get_zone_temp(struct thermal_zone_device > *zone, > @@ -52,20 +53,21 @@ static int int340x_thermal_get_trip_temp(struct > thermal_zone_device *zone, >    int trip, int *temp) >  { >   struct int34x_thermal_zone *d = zone->devdata; > + unsigned long *elem; >   int i; >   >   if (d->override_ops && d->override_ops->get_trip_temp) >   return d->override_ops->get_trip_temp(zone, trip, > temp); >   > - if (trip < d->aux_trip_nr) > - *temp = d->aux_trips[trip]; > - else if (trip == d->crt_trip_id) > + if ((elem = nospec_array_ptr(d->aux_trips, trip, d- > >aux_trip_nr))) { > + *temp = *elem; > + } else if (trip == d->crt_trip_id) { >   *temp = d->crt_temp; > - else if (trip == d->psv_trip_id) > + } else if (trip == d->psv_trip_id) { >   *temp = d->psv_temp; > - else if (trip == d->hot_trip_id) > + } else if (trip == d->hot_trip_id) { >   *temp = d->hot_temp; > - else { > + } else { >   for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; > i++) { >   if (d->act_trips[i].valid && >       d->act_trips[i].id == trip) { >