Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933569AbeAKWPQ (ORCPT + 1 other); Thu, 11 Jan 2018 17:15:16 -0500 Received: from mail-ot0-f194.google.com ([74.125.82.194]:44413 "EHLO mail-ot0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933167AbeAKWPN (ORCPT ); Thu, 11 Jan 2018 17:15:13 -0500 X-Google-Smtp-Source: ACJfBovg1btH9yng5zbRz50YlSAXiqk29jAoOVRpfQdRpnIpAhnCrR3gzzZRw/nBFddxSr94jDCHTQvJIKqYsD3DSq4= MIME-Version: 1.0 In-Reply-To: <20180106090322.GF4380@kroah.com> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520104838.32271.7038801336240727574.stgit@dwillia2-desk3.amr.corp.intel.com> <20180106090322.GF4380@kroah.com> From: Dan Williams Date: Thu, 11 Jan 2018 14:15:12 -0800 Message-ID: Subject: Re: [PATCH 10/18] qla2xxx: prevent bounds-check bypass via speculative execution To: Greg KH Cc: Linux Kernel Mailing List , linux-arch@vger.kernel.org, "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi , Peter Zijlstra , Netdev , qla2xxx-upstream@qlogic.com, Thomas Gleixner , Linus Torvalds , Elena Reshetova , Alan Cox Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Sat, Jan 6, 2018 at 1:03 AM, Greg KH wrote: > On Fri, Jan 05, 2018 at 05:10:48PM -0800, Dan Williams wrote: >> Static analysis reports that 'handle' may be a user controlled value >> that is used as a data dependency to read 'sp' from the >> 'req->outstanding_cmds' array. In order to avoid potential leaks of >> kernel memory values, block speculative execution of the instruction >> stream that could issue reads based on an invalid value of 'sp'. In this >> case 'sp' is directly dereferenced later in the function. > > I'm pretty sure that 'handle' comes from the hardware, not from > userspace, from what I can tell here. If we want to start auditing > __iomem data sources, great! But that's a bigger task, and one I don't > think we are ready to tackle... I think it falls in the hygiene bucket of shutting off an array index from a source that could be under attacker control. Should we leave this one un-patched while we decide if we generally have a problem with trusting completion 'tags' from hardware? My vote is patch it for now.