Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753587AbeAFB5V (ORCPT + 1 other); Fri, 5 Jan 2018 20:57:21 -0500 Received: from mail-oi0-f50.google.com ([209.85.218.50]:34893 "EHLO mail-oi0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753498AbeAFB5T (ORCPT ); Fri, 5 Jan 2018 20:57:19 -0500 X-Google-Smtp-Source: ACJfBosAI05XYNFTUBE0CWtt+8SiFhVonktR+XpM7MrmB13eF4lIyndWFzMOvk37AlvJ5jNNZ/CU7+2Fe6W5+sOYL3k= MIME-Version: 1.0 In-Reply-To: <1515203635.26317.78.camel@linux.intel.com> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520105920.32271.1091443154687576996.stgit@dwillia2-desk3.amr.corp.intel.com> <1515203635.26317.78.camel@linux.intel.com> From: Dan Williams Date: Fri, 5 Jan 2018 17:57:18 -0800 Message-ID: Subject: Re: [PATCH 12/18] Thermal/int340x: prevent bounds-check bypass via speculative execution To: Srinivas Pandruvada Cc: Linux Kernel Mailing List , linux-arch@vger.kernel.org, Greg KH , Peter Zijlstra , Netdev , Eduardo Valentin , Zhang Rui , Linus Torvalds , Thomas Gleixner , Elena Reshetova , Alan Cox Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Fri, Jan 5, 2018 at 5:53 PM, Srinivas Pandruvada wrote: > On Fri, 2018-01-05 at 17:10 -0800, Dan Williams wrote: >> Static analysis reports that 'trip' may be a user controlled value >> that >> is used as a data dependency to read '*temp' from the 'd->aux_trips' >> array. In order to avoid potential leaks of kernel memory values, >> block >> speculative execution of the instruction stream that could issue >> reads >> based on an invalid value of '*temp'. > > Not against the change as this is in a very slow path. But the trip is > not an arbitrary value which user can enter. > > This trip value is the one of the sysfs attribute in thermal zone. For > example > > # cd /sys/class/thermal/thermal_zone1 > # ls trip_point_?_temp > trip_point_0_temp trip_point_1_temp trip_point_2_temp trip_point_3_t > emp trip_point_4_temp trip_point_5_temp trip_point_6_temp > > Here the "trip" is one of the above trip_point_*_temp. So in this case > it can be from 0 to 6 as user can't do > # cat trip_point_7_temp > as there is no sysfs attribute for trip_point_7_temp. > > The actual "trip" was obtained in thermal core via > > if (sscanf(attr->attr.name, "trip_point_%d_temp", &trip) != 1) > return -EINVAL; > > Thanks, > Srinivas Ah, great, thanks. So do we even need the bounds check at that point?