Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753164AbeAFKD2 (ORCPT + 1 other); Sat, 6 Jan 2018 05:03:28 -0500 Received: from mail-lf0-f67.google.com ([209.85.215.67]:46657 "EHLO mail-lf0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753096AbeAFKDZ (ORCPT ); Sat, 6 Jan 2018 05:03:25 -0500 X-Google-Smtp-Source: ACJfBovMEe3kYOen91QY3K2Z+1IZML3ISN+nLKv7zeq5Rms9z5P+YUFNOR6UwAC4c1jLPKFCKUVA5g== Subject: Re: [PATCH 12/18] Thermal/int340x: prevent bounds-check bypass via speculative execution To: Dan Williams , linux-kernel@vger.kernel.org Cc: linux-arch@vger.kernel.org, gregkh@linuxfoundation.org, peterz@infradead.org, netdev@vger.kernel.org, Eduardo Valentin , Srinivas Pandruvada , Zhang Rui , torvalds@linux-foundation.org, tglx@linutronix.de, Elena Reshetova , alan@linux.intel.com References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520105920.32271.1091443154687576996.stgit@dwillia2-desk3.amr.corp.intel.com> From: Sergei Shtylyov Message-ID: Date: Sat, 6 Jan 2018 13:03:22 +0300 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2 MIME-Version: 1.0 In-Reply-To: <151520105920.32271.1091443154687576996.stgit@dwillia2-desk3.amr.corp.intel.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On 1/6/2018 4:10 AM, Dan Williams wrote: > Static analysis reports that 'trip' may be a user controlled value that > is used as a data dependency to read '*temp' from the 'd->aux_trips' > array. In order to avoid potential leaks of kernel memory values, block > speculative execution of the instruction stream that could issue reads > based on an invalid value of '*temp'. > > Based on an original patch by Elena Reshetova. > > Cc: Srinivas Pandruvada > Cc: Zhang Rui > Cc: Eduardo Valentin > Signed-off-by: Elena Reshetova > Signed-off-by: Dan Williams > --- > .../thermal/int340x_thermal/int340x_thermal_zone.c | 14 ++++++++------ > 1 file changed, 8 insertions(+), 6 deletions(-) > > diff --git a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c > index 145a5c53ff5c..442a1d9bf7ad 100644 > --- a/drivers/thermal/int340x_thermal/int340x_thermal_zone.c > +++ b/drivers/thermal/int340x_thermal/int340x_thermal_zone.c [...] > @@ -52,20 +53,21 @@ static int int340x_thermal_get_trip_temp(struct thermal_zone_device *zone, > int trip, int *temp) > { > struct int34x_thermal_zone *d = zone->devdata; > + unsigned long *elem; > int i; > > if (d->override_ops && d->override_ops->get_trip_temp) > return d->override_ops->get_trip_temp(zone, trip, temp); > > - if (trip < d->aux_trip_nr) > - *temp = d->aux_trips[trip]; > - else if (trip == d->crt_trip_id) > + if ((elem = nospec_array_ptr(d->aux_trips, trip, d->aux_trip_nr))) { And here... > + *temp = *elem; > + } else if (trip == d->crt_trip_id) { > *temp = d->crt_temp; > - else if (trip == d->psv_trip_id) > + } else if (trip == d->psv_trip_id) { > *temp = d->psv_temp; > - else if (trip == d->hot_trip_id) > + } else if (trip == d->hot_trip_id) { > *temp = d->hot_temp; > - else { > + } else { > for (i = 0; i < INT340X_THERMAL_MAX_ACT_TRIP_COUNT; i++) { > if (d->act_trips[i].valid && > d->act_trips[i].id == trip) { MBR, Sergei